分享
 
 
 

RFC1801 - MHS use of the X.500 Directory to support MHS Routing

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group S. Kille

Request for Comments: 1801 ISODE Consortium

Category: EXPerimental June 1995

X.400-MHS use of the X.500 Directory to support X.400-MHS Routing

Status of this Memo

This memo defines an Experimental Protocol for the Internet

community. This memo does not specify an Internet standard of any

kind. Discussion and suggestions for improvement are requested.

Distribution of this memo is unlimited.

Table of Contents

1 IntrodUCtion 3

2 Goals 3

3 Approach 5

4 Direct vs Indirect Connection 6

5 X.400 and RFC822 8

6 Objects 9

7 Communities 10

8 Routing Trees 11

8.1 Routing Tree Definition . . . . . . . 12

8.2 The Open Community Routing Tree . . . . . 12

8.3 Routing Tree Location . . . . . . . 13

8.4 Example Routing Trees . . . . . . . 13

8.5 Use of Routing Trees to look up Information . . 13

9 Routing Tree Selection 14

9.1 Routing Tree Order . . . . . . . . 14

9.2 Example use of Routing Trees . . . . . . 15

9.2.1 Fully Open Organisation . . . . . 15

9.2.2 Open Organisation with Fallback . . . 15

9.2.3 Minimal-routing MTA . . . . . . 16

9.2.4 Organisation with Firewall . . . . . 16

9.2.5 Well Known Entry Points . . . . . 16

9.2.6 ADMD using the Open Community for Advertising 16

9.2.7 ADMD/PRMD gateway . . . . . . . 17

10 Routing Information 17

10.1 Multiple routing trees . . . . . . . 20

10.2 MTA Choice . . . . . . . . . . 22

10.3 Routing Filters . . . . . . . . . 25

10.4 Indirect Connectivity . . . . . . . 26

11 Local Addresses (UAs) 27

11.1 Searching for Local Users . . . . . . 30

12 Direct Lookup 30

13 Alternate Routes 30

13.1 Finding Alternate Routes . . . . . . . 30

13.2 Sharing routing information . . . . . . 31

14 Looking up Information in the Directory 31

15 Naming MTAs 33

15.1 Naming 1984 MTAs . . . . . . . . . 35

16 Attributes Associated with the MTA 35

17 Bilateral Agreements 36

18 MTA Selection 38

18.1 Dealing with protocol mismatches . . . . . 38

18.2 Supported Protocols . . . . . . . . 39

18.3 MTA Capability Restrictions . . . . . . 39

18.4 SuBTree Capability Restrictions . . . . . 40

19 MTA Pulling Messages 41

20 Security and Policy 42

20.1 Finding the Name of the Calling MTA . . . . 42

20.2 Authentication . . . . . . . . . 42

20.3 Authentication Information . . . . . . 44

21 Policy and Authorisation 46

21.1 Simple MTA Policy . . . . . . . . 46

21.2 Complex MTA Policy . . . . . . . . 47

22 Delivery 49

22.1 Redirects . . . . . . . . . . 49

22.2 Underspecified O/R Addresses . . . . . . 50

22.3 Non Delivery . . . . . . . . . . 51

22.4 Bad Addresses . . . . . . . . . 51

23 Submission 53

23.1 Normal Derivation . . . . . . . . 53

23.2 Roles and Groups . . . . . . . . . 53

24 Access Units 54

25 The Overall Routing Algorithm 54

26 Performance 55

27 Acknowledgements 55

28 References 56

29 Security Considerations 57

30 Author's Address 58

A Object Identifier Assignment 59

B Community Identifier Assignments 60

C Protocol Identifier Assignments 60

D ASN.1 Summary 61

E Regular Expression Syntax 71

List of Figures

1 Location of Routing Trees . . . . . . 12

2 Routing Tree Use Definition . . . . . . 14

3 Routing Information at a Node . . . . . 17

4 Indirect Access . . . . . . . . . 25

5 UA Attributes . . . . . . . . . 27

6 MTA Definitions . . . . . . . . . 33

7 MTA Bilateral Table Entry . . . . . . 36

8 Bilateral Table Attribute . . . . . . 37

9 Supported MTS Extensions . . . . . . . 39

10 Subtree Capability Restriction . . . . . 40

11 Pulling Messages . . . . . . . . . 41

12 Authentication Requirements . . . . . . 43

13 MTA Authentication Parameters . . . . . 45

14 Simple MTA Policy Specification . . . . . 46

15 Redirect Definition . . . . . . . . 48

16 Non Delivery Information . . . . . . . 50

17 Bad Address Pointers . . . . . . . . 52

18 Access Unit Attributes . . . . . . . 53

19 Object Identifier Assignment . . . . . . 59

20 Transport Community Object Identifier Assignments 60

21 Protocol Object Identifier Assignments . . . 61

22 ASN.1 Summary . . . . . . . . . 61

1. Introduction

MHS Routing is the problem of controlling the path of a message as it

traverses one or more MTAs to reach its destination recipients.

Routing starts with a recipient O/R Address, and parameters

associated with the message to be routed. It is assumed that this is

known a priori, or is derived at submission time as described in

Section 23.

The key problem in routing is to map from an O/R Address onto an MTA

(next hop). This shall be an MTA which in some sense is "nearer" to

the destination UA. This is done repeatedly until the message can be

directly delivered to the recipient UA. There are a number of things

which need to be considered to determine this. These are discussed

in the subsequent sections. A description of the overall routing

process is given in Section 25.

2. Goals

Application level routing for MHS is a complex procedure, with many

requirements. The following goals for the solution are set:

o Straightforward to manage. Non-trivial configuration of routing

for current message handling systems is a black art, often

involving gathering and processing many tables, and editing

complex configuration files. Many problems are solved in a very

ad hoc manner. Managing routing for MHS is the most serious

headache for most mail system managers.

o Economic, both in terms of network and computational resources.

o Robust. Errors and out of date information shall cause minimal

and localised damage.

o Deal with link failures. There needs to be some ability to choose

alternative routes. In general, it is desirable that the routing

approach be redundant.

o Load sharing. Information on routes shall allow "equal" routes

to be specified, and thus facilitate load sharing.

o Support format and protocol conversion

o Dynamic and automatic. There shall be no need for manual

propagation of tables or administrator intervention.

o Policy robust. It shall not allow specification of policies which

cause undesirable routing effects.

o Reasonably straightforward to implement.

o Deal with X.400, RFC822, and their interaction.

o Extensible to other mail architectures

o Recognise existing RFC822 routing, and coexist smoothly.

o Improve RFC822 routing capabilities. This is particularly

important for RFC822 sites not in the SMTP Internet.

o Deal correctly with different X.400 protocols (P1, P3, P7), and

with 1984, 1988 and 1992 versions.

o Support X.400 operation over multiple protocol stacks (TCP/IP,

CONS, CLNS) and in different communities.

o Messages shall be routed consistently. Alternate routing

strategies, which might introduce unexpected delay, shall be used

with care (e.g., routing through a protocol converter due to

unavailability of an MTA).

o Delay between message submission and delivery shall be minimised.

This has indirect impact on the routing approaches used.

o Interact sensibly with ADMD services.

o Be global in scope

o Routing strategy shall deal with a scale of order of magnitude

1,000,000 -- 100,000,000 MTAs.

o Routing strategy shall deal with of order 1,000,000 -- 100,000,000

Organisations.

o Information about alterations in topology shall propagate rapidly

to sites affected by the change.

o Removal, examination, or destruction of messages by third parties

shall be difficult. This is hard to quantify, but "difficult"

shall be comparable to the effort needed to break system security

on a typical MTA system.

o As with current Research Networks, it is recognised that

prevention of forged mail will not always be possible. However,

this shall be as hard as can be afforded.

o Sufficient tracing and logging shall be available to track down

security violations and faults.

o Optimisation of routing messages with multiple recipients, in

cases where this involves selection of preferred single recipient

routes.

The following are not initial goals:

o Advanced optimisation of routing messages with multiple

recipients, noting dependencies between the recipients to find

routes which would not have been chosen for any of the single

recipients.

o Dynamic load balancing. The approach does not give a means to

determine load. However, information on alternate routes is

provided, which is the static information needed for load

balancing.

3. Approach

A broad problem statement, and a survey of earlier approaches to the

problem is given in the COSINE Study on MHS Topology and Routing [8].

The interim (table-based) approach suggested in this study, whilst

not being followed in detail, broadly reflects what the research

X.400 (GO-MHS) community is doing. The evolving specification of the

RARE table format is defined in [5]. This document specifies the

envisaged longer term approach.

Some documents have made useful contributions to this work:

o A paper by the editor on MHS use of directory, which laid out the

broad approach of mapping the O/R Address space on to the DIT [7].

o Initial ISO Standardisation work on MHS use of Directory for

routing [19]. Subsequent ISO work in this area has drawn from

earlier drafts of this specification.

o The work of the VERDI Project [3].

o Work by Kevin Jordan of CDC [6].

o The routing approach of ACSNet [4, 17] paper. This gives useful

ideas on incremental routing, and replicating routing data.

o A lot of work on network routing is becoming increasingly

relevant. As the MHS routing problem increases in size, and

network routing increases in sophistication (e.g., policy based

routing), the two areas have increasing amounts in common. For

example, see [2].

4. Direct vs Indirect Connection

Two extreme approaches to routing connectivity are:

1. High connectivity between MTAs. An example of this is the way

the Domain Name Server system is used on the DARPA/NSF Internet.

Essentially, all MTAs are fully interconnected.

2. Low connectivity between MTAs. An example of this is the UUCP

network.

In general an intermediate approach is desirable. Too sparse a

connectivity is inefficient, and leads to undue delays. However,

full connectivity is not desirable, for the reasons discussed below.

A number of general issues related to relaying are now considered.

The reasons for avoiding relaying are clear. These include.

o Efficiency. If there is an open network, it is desirable that it

be used.

o Extra hops introduce delay, and increase the (very small)

possibility of message loss. As a basic principle, hop count

shall be minimised.

o Busy relays or Well Known Entry points can introduce high delay

and lead to single point of failure.

o If there is only one hop, it is straightforward for the user to

monitor progress of messages submitted. If a message is delayed,

the user can take appropriate action.

o Many users like the security of direct transmission. It is an

argument often given very strongly for use of SMTP.

Despite these very powerful arguments, there are a number of reasons

why some level of relaying is desirable:

o Charge optimisation. If there is an expensive network/link to be

traversed, it may make sense to restrict its usage to a small

number of MTAs. This would allow for optimisation with respect to

the charging policy of this link.

o Copy optimisation. If a message is being sent to two remote MTAs

which are close together, it is usually optimal to send the

message to one of the MTAs (for both recipients), and let it pass

a copy to the other MTA.

o To access an intermediate MTA for some value added service. In

particular for:

-- Message Format Conversion

-- Distribution List expansion

o Dealing with different protocols. The store and forward approach

allows for straightforward conversion. Relevant cases include:

-- Provision of X.400 over different OSI Stacks (e.g.,

Connectionless Network Service).

-- Use of a different version of X.400.

-- Interaction with non-X.400 mail services

o To compensate for inadequate directory services: If tables are

maintained in an ad hoc manner, the manual effort to gain full

connectivity is too high.

o To hide complexity of structure. If an organisation has many

MTAs, it may still be advantageous to advertise a single entry

point to the outside world. It will be more efficient to have an

extra hop, than to (widely) distribute the information required to

connect directly. This will also encourage stability, as

organisations need to change internal structure much more

frequently than their external entry points. For many

organisations, establishing such firewalls is high priority.

o To handle authorisation, charging and security issues. In

general, it is desirable to deal with user oriented authorisation

at the application level. This is essential when MHS specific

parameters shall be taken into consideration. It may well be

beneficial for organisations to have a single MTA providing access

to the external world, which can apply a uniform access policy

(e.g., as to which people are allowed access). This would be

particularly true in a multi-vendor environment, where different

systems would otherwise have to enforce the same policy --- using

different vendor-specific mechanisms.

In summary there are strong reasons for an intermediate approach.

This will be achieved by providing mechanisms for both direct and

indirect connectivity. The manager of a configuration will then be

able to make appropriate choices for the environment.

Two models of managing large scale routing have evolved:

1. Use of a global directory/database. This is the approach

proposed here.

2. Use of a routing table in each MTA, which is managed either by a

management protocol or by directory. This is coupled with means

to exchange routing information between MTAs. This approach is

more analogous to how network level routing is commonly performed.

It has good characteristics in terms of managing links and

dealing with link related policy. However, it assumes limited

connectivity and does not adapt well to a network environment

with high connectivity available.

5. X.400 and RFC822

This document defines mechanisms for X.400 message routing. It is

important that this can be integrated with RFC822 based routing, as

many MTAs will work in both communities. This routing document is

written with this problem in mind, and some work to verify this has

been done. support for RFC822 routing using the same basic

infrastructure is defined in a companion document [13]. In addition

support for X.400/RFC822 gatewaying is needed, to support

interaction. Directory based mechanisms for this are defined in

[16]. The advantages of the approach defined by this set of

specifications are:

o Uniform management for sites which wish to support both protocols.

o Simpler management for gateways.

o Improved routing services for RFC822 only sites.

For sites which are only X.400 or only RFC822, the mechanisms

associated with gatewaying or with the other form of addressing are

not needed.

6. Objects

It is useful to start with a manager's perspective. Here is the set

of object classes used in this specification. It is important that

all information entered relates to something which is being managed.

If this is achieved, configuration decisions are much more likely to

be correct. In the examples, distinguished names are written using

the String Syntax for Distinguished Names [11]. The list of objects

used in this specification is:

User An entry representing a single human user. This will typically

be named in an organisational context. For example:

CN=Edgar Smythe,

O=Zydeco Services, C=GB

This entry would have associated information, such as telephone

number, postal address, and mailbox.

MTA A Message Transfer Agent. In general, the binding between

machines and MTAs will be complex. Often a small number of MTAs

will be used to support many machines, by use of local approaches

such as shared filestores. MTAs may support multiple protocols,

and will identify separate addressing information for each

protocol.

To achieve support for multiple protocols, an MTA is modelled as

an Application Process, which is named in the directory. Each MTA

will have one or more associated Application Entities. Each

Application Entity is named as a child of the Application Process,

using a common name which conveniently identifies the Application

Entity relative to the Application Process. Each Application

Entity supports a single protocol, although different Application

Entities may support the same protocol. Where an MTA only

supports one protocol or where the addressing information for all

of the protocols supported have different attributes to represent

addressing information (e.g., P1(88) and SMTP) the Application

Entity(ies) may be represented by the single Application Process

entry.

User Agent (Mailbox) This defines the User Agent (UA) to which mail

may be delivered. This will define the account with which the UA

is associated, and may also point to the user(s) associated with

the UA. It will identify which MTAs are able to access the UA.

(In the formal X.400 model, there will be a single MTA delivering

to a UA. In many practical configurations, multiple MTAs can

deliver to a single UA. This will increase robustness, and is

desirable.)

Role Some organisational function. For example:

CN=System Manager, OU=Sales,

O=Zydeco Services, C=GB

The associated entry would indicate the occupant of the role.

Distribution Lists There would be an entry representing the

distribution list, with information about the list, the manger,

and members of the list.

7. Communities

There are two basic types of agreement in which an MTA may participate

in order to facilitate routing:

Bilateral Agreements An agreement between a pair of MTAs to route

certain types of traffic. This MTA pair agreement usually

reflects some form of special agreement and in general bilateral

information shall be held for the link at both ends. In some

cases, this information shall be private.

Open Agreements An agreement between a collection of MTAs to behave

in a cooperative fashion to route traffic. This may be viewed as

a general bilateral agreement.

It is important to ensure that there are sufficient agreements in

place for all messages to be routed. This will usually be done by

having agreements which correspond to the addressing hierarchy. For

X.400, this is the model where a PRMD connects to an ADMD, and the

ADMD provides the inter PRMD connectivity, by the ability to route to

all other ADMDs. Other agreements may be added to this hierarchy, in

order to improve the efficiency of routing. In general, there may be

valid addresses, which cannot be routed to, either for connectivity

or policy reasons.

We model these two types of agreements as communities. A community

is a scope in which an MTA advertises its services and learns about

other services. Each MTA will:

1. Register its services in one or more communities.

2. Look up services in one or more communities.

In most cases an MTA will deal with a very small number of

communities --- very often one only. There are a number of different

types of community.

The open community This is a public/global scope. It reflects

routing information which is made available to any MTA which

wishes to use it.

The local community This is the scope of a single MTA. It reflects

routing information private to the MTA. It will contain an MTA's

view of the set of bilateral agreements in which it participates,

and routing information private and local to the MTA.

Hierarchical communities A hierarchical community is a subtree of the

O/R Address tree. For example, it might be a management domain,

an organisation, or an organisational unit. This sort of

community will allow for firewalls to be established. A community

can have complex internal structure, and register a small subset

of that in the open community.

Closed communities A closed community is a set of MTAs which agrees

to route amongst themselves. Examples of this might be ADMDs

within a country, or a set of PRMDs representing the same

organisation in multiple countries.

Formally, a community indicates the scope over which a service is

advertised. In practice, it will tend to reflect the scope of

services offered. It does not make sense to offer a public service,

and only advertise it locally. Public advertising of a private

service makes more sense, and this is shown below. In general,

having a community offer services corresponding to the scope in which

they are advertised will lead to routing efficiency. Examples of how

communities can be used to implement a range of routing policies are

given in Section 9.2.

8. Routing Trees

Communities are a useful abstract definition of the routing approach

taken by this specification. Each community is represented in the

directory as a routing tree. There will be many routing trees

instantiated in the directory. Typically, an MTA will only be

registered in and make use of a small number of routing trees. In

most cases, it will register in and use the same set of routing

trees.

8.1 Routing Tree Definition

Each community has a model of the O/R address space. Within a

community, there is a general model of what to do with a given O/R

Address. This is structured hierarchically, according to the O/R

address hierarchy. A community can register different possible

actions, depending on the depth of match. This might include

identifying the MTA associated with a UA which is matched fully, and

providing a default route for an O/R address where there is no match

in the community --- and all intermediate forms. The name structure

of a routing tree follows the O/R address hierarchy, which is

specified in a separate document [15]. Where there is any routing

action associated with a node in a routing tree, the node is of

object class routingInformation, as defined in Section 10.

8.2 The Open Community Routing Tree

The routing tree of the open community starts at the root of the DIT.

This routing tree also serves the special function of instantiating

the global O/R Address space in the Directory. Thus, if a UA wishes

to publish information to the world, this hierarchy allows it to do

so.

The O/R Address hierarchy is a registered tree, which may be

instantiated in the directory. Names at all points in the tree are

valid, and there is no requirement that the namespace is instantiated

by the owner of the name. For example, a PRMD may make an entry in

the DIT, even if the ADMD above it does not. In this case, there

will be a "skeletal" entry for the ADMD, which is used to hang the

PRMD entry in place. The skeletal entry contains the minimum number

of entries which are needed for it to exist in the DIT (Object Class

and Attribute information needed for the relative distinguished

name). This entry may be placed there solely to support the

subordinate entry, as its existence is inferred by the subordinate

entry. Only the owner of the entry may place information into it.

An analogous situation in current operational practice is to make DIT

entries for Countries and US States.

---------------------------------------------------------------------

routingTreeRoot OBJECT-CLASS ::= {

SUBCLASS OF {routingInformationsubtree}

ID oc-routing-tree-root}

Figure 1: Location of Routing Trees

---------------------------------------------------------------------

8.3 Routing Tree Location

All routing trees follow the same O/R address hierarchy. Routing

trees other than the open community routing tree are rooted at

arbitrary parts of the DIT. These routing trees are instantiated

using the subtree mechanism defined in the companion document

"Representing Tables and Subtrees in the Directory" [15]. A routing

tree is identified by the point at which it is rooted. An MTA will

use a list of routing trees, as determined by the mechanism described

in Section 9. Routing trees may be located in either the

organisational or O/R address structured part of the DIT. All routing

trees, other than the open community routing tree, are rooted by an

entry of object class routingTreeRoot, as defined in Figure 1.

8.4 Example Routing Trees

Consider routing trees with entries for O/R Address:

P=ABC; A=XYZMail; C=GB;

In the open community routing tree, this would have a distinguished

name of:

PRMD=ABC, ADMD=XYZMail, C=GB

Consider a routing tree which is private to:

O=Zydeco Services, C=GB

They might choose to label a routing tree root "Zydeco Routing Tree",

which would lead to a routing tree root of:

CN=Zydeco Routing Tree, O=Zydeco Services, C=GB

The O/R address in question would be stored in this routing tree as:

PRMD=ABC, ADMD=XYZMail

C=GB, CN=Zydeco Routing Tree,

O=Zydeco Services, C=GB

8.5 Use of Routing Trees to look up Information

Lookup of an O/R address in a routing tree is done as follows:

1. Map the O/R address onto the O/R address hierarchy described in

[15] in order to generate a Distinguished Name.

2. Append this to the Distinguished Name of the routing tree, and

then look up the whole name.

3. Handling of errors will depend on the application of the lookup,

and is discussed later.

Note that it is valid to look up a null O/R Address, as the routing

tree root may contain default routing information for the routing

tree. This is held in the root entry of the routing tree, which is a

subclass of routingInformation. The open community routing tree does

not have a default.

Routing trees may have aliases into other routing trees. This will

typically be done to optimise lookups from the first routing tree

which a given MTA uses. Lookup needs to take account of this.

9. Routing Tree Selection

The list of routing trees which a given MTA uses will be represented

in the directory. This uses the attribute defined in Figure 2.

---------------------------------------------------------------------

routingTreeList ATTRIBUTE ::= {

WITH SYNTAX RoutingTreeList

SINGLE VALUE

ID at-routing-tree-list}

RoutingTreeList ::= SEQUENCE OF RoutingTreeName

RoutingTreeName ::= DistinguishedName

Figure 2: Routing Tree Use Definition

---------------------------------------------------------------------

This attribute defines the routing trees used by an MTA, and the

order in which they are used. Holding these in the directory eases

configuration management. It also enables an MTA to calculate the

routing choice of any other MTA which follows this specification,

provided that none of its routing trees have access restrictions.

This will facilitate debugging routing problems.

9.1 Routing Tree Order

The order in which routing trees are used will be critical to the

operation of this algorithm. A common approach will be:

1. Access one or more shared private routing trees to access private

routing information.

2. Utilise the open routing tree.

3. Fall back to a default route from one of the private routing

trees.

Initially, the open routing tree will be very sparse, and there will

be little routing information in ADMD level nodes. Access to many

services will only be via ADMD services, which in turn will only be

accessible via private links. For most MTAs, the fallback routing

will be important, in order to gain access to an MTA which has the

right private connections configured.

In general, for a site, UAs will be registered in one routing tree

only, in order to avoid duplication. They may be placed into other

routing trees by use of aliases, in order to gain performance. For

some sites, Users and UAs with a 1:1 mapping will be mapped onto

single entries by use of aliases.

9.2 Example use of Routing Trees

Some examples of how this structure might be used are now given.

Many other combinations are possible to suit organisational

requirements.

9.2.1 Fully Open Organisation

The simplest usage is to place all routing information in the open

community routing tree. An organisation will simply establish O/R

addresses for all of its UAs in the open community tree, each

registering its supporting MTA. This will give access to all systems

accessible from this open community.

9.2.2 Open Organisation with Fallback

In practice, some MTAs and MDs will not be directly reachable from

the open community (e.g., ADMDs with a strong model of bilateral

agreements). These services will only be available to

users/communities with appropriate agreements in place. Therefore it

will be useful to have a second (local) routing tree, containing only

the name of the fallback MTA at its root. In many cases, this

fallback would be to an ADMD connection.

Thus, open routing will be tried first, and if this fails the message

will be routed to a single selected MTA.

9.2.3 Minimal-routing MTA

The simplest approach to routing for an MTA is to deliver messages to

associated users, and send everything else to another MTA (possibly

with backup).

An organisation using MTAs with this approach will register its users

as for the fully open organisation. A single routing tree will be

established, with the name of the organisation being aliased into the

open community routing tree. Thus the MTA will correctly identify

local users, but use a fallback mechanism for all other addresses.

9.2.4 Organisation with Firewall

An organisation can establish an organisation community to build a

firewall, with the overall organisation being registered in the open

community. This is an important structure, which it is important to

support cleanly.

o Some MTAs are registered in the open community routing tree to

give access into the organisation. This will include the O/R tree

down to the organisational level. Full O/R Address verification

will not take place externally.

o All users are registered in a private (organisational) routing

tree.

o All MTAs in the organisation are registered in the organisation's

private routing tree, and access information in the organisation's

community. This gives full internal connectivity.

o Some MTAs in the organisation access the open community routing

tree. These MTAs take traffic from the organisation to the

outside world. These will often be the same MTAs that are

externally advertised.

9.2.5 Well Known Entry Points

Well known entry points will be used to provide access to countries

and MDs which are oriented to private links. A private routing tree

will be established, which indicates these links. This tree would be

shared by the well known entry points.

9.2.6 ADMD using the Open Community for Advertising

An ADMD uses the open community for advertising. It advertises its

existence and also restrictive policy. This will be useful for:

o Address validation

o Advertising the mechanism for a bilateral link to be established

9.2.7 ADMD/PRMD gateway

An MTA provides a gateway from a PRMD to an ADMD. It is important to

note that many X.400 MDs will not use the directory. This is quite

legitimate. This technique can be used to register access into such

communities from those that use the directory.

o The MTA registers the ADMD in its local community (private link)

o The MTA registers itself in the PRMD's community to give access to

the ADMD.

10. Routing Information

Routing trees are defined in the previous section, and are used as a

framework to hold routing information. Each node, other than a

skeletal one, in a routing tree has information associated with it,

which is defined by the object class routingInformation in Figure 3.

This structure is fundamental to the operation of this specification,

and it is recommended that it be studied with care.

---------------------------------------------------------------------

routingInformation OBJECT-CLASS ::= {

SUBCLASS OF top

KIND auxiliary

MAY CONTAIN {

subtreeInformation

routingFilter

routingFailureAction

mTAInfo

accessMD 10

nonDeliveryInfo

badAddressSearchPoint

badAddressSearchAttributes}

ID oc-routing-information}

-- No naming attributes as this is not a

-- structural object class

subtreeInformation ATTRIBUTE ::= { 20

WITH SYNTAX SubtreeInfo

SINGLE VALUE

ID at-subtree-information}

SubtreeInfo ::= ENUMERATED {

all-children-present(0),

not-all-children-present(1) }

routingFilter ATTRIBUTE ::= { 30

WITH SYNTAX RoutingFilter

ID at-routing-filter}

RoutingFilter ::= SEQUENCE{

attribute-type OBJECT-IDENTIFIER,

weight RouteWeight,

dda-key String OPTIONAL,

regex-match IA5String OPTIONAL,

node DistinguishedName } 40

String ::= CHOICE {PrintableString, TeletexString}

routingFailureAction ATTRIBUTE ::= {

WITH SYNTAX RoutingFailureAction

SINGLE VALUE

ID at-routing-failure-action}

RoutingFailureAction ::= ENUMERATED {

next-level(0), 50

next-tree-only(1),

next-tree-first(2),

stop(3) }

mTAInfo ATTRIBUTE ::= {

WITH SYNTAX MTAInfo

ID at-mta-info}

MTAInfo ::= SEQUENCE { 60

name DistinguishedName,

weight [1] RouteWeight DEFAULT preferred-access,

mta-attributes [2] SET OF Attribute OPTIONAL,

ae-info SEQUENCE OF SEQUENCE {

aEQualifier PrintableString,

ae-weight RouteWeight DEFAULT preferred-access,

ae-attributes SET OF Attribute OPTIONAL} OPTIONAL

}

RouteWeight ::= INTEGER {endpoint(0), 70

preferred-access(5),

backup(10)} (0..20)

Figure 3: Routing Information at a Node

---------------------------------------------------------------------

For example, information might be associated with the (PRMD) node:

PRMD=ABC, ADMD=XYZMail, C=GB

If this node was in the open community routing tree, then the

information represents information published by the owner of the PRMD

relating to public access to that PRMD. If this node was present in

another routing tree, it would represent information published by the

owner of the routing tree about access information to the referenced

PRMD. The attributes associated with a routingInformation node

provide the following information:

Implicit That the node corresponds to a partial or entire valid O/R

address. This is implicit in the existence of the entry.

Object Class If the node is a UA. This will be true if the node is of

object class routedUA. This is described further in Section 11.

If it is not of this object class, it is an intermediate node in

the O/R Address hierarchy.

routingFilter A set of routing filters, defined by the routingFilter

attribute. This attribute provides for routing on information in

the unmatched part of the O/R Address. This is described in

Section 10.3.

subtreeInformation Whether or not the node is authoritative for the

level below is specified by the subtreeInformation attribute. If

it is authoritative, indicated by the value all-children-present,

this will give the basis for (permanently) rejecting invalid O/R

Addresses. The attribute is encoded as enumerated, as it may be

later possible to add partial authority (e.g., for certain

attribute types). If this attribute is missing, the node is

assumed to be non-authoritative (not-all-children-present).

The value all-children-present simply means that all of the child

entries are present, and that this can be used to determine

invalid addresses. There are no implications about the presence

of routing information. Thus it is possible to verify an entire

address, but only to route on one of the higher level components.

For example, consider the node:

MHS-O=Zydeco, PRMD=ABC, ADMD=XYZMail, C=GB

An organisation which has a bilateral agreement with this

organisation has this entry in its routing tree, with no children

entries. This is marked as non-authoritative. There is a second

routing tree maintained by Zydeco, which contains all of the

children of this node, and is marked as authoritative. When

considering an O/R Address

MHS-G=Random + MHS-S=Unknown, MHS-O=Zydeco,

PRMD=ABC, ADMD=XYZMail, C=GB

only the second, authoritative, routing tree can be used to

determine that this address is invalid. In practice, the manager

configuring the non-authoritative tree, will be able to select

whether an MTA using this tree will proceed to full verification,

or route based on the partially verified information.

mTAInfo A list of MTAs and associated information defined by the

mTAInfo attribute. This information is discussed further in

Sections 15 and 18. This information is the key information

associated with the node. When a node is matched in a lookup, it

indicates the validity of the route, and a set of MTAs to connect

to. Selection of MTAs is discussed in Sections 18 and

Section 10.2.

routingFailureAction An action to be taken if none of the MTAs can be

used directly (or if there are no MTAs present) is defined by the

routingFailureAction attribute. Use of this attribute and

multiple routing trees is described in Section 10.1.

accessMD The accessMD attribute is discussed in Section 10.4. This

attribute is used to indicate MDs which provide indirect access

to the part of the tree that is being routed to.

badAddressSearchPoint/badAddressSearchAttributes The

badAddressSearchPoint and badAddressSearchAttributes are

discussed in Section 17. This attribute is for when an address

has been rejected, and allows information on alternative addresses

to be found.

10.1 Multiple routing trees

A routing decision will usually be made on the basis of information

contained within multiple routing trees. This section describes the

algorithms relating to use of multiple routing trees. Issues

relating to the use of X.500 and handling of errors is discussed in

Section 14. The routing decision works by examining a series of

entries (nodes) in one or more routing trees. This information is

summarised in Figure 3. Each entry may contain information on

possible next-hop MTAs. When an entry is found which enables the

message to be routed, one of the routing options determined at this

point is selected, and a routing decision is made. It is possible

that further entries may be examined, in order to determine other

routing options. This sort of heuristic is not discussed here.

When a single routing tree is used, the longest possible match based

on the O/R address to be routed to is found. This entry, and then

each of its parents in turn is considered, ending with the routing

tree root node (except in the case of the open routing tree, which

does not have such a node). When multiple routing trees are

considered, the basic approach is to treat them in a defined order.

This is supplemented by a mechanism whereby if a matched node cannot

be used directly, the routing algorithm will have the choice to move

up a level in the current routing tree, or to move on to the next

routing tree with an option to move back to the first tree later.

This option to move back is to allow for the common case where a tree

is used to specify two things:

1. Routing information private to the MTA (e.g., local UAs or routing

info for bilateral links).

2. Default routing information for the case where other routing has

failed.

The actions allow for a tree to be followed, for the private

information, then for other trees to be used, and finally to fall

back to the default situation. For very complex configurations it

might be necessary to split this into two trees. The options defined

by routingFailureAction, to be used when the information in the entry

does not enable a direct route, are:

next-level Move up a level in the current routing tree. This is the

action implied if the attribute is omitted. This will usually be

the best action in the open community routing tree.

next-tree-only Move to the next tree, and do no further processing on

the current tree. This will be useful optimisation for a routing

tree where it is known that there is no useful additional routing

information higher in the routing tree.

next-tree-first Move to the next tree, and then default back to the

next level in this tree when all processing is completed on

subsequent trees. This will be useful for an MTA to operate in

the sequence:

1. Check for optimised private routes

2. Try other available information

3. Fall back to a local default route

stop This address is unroutable. No processing shall be done in any

trees.

For the root entry of a routing tree, the default action and next-

level are interpreted as next-tree-only.

10.2 MTA Choice

This section considers how the choice between alternate MTAs is made.

First, it is useful to consider the conditions why an MTA is entered

into a node of the routing tree:

o The manager for the node of the tree shall place it there. This

is a formality, but critical in terms of overall authority.

o The MTA manager shall agree to it being placed there. For a well

operated MTA, the access policy of the MTA will be set to enforce

this.

o The MTA will in general (for some class of message) be prepared

to route to any valid O/R address in the subtree implied by the

address. The only exception to this is where the MTA will route

to a subset of the tree which cannot easily be expressed by

making entries at the level below. An example might be an MTA

prepared to route to all of the subtree, with certain explicit

exceptions.

Information on each MTA is stored in an mTAInfo attribute, which is

defined in Figure 3. This attribute contains:

name The Distinguished Name of the MTA (Application Process)

weight A weighting factor (Route Weight) which gives a basis to

choose between different MTAs. This is described in Section 10.2.

mta-attributes Attributes from the MTA's entry. Information on the

MTA will always be stored in the MTA's entry. The MTA is

represented here as a structure, which enables some of this entry

information to be represented in the routing node. This is

effectively a maintained cache, and can lead to considerable

performance optimisation. For example if ten MTAs were

represented at a node, another MTA making a routing decision might

need to make ten directory reads in order to obtain the

information needed. If any attributes are present here, all of

the attributes needed to make a routing decision shall be

included, and also all attributes at the Application Entity level.

ae-info Where an MTA supports a single protocol only, or the

protocols it supports have address information that can be

represented in non-conflicting attributes, then the MTA may be

represented as an application process only. In this case, the

ae-info structure which gives information on associated

application entities may be omitted, as the MTA is represented by

a single application entity which has the same name as the

application process. In other cases, the names of all application

entities shall be included. A weight is associated with each

application entity to allow the MTA to indicate a preference

between its application entities.

The structure of information within ae-info is as follows:

ae-qualifier A printable string (e.g., "x400-88"), which is the

value of the common name of the relative distinguished name of the

application entity. This can be used with the application process

name to derive the application entity title.

ae-weight A weighting factor (Route Weight) which gives a basis to

choose between different Application Entities (not between

different MTAs). This is described below.

ae-attributes Attributes from the AEs entry.

Information in the mta-attributes and ae-info is present as a

performance optimisation, so that routing choices can be made with a

much smaller number of directory operations. Using this information,

whose presence is optional, is equivalent to looking up the

information in the MTA. If this information is present, it shall be

maintained to be the same as that information stored in the MTA

entry. Despite this maintenence requirement, use of this performance

optimisation data is optional, and the information may always be

looked up from the MTA entry.

Note: It has been suggested that substantial performance optimisation

will be achieved by caching, and that the performance gained

from maintaining these attributes does not justify the effort

of maintaining the entries. If this is borne out by

operational experience, this will be reflected in future

versions of this specification.

Route weighting is a mechanism to distinguish between different route

choices. A routing weight may be associated with the MTA in the

context of a routing tree entry. This is because routing weight will

always be context dependent. This will allow machines which have

other functions to be used as backup MTAs. The Route Weight is an

integer in range 0--20. The lower the value, the better the choice

of MTA. Where the weight is equal, and no other factors apply, the

choice between the MTAs shall be random to facilitate load balancing.

If the MTA itself is in the list, it shall only route to an MTA of

lower weight. The exact values will be chosen by the manager of the

relevant part of the routing tree. For guidance, three fixed points

are given:

o 0. For an MTA which can deliver directly to the entire subtree

implied by the position in the routing tree.

o 5. For an MTA which is preferred for this point in the subtree.

o 10. For a backup MTA.

When an organisation registers in multiple routing trees, the route

weight used is dependent on the context of the subtree. In general

it is not possible to compare weights between subtrees. In some

cases, use of route weighting can be used to divert traffic away from

expensive links.

Attributes present in an MTA Entry are defined in various parts of

this specification. A summary and pointers to these sections is

given in Section 16.

Attributes that are available in the MTA entry and will be needed for

making a routing choice are:

protocolInformation

applicationContext

mhs-deliverable-content-length

responderAuthenticationRequirements

initiatorAuthenticationRequirements

responderPullingAuthenticationRequirements

initiatorPullingAuthenticationRequirements

initiatorP1Mode

responderP1Mode

polledMTAs Current MTA shall be in list if message is to be pulled.

mTAsAllowedToPoll

supportedMTSExtensions

If any MTA attributes are present in the mTAInfo attribute, all of

the attributes that may affect routing choice shall be present.

Other attributes may be present. A full list of MTA attributes, with

summaries of their descriptions are given in Section 16, with a

formal definition in Figure 6.

10.3 Routing Filters

This attribute provides for routing on information in the unmatched

part of the O/R Address, including:

o Routing on the basis of an O/R Address component type

o Routing on the basis of a substring match of an O/R address

component. This might be used to route X121 addressed faxes to

an appropriate MTA.

When present, the procedures of analysing the routing filters shall

be followed before other actions. The routing filter overrides

mTAInfo and accessMD attributes, which means that the routing filter

must be considered first. Only in the event that no routing filters

match shall the mTAInfo and accessMD attributes be considered. The

components of the routingFilter attribute are:

---------------------------------------------------------------------

attribute-type This gives the attribute type to be matched, and is

selected from the attribute types which have not been matched to

identify the routing entry. The filter applies to this attribute

type. If there is no regular expression present (as defined

below), the filter is true if the attribute is present. The

value is the object identifier of the X.500 attribute type

(e.g., at-prmd-name).

weight This gives the weight of the filter, which is encoded as a

Route Weight, with lower values indicating higher priority. If

multiple filters match, the weight of each matched filter is used

to select between them. If the weight is the same, then a random

choice shall be made.

dda-key If the attribute is domain defined, then this parameter may

be used to identify the key.

accessMD ATTRIBUTE ::= {

SUBTYPE OF distinguishedName

ID at-access-md}

Figure 4: Indirect Access

---------------------------------------------------------------------

regex-match This string is used to give a regular expression match on

the attribute value. The syntax for regular expressions is

defined in Appendix E.

node This distinguished name specifies the entry which holds routing

information for the filter. It shall be an entry with object

class routingInformation, which can be used to determine the MTA

or MTA choice. All of the attributes from this entry should be

used, as if they had been directly returned from the current entry

(i.e., the procedure recurses). The current entry does not set

defaults.

An example of use of routing filters is now given, showing how to

route on X121 address to a fax gateway in Germany. Consider the

routing point.

PRMD=ABC, ADMD=XYZMail, C=GB

The entry associated would have two routing filters:

1. One with type x121 and no regular expression, to route a default

fax gateway.

2. One with type x121 and a regular expression ^9262 to route all

German faxes to a fax gateway located in Germany with which there

is a bilateral agreement. This would have a lower weight, so that

it would be selected over the default fax gateway.

10.4 Indirect Connectivity

In some cases a part of the O/R Address space will be accessed

indirectly. For example, an ADMD without access from the open

community might have an agreement with another MD to provide this

access. This is achieved by use of the accessMD attribute defined in

Figure 4. If this attribute is found, the routing algorithm shall

read the entry pointed to by this distinguished name. It shall be an

entry with object class routingInformation, which can be used to

determine the MTA or MTA choice and route according to the

information retrieve to this access MD. All of the attributes from

this entry should be used, as if they had been directly returned from

the current entry (i.e., the procedure recurses). The current entry

does not set defaults.

The attribute is called an MD, as this is descriptive of its normal

use. It might point to a more closely defined part of the O/R

Address space.

It is possible for both access MD and MTAs to be specified. This

might be done if the MTAs only support access over a restricted set

of transport stacks. In this case, the access MD shall only be

routed to if it is not possible to route to any of the MTAs.

This structure can also be used as an optimisation, where a set of

MTAs provides access to several parts of the O/R Address space.

Rather than repeat the MTA information (list of MTAs) in each

reference to the MD, a single access MD is used as a means of

grouping the MTAs. The value of the Distinguished Name of the access

MD will probably not be meaningful in this case (e.g., it might be

the name "Access MTA List", within the organisation.)

If the MTA routing is unable to access the information in the Access

MD due to directory security restrictions, the routing algorithm

shall continue as if no MTA information was located in the routing

entry.

11. Local Addresses (UAs)

Local addresses (UAs) are a special case for routing: the endpoint.

The definition of the routedUA object class is given in Figure 5.

This identifies a User Agent in a routing tree. This is needed for

several reasons:

---------------------------------------------------------------------

routedUA OBJECT-CLASS ::= {

SUBCLASS OF {routingInformation}

KIND auxiliary

MAY CONTAIN {

-- from X.402

mhs-deliverable-content-length

mhs-deliverable-content-types

mhs-deliverable-eits

mhs-message-store 10

mhs-preferred-delivery-methods

-- defined here

supportedExtensions

redirect

supportingMTA

userName

nonDeliveryInfo}

ID oc-routed-ua}

supportedExtensions ATTRIBUTE ::= { 20

SUBTYPE OF objectIdentifier

ID at-supported-extensions}

supportingMTA ATTRIBUTE ::= {

SUBTYPE OF mTAInfo

ID at-supporting-mta}

userName ATTRIBUTE ::= {

SUBTYPE OF distinguishedName

ID at-user-name} 30

Figure 5: UA Attributes

---------------------------------------------------------------------

1. To allow UAs to be defined without having an entry in another part

of the DIT.

2. To identify which (leaf and non-leaf) nodes in a routing tree are

User Agents. In a pure X.400 environment, a UA (as distinct from

a connecting part of the O/R address space) is simply identified

by object class. Thus an organisation entry can itself be a UA. A

UA need not be a leaf, and can thus have children in the tree.

3. To allow UA parameters as defined in X.402 (e.g., the

mhs-deliverable-eits) to be determined efficiently from the

routing tree, without having to go to the user's entry.

4. To provide access to other information associated with the UA, as

defined below.

The following attributes are defined associated with the UA.

supportedExtensions MTS extensions supported by the MTA, which affect

delivery.

supportingMTA The MTAs which support a UA directly are noted in the

supportingMTA attribute, which may be multi-valued. In the X.400

model, only one MTA is associated with a UA. In practice, it is

possible and useful for several MTAs to be able to deliver to a

single UA. This attribute is a subtype of mTAInfo, and it defines

access information for an MTA which is able to deliver to the UA.

There may also be an mTAInfo attribute in the entry.

Components of the supportingMTA attribute are interpreted in the

same manner as mtaInfo is for routing, with one exception. The

values of the Route Weight are interpreted in the following

manner:

o 0. A preferred MTA for delivery.

o 5. A backup MTA.

o 10. A backup MTA, which is not presferred.

The supportingMTA attribute shall be present, unless the address

is being non-delivered or redirected, in which case it may be

omitted.

redirect The redirect attribute controls redirects, as described in

Section 22.1.

userName The attribute userName points to the distinguished Name of

the user, as defined by the mhs-user in X.402. The pointer from

the user to the O/R Address is achieved by the mhs-or-addresses

attribute. This makes the UA/User linkage symmetrical.

nonDeliveryInfo The attribute nonDeliveryInfo mandates non-delivery

to this address, as described in Section 22.3.

When routing to a UA, an MTA will read the supportingMTA attribute.

If it finds its own name present, it will know that the UA is local,

and invoke appropriate procedures for local delivery (e.g., co-

resident or P3 access information). The cost of holding these

attributes for each UA at a site will often be reduced by use of

shared attributes (as defined in X.500(93)).

Misconfiguration of the supportingMTA attribute could have serious

operational and possibly security problems, although for the most

part no worse than general routing configuration problems. An MTA

using this attribute may choose to perform certain sanity checks,

which might be to verify the routing tree or subtree that the entry

resides in.

The linkage between the UA and User entries was noted above. It is

also possible to use a single entry for both User and UA, as there is

no conflict between the attributes in each of the objects. In this

case, the entries shall be in one part of the DIT, with aliases from

the other. Because the UA and User are named with different

attributes, the aliases shall be at the leaf level.

11.1 Searching for Local Users

The approach defined in this specification performs all routing by

use of reads. This is done for performance reasons, as it is a

reasonable expectation that all DSA implementations will support a

high performance read operation. For local routing only, an MTA in

cooperation with the provider of the local routing tree may choose to

use a search operation to perform routing. The major benefit of this

is that there will not be a need to store aliases for alternate

names, and so the directory storage requirement and alias management

will be reduced. The difficulty with this approach is that it is

hard to define search criteria that would be effective in all

situations and well supported by all DUAs. There are also issues

about determining the validity of a route on the basis of partial

matches.

12. Direct Lookup

Where an O/R address is registered in the open community and has one

or more "open" MTAs which support it, this will be optimised by

storing MTA information in the O/R address entry. In general, the

Directory will support this by use of attribute inheritance or an

implementation will optimise the storage or repeated information, and

so there will not be a large storage overhead implied. This is a

function of the basic routing approach. As a further optimisation of

this case, the User's distinguished name entry may contain the

mTAInfo attribute. This can be looked up from the distinguished

name, and thus routing on submission can be achieved by use of a

single read.

Note: This performance optimisation has a management overhead, and

further experience is needed to determine if the effort

justifies the performance improvement.

13. Alternate Routes

13.1 Finding Alternate Routes

The routing algorithm selects a single MTA to be routed to. It could

be extended to find alternate routes to a single MTA with possibly

different weights. How far this is done is a local configuration

choice. Provision of backup routing is desirable, and leads to

robust service, but excessive use of alternate routing is not usually

beneficial. It will often force messages onto convoluted paths, when

there was only a short outage on the preferred path. It is important

to note that this strategy will lead to picking the first acceptable

route. It is important to configure the routing trees so that the

first route identified will also be the best route.

13.2 Sharing routing information

So far, only single addresses have been considered. Improving

routing choice for multiple addresses is analogous to dealing with

multiple routes. This section defines an optional improvement. When

multiple addresses are present, and alternate routes are available,

the preferred routes may be chosen so as to maximise the number of

recipients sent with each message.

Specification of routing trees can facilitate this optimisation.

Suppose there is a set of addresses (e.g., in an organisation) which

have different MTAs, but have access to an MTA which will do local

switching. If each address is registered with the optimal MTA as

preferred, but has the "hub" MTA registered with a higher route

weight, then optimisation may occur when a message is sent to

multiple addresses in the group.

14. Looking up Information in the Directory

The description so far has been abstract about lookup of information.

This section considers how information is looked up in the Directory.

Consider that an O/R Address is presented for lookup, and there is a

sequence of routing trees. At any point in the lookup sequence,

there is one of a set of actions that can take place:

Entry Found Information from the entry (node) is returned and shall

be examined. The routing process continues or terminates, based

on this information.

Entry Not Found Return information on the length of best possible

match to the routing algorithm.

Temporary Reject The MTA shall stop the calculation, and repeat the

request later. Repeated temporary rejects should be handled in a

similar manner to the way the local MTA would handle the failure

to connect to a remote MTA.

Permanent Reject Administrative error on the directory which may be

fixed in future, but which currently prevents routing. The

routing calculation should be stopped and the message

non-delivered.

The algorithm proceeds by a series of directory read operations. If

the read operation is successful, the Entry Found procedure should be

followed. Errors from the lookup (directory read) shall be handled

in terms of the above procedures as follows. The following handling

is used when following a routing tree:

AttributeError This leads to a Permanent Reject.

NameError Entry Not Found is used. The matched parameter is used to

determine the number of components of the name that have matched

(possibly zero). The read may then repeated with this name.

This is the normal case, and allows the "best" entry in the

routingn tree to be located with two reads.

Referral The referral shall be followed, and then the procedure

recurses.

SecurityError Entry Not Found is used. Return a match length of one

less than the name provided.

ServiceError This leads to a Temporary Reject.

There will be cases where the algorithm moves to a name outside of

the routing tree being followed (Following an accessMD attribute, or

a redirect or a matched routing filter). The handling will be the

same as above, except:

NameError This leads to a Permanent Reject.

SecurityError This leads to a Permanent Reject.

When reading objects which of not of object class routingInformation,

the following error handling is used:

AttributeError This leads to a Permanent Reject.

NameError This leads to a Permanent Reject.

Referral The referral shall be followed, and then the procedure

recurses.

SecurityError In the case of an MTA, treat as if it is not possible

to route to this MTA. In other cases, this leads to a Permanent

Reject.

ServiceError This leads to a Temporary Reject.

The algorithm specifies the object class of entries which are read.

If an object class does not match what is expected, this shall lead

to a permanent reject.

15. Naming MTAs

MTAs need to be named in the DIT, but the name does not have routing

significance. The MTA name is simply a unique key. Attributes

associated with naming MTAs are given in Figure 6. This figure also

gives a list of attributes, which may be present in the MTA entry.

The use of most of these is explained in subsequent sections. The

mTAName and globalDomainID attributes are needed to define the

information that an MTA places in trace information. As noted

previously, an MTA is represented as an Application Process, with one

or more Application Entities.

---------------------------------------------------------------------

mTAName ATTRIBUTE ::= {

SUBTYPE OF name

WITH SYNTAX DirectoryString{ub-mta-name-length}

SINGLE VALUE

ID at-mta-name}

-- used for naming when

-- MTA is named in O=R Address Hierarchy

globalDomainID ATTRIBUTE ::= { 10

WITH SYNTAX GlobalDomainIdentifier

SINGLE VALUE

ID at-global-domain-id}

-- both attributes present when MTA

-- is named outside O=R Address Hierarchy

-- to enable trace to be written

mTAApplicationProcess OBJECT-CLASS ::= {

SUBCLASS OF {application-process}

KIND auxiliary 20

MAY CONTAIN {

mTAWillRoute

globalDomainID

routingTreeList

localAccessUnit

accessUnitsUsed

}

ID oc-mta-application-process}

mTA OBJECT CLASS ::= { -- Application Entity 30

SUBCLASS OF {mhs-message-transfer-agent}

KIND structural

MAY CONTAIN {

mTAName

globalDomainID -- per AE variant

responderAuthenticationRequirements

initiatorAuthenticationRequirements

responderPullingAuthenticationRequirements

initiatorPullingAuthenticationRequirements

initiatorP1Mode 40

responderP1Mode

polledMTAs

protocolInformation

respondingRTSCredentials

initiatingRTSCredentials

callingPresentationAddress

callingSelectorValidity

bilateralTable

mTAWillRoute

mhs-deliverable-content-length 50

routingTreeList

supportedMTSExtensions

mTAsAllowedToPoll

}

ID oc-mta}

Figure 6: MTA Definitions

---------------------------------------------------------------------

In X.400 (1984), MTAs are named by MD and a single string. This

style of naming is supported, with MTAs named in the O/R Address tree

relative to the root of the DIT (or possibly in a different routing

tree). The mTAName attribute is used to name MTAs in this case. For

X.400(88) the Distinguished Name shall be passed as an AE Title.

MTAs may be named with any other DN, which can be in the O/R Address

or Organisational DIT hierarchy. There are several reasons why MTAs

might be named differently.

o The flat naming space is inadequate to support large MDs. MTA

name assignment using the directory would be awkward.

o An MD does not wish to register its MTAs in this way (essentially,

it prefers to give them private names in the directory).

o An organisation has a policy for naming application processes,

which does not fit this approach.

In this case, the MTA entry shall contain the correct information to

be inserted in trace. The mTAName and globalDomainID attributes are

used to do this. They are single value. For an MTA which inserts

different trace in different circumstances, a more complex approach

would be needed.

An MD may choose to name its MTAs outside of the O/R address

hierarchy, and then link some or all of them with aliases. A pointer

from this space may help in resolving information based on MTA Trace.

The situation considered so far is where an MTA supports one

application context (protocol). The MTA is represented in the

directory by a single directory entry, having no subordinate

applicationEntity entries. This name is considered to be the name of

the MTA and its Application Process Title. The MTA has no

Application Entity Qualifier, and so this is also the Application

Entity Title. In the case where an MTA supports more than one

application context, the Application Process Title is exactly the

same as above, but it also has one or more subordinate

applicationEntity entries. Each of these subordinate entries is

associated with a single application context. The relative

distinguished name of the subordinate applicationEntity entry is the

Application Entity Qualifier of the Application Entity Title. The

Application Entity Title is the distinguished name of the

applicationEntity. The term MTA Name is used to refer to the

Application Process Title.

15.1 Naming 1984 MTAs

Some simplifications are necessary for 1984 MTAs, and only one naming

approach may be used. This is because Directory Names are not

carried in the protocol, and so it must be possible to derive the

name algorithmically from parameters carried. In X.400, MTAs are

named by MD and a single string. This style of naming is supported,

with MTAs named in the O/R Address tree relative to the root of the

DIT (or possibly in a different routing tree). The MTAName attribute

is used to name MTAs in this case.

16. Attributes Associated with the MTA

This section lists the attributes which may be associated with an MTA

as defined in Figure 6, and gives pointers to the sections that

describe them.

mTAName Section 15.

globalDomainID Section 15.

protocolInformation Section 18.1.

applicationContext Section 18.2.

mhs-deliverable-content-length Section 18.3.

responderAuthenticationRequirements Section 20.2.

initiatorAuthenticationRequirements Section 20.2.

responderPullingAuthenticationRequirements Section 20.2.

initiatorPullingAuthenticationRequirements Section 20.2.

initiatorP1Mode Section 19.

responderP1Mode Section 19.

polledMTAs Section 19.

mTAsAllowedToPoll Section 19.

respondingRTSCredentials Section 20.3.

initiatingRTSCredentials Section 20.3.

callingPresentationAddress Section 20.3.

callingSelectorValidity Section 20.3.

bilateralTable Section 17.

mTAWillRoute Section 21.

routingTreeList Section 9.

supportedMTSExtensions Section 18.3.

---------------------------------------------------------------------

mTABilateralTableEntry OBJECT-CLASS ::=

SUBCLASS OF {mTA distinguishedNameTableEntry}

ID oc-mta-bilateral-table-entry}

Figure 7: MTA Bilateral Table Entry

---------------------------------------------------------------------

17. Bilateral Agreements

Each MTA has an entry in the DIT. This will be information which is

globally valid, and will be useful for handling general information

about the MTA and for information common to all connections. In many

cases, this will be all that is needed. This global information may

be restricted by access control, and so need not be globally

available. In some cases, MTAs will maintain bilateral and

multilateral agreements, which hold authentication and related

information which is not globally valid. This section describes a

mechanism for grouping such information into tables, which enables an

MTA to have bilateral information or for a group of MTAs to share

multilateral information. The description is for bilateral

information, but is equally applicable to multilateral agreements.

For the purpose of a bilateral agreement, the MTA is considered to be

an application entity. This means that when this is distinct from

the application process, that the agreements are protocol specific.

A bilateral agreement is represented by one entry associated with

each MTA participating in the bilateral agreement. For one end of

the bilateral agreement, the agreement information will be keyed by

the name of the MTA at the other end. Each party to the agreement

will set up the entry which represents its half of the agreed policy.

The fact that these correspond is controlled by the external

agreement. In many cases, only one half of the agreement will be in

the directory. The other half might be in an ADMD MTA configuration

file.

MTA bilateral information is stored in a table, as defined in [15].

An MTA has access to a sequence of such tables, each of which

controls agreements in both directions for a given MTA. Where an MTA

is represented in multiple tables, the first agreement shall be used.

This allows an MTA to participate in multilateral agreements, and to

have private agreements which override these. The definition of

entries in this table are defined in Figure 7. This table will

usually be access controlled so that only a single MTA or selected

MTAs which appear externally as one MTA can access it.

---------------------------------------------------------------------

bilateralTable ATTRIBUTE ::= {

WITH SYNTAX SEQUENCE OF DistinguishedName

SINGLE VALUE

ID at-bilateral-table}

Figure 8: Bilateral Table Attribute

---------------------------------------------------------------------

Each entry in the table is of the object class

distinguishedNameTableEntry, which is used to name the entry by the

distinguished name of the MTA. In some cases discussed in Section

20.1, there will also be aliases of type textTableEntry. The MTA

attributes needed as a part of the bilateral agreement (typically MTA

Name/PassWord pairs), as described in Section 20.3, will always be

present. Other MTA attributes (e.g., presentation address) may be

present for one of two reasons:

1. As a performance optimisation

2. Because the MTA does not have a global entry

Every MTA with bilateral agreements will define a bilateral MTA

table. When a connection from a remote MTA is received, its

Distinguished Name is used to generate the name of the table entry.

For 1984, the MTA Name exchanged at the RTS level is used as a key

into the table. The location of the bilateral tables used by the MTA

and the order in which they are used are defined by the

bilateralTable attribute in the MTA entry, which is defined in Figure

8.

All of the MTA information described in Section 16 may be used in the

bilateral table entries. This will allow bilateral control of a wide

range of parameters.

Note: For some bilateral connections there is a need control various

other functions, such as trace stripping and originator address

manipulation. For now, this is left to implementation specific

extensions. This is expected to be reviewed in light of

implementation experience.

18. MTA Selection

18.1 Dealing with protocol mismatches

MTAs may operate over different stacks. This means that some MTAs

cannot talk directly to each other. Even where the protocols are the

same, there may be reasons why a direct connection is not possible.

An environment where there is full connectivity over a single stack

is known as a transport community [9]. The set of transport

communities supported by an MTA is specified by use of the

protocolInformation attribute defined in X.500(93). This is

represented as a separate attribute for the convenience of making

routing decisions.

---------------------------------------------------------------------

supportedMTSExtensions ATTRIBUTE ::= {

SUBTYPE OF objectIdentifier

ID at-supported-mts-extensions}

Figure 9: Supported MTS Extensions

---------------------------------------------------------------------

A community is identified by an object identifier, and so the

mechanism supports both well known and private communities. A list

of object identifiers corresponding to well known communities is

given in Appendix B.

18.2 Supported Protocols

It is important to know the protocol capabilities of an MTA. This is

done by the application context. There are standard definitions for

the following 1988 protocols.

o P3 (with and without RTS, both user and MTS initiated)

o P7 (with and without RTS).

o P1 (various modes). Strictly, this is the only one that matters

for routing.

In order to support P1(1984) and P1(1988) in X.410 mode, application

contexts which define these protocols are given in Appendix C. This

context is for use in the directory only, and would never be

exchanged over the network.

For routing purposes, a message store which is not co-resident with

an MTA is represented as if it had a co-resident MTA and configured

with a single link to its supporting MTA.

In cases where the UA is involved in exchanges, the UA will be of

object class mhs-user-agent, and this will allow for appropriate

communication information to be registered.

18.3 MTA Capability Restrictions

In addition to policy restrictions, described in Section 21, an MTA

may have capability restrictions. The maximum size of MPDU is

defined by the standard attribute mhs-deliverable-content-length.

The supported MTS extensions are defined by a new attribute specified

in Figure 9.

---------------------------------------------------------------------

restrictedSubtree OBJECT-CLASS ::= {

SUBCLASS OF {top}

KIND auxiliary

MAY CONTAIN {

subtreeDeliverableContentLength

subtreeDeliverableContentTypes

subtreeDeliverableEITs}

ID oc-restricted-subtree}

10

subtreeDeliverableContentLength ATTRIBUTE ::= {

SUBTYPE OF mhs-deliverable-content-length

ID at-subtree-deliverable-content-length}

subtreeDeliverableContentTypes ATTRIBUTE ::= {

SUBTYPE OF mhs-deliverable-content-types

ID at-subtree-deliverable-content-types}

subtreeDeliverableEITs ATTRIBUTE ::= {

SUBTYPE OF mhs-deliverable-eits 20

ID at-subtree-deliverable-eits}

Figure 10: Subtree Capability Restriction

---------------------------------------------------------------------

It may be useful to define other capability restrictions, for example

to enable routing of messages around MTAs with specific deficiencies.

It has been suggested using MTA capabilities as an optimised means of

expressing capabilities of all users associated with the MTA. This is

felt to be undesirable.

18.4 Subtree Capability Restrictions

In many cases, users of a subtree will share the same capabilities.

It is possible to specify this by use of attributes, as defined in

Figure 10. This will allow for restrictions to be determined in

cases where there is no entry for the user or O/R Address. This will

be a useful optimisation in cases where the UA capability information

is not available from the directory, either for policy reasons or

because it is not there. This information may also be present in the

domain tree (RFC822).

This shall be implemented as a collective attribute, so that it is

available to all entries in the subtree below the entry. This can

also be used for setting defaults in the subtree.

---------------------------------------------------------------------

initiatorP1Mode ATTRIBUTE ::= {

WITH SYNTAX P1Mode

SINGLE VALUE

ID at-initiator-p1-mode}

responderP1Mode ATTRIBUTE ::= {

WITH SYNTAX P1Mode

SINGLE VALUE

ID at-responder-p1-mode} 10

P1Mode ::= ENUMERATED {

push-only(0),

pull-only(1),

twa(2) }

polledMTAs ATTRIBUTE ::= {

WITH SYNTAX PolledMTAs

ID at-polled-mtas}

20

PolledMTAs ::= SEQUENCE {

mta DistinguishedName,

poll-frequency INTEGER OPTIONAL --frequency in minutes

}

mTAsAllowedToPoll ATTRIBUTE ::= {

SUBTYPE OF distinguishedName

ID at-mtas-allowed-to-poll}

Figure 11: Pulling Messages

---------------------------------------------------------------------

19. MTA Pulling Messages

Pulling messages between MTAs, typically by use of two way alternate,

is for bilateral agreement. It is not the common case. There are

two circumstances in which it can arise.

1. Making use of a connection that was opened to push messages.

2. Explicitly polling in order to pull messages

Attributes to support this are defined in Figure 11. These

attributes indicate the capabilities of an MTA to pull messages, and

allows a list of polled MTAs to be specified. If omitted, the normal

case of push-only is specified. In the MTA Entry, the polledMTAs

attribute indicates MTAs which are to be polled and the

mTAsAllowedToPoll attribute indicates MTAs that may poll the current

MTA.

20. Security and Policy

20.1 Finding the Name of the Calling MTA

A key issue for authentication is for the called MTA to find the name

of the calling MTA. This is needed for it to be able to look up

information on a bilateral agreement.

Where X.400(88) is used, the name is available as a distinguished

name from the AE-Title derived from the AP-Title and AE-Qualifier in

the A-Associate. For X.400(84), it will not be possible to derive a

global name from the bind. The MTA Name exchanged in the RTS Bind

will provide a key into the private bilateral agreement table (or

tables), where the connection information can be verified. Thus for

X.400(1984) it will only be possible to have bilateral inbound links

or no authentication of the calling MTA.

Note: CDC use a search here, as a mechanism to use a single table and

an 88/84 independent access. This may be considered for general

adoption. It appears to make the data model cleaner, possibly

at the expense of some performance. This will be considered in

the light of implementation experience.

20.2 Authentication

The levels of authentication required by an MTA will have an impact

on routing. For example, if an MTA requires strong authentication,

not all MTAs will be able to route to it. The attributes which

define the authentication requirements are defined in Figure 12.

The attributes specify authentication levels for the following cases:

Responder These are the checks that the responder will make on the

initiator's credentials.

Initiator These are the checks that the initiator will make on the

responders credentials. Very often, no checks are needed ---

establishing the connection is sufficient.

Responder Pulling These are responder checks when messages are

pulled. These will often be stronger than for pushing.

Initiator Pulling For completeness.

If an attribute is omitted, no checks are required. If multiple

checks are required, then each of the relevant bits shall be set.

The attribute is single value, which implies that the MTA must set a

single authentication policy.

---------------------------------------------------------------------

responderAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-responder-authentication-requirements}

initiatorAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-initiator-authentication-requirements} 10

responderPullingAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-responder-pulling-authentication-requirements}

initiatorPullingAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-initiator-pulling-authentication-requirements} 20

AuthenticationRequirements ::= BITSTRING {

mta-name-present(0),

aet-present(1),

aet-valid(2),

network-address(3),

simple-authentication(4),

strong-authentication(5),

bilateral-agreement-needed(6)}

Figure 12: Authentication Requirements

---------------------------------------------------------------------

The values of the authentication requirements mean:

mta-name-present That an RTS level MTA parameter shall be present for

logging purposes.

aet-present That a distinguished name application entity title shall

be provided at the ACSE level.

aet-valid As for aet-present, and that the AET be registered in the

directory. This may be looked up as a part of the validation

process. If mta-name-present is set, the RTS value of mta and

password shall correspond to those registered in the directory.

network-address This can only be used for the responder. The AET

shall be looked up in the directory, and the

callingPresentationAddress attribute matched against the calling

address. This shall match exactly at the network level. The

validity of selectors will be matched according to the

callingSelectorValidity attribute.

simple-authentication All MTA and password parameters needed for

simple authentication shall be used. This will usually be in

conjunction with a bilateral agreement.

strong-authentication Use of strong authentication.

bilateral-agreement-needed This means that this MTA will only accept

connections in conjunction with a bilateral or multilateral

agreements. This link cannot be used unless such an agreement

exists.

These attributes may also be used to specify UA/MTA authentication

policy. They may be resident in the UA entry in environments where

this information cannot be modified by the user. Otherwise, it will

be present in an MTA table (represented in the directory).

An MTA could choose to have different authentication levels related

to different policies (Section 21). This is seen as too complex, and

so they are kept independent. The equivalent function can always be

achieved by using multiple Application Entities with the application

process.

20.3 Authentication Information

This section specifies connection information needed by P1. This is

essentially RTS parameterisation needed for authentication. This is

defined in Figure 13. Confidential bilateral information is implied

by these attributes, and this will be held in the bilateral

information agreement. This shall have appropriate access control

applied. Note that in some cases, MTA information will be split

across a private and public entry.

---------------------------------------------------------------------

respondingRTSCredentials ATTRIBUTE ::= {

WITH SYNTAX RTSCredentials

SINGLE VALUE

ID at-responding-rts-credentials}

initiatingRTSCredentials ATTRIBUTE ::= {

WITH SYNTAX RTSCredentials

SINGLE VALUE 10

ID at-initiating-rts-credentials}

RTSCredentials ::= SEQUENCE {

request [0] MTAandPassword OPTIONAL,

response [1] MTAandPassword OPTIONAL }

MTAandPassword ::= SEQUENCE {

MTAName, 20

Password } -- MTAName and Password

-- from X.411

callingPresentationAddress ATTRIBUTE ::= {

SUBTYPE OF presentationAddress

MULTI VALUE

ID at-calling-presentation-address}

callingSelectorValidity ATTRIBUTE ::= { 30

WITH SYNTAX CallingSelectorValidity

SINGLE VALUE

ID at-calling-selector-validity}

CallingSelectorValidity ::= ENUMERATED {

all-selectors-fixed(0),

tsel-may-vary(1),

all-selectors-may-vary(2) }

Figure 13: MTA Authentication Parameters

---------------------------------------------------------------------

---------------------------------------------------------------------

mTAWillRoute ATTRIBUTE ::= {

WITH SYNTAX MTAWillRoute

ID at-mta-will-route}

MTAWillRoute ::= SEQUENCE {

from [0] SET OF ORAddressPrefix OPTIONAL,

to [1] SET OF ORAddressPrefix OPTIONAL,

from-excludes [2] SET OF ORAddressPrefix OPTIONAL,

to-excludes [3] SET OF ORAddressPrefix OPTIONAL } 10

ORAddressPrefix ::= DistinguishedName

Figure 14: Simple MTA Policy Specification

---------------------------------------------------------------------

The parameters are:

Initiating Credentials The credentials to be used when the local MTA

initiates the association. It gives the credentials to insert

into the request, and those expected in the response.

Responding Credentials The credentials to be used when the remote MTA

initiates the association. It gives the credential expected in

the request, and those to be inserted into the response.

Remote Presentation Address Valid presentation addresses, which the

remote MTA may connect from.

If an MTA/Password pair is omitted, the MTA shall default to the

local MTA Name, and the password shall default to a zero-length OCTET

STRING.

Note: Future versions of this specification may add more information

here relating to parameters required for strong authentication.

21. Policy and Authorisation

21.1 Simple MTA Policy

The routing trees will generally be configured in order to identify

MTAs which will route to the destination. A simple means is

identified to specify an MTA's policy. This is defined in Figure 14.

If this attribute is omitted, the MTA shall route all traffic to the

implied destinations from the context of the routing tree for any

MTAs that have valid access to the routing tree.

The multi-valued attribute gives a set of policies which the MTA will

route. O/R Addresses are represented by a prefix, which identifies a

subtree. A distinguished name encoding of O/R Address is used.

There are three components:

from This gives a set of O/R addresses which are granted permission

by this attribute value. If omitted, "all" is implied.

to This gives the set of acceptable destinations. If omitted,

"all" is implied.

from-excludes This defines (by prefix) subtrees of the O/R address

tree which are explicitly excluded from the "from" definition.

If omitted, there are no exclusions.

to-excludes This defines (by prefix) subtrees of the O/R address tree

which are explicitly excluded from the "to" definition. If

omitted, there are no exclusions.

This simple policy will suffice for most cases. In particular, it

gives sufficient information for most real situations where a policy

choice is forced, and the application of this policy would prevent a

message being routed.

This simple prefixing approach does not deal explicitly with alias

dereferencing. The prefixes refer to O/R addresses where aliases

have been dereferenced. To match against these prefixes, O/R

addresses being matched need to be "normalised by being looked up in

the directory to resolve alias values. If the lookup fails, it shall

be assumed that the provided address is already normalised. This

means that policy may be misinterpreted for parts of the DIT not

referenced in the directory.

The originator refers to the MTS originator, and the recipient to the

MTS recipient, following any list expansion or redirect. This simple

policy does not apply to delivery reports. Any advertised route

shall work for delivery reports, and it does not makes sense to

regulate this on the basis of the sender.

21.2 Complex MTA Policy

MTAs will generally have a much more complex policy mechanism, such

as that provided by PP MTA [10]. Representing this as a part of the

routing decision is not done here, but may be addressed in future

versions. Some of the issues which need to be tackled are:

o Use of charging and non-charging nets

o Policy dependent on message size

o Different policy for delivery reports.

o Policy dependent on attributes of the originator or

recipient (e.g., mail from students)

o Content type and encoded information types

o The path which the message has traversed to reach the MTA

o MTA bilateral agreements

o Pulling messages

o Costs. This sort of policy information may also be for

information only.

MTAs may apply more complex routing policies. However, this shall

not lead to the rejection of messages which might otherwise be

correctly routed on the published policy information. Policies

relating to submission do not need to be public. They can be private

to the MTA.

---------------------------------------------------------------------

redirect ATTRIBUTE ::= {

WITH SYNTAX Redirect

SINGLE VALUE

ID at-redirect}

Redirect ::= SEQUENCE OF SEQUENCE {

or-name ORName,

reason RedirectionReason, -- from X.411

filter CHOICE { 10

min-size [1] INTEGER,

max-size [2] INTEGER,

content [3] ContentType,

eit [4] ExternalEncodedInformationType } OPTIONAL

}

Figure 15: Redirect Definition

---------------------------------------------------------------------

22. Delivery

22.1 Redirects

There is a need to specify redirects in the Directory. This will be

useful for alternate names where an equivalent name (synonym) defined

by an alias is not natural. An example where this might be

appropriate is to redirect mail to a new O/R address where a user had

changed organisation. A mechanism is given to allow conditional

(filtered) redirects for different types of messages. This allow

small messages, large messages, or messages containing specific EITs

or content to be redirected. The definitions are given in Figure 15.

Redirection is specified by the redirect attribute. If present, this

attribute shall be processed before supportingMTA and

nonDeliveryInfo. These two attributes shall only be considered if it

is determined that no redirection applies. The redirect attribute is

a sequence of elements which are considered in the order specified.

Each element is examined in turn. The first element which applies is

used, and no further elements are examined. Use of an element for

redirection, shall follow the X.400 procedures for redirection, and

an element shall not be used if prevented by a service control. If

the redirect attribute is processed and no redirection is generated,

processing shall continue irrespective of service controls. If non-

delivery is intended in this event, this shall be achieved by use of

the nonDeliveryInfo attribute.

The components have the following interpretations:

or-name This X.400 O/R Name is for use in the redirection. This O/R

Name will contain an optional directory name and optional O/R

address. One or both of the must be present. If the O/R Address

element is present, the Directory Name, if present, is for

information only. and is to be placed in the X.400 redirection.

If the O/R address element is absent, the Directory Name shall be

present and shall be looked up to determine the O/R address of the

redirected recipient. The O/R Address of the intended recipient

will either be present or derived by lookup. Routing shall be

done on the basis of this O/R Address.

reason This is the reason information to be placed in the X.400

redirect, and it shall take one of the following values of

RedirectReason defined in X.411:

recipient-assigned-alternate-recipient;

recipient-MD-assigned-alternate-recipient; or alias. It shall not

have the value originator-requested-alternate-recipient.

filter If filter is absent, the redirect is mandoatory and shall be

followed. If the filter is present, use of the redirect under

consideration depends on the type of filter as follows:

min-size Follow redirect if the message (MT content) is larger

than min-size (measured in kBytes).

max-size Follow redirect if the message (MT content) is smaller

than max-size (measured in kBytes).

content Follow redirect if message content is of type content.

eit Follow redirect if the encoded information types registered

in the envelope contain eit.

When a delivery report is sent to an address which would be

redirected, X.400 would ignore the redirect. This means that every

O/R address would need to have a valid means of delivery. This would

seem to be awkward to manage. Therefore, the redirect shall be

followed, and the delivery report delivered to the redirected

address.

These redirects are handled directly by the MTA. Redirects can also

be initiated by the UA, for example in the context of a P7

interaction.

---------------------------------------------------------------------

nonDeliveryInfo ATTRIBUTE ::= {

WITH SYNTAX NonDeliveryReason

SINGLE VALUE

ID at-non-delivery-info}

NonDeliveryReason ::= SEQUENCE {

reason INTEGER (0..ub-reason-codes),

diagnostic INTEGER (0..ub-diagnostic-codes) OPTIONAL,

supplementaryInfo PrintableString OPTIONAL } 10

Figure 16: Non Delivery Information

---------------------------------------------------------------------

22.2 Underspecified O/R Addresses

X.400 requires that some underspecified O/R Addresses are handled in

a given way (e.g., if a surname is given without initials or given

name). Where an underspecified O/R Address is to be treated as if it

were another O/R Address, an alias shall be used. If the O/R Address

is to be rejected as ambiguous, an entry shall be created in the DIT,

and forced non-delivery specified for this reason.

Note: It is also possible to handle this situation by searching. An

MTA conforming to this specification may handle underspecified

addresses in this manner. The choice of mechanism will be

reviewed after operational experience with both approaches.

22.3 Non Delivery

It is possible for a manager to define an address to non-deliver with

specified reason and diagnostic codes. This might be used for a

range of management purposes. The attribute to do this is defined in

Figure 16. If a nonDeliveryInfo attribute is present, any

supportingMTA attribute shall be ignored and the message non-

delivered.

22.4 Bad Addresses

If there is a bad address, it is desirable to do a directory search

to find alternatives. This is a helpful user service and may be

supported. This function is invoked after address checking has

failed, and where this is no user supplied alternate recipient. This

function would be an MTA-chosen alternative to administratively

assigned alternate recipient.

Attributes to support handling of bad addresses are defined in Figure

17. The attributes are:

badAddressSearchPoint This gives the point (or list of points) from

which to search.

badAddressSearchAttributes This gives the set of attribute types to

search on. The default is common name.

---------------------------------------------------------------------

badAddressSearchPoint ATTRIBUTE ::= {

SUBTYPE OF distinguishedName

ID at-bad-address-search-point}

badAddressSearchAttributes ATTRIBUTE ::= {

WITH SYNTAX AttributeType

ID at-bad-address-search-attributes}

alternativeAddressInformation EXTENSION 10

AlternativeAddressInformation

::= id-alternative-address-information

-- X.400(92) continues to use MACRO notation

AlternativeAddressInformation ::= SET OF SEQUENCE {

distinguished-name DistinguishedName OPTIONAL,

or-address ORAddress OPTIONAL,

other-useful-info SET OF Attribute }

Figure 17: Bad Address Pointers

---------------------------------------------------------------------

Searches are always single level, and always use approximate match.

If a small number of matches are made, this is returned to the

originator by use of the per recipient AlternativeAddressInformation

in the delivery report (DR). This shall be marked non-critical, so

that it will not cause the DR to be discarded (e.g., in downgrading

to X.400(1984)). This attribute allows the Distinguished Name and

O/R Address of possible alternate recipients to be returned with the

delivery report. There is also the possibility to attach extra

information in the form of directory attributes. Typically this

might be used to return attributes of the entry which were matched in

the search. A summary of the information shall also be returned

using the delivery report supplementary information filed (e.g.,

"your message could not be delivered to smith, try J. Smith or P.

Smith"), so that the information is available to user agents not

supporting this extension. Note the length restriction of this field

is 256 (ub-supplementary-info-length) in X.400(1988).

If the directory search fails, or there are no matches returned, a

delivery report shall be returned as if this extra check had not been

made.

Note: It might be useful to allow control of search type, and also

single level vs subtree. This issue is for further study.

---------------------------------------------------------------------

localAccessUnit ATTRIBUTE ::= {

WITH SYNTAX AccessUnitType

ID at-local-access-unit}

AccessUnitType ::= ENUMERATED {

fax (1),

physical-delivery (2),

teletex (3),

telex (4) } 10

accessUnitsUsed ATTRIBUTE ::= {

WITH SYNTAX SelectedAccessUnit

ID at-access-units-used}

SelectedAccessUnit ::= SEQUENCE {

type AccessUnitType,

providing-MTA DistinguishedName,

filter SET OF ORAddress OPTIONAL }

Figure 18: Access UnitAttributes

---------------------------------------------------------------------

23. Submission

A message may be submitted with Distinguished Name only. If the MTA

to which the message is submitted supports this service, this section

describes how the mapping is done.

23.1 Normal Derivation

The Distinguished Name is looked up to find the attribute mhs-or-

addresses. If the attribute is single value, it is straightforward.

If there are multiple values, one O/R address shall be selected at

random.

23.2 Roles and Groups

Some support for roles is given. If there is no O/R address, and the

entry is of object class role, then the roleOccupant attribute shall

be dereferenced, and the message submitted to each of the role

occupants. Similarly, if the entry is of object class group, where

the groupMember attribute is used.

24. Access Units

Attributes needed for support of Access Units, as defined in

X.400(88), are defined in Figure 18. The attributes defined are:

localAccessUnit This defines the list of access units supported by

the MTA.

accessUnitsUsed This defines which access units are used by the MTA,

giving the type and MTA. An O/R Address filter is provided to

control which access unit is used for a given recipient. For a

filter to match an address, all attributes specificed in the

filter shall match the given address. This is specified as an O/R

Address, so that routing to access units can be filtered on the

basis of attributes not mapped onto the directory (e.g., postal

attributes). Where a remote MTA is used, it may be necessary to

use source routing.

Note 1: This mechanism might be used to replace the routefilter

mechanism of the MTS routing. Comments are solicited.

Note 2: It has been proposed to add a more powerful filter mechanism.

Comments are solicited.

Note 3: The utility of this specification as a mechanism to route

faxes and other non MHS messages has been noted, but not explored.

Comments as to how and if this should be developed are solicited.

These three issues are for further study.

25. The Overall Routing Algorithm

Having provided all the pieces, a summary of how routing works can be

given.

The core of the X.400 routing is described in Section 10. A sequence

of routing trees are followed. As nodes of the routing tree are

matched, a set of MTAs will be identified for evaluation as possible

next hops. If all of these are rejected, the trees are followed

further. (It might be argued that the trees should be followed to

find alternate routes in the case that only one MTA is acceptable.

This is not proposed.) A set of MTAs is evaluated on the following

criteria:

o If an MTA is the local MTA, deliver locally.

o Supported protocols. The MTA shall support a protocol that the

current MTA supports, as described in Section 18.2.

(Note that this could be an RFC822 protocol, as well as an

X.400 protocol.)

o The protocols shall share a common transport community, as

described in Section 18.1.

o There shall be no capability restrictions in the MTA which

prevents transfer of the current message, as described in

Section 18.3.

o There shall be no policy restrictions in the MTA which prevents

transfer of the current message, as described in Section 21.

o The authentication requirements of the MTA shall be met by the

local MTA, as described in Section 20.2.

o If the authentication (Section 20.2) indicates that a bilateral

agreement is present, the MTA shall be listed in the local set of

bilateral agreements, as described in Section 17.

o In cases where the recipient UA's capabilities can be determined,

there should either be no mismatch, or there shall be an ability

to use local or remote reformatting capabilities, as described

in [12].

26. Performance

The routing algorithm has been designed with performance in mind. In

particular, care has been taken to use only the read function, which

will in general be optimised. Routing trees may be configured so

that routing decisions can be made with only two directory reads.

More complex configurations will not require a substantially larger

number of operations.

27. Acknowledgements

This memo is the central document of a series of specifications [14,

15, 16], and to other work in progress. The acknowledgements for all

of this work is given here. Previous work, which significantly

influenced these specifications is described in Section 3. This lead

to an initial proposal by the editor, which was subsequently split

into eight documents. Work on this specifications has been done by

the IETF MHS-DS working group. Special credit is given to the joint

chairs of this group: Harald Alvestrand (Uninett) and Kevin Jordan

(CDC). Credit is given to all members of the WG. Those who have made

active contribution include: Piete Brooks (Cambridge University);

Allan Cargille (University of Wisconsin); Jim Craigie (JNT); Dennis

Doyle (SSS); Urs Eppenberger (SWITCH); Peter Furniss; Christian

Huitema (Inria); Marko Kaittola (Dante); Sylvain Langlois (EDF); Lucy

Loftin (AT&T GIS); Julian Onions (NEXOR); Paul-Andre Pays (Inria);

Colin Robbins (NEXOR); Michael Roe (Cambridge University); Jim

Romaguera (Netconsult); Michael Storz (Leibniz Rechenzentrum); Mark

Wahl (ISODE Consortium); Alan Young (ISODE Consortium).

This work was partly funded by the COSINE Paradise project.

28. References

[1] The Directory --- overview of concepts, models and services,

1993. CCITT X.500 Series Recommendations.

[2] J.N. Chiappa. A new IP routing and addressing architecture,

1991.

[3] A. Consael, M. Tschicholz, O. Wenzel, K. Bonacker, and M. Busch.

DFN-Directory nutzung durch MHS, April 1990. GMD Report.

[4] P. Dick-Lauder, R.J. Kummerfeld, and K.R. Elz. ACSNet - the

Australian alternative to UUCP. In EUUG Conference, Paris, pages

60--69, April 1985.

[5] Eppenberger, U., "Routing Coordination for X.400 MHS Services

Within a Multi Protocol / Multi Network Environment Table Format

V3 for Static Routing", RFC1465, SWITCH, May 1993.

[6] K.E. Jordan. Using X.500 directory services in support of X.400

routing and address mapping, November 1991. Private Note.

[7] S.E. Kille. MHS use of directory service for routing. In IFIP

6.5 Conference on Message Handling, Munich, pages 157--164.

North Holland Publishing, April 1987.

[8] S.E. Kille. Topology and routing for MHS. COSINE Specification

Phase 7.7, RARE, 1988.

[9] Kille, S., "Encoding Network Addresses to support operation over

non-OSI lower layers", RFC1277, Department of Computer Science,

University College London, November 1991.

[10] S.E. Kille. Implementing X.400 and X.500: The PP and QUIPU

Systems. Artech House, 1991. ISBN 0-89006-564-0.

[11] Kille, S., "A Representation of Distinguished Names

(OSI-DS 23 (v5))", RFC1485, Department of Computer Science,

University College London, January 1992.

[12] Kille, S., Mhs use of X.500 directory to support mhs content

conversion, Work in Progress, July 1993.

[13] Kille, S., "Use of the X.500 directory to support routing for

RFC822 and related protocols", Work in Progress, July 1993.

[14] Kille, S., "Representing tables and subtrees in the X.500

directory", Work in Progress, September 1994.

[15] Kille, S., "Representing the O/R Address hierarchy in the X.500

directory information tree", Work in Progress, September 1994.

[16] Kille, S., "Use of the X.500 directory to support mapping

between X.400 and RFC822 addresses", Work in Progress,

September 1994.

[17] Lauder, P., Kummerfeld, R., and A. Fekete. Hierarchical network

routing. In Tricomm 91, 1991.

[18] CCITT recommendations X.400 / ISO 10021, April 1988. CCITT

SG 5/VII / ISO/IEC JTC1, Message Handling: System and Service

Overview.

[19] Zen and the ART of navigating through the dark and murky regions

of the message transfer system: Working document on MTS

routing, September 1991. ISO SC 18 SWG Messaging.

29. Security Considerations

Security issues are not discussed in this memo.

30. Author's Address

Steve Kille

ISODE Consortium

The Dome

The Square

Richmond

TW9 1DT

England

Phone: +44-81-332-9091

EMail: S.Kille@ISODE.COM

X.400: I=S; S=Kille; O=ISODE Consortium; P=ISODE;

A=Mailnet; C=FI;

DN: CN=Steve Kille,

O=ISODE Consortium, C=GB

UFN: S. Kille, ISODE Consortium, GB

A Object Identifier Assignment

-----------------------------------------------------------------------

mhs-ds OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1)

private(4) enterprises(1) isode-consortium (453) mhs-ds (7)}

routing OBJECT IDENTIFIER ::= {mhs-ds 3}

oc OBJECT IDENTIFIER ::= {routing 1}

at OBJECT IDENTIFIER ::= {routing 2}

id OBJECT IDENTIFIER ::= {routing 3}

10

oc-mta OBJECT IDENTIFIER ::= {oc 1}

oc-mta-bilateral-table-entry OBJECT IDENTIFIER ::= {oc 2}

oc-routing-information OBJECT IDENTIFIER ::= {oc 3}

oc-restricted-subtree OBJECT IDENTIFIER ::= {oc 4}

oc-routed-ua OBJECT IDENTIFIER ::= {oc 8}

oc-routing-tree-root OBJECT IDENTIFIER ::= {oc 6}

oc-mta-application-process OBJECT IDENTIFIER ::= {oc 7}

at-access-md OBJECT IDENTIFIER ::= {at 1}

at-access-units-used OBJECT IDENTIFIER ::= {at 2} 20

at-subtree-information OBJECT IDENTIFIER ::= {at 3}

at-bad-address-search-attributes OBJECT IDENTIFIER ::= {at 4}

at-bad-address-search-point OBJECT IDENTIFIER ::= {at 5}

at-calling-selector-validity OBJECT IDENTIFIER ::= {at 7}

at-global-domain-id OBJECT IDENTIFIER ::= {at 10}

at-initiating-rts-credentials OBJECT IDENTIFIER ::= {at 11}

at-initiator-authentication-requirements OBJECT IDENTIFIER ::= {at 12}30

at-initiator-p1-mode OBJECT IDENTIFIER ::= {at 13}

at-initiator-pulling-authentication-requirements

OBJECT IDENTIFIER ::= {at 14}

at-local-access-unit OBJECT IDENTIFIER ::= {at 15}

at-redirect OBJECT IDENTIFIER ::= {at 46}

at-mta-info OBJECT IDENTIFIER ::= {at 40}

at-mta-name OBJECT IDENTIFIER ::= {at 19}

at-mta-will-route OBJECT IDENTIFIER ::= {at 21}

at-calling-presentation-address OBJECT IDENTIFIER ::= {at 22}

at-responder-authentication-requirements OBJECT IDENTIFIER ::= {at 23}40

at-responder-p1-mode OBJECT IDENTIFIER ::= {at 24}

at-responder-pulling-authentication-requirements

OBJECT IDENTIFIER ::= {at 25}

at-responding-rts-credentials OBJECT IDENTIFIER ::= {at 26}

at-routing-failure-action OBJECT IDENTIFIER ::= {at 27}

at-routing-filter OBJECT IDENTIFIER ::= {at 28}

at-routing-tree-list OBJECT IDENTIFIER ::= {at 29}

at-subtree-deliverable-content-length OBJECT IDENTIFIER ::= {at 30}

at-subtree-deliverable-content-types OBJECT IDENTIFIER ::= {at 31}

at-subtree-deliverable-eits OBJECT IDENTIFIER ::= {at 32}

at-supporting-mta OBJECT IDENTIFIER ::= {at 33} 50

at-transport-community OBJECT IDENTIFIER ::= {at 34}

at-user-name OBJECT IDENTIFIER ::= {at 35}

at-non-delivery-info OBJECT IDENTIFIER ::= {at 47}

at-polled-mtas OBJECT IDENTIFIER ::= {at 37}

at-bilateral-table OBJECT IDENTIFIER {at 45}

at-supported-extension OBJECT IDENTIFIER {at 42}

at-supported-mts-extension OBJECT IDENTIFIER {at 43}

at-mtas-allowed-to-poll OBJECT IDENTIFIER {at 44}

id-alternative-address-information OBJECT IDENTIFIER ::= {id 1} 60

Figure 19: Object Identifier Assignment

-----------------------------------------------------------------------

B Community Identifier Assignments

-----------------------------------------------------------------------

ts-communities OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1)

private(4) enterprises(1) isode-consortium (453) ts-communities (4)}

tc-cons OBJECT IDENTIFIER ::= {ts-communities 1} -- OSI CONS

tc-clns OBJECT IDENTIFIER ::= {ts-communities 2} -- OSI CLNS

tc-internet OBJECT IDENTIFIER ::= {ts-communities 3}-- Internet+RFC1006

tc-int-x25 OBJECT IDENTIFIER ::= {ts-communities 4} -- International X.25

-- Without CONS10

tc-ixi OBJECT IDENTIFIER ::= {ts-communities 5} -- IXI (Europe)

tc-janet OBJECT IDENTIFIER ::= {ts-communities 6} -- Janet (UK)

Figure 20: Transport Community Object Identifier Assignments

-----------------------------------------------------------------------

C Protocol Identifier Assignments

-----------------------------------------------------------------------

mail-protocol OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1)

private(4)n enterprises(1) isode-consortium (453) mail-protocol (5)}

ac-p1-1984 OBJECT IDENTIFIER ::= {mail-protocol 1} -- p1(1984)

ac-smtp OBJECT IDENTIFIER ::= {mail-protocol 2} -- SMTP

ac-uucp OBJECT IDENTIFIER ::= {mail-protocol 3} -- UUCP Mail

ac-jnt-mail OBJECT IDENTIFIER ::= {mail-protocol 4} -- JNT Mail

(UK)

ac-p1-1988-x410 OBJECT IDENTIFIER ::= {mail-protocol 5} -- p1(1988) in

X.410 mode

ac-p3-1984 OBJECT IDENTIFIER ::= {mail-protocol 6} -- p3(1984) 10

Figure 21: Protocol Object Identifier Assignments

-----------------------------------------------------------------------

D ASN.1 Summary

-----------------------------------------------------------------------

MHS-DS-Definitions

DEFINITIONS ::=

BEGIN

-- assign OID to module

-- define imports and exports

routingTreeRoot OBJECT-CLASS ::= {

SUBCLASS OF {routingInformationsubtree}

ID oc-routing-tree-root} 10

routingTreeList ATTRIBUTE ::= {

WITH SYNTAX RoutingTreeList

SINGLE VALUE

ID at-routing-tree-list}

RoutingTreeList ::= SEQUENCE OF RoutingTreeName

RoutingTreeName ::= DistinguishedName

20

routingInformation OBJECT-CLASS ::= {

SUBCLASS OF top

KIND auxiliary

MAY CONTAIN {

subtreeInformation

routingFilter

routingFailureAction

mTAInfo

accessMD

nonDeliveryInfo 30

badAddressSearchPoint

badAddressSearchAttributes}

ID oc-routing-information}

-- No naming attributes as this is not a

-- structural object class

subtreeInformation ATTRIBUTE ::= {

WITH SYNTAX SubtreeInfo 40

SINGLE VALUE

ID at-subtree-information}

SubtreeInfo ::= ENUMERATED {

all-children-present(0),

not-all-children-present(1) }

routingFilter ATTRIBUTE ::= {

WITH SYNTAX RoutingFilter 50

ID at-routing-filter}

RoutingFilter ::= SEQUENCE{

attribute-type OBJECT-IDENTIFIER,

weight RouteWeight,

dda-key String OPTIONAL,

regex-match IA5String OPTIONAL,

node DistinguishedName }

60

String ::= CHOICE {PrintableString, TeletexString}

routingFailureAction ATTRIBUTE ::= {

WITH SYNTAX RoutingFailureAction

SINGLE VALUE

ID at-routing-failure-action}

RoutingFailureAction ::= ENUMERATED {

next-level(0),

next-tree-only(1), 70

next-tree-first(2),

stop(3) }

mTAInfo ATTRIBUTE ::= {

WITH SYNTAX MTAInfo

ID at-mta-info}

MTAInfo ::= SEQUENCE {

name DistinguishedName, 80

weight [1] RouteWeight DEFAULT preferred-access,

mta-attributes [2] SET OF Attribute OPTIONAL,

ae-info SEQUENCE OF SEQUENCE {

aEQualifier PrintableString,

ae-weight RouteWeight DEFAULT preferred-access,

ae-attributes SET OF Attribute OPTIONAL} OPTIONAL

}

RouteWeight ::= INTEGER {endpoint(0),

preferred-access(5), 90

backup(10)} (0..20)

accessMD ATTRIBUTE ::= {

SUBTYPE OF distinguishedName

ID at-access-md}

routedUA OBJECT-CLASS ::= {

SUBCLASS OF {routingInformation}

KIND auxiliary

MAY CONTAIN { 100

-- from X.402

mhs-deliverable-content-length

mhs-deliverable-content-types

mhs-deliverable-eits

mhs-message-store

mhs-preferred-delivery-methods

-- defined here

supportedExtensions

redirect

supportingMTA 110

userName

nonDeliveryInfo}

ID oc-routed-ua}

supportedExtensions ATTRIBUTE ::= {

SUBTYPE OF objectIdentifier

ID at-supported-extensions}

supportingMTA ATTRIBUTE ::= {

SUBTYPE OF mTAInfo 120

ID at-supporting-mta}

userName ATTRIBUTE ::= {

SUBTYPE OF distinguishedName

ID at-user-name}

mTAName ATTRIBUTE ::= {

SUBTYPE OF name

WITH SYNTAX DirectoryString{ub-mta-name-length}

SINGLE VALUE 130

ID at-mta-name}

-- used for naming when

-- MTA is named in O=R Address Hierarchy

globalDomainID ATTRIBUTE ::= {

WITH SYNTAX GlobalDomainIdentifier

SINGLE VALUE

ID at-global-domain-id}

-- both attributes present when MTA

-- is named outside O=R Address Hierarchy 140

-- to enable trace to be written

mTAApplicationProcess OBJECT-CLASS ::= {

SUBCLASS OF {application-process}

KIND auxiliary

MAY CONTAIN {

mTAWillRoute

globalDomainID

routingTreeList

localAccessUnit 150

accessUnitsUsed

}

ID oc-mta-application-process}

mTA OBJECT CLASS ::= { -- Application Entity

SUBCLASS OF {mhs-message-transfer-agent}

KIND structural

MAY CONTAIN {

mTAName

globalDomainID -- per AE variant 160

responderAuthenticationRequirements

initiatorAuthenticationRequirements

responderPullingAuthenticationRequirements

initiatorPullingAuthenticationRequirements

initiatorP1Mode

responderP1Mode

polledMTAs

protocolInformation

respondingRTSCredentials

initiatingRTSCredentials 170

callingPresentationAddress

callingSelectorValidity

bilateralTable

mTAWillRoute

mhs-deliverable-content-length

routingTreeList

supportedMTSExtensions

mTAsAllowedToPoll

}

ID oc-mta} 180

mTABilateralTableEntry OBJECT-CLASS ::=

SUBCLASS OF {mTA distinguishedNameTableEntry}

ID oc-mta-bilateral-table-entry}

bilateralTable ATTRIBUTE ::= {

WITH SYNTAX SEQUENCE OF DistinguishedName

SINGLE VALUE

ID at-bilateral-table}

190

supportedMTSExtensions ATTRIBUTE ::= {

SUBTYPE OF objectIdentifier

ID at-supported-mts-extensions}

restrictedSubtree OBJECT-CLASS ::= {

SUBCLASS OF {top}

KIND auxiliary

MAY CONTAIN {

subtreeDeliverableContentLength

subtreeDeliverableContentTypes 200

subtreeDeliverableEITs}

ID oc-restricted-subtree}

subtreeDeliverableContentLength ATTRIBUTE ::= {

SUBTYPE OF mhs-deliverable-content-length

ID at-subtree-deliverable-content-length}

subtreeDeliverableContentTypes ATTRIBUTE ::= {

SUBTYPE OF mhs-deliverable-content-types

ID at-subtree-deliverable-content-types} 210

subtreeDeliverableEITs ATTRIBUTE ::= {

SUBTYPE OF mhs-deliverable-eits

ID at-subtree-deliverable-eits}

initiatorP1Mode ATTRIBUTE ::= {

WITH SYNTAX P1Mode

SINGLE VALUE

ID at-initiator-p1-mode} 220

responderP1Mode ATTRIBUTE ::= {

WITH SYNTAX P1Mode

SINGLE VALUE

ID at-responder-p1-mode}

P1Mode ::= ENUMERATED {

push-only(0),

pull-only(1),

twa(2) } 230

polledMTAs ATTRIBUTE ::= {

WITH SYNTAX PolledMTAs

ID at-polled-mtas}

PolledMTAs ::= SEQUENCE {

mta DistinguishedName,

poll-frequency INTEGER OPTIONAL --frequency in minutes

}

240

mTAsAllowedToPoll ATTRIBUTE ::= {

SUBTYPE OF distinguishedName

ID at-mtas-allowed-to-poll}

responderAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-responder-authentication-requirements}

250

initiatorAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-initiator-authentication-requirements}

responderPullingAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-responder-pulling-authentication-requirements}

260

initiatorPullingAuthenticationRequirements ATTRIBUTE ::= {

WITH SYNTAX AuthenticationRequirements

SINGLE VALUE

ID at-initiator-pulling-authentication-requirements}

AuthenticationRequirements ::= BITSTRING {

mta-name-present(0),

aet-present(1),

aet-valid(2),

network-address(3), 270

simple-authentication(4),

strong-authentication(5),

bilateral-agreement-needed(6)}

respondingRTSCredentials ATTRIBUTE ::= {

WITH SYNTAX RTSCredentials

SINGLE VALUE

ID at-responding-rts-credentials}

280

initiatingRTSCredentials ATTRIBUTE ::= {

WITH SYNTAX RTSCredentials

SINGLE VALUE

ID at-initiating-rts-credentials}

RTSCredentials ::= SEQUENCE {

request [0] MTAandPassword OPTIONAL,

response [1] MTAandPassword OPTIONAL }

290

MTAandPassword ::= SEQUENCE {

MTAName,

Password } -- MTAName and Password

-- from X.411

callingPresentationAddress ATTRIBUTE ::= {

SUBTYPE OF presentationAddress

MULTI VALUE 300

ID at-calling-presentation-address}

callingSelectorValidity ATTRIBUTE ::= {

WITH SYNTAX CallingSelectorValidity

SINGLE VALUE

ID at-calling-selector-validity}

CallingSelectorValidity ::= ENUMERATED {

all-selectors-fixed(0),

tsel-may-vary(1), 310

all-selectors-may-vary(2) }

mTAWillRoute ATTRIBUTE ::= {

WITH SYNTAX MTAWillRoute

ID at-mta-will-route}

MTAWillRoute ::= SEQUENCE {

from [0] SET OF ORAddressPrefix OPTIONAL,

to [1] SET OF ORAddressPrefix OPTIONAL,

from-excludes [2] SET OF ORAddressPrefix OPTIONAL, 320

to-excludes [3] SET OF ORAddressPrefix OPTIONAL }

ORAddressPrefix ::= DistinguishedName

redirect ATTRIBUTE ::= {

WITH SYNTAX Redirect

SINGLE VALUE

ID at-redirect}

Redirect ::= SEQUENCE OF SEQUENCE { 330

or-name ORName,

reason RedirectionReason, -- from X.411

filter CHOICE {

min-size [1] INTEGER,

max-size [2] INTEGER,

content [3] ContentType,

eit [4] ExternalEncodedInformationType } OPTIONAL

}

nonDeliveryInfo ATTRIBUTE ::= { 340

WITH SYNTAX NonDeliveryReason

SINGLE VALUE

ID at-non-delivery-info}

NonDeliveryReason ::= SEQUENCE {

reason INTEGER (0..ub-reason-codes),

diagnostic INTEGER (0..ub-diagnostic-codes) OPTIONAL,

supplementaryInfo PrintableString OPTIONAL }

badAddressSearchPoint ATTRIBUTE ::= { 350

SUBTYPE OF distinguishedName

ID at-bad-address-search-point}

badAddressSearchAttributes ATTRIBUTE ::= {

WITH SYNTAX AttributeType

ID at-bad-address-search-attributes}

alternativeAddressInformation EXTENSION

AlternativeAddressInformation

::= id-alternative-address-information 360

-- X.400(92) continues to use MACRO notation

AlternativeAddressInformation ::= SET OF SEQUENCE {

distinguished-name DistinguishedName OPTIONAL,

or-address ORAddress OPTIONAL,

other-useful-info SET OF Attribute }

localAccessUnit ATTRIBUTE ::= {

WITH SYNTAX AccessUnitType

ID at-local-access-unit} 370

AccessUnitType ::= ENUMERATED {

fax (1),

physical-delivery (2),

teletex (3),

telex (4) }

accessUnitsUsed ATTRIBUTE ::= {

WITH SYNTAX SelectedAccessUnit

ID at-access-units-used} 380

SelectedAccessUnit ::= SEQUENCE {

type AccessUnitType,

providing-MTA DistinguishedName,

filter SET OF ORAddress OPTIONAL }

mhs-ds OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1) private(4)

enterprises(1) isode-consortium (453) mhs-ds (7)}

routing OBJECT IDENTIFIER ::= {mhs-ds 3}

390

oc OBJECT IDENTIFIER ::= {routing 1}

at OBJECT IDENTIFIER ::= {routing 2}

id OBJECT IDENTIFIER ::= {routing 3}

oc-mta OBJECT IDENTIFIER ::= {oc 1}

oc-mta-bilateral-table-entry OBJECT IDENTIFIER ::= {oc 2}

oc-routing-information OBJECT IDENTIFIER ::= {oc 3}

oc-restricted-subtree OBJECT IDENTIFIER ::= {oc 4}

oc-routed-ua OBJECT IDENTIFIER ::= {oc 8} 400

oc-routing-tree-root OBJECT IDENTIFIER ::= {oc 6}

oc-mta-application-process OBJECT IDENTIFIER ::= {oc 7}

at-access-md OBJECT IDENTIFIER ::= {at 1}

at-access-units-used OBJECT IDENTIFIER ::= {at 2}

at-subtree-information OBJECT IDENTIFIER ::= {at 3}

at-bad-address-search-attributes OBJECT IDENTIFIER ::= {at 4}

at-bad-address-search-point OBJECT IDENTIFIER ::= {at 5}

at-calling-selector-validity OBJECT IDENTIFIER ::= {at 7} 410

at-global-domain-id OBJECT IDENTIFIER ::= {at 10}

at-initiating-rts-credentials OBJECT IDENTIFIER ::= {at 11}

at-initiator-authentication-requirements OBJECT IDENTIFIER ::= {at 12}

at-initiator-p1-mode OBJECT IDENTIFIER ::= {at 13}

at-initiator-pulling-authentication-requirements

OBJECT IDENTIFIER ::= {at 14}

at-local-access-unit OBJECT IDENTIFIER ::= {at 15}

at-redirect OBJECT IDENTIFIER ::= {at 46}

at-mta-info OBJECT IDENTIFIER ::= {at 40} 420

at-mta-name OBJECT IDENTIFIER ::= {at 19}

at-mta-will-route OBJECT IDENTIFIER ::= {at 21}

at-calling-presentation-address OBJECT IDENTIFIER ::= {at 22}

at-responder-authentication-requirements OBJECT IDENTIFIER ::= {at 23}

at-responder-p1-mode OBJECT IDENTIFIER ::= {at 24}

at-responder-pulling-authentication-requirements

OBJECT IDENTIFIER ::= {at 25}

at-responding-rts-credentials OBJECT IDENTIFIER ::= {at 26}

at-routing-failure-action OBJECT IDENTIFIER ::= {at 27}

at-routing-filter OBJECT IDENTIFIER ::= {at 28} 430

at-routing-tree-list OBJECT IDENTIFIER ::= {at 29}

at-subtree-deliverable-content-length OBJECT IDENTIFIER ::= {at 30}

at-subtree-deliverable-content-types OBJECT IDENTIFIER ::= {at 31}

at-subtree-deliverable-eits OBJECT IDENTIFIER ::= {at 32}

at-supporting-mta OBJECT IDENTIFIER ::= {at 33}

at-transport-community OBJECT IDENTIFIER ::= {at 34}

at-user-name OBJECT IDENTIFIER ::= {at 35}

at-non-delivery-info OBJECT IDENTIFIER ::= {at 47}

at-polled-mtas OBJECT IDENTIFIER ::= {at 37}

at-bilateral-table OBJECT IDENTIFIER {at 45} 440

at-supported-extension OBJECT IDENTIFIER {at 42}

at-supported-mts-extension OBJECT IDENTIFIER {at 43}

at-mtas-allowed-to-poll OBJECT IDENTIFIER {at 44}

id-alternative-address-information OBJECT IDENTIFIER ::= {id 1}

ts-communities OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1)

private(4) enterprises(1) isode-consortium (453) ts-communities (4)}

450

tc-cons OBJECT IDENTIFIER ::= {ts-communities 1} -- OSI CONS

tc-clns OBJECT IDENTIFIER ::= {ts-communities 2} -- OSI CLNS

tc-internet OBJECT IDENTIFIER ::= {ts-communities 3}-- Internet+RFC1006

tc-int-x25 OBJECT IDENTIFIER ::= {ts-communities 4} -- International X.25

-- Without CONS

tc-ixi OBJECT IDENTIFIER ::= {ts-communities 5} -- IXI (Europe)

tc-janet OBJECT IDENTIFIER ::= {ts-communities 6} -- Janet (UK)

mail-protocol OBJECT-IDENTIFIER ::= {iso(1) org(3) dod(6) internet(1)

private(4) enterprises(1) isode-consortium (453) mail-protocol (5)} 460

ac-p1-1984 OBJECT IDENTIFIER ::= {mail-protocol 1} -- p1(1984)

ac-smtp OBJECT IDENTIFIER ::= {mail-protocol 2} -- SMTP

ac-uucp OBJECT IDENTIFIER ::= {mail-protocol 3} -- UUCP Mail

ac-jnt-mail OBJECT IDENTIFIER ::= {mail-protocol 4} -- JNT Mail (UK)

ac-p1-1988-x410 OBJECT IDENTIFIER ::= {mail-protocol 5}

-- p1(1988) in X.410 mode

ac-p3-1984 OBJECT IDENTIFIER ::= {mail-protocol 6} -- p3(1984)

END

Figure 22: ASN.1 Summary

-----------------------------------------------------------------------

E Regular Expression Syntax

This appendix defines a form of regular expression for pattern

matching. This pattern matching is derived from commonly available

regular expression software including UNIX egrep(1) The matching is

modified to be case insensitive.

A regular expression (RE) specifies a set of character strings to

match against - such as "any string containing digits 5 through

9". A member of this set of strings is said to be matched by the

regular expression.

Where multiple matches are present in a line, a regular expression

matches the longest of the leftmost matching strings.

Regular expressions can be built up from the following

"single-character" RE's:

c Any ordinary character not listed below. An ordinary

character matches itself.

\ Backslash. When followed by a special character, the RE

matches the "quoted" character, cancelling the special nature

of the character.

. Dot. Matches any single character.

^ As the leftmost character, a caret (or circumflex) con-

strains the RE to match the leftmost portion of a string. A

match of this type is called an "anchored match" because it is

"anchored" to a specific place in the string. The ^ character

loses its special meaning if it appears in any position other

than the start of the RE.

$ As the rightmost character, a dollar sign constrains the RE to

match the rightmost portion of a string. The $ character

loses its special meaning if it appears in any position other

than at the end of the RE.

^RE$ The construction ^RE$ constrains the RE to match the entire

string.

[c...]

A nonempty string of characters, enclosed in square brackets

matches any single character in the string. For example,

[abcxyz] matches any single character from the set `abcxyz'.

When the first character of the string is a caret (^), then

the RE matches any charac- ter except those in the remainder

of the string. For example, `[^45678]' matches any character

except `45678'. A caret in any other position is interpreted

as an ordinary character.

[]c...]

The right square bracket does not terminate the enclosed

string if it is the first character (after an initial `^', if

any), in the bracketed string. In this position it is treated

as an ordinary character.

[l-r]

The minus sign (hyphen), between two characters, indicates a

range of consecutive ASCII characters to match. For example,

the range `[0-9]' is equivalent to the string `[0123456789]'.

Such a bracketed string of characters is known as a character

class. The `-' is treated as an ordinary character if it

occurs first (or first after an initial ^) or last in the

string.

The following rules and special characters allow for

con-structing RE's from single-character RE's:

A concatenation of RE's matches a concatenation of text

strings, each of which is a match for a successive RE in the

search pattern.

* A regular expression, followed by an asterisk (*) matches zero

or more occurrences of the regular expression. For example,

[a-z][a-z]* matches any string of one or more lower case

letters.

+ A regular expression, followed by a plus character (+) matches

one or more occurrences of the regular expression. For

example, [a-z]+ matches any string of one or more lower case

letters.

? A regular expression, followed by a question mark (?) matches

zero or one occurrences of the regular expression. For

example, ^[a-z]?[0-9]* matches a string starting with an

optional lower case letter, followed by zero or more digits.

{m}

{m,}

{m,n}

A regular expression, followed by {m}, {m,}, or {m,n} matches

a range of occurrences of the regular expression. The values

of m and n must be non-negative integers less than 256; {m}

matches exactly m occurrences; {m,} matches at least m

occurrences; {m,n} matches any number of occurrences between m

and n inclusive. Whenever a choice exists, the regular

expression matches as many occurrences as possible.

Alternation: two regular expressions separated by `' or

NEWLINE match either a match for the first or a match for the

second.

(...)

A regular expression enclosed between the character sequences

( and ) matches whatever the unadorned RE matches.

The order of precedence of operators at the same parenthesis level

is `[ ]' (character classes), then `*' `+' `?' '{m,n}' (closures),

then concatenation, then `' (alternation) and NEWLINE.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有