RFC 4656 One-way Active Measurement Protocol





3. OWAMP-Control

   The type of each OWAMP-Control message can be found after reading the

   first 16 octets.  The length of each OWAMP-Control message can be

   computed upon reading its fixed-size part.  No message is shorter

   than 16 octets.




   An implementation SHOULD expunge unused state to prevent denial-of-

   service attacks, or unbounded memory usage, on the server.  For

   example, if the full control message is not received within some

   number of minutes after it is expected, the TCP connection associated

   with the OWAMP-Control session SHOULD be dropped.  In absence of

   other considerations, 30 minutes seems like a reasonable upper bound.




3.1.  Connection Setup


   Before either a Control-Client or a Fetch-Client can issue commands

   to a Server, it has to establish a connection to the server.


   First, a client opens a TCP connection to the server on a well-known

   port 861.  The server responds with a server greeting:



      0                   1                   2                   3


      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1


     |                                                               |

     |                      Unused (12 octets)                       |

     |                                                               |


     |                            Modes                              |


     |                                                               |

     |                     Challenge (16 octets)                     |

     |                                                               |

     |                                                               |


     |                                                               |

     |                        Salt (16 octets)                       |

     |                                                               |

     |                                                               |


     |                        Count (4 octets)                       |


     |                                                               |

     |                        MBZ (12 octets)                        |

     |                                                               |




   The following Mode values are meaningful: 1 for unauthenticated, 2

   for authenticated, and 4 for encrypted.  The value of the Modes field

   sent by the server is the bit-wise OR of the mode values that it is

   willing to support during this session.  Thus, the last three bits of

   the Modes 32-bit value are used.  The first 29 bits MUST be zero.  A

   client MUST ignore the values in the first 29 bits of the Modes

   value.  (This way, the bits are available for future protocol

   extensions.  This is the only intended extension mechanism.)






   Challenge is a random sequence of octets generated by the server; it
   is used subsequently by the client to prove possession of a shared
   secret in a manner prescribed below.

   Salt and Count are parameters used in deriving a key from a shared
   secret as described below.
   通过Shared secret可以派生一个关键值,Salt和Count就是用于派生该关键值的参数。

   Salt MUST be generated pseudo-randomly (independently of anything
   else in this document).

   Count MUST be a power of 2.  Count MUST be at least 1024.  Count
   SHOULD be increased as more computing power becomes common.
   Count必须是某个数的2次方。Count值必须至少是1024。Count值的 增大越来

   If the Modes value is zero, the server does not wish to communicate
   with the client and MAY close the connection immediately.  The client
   SHOULD close the connection if it receives a greeting with Modes
   equal to zero.  The client MAY close the connection if the client's
   desired mode is unavailable.
   如果Modes的值是零,那么就表示Server不希望与Client通信,并且 可能会立即
   关闭与Client的连接。如果Client在收到的greeting消息中 的Modes的值是零,
   那么就应该由Client关闭与Server的连接。如果 Client所需的Mode是无效的,那
   么Client可能会关闭与Server的连接 。

   Otherwise, the client MUST respond with the following Set-Up-Response
      0                   1                   2                   3 
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+-+ 
     |                             Mode                              | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+-+ 
     |                                                               | 
     .                                                               . 
     .                       KeyID (80 octets)                       . 
     .                                                               . 
     |                                                               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+-+ 
     |                                                               | 
     .                                                               . 
     .                       Token (64 octets)                       . 
     .                                                               . 
     |                                                               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+-+ 
     |                                                               | 
     .                                                               . 
     .                     Client-IV (16 octets)                     . 
     .                                                               . 
     |                                                               | 
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+-+

   Here Mode is the mode that the client chooses to use during this
   OWAMP-Control session.  It will also be used for all OWAMP-Test
   sessions started under control of this OWAMP-Control session.  In
   Mode, one or zero bits MUST be set within last three bits.  If it is
   one bit that is set within the last three bits, this bit MUST
   indicate a mode that the server agreed to use (i.e., the same bit
   MUST have been set by the server in the server greeting).  The first
   29 bits of Mode MUST be zero.  A server MUST ignore the values of the
   first 29 bits.  If zero Mode bits are set by the client, the client
   indicates that it will not continue with the session; in this case,
   the client and the server SHOULD close the TCP connection associated
   with the OWAMP-Control session.
   在Client回应的消息中,Mode的内容是Client在同一次OWAMP- Control会话期间

   In unauthenticated mode, KeyID, Token, and Client-IV are unused.
   Otherwise, KeyID is a UTF-8 string, up to 80 octets in length (if the
   string is shorter, it is padded with zero octets), that tells the
   server which shared secret the client wishes to use to authenticate
   or encrypt, while Token is the concatenation of a 16-octet challenge,
   a 16-octet AES Session-key used for encryption, and a 32-octet HMAC-
   SHA1 Session-key used for authentication.  The token itself is
   encrypted using the AES (Advanced Encryption Standard) [AES] in
   Cipher Block Chaining (CBC). Encryption MUST be performed using an
   Initialization Vector (IV) of zero and a key derived from the shared
   secret associated with KeyID.  (Both the server and the client use
   the same mappings from KeyIDs to shared secrets.  The server, being
   prepared to conduct sessions with more than one client, uses KeyIDs
   to choose the appropriate secret key; a client would typically have
   different secret keys for different servers.  The situation is
   analogous to that with passwords.)
   在不鉴权模式中, KeyID 、 Token 和 Client-IV 字段是不用到的。如果用到了就表明
   Client告诉Server期望是鉴权模式,Client通过使用Shared secret进行鉴权或者加密。
   于加密的16字节的AES Session-key以及用于鉴权的32位的HMAC-SHA1 Session-key。
   Token内容本身,即上述的3种串接的密码块(Cipher Block Chaining)是用AES
   (Advanced Encryption Standard)加密过的。加密时要用到2样参数,一个是全是零的
   初始化向量(Initialization Vector)和一个Key,key是从与KeyID关联的shared secret
   派生来的。(Server和Client用的是同一个从KeyIDs到shared secrets的映射。Server
   为准备执行与多个Client之间的会话,通过用KeyIDs来选择合适对应的Secret key。一个
   Client通常为不同的Server持有不同的Secret key。此情形与用密码的相似)。

   The shared secret is a passphrase; it MUST not contain newlines.  The
   secret key is derived from the passphrase using a password-based key
   derivation function PBKDF2 (PKCS #5) [RFC2898].  The PBKDF2 function
   requires several parameters: the PRF is HMAC-SHA1 [RFC2104]; the salt
   and count are as transmitted by the server.
   可以把Shared secret看成一种口令,口令中一定不能包含换行符。Secret key是用
   一种通过基于密钥的派生算法(PBKDF2——PKCS #5 [RFC2898])产生的。PBKDF2
   算法需要这样一些参数:the PRF is HMAC-SHA1 [RFC2104]; 以及从Server端传递的salt和count。

   AES Session-key, HMAC Session-key and Client-IV are generated
   randomly by the client.  AES Session-key and HMAC Session-key MUST be
   generated with sufficient entropy not to reduce the security of the
   underlying cipher [RFC4086].  Client-IV merely needs to be unique
   (i.e., it MUST never be repeated for different sessions using the
   same secret key; a simple way to achieve that without the use of
   cumbersome state is to generate the Client-IV values using a
   cryptographically secure pseudo-random number source:  if this is
   done, the first repetition is unlikely to occur before 2^64 sessions
   with the same secret key are conducted).
   AES Session-key, HMAC Session-key and Client-IV的值是Client随机产生的。
   AES Session-key and HMAC Session-key的产生是通过充分无序排列来避免降
   Secret key的不同的会话中,Client-IV一定不能重复;若想省去上述繁琐的步骤达到
   这样做,对于同一个Secret key在执行完2^64个会话之前是不会发生出现重复的Client-IV)

   The server MUST respond with the following Server-Start message:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     |                                                               |
     |                         MBZ (15 octets)                       |
     |                                                               |
     |                                               +-+-+-+-+-+-+-+-+
     |                                               |   Accept      |
     |                                                               |
     |                     Server-IV (16 octets)                     |
     |                                                               |
     |                                                               |
     |                     Start-Time (Timestamp)                    |
     |                                                               |
     |                         MBZ (8 octets)                        |
     |                                                               |

   The MBZ parts MUST be zero.  The client MUST ignore their value.  MBZ
   (MUST be zero) fields here and after have the same semantics: the
   party that sends the message MUST set the field so that all bits are
   equal to zero; the party that interprets the message MUST ignore the
   value.  (This way, the field could be used for future extensions.)

   Server-IV is generated randomly by the server.  In unauthenticated
   mode, Server-IV is unused.

   The Accept field indicates the server's willingness to continue
   communication.  A zero value in the Accept field means that the
   server accepts the authentication and is willing to conduct further
   transactions.  Non-zero values indicate that the server does not
   accept the authentication or, for some other reason, is not willing
   to conduct further transactions in this OWAMP-Control session.  The
   full list of available Accept values is described in Section 3.3,
   "Values of the Accept Field".

   If a negative (non-zero) response is sent, the server MAY (and the
   client SHOULD) close the connection after this message.

   Start-Time is a timestamp representing the time when the current
   instantiation of the server started operating.  (For example, in a
   multi-user general purpose operating system, it could be the time
   when the server process was started.)  If Accept is non-zero, Start-
   Time SHOULD be set so that all of its bits are zeros.  In
   authenticated and encrypted modes, Start-Time is encrypted as
   described in Section 3.4, "OWAMP-Control Commands", unless Accept is
   non-zero.  (Authenticated and encrypted mode cannot be entered unless
   the control connection can be initialized.)
   “OWAMP-Control Commands”所描述的方式加密,除非Accept字段是非0。

   Timestamp format is described in Section 4.1.2.  The same
   instantiation of the server SHOULD report the same exact Start-Time
   value to each client in each session.

   The previous transactions constitute connection setup.

3.2.  Integrity Protection (HMAC)

   Authentication of each message (also referred to as a command in this
   document) in OWAMP-Control is accomplished by adding an HMAC to it.
   The HMAC that OWAMP uses is HMAC-SHA1 truncated to 128 bits.  Thus,
   all HMAC fields are 16 octets.  An HMAC needs a key.  The HMAC
   Session-key is communicated along with the AES Session-key during
   OWAMP-Control connection setup.  The HMAC Session-key SHOULD be
   derived independently of the AES Session-key (an implementation, of
   course, MAY use the same mechanism to generate the random bits for
   both keys).  Each HMAC sent covers everything sent in a given
   direction between the previous HMAC (but not including it) and up to
   the beginning of the new HMAC.  This way, once encryption is set up,
   each bit of the OWAMP-Control connection is authenticated by an HMAC
   exactly once.
   在OWAMP-Control连接设置期间,HMAC Session-key与AES Session-key有关联。
   HMAC Session-key的派生应该独立于AES Session-key。(实现过程可能会用同样的机制为

   When encrypting, authentication happens before encryption, so HMAC
   blocks are encrypted along with the rest of the stream.  When
   decrypting, the order, of course, is reversed: first one decrypts,
   then one checks the HMAC, then one proceeds to use the data.

   The HMAC MUST be checked as early as possible to avoid using and
   propagating corrupt data.

   In open mode, the HMAC fields are unused and have the same semantics
   as MBZ fields.
   在Open Mode下,HMAC字段与MBZ字段一样都设置成零,且不用到的。






