4.3 LAN – Local Area
Networking 
4.3.1 LAN.GEN – General LAN Protocols
| ID | Requirement |
|---|---|
| LAN.GEN.1 |
The RG MAY support SOCKS as defined in RFC 1928 [56] for non-ALG access to the public address. |
| LAN.GEN.2 |
Both NetBios and zero config naming mechanisms MAY be used to populate the DNS tables. |
| LAN.GEN.3 |
The RG MAY act as a NETBIOS master browser for that name service. |
| LAN.GEN.4 |
The RG MUST support multiple subnets being used on the local LAN. |
4.3.2 LAN.ADDRESS – Private IPv4 Addressing
| ID | Requirement |
|---|---|
| LAN.ADDRESS.1
|
The RG MUST be able to be configured to specify alternate public and private subnets (without restriction) for local device addressing. |
| LAN.ADDRESS.2
|
The RG MUST be able to be configured to specify the start and stop addresses within a subnet used for local addressing. |
| LAN.ADDRESS.3
|
The RG MUST NOT use auto IP for address assignment of its LAN-side IPv4 address. |
| LAN.ADDRESS.4
|
The RG MUST allow its assigned address and netmask to be specified through the Web GUI, Broadband Forum TR-064i2 [158] interfaces and from a Controller. |
| LAN.ADDRESS.5
|
If the RG is in bridged configuration and LAN-side configuration is enabled, the RG MUST ARP on the LAN side for the following addresses, in order, and assign itself the first one that is not taken: 192.168.1.254, 192.168.1.63, and then starting from 192.168.1.253 and descending. |
LAN.ADDRESS.6 |
The RG MUST be able to assign its own WAN IPv4 address (i.e. its public address) to a particular LAN device, concurrent with private IPv4 addressing being used for other LAN CPE. In this situation, one device on the LAN is given the same public IPv4 address (through DHCP or manual configuration of the LAN CPE IPv4 stack). Other LAN devices utilize private IPv4 addresses. The RG can then be configured as identified in LAN.PFWD.2 so that the LAN device sharing the WAN IPv4 address receives all unidentified or unsolicited port traffic to any specific LAN device. If the RG is not configured in this manner, then only inbound traffic resulting from outbound traffic from the LAN CPE would be directed to that LAN CPE. The gateway identified to the LAN device must be on the same subnet as that associated with the WAN IPv4 address. Note that the use of the WAN gateway address does not guarantee this since it need not meet this requirement. |
| LAN.ADDRESS.7
|
When operating in multiple WAN public IPv4 address mode, the RG MUST support up to 16 public IPv4 addresses being used by LAN devices (statically or dynamically issued) and whose traffic must be routed to and from the public IPv4 address associated with the LAN device. Additionally, a transparent basic NAT mapping feature MAY be supported, allowing the 16 public addresses to be mapped to a device’s private address. A user configurable option in the Web GUI MUST be provided to enable or disable the firewall on a per public IPv4 address basis. This feature must operate concurrently with other LAN usage (e.g. NAPT on the gateway’s primary IPv4 address). |
LAN.ADDRESS.8 |
When using a WAN IPv4 address assigned to a LAN device, the RG MUST be able to be configured by the user whether this LAN device can directly communicate with other devices on the local LAN without the need to traverse the broadband connection. This will only be done to the extent to which the RG can control isolation (e.g. routing and internal switch fabric). It does not extend to isolation external to the RG (e.g. external switch or router), which are beyond the control of the RG. |
4.3.3 LAN.ADDRESSv6 – LAN.ADDRESSv6- LAN
IPv6 Addressing
| ID | Requirement |
|---|---|
| LAN.ADDRESSv6.1 |
The RG MUST create a Link Local (LL) address for its LAN interface, and perform Duplicate Address Discovery (DAD), per RFC 4862 [115]. It MUST always use the same LL address, even after reboot or power failure. |
| LAN.ADDRESSv6.2 |
The RG SHOULD try alternate LL addresses, if DAD fails. The RG vendor can define the algorithm to be used in this case. |
| LAN.ADDRESSv6.3 |
The RG MUST have a ULA prefix (RFC 4193 [101]). It MUST always maintain the same prefix, even after reboot or power failure, unless this prefix is changed through configuration, in which case it MUST maintain the changed value. |
| LAN.ADDRESSv6.4 |
The RG MAY allow its ULA prefix to be changed through configuration. |
| LAN.ADDRESSv6.5 |
The RG MUST support the ability to enable or disable advertising a /64 from its ULA prefix through Router Advertisement. When enabled, this /64 will be included in RA messages, with L=1, A=1, and reasonable timer values. |
| LAN.ADDRESSv6.6 |
The RG MUST support RFC 4861 [114] section 6.2, Router specification requirements. |
| LAN.ADDRESSv6.7 |
The RG MUST support configuration of the following elements of a Router Advertisement: M and O flags (RFC 4861 [114]), route information ([100]), and default router preference (Prf) ([100]). |
| LAN.ADDRESSv6.8 |
The RG SHOULD support configuration of the following elements of a router advertisement: MTU (RFC 4861 [114]). |
| LAN.ADDRESSv6.9 |
The RG MUST advertise (in RA) a /64 prefix from all prefixes delegated via the WAN interface. This will have L=1, A=1, and lifetimes per the received (from the WAN) delegation. |
| LAN.ADDRESSv6.10 |
The RG SHOULD advertise DNS server using the RDNSS option in Router Advertisements (RFC 6106 [126]). |
4.3.4 LAN.DHCPS – DHCPv4 Server
| ID | Requirement |
|---|---|
LAN.DHCPS.1
|
The RG MUST provide application layer support for host name mapping, booting, and management including DHCPv4 and the Domain Name System (DNS) protocol. This includes support for the standards below:
|
| LAN.DHCPS.2 |
The RG MUST be a DHCPv4 server to local LAN devices, supporting all LAN devices. |
| LAN.DHCPS.3 |
The embedded DHCPv4 server function of the RG MUST be able to operate while in bridged mode. The default state should be on in bridged and routed mode. |
| LAN.DHCPS.4 |
The RG MUST support a minimum of 253 LAN devices. |
| LAN.DHCPS.5 |
The RG MUST support turning off the embedded DHCPv4 server via a configuration change via the Web GUI, TR-064i2 interfaces and from a Controller. |
LAN.DHCPS.6
|
The RG MAY incorporate auto-detection of other DHCPv4 servers on the local LAN and, if configured to do so, disable the internal DHCPv4 server functionality of the RG in this situation. In this situation, the RG would try to obtain a configuration for its LAN port through DHCPv4. If a DHCPv4 response was received, the RG would then use the information in the DHCPv4 response (e.g. IPv4 address, subnet and DNS information) and disable its internal DHCPv4 server. If implemented and a DHCPv4 response is received, this requirement takes precedence over requirement LAN.DHCPS.15. |
| LAN.DHCPS.7 |
The embedded DHCPv4 server functionality of the RG MUST verify that an address is not in use prior to making it available in a lease (e.g. via ping or ARP table validation) even when lease information shows that it is not in use. |
| LAN.DHCPS.8 |
If the RG is in a routed configuration (i.e. full NAPT router), the RG MUST use the default start address 192.168.1.64 and the default stop address 192.168.1.253 for assignment to DHCPv4 leases for local device addressing, or use an operator-specific configuration. |
| LAN.DHCPS.9 |
If the RG is in a routed configuration (i.e. full NAPT router), the RG MUST use a default netmask of 255.255.255.0 for assignment to DHCPv4 leases for local device addressing, or use an operator-specific configuration. |
LAN.DHCPS.10 |
If the RG is in a bridged configuration for LAN device traffic (i.e. NAT/NAPT is not enabled), the RG MUST support the enabling and configuration of the local RG DHCPv4 server (address range and subnet mask) remotely from a Controller. This address range may be either public or private addresses (assuming that the service provider is providing the NAT/NAPT function in the network). Note that this assumes that a separate management IP (v4 or v6) interface has been established to the RG expressly for the purpose of CWMP or USP remote management. |
| LAN.DHCPS.11
|
The default lease time for DHCPv4 information provided to LAN CPE that do not share the WAN side IPv4 address MUST be configurable. The default value MUST be 24 hours, or use an operator-specific configuration. |
| LAN.DHCPS.12
|
The default lease time for DHCPv4 information provided to LAN CPE that share the WAN side IPv4 address MUST be configurable. The default value MUST be 10 minutes, or use an operator-specific configuration. |
| LAN.DHCPS.13
|
When the domain name that the embedded DHCPv4 server passes to LAN CPE has not been set, the value “domain_not_set.invalid” SHOULD be used. |
| LAN.DHCPS.14
|
If the RG is in a routed configuration (i.e. full NAPT router) and the RG’s embedded DHCPv4 server is enabled, the RG itself MUST default to the address 192.168.1.254 (with a netmask of 255.255.255.0), or use an operator-specific configuration. |
| LAN.DHCPS.15
|
When the RG’s embedded DHCPv4 server is disabled, the RG MUST ARP for the following addresses, in order, and assign itself the first one that is not taken: 192.168.1.254, 192.168.1.63, and then starting from 192.168.1.253 and descending. |
| LAN.DHCPS.16
|
The RG MAY allow the embedded DHCPv4 server to be configured so that specific MAC addresses can be identified as being served or not served. |
| LAN.DHCPS.17
|
The RG MAY allow the embedded DHCPv4 server to be configured with a default setting (provide IPv4 addresses or not provide IPv4 addresses) for devices whose MAC addresses have not been specified in accordance with LAN.DHCPS.16. |
LAN.DHCPS.18 |
The embedded DHCPv4 server functionality of the RG SHOULD provide a mechanism by which an IPv4 address can be assigned to a particular LAN device by MAC address. The user interface to establish this association may use an alternate mechanism to identify this assignment (e.g. by selecting the device using its current IPv4 address or device name) and the MAC address may be transparent to the user. These addresses may include addresses within the default subnet or addresses from additional public/private subnets that may be provisioned. For example, the RG might have a default WAN side IPv4 address that is used for NAPT to a subset of devices and an additional set of WAN side IPv4 addresses that are bridged. The embedded DHCPv4 server might be used to assign this second set of IPv4 addresses to specific LAN CPE. |
LAN.DHCPS.19 |
The RG MUST support a single PC mode of operation. In this mode of operation only a single LAN device is supported. Note that this is not the default mode of operation. In this configured mode, all network traffic, except for configured management traffic destined for the RG itself (e.g. temporary remote access to the Web GUI) MUST be passed between the access network and the designated LAN device as if the RG was not present. One possible implementation is for the embedded DHCPv4 server to issue one and only one private address in this situation, with the start and stop addresses for the embedded DHCPv4 server being the same. The LAN devices can be assigned either a private IPv4 address (i.e. using 1:1 NAT) or the public IPv4 address of the RG (i.e. using IP pass-through as identified in requirement LAN.ADDRESS.6). The type of IPv4 address to be used (private or public) is configured through the Web GUI, TR-064i2 interfaces and from a Controller. The default is a public IPv4 address. If a WAN connection is not available when the RG is configured to use a public IPv4 address, the RG provides a private IPv4 address to the LAN device via DHCPv4. Once a WAN connection is established, the public IPv4 address provided by the broadband network is passed to the LAN device during the next DHCPv4 lease renewal. The RG acts as the default gateway to the LAN devices when private IPv4 addressing is in use. When public IPv4 addressing is in use, the gateway identified to the LAN device should be that identified in requirement LAN.ADDRESS.6 above. No other restrictions (e.g. restricted routing for other devices) need to be implemented to meet this requirement (e.g. no routing restrictions on traffic from secondary devices on the LAN). |
| LAN.DHCPS.20
|
If the RG is configured in a routed configuration (i.e. full NAPT router), the RG MUST operate by default in the multiple PC mode of operation, or use an operator-specific configuration. |
4.3.5 LAN.DHCPv6S – DHCPv6 Server
| ID | Requirement |
|---|---|
| LAN.DHCPv6S.1
|
The RG MUST support DHCPv6 server messages and behavior per RFC 3315 [84]. |
| LAN.DHCPv6S.2
|
The RG MUST support and be configurable to enable/disable address assignment using DHCPv6. |
| LAN.DHCPv6S.3
|
The RG MUST either have an algorithm or allow configuration (or both) as to which /64 prefix to use, from any received WAN prefixes or its own ULA prefix. |
| LAN.DHCPv6S.4
|
The RG SHOULD be configurable to support rules as to which host devices will be assigned addresses through DHCPv6. That is, it should be possible for a service provider to place its own host devices at the customer premises and have the RG only support DHCPv6 address assignment to those devices. Note that this does not require use of the RA “M” flag, as the service provider host devices can be configured to always use DHCPv6 for address assignment. The DUID may help to identify host devices. |
| LAN.DHCPv6S.5
|
The RG MUST be configurable to enable/disable prefix delegation via DHCPv6. |
| LAN.DHCPv6S.6
|
The RG MUST support delegation of any received WAN prefix and its own ULA prefix, that is shorter than /64, using mechanisms of RFC 3633 [90]. |
| LAN.DHCPv6S.7
|
The WAN / ULA prefixes that an RG is allowed to further delegate SHOULD be configurable. |
| LAN.DHCPv6S.8
|
The RG MUST support DHCPv6 Information_request messages. |
| LAN.DHCPv6S.9
|
The RG MUST support the following DHCPv6 options: IA_NA ([84]), IA_PD ([90]), and DNS_SERVERS ([91]). |
| LAN.DHCPv6S.10 |
The RG SHOULD support Reconfigure Accept ([84]) and pass the additional set of DHCP options received from the DHCP client on its WAN interface to IPv6 hosts. |
| LAN.DHCPv6S.11 |
The options that the RG will provide via DHCPv6 MUST be configurable. |
| LAN.DHCPv6S.12 |
If address selection policy option is requested in a DHCPv6 request from hosts, the RG SHOULD advertise the generated address selection policy (see WAN.IPv6.21). |
4.3.6 LAN.DNS – Naming Services (IPv4 and
general requirements)
| ID | Requirement |
|---|---|
| LAN.DNS.1 |
The RG MUST be capable of acting as a DNS server to LAN devices, passing its address as the DNS server back to these devices in DHCPv4 requests. |
| LAN.DNS.2 |
The RG SHOULD allow the user to specify that either network-learned or user-specified addresses be passed back to LAN devices as the DNS server(s) in DHCPv4 responses, instead of the RG’s address. |
LAN.DNS.3 |
When the RG learns DNS name server addresses from multiple WAN connections, the RG MUST follow specified DNS selection policy (if one is configured) to make recursive queries to DNS name servers, or (if there is no DNS selection policy) MUST query a server on each connection simultaneously and provide the requesting LAN client with the first returned positive result from these DNS servers. A negative response will not be transmitted to a LAN device until all WAN DNS servers have either timed out or returned a negative response to a common query. Service providers may choose not to provide DNS name server addresses on certain connections in a multiple connection configuration. |
| LAN.DNS.4 |
The RG MUST add the DNS entry “dsldevice” for its own address. |
| LAN.DNS.5 |
The RG MAY support additional DNS entries, as there could be additional types of CPE. |
| LAN.DNS.6 |
The RG MUST maintain local DNS entries for a minimum of 253 local LAN devices. This information can be obtained through auto discovery (e.g. from DHCPv4 requests, such as Client Identifier, and other protocol information). When unknown, the entry MUST be of the form “unknownxxxxxxxxxxxx” where “x” represents the MAC address of the associated LAN device. |
| LAN.DNS.7 |
The RG SHOULD provide a manual mechanism for overriding the learned names of all LAN CPE except that of the RG itself. |
| LAN.DNS.8 |
If the RG’s DNS server is implemented as a forwarding proxy, it MUST be done according to the recommendations in RFC 5625 [120]. |
4.3.7 LAN.DNSv6 – LAN.DNSv6- Naming Services
(IPv6)
| ID | Requirement |
|---|---|
| LAN.DNSv6.1 |
The RG MUST act as a DNS server for IPv6-capable LAN devices by supporting IPv6 (AAAA) records in its DNS server (per [89]) and allowing these records to be queried using either IPv4 or IPv6 transport ([93]). |
| LAN.DNSv6.2 |
The RG MUST attach all known (for the host device) globally scoped IPv6 addresses to the DNS record for a particular host device (see LAN.DNS.6), as AAAA records for that device. |
| LAN.DNSv6.3 |
The RG SHOULD support dynamic DNS (DDNS) for devices to provide their own DNS information. This would override any DNS entries the RG might have created for the IP addresses included in the DDNS request. |
| LAN.DNSv6.4 |
The RG MUST be able to query for A and AAAA records using either IPv4 or IPv6 transport to DNS recursive name servers in the WAN. |
| LAN.DNSv6.5 |
The RG SHOULD use a DNS recursive name server obtained through DHCPv6 option 23 (OPTION_DNS_SERVERS) to query for AAAA records to the WAN, as its first choice. |
| LAN.DNSv6.6 |
When the RG is proxying DNS queries for LAN devices, it SHOULD use IPv6 transport regardless of the transport mode used by the LAN device, when querying to the WAN. This is only possible if the RG has IPv6 addresses for DNS recursive name servers on the WAN. |
| LAN.DNSv6.7 |
The RG MUST support receiving at least 2 DNS recursive name server IPv6 addresses from the network through DHCPv6 option 23 (OPTION_DNS_SERVERS) ([91]). |
| LAN.DNSv6.8 |
The RG SHOULD allow the user to specify that the network-learned or user-specified DNS recursive name server addresses be passed back to the LAN devices in DHCPv6 responses instead of the RG’s address itself as the DNS recursive name server(s). |
| LAN.DNSv6.9 |
When the RG learns DNS name server addresses from multiple WAN connections, the RG SHOULD make recursive query to the DNS name server specified with DNS selection policy that is obtained through DHCPv6 (draft-ietf-mif-dns-server-selection) or manually configured DNS selection policy. |
4.3.8 LAN.NAT – LAN.NAT- NAT/NAPT
| ID | Requirement |
|---|---|
| LAN.NAT.1 |
The RG MUST support Network Address Port Translation (NAPT; also known as Port Address Translation) as defined in RFC 2663 [73], RFC 3022 [76], and RFC 3027 [77]. |
| LAN.NAT.2 |
The RG MUST support disabling NAPT. |
4.3.9 LAN.PFWD – Port Forwarding (IPv4)
| ID | Requirement |
|---|---|
LAN.PFWD.1 |
The RG MUST support port forwarding. That is, the RG MUST be able to be configured to direct traffic based on any combination of source IPv4 address, source protocol (TCP or UDP) and port (or port range) to a particular LAN device and port (or port range on that device). Individual port forwarding rules MUST be associated with a LAN device, not the IPv4 address of the LAN device, and follow the LAN device should its IPv4 address change. |
LAN.PFWD.2 |
The port forwarding mechanism MUST be able to be configured to direct all inbound unidentified or unsolicited port traffic originating from a user-selected public IPv4 address to any user selected LAN device. The LAN device may be using either a private IPv4 address or the public WAN IPv4 address as identified in requirement LAN.ADDRESS.6 and LAN.ADDRESS.7. |
| LAN.PFWD.3 |
The port forwarding mechanism of the RG SHOULD be easy to configure for common applications and user protocols (e.g. ftp, http, etc.) by specifying a protocol name or application name in a “Common Applications Names List” instead of a port number and protocol type. A partial list of applications for potential inclusion appears in Appendix I. |
| LAN.PFWD.4 |
The “Common Applications Names List” mechanism MUST be integrated with the port forwarding mechanism. |
| LAN.PFWD.5 |
The RG MUST include port forwarding configurations and “Common Applications Name Listings” for the following applications and protocols that do not function properly with NAT or NAPT: FTP client, H.323, SIP, IPsec, PPTP, MSN Messenger, AOL Instant Messenger, Yahoo Messenger and ICQ. |
| LAN.PFWD.6 |
The RG SHOULD include port forwarding configurations and “Common Applications Name Listings” for other major applications and protocols that do not function properly with NAT or NAPT. |
4.3.10 LAN.PFWDv6 – LAN.PFWDv6- Port
Forwarding (IPv6)
| ID | Requirement |
|---|---|
| LAN.PFWDv6.1
|
The RG MUST support security mechanisms described in RFC 6092 [125]. |
| LAN.PFWDv6.2
|
Individual port forwarding rules MUST be associated with a LAN device, not the IPv6 address of the LAN device, and follow the LAN device should its IPv6 address change. |
| LAN.PFWDv6.3
|
The port forwarding mechanism of the RG SHOULD be easy to configure for common applications and user protocols (e.g. ftp, http, etc.) by specifying a protocol name or application name in a “Common Applications Names List” instead of a port number and protocol type. A partial list of applications for potential inclusion appears in Appendix I. |
| LAN.PFWDv6.4
|
The RG SHOULD NOT apply RFC 6092 [125] security mechanisms to traffic associated with prefixes it has delegated to other routers inside the LAN. |
4.3.11 LAN.ALG – ALG Functions (IPv4)
| ID | Requirement |
|---|---|
LAN.ALG.1 |
The RG MUST allow for pass-through of IPv4 traffic in which the payload is compressed or encrypted (e.g. VPN traffic). This means that, as well as the RG, it must be possible that LAN CPE originate PPTP and L2TP sessions to an external network (over IPv4). |
| LAN.ALG.2 |
The RG MUST allow LAN CPE to originate IPv4 IPsec sessions to an external network. This function MUST work properly through the NAPT function of the RG. |
| LAN.ALG.3 |
This requirement is encompassed by .4 |
| LAN.ALG.4 |
The RG MUST allow multiple devices on the LAN to launch independent and simultaneous IPv4 IPsec sessions. These sessions can be to the same or separate destinations. |
| LAN.ALG.5 |
The RG MUST support LAN device UDP encapsulation of IPv4 IPsec packets as defined in RFC 3948 [97]. |
| LAN.ALG.6 |
The RG MUST support LAN device negotiation of NAT traversal with IKE as identified in RFC 3947 [96]. |
| LAN.ALG.7 |
The RG should support a minimum of 4 concurrent LAN IPv4 IPsec sessions per LAN device. These sessions can be to the same or separate destinations. |
| LAN.ALG.8 |
The RG MUST seamlessly handle RTSP traffic to LAN devices with no user intervention required. |
| LAN.ALG.9 |
The RG MUST allow the service provider to disable SIP ALG functionality. |
| LAN.ALG.10 |
The RG MUST be aware of the presence of active SIP clients on the LAN side using some rules (e.g. matching IP address, port, or protocol number through interception of SIP REGISTER messages). |
| LAN.ALG.11 |
The SIP ALG function MUST keep track of SIP events (e.g. REGISTER reply from the registrar) and maintain allocated resources within the event timeout period. |
4.3.12 LAN.FWD – Connection Forwarding
The IPv6 parts of this module apply only if the RG has an IPv6 stack.
| ID | Requirement |
|---|---|
| LAN.FWD.1 |
The RG MUST be able to route IP (v4 or v6) over Ethernet to LAN CPE. |
| LAN.FWD.2 |
PPPoE forwarding and associated operation in the RG MUST NOT fail nor operate improperly in the presence of vendor-specific PPPoE extensions that may be in use by LAN devices (i.e. the RG MUST interoperate with well known PPPoE client software). |
| LAN.FWD.3 |
The RG MUST support a minimum of eight LAN device-initiated PPPoE sessions from each LAN device being forwarded to a logical WAN connection. |
| LAN.FWD.4 |
The RG MUST be able to forward up to eight PPPoE sessions per logical WAN interface (PVC, RFC 2684 [74] connection, VLAN, etc.). |
| LAN.FWD.5 |
The RG MUST be able to forward PPPoE sessions at all times when encapsulating Ethernet over AAL5. This applies when the RG has set up zero or more PPPoE sessions and/or when the RG is also running IP over Ethernet. The default setting MUST be for this pass-through to be on. |
| LAN.FWD.6 |
The RG MUST support manually setting (via the Web GUI and TR-064i2 interfaces) an MTU to be used in negotiating MTU, overriding the default MTU. This applies to MTU negotiated in IPv4 or IPv6. |
| LAN.FWD.7 |
The RG MUST support path MTU discovery as defined in IETF RFC 1191 [50] so that a LAN device can be told what to set its MTU to for IPv4 traffic. |
| LAN.FWD.8 |
The RG MUST support accepting IP (v4 and v6) forwarding/routing information from a Controller. |
| LAN.FWD.9 |
The RG MUST maintain route table entries for all connections it maintains on the WAN (e.g. per PVC, IP (v4 and v6) and PPP sessions) and for all LAN networks (including subnets). |
LAN.FWD.10 |
The RG MUST allow for the selection of which traffic to forward over which connection (in the case of multiple PVCs, multiple PPPoE sessions, GPON Port ID, etc…) according to any one or more of the following pieces of information:
|
LAN.FWD.11 |
The RG MUST allow for the selection of which traffic to forward over which connection (in the case of multiple PVCs, multiple PPPoE sessions, etc.) according to any one or more of the following pieces of information:
|
| LAN.FWD.12 |
The RG MUST NOT bridge or route between WAN connections (i.e. WAN to WAN) except when explicitly configured to do so. |
| LAN.FWD.13 |
The RG MUST NOT forward UPnP traffic (including UPnP multicast messages) to the WAN interface. This applies to both bridged and routed style configurations. This satisfies TR-101 R-235. |
LAN.FWD.14 |
The RG SHOULD be able to restrict the routing information for each WAN connection to specific LAN devices. For example, a user might have four PCs in the home, have a WAN connection to the Internet and have a WAN connection to an employer’s network. The RG could be configured to allow all PCs access to the Internet, but only one specific PC might be allowed to send traffic over the WAN interface to the employer’s network. |
| LAN.FWD.15 |
The RG MUST support the possibility that all LAN devices concurrently access one or more WAN connections. |
| LAN.FWD.16 |
The RG SHOULD support the ability to accept IPv4 routes dynamically pushed from the WAN. This allows it to set up routing tables to support routing traffic over multiple connections (PVCs, PPPoE sessions, etc.). In particular, the RG SHOULD be configurable to accept RIP version 2 (RIP-2) messages as defined in RFC 2453 [65] to fulfill this task. |
| LAN.FWD.17 |
If RIP-2 is supported, it SHOULD be software configurable. |
| LAN.FWD.18 |
If RIP-2 is supported, by default, the RG MUST NOT transmit RIP-2 information to WAN connections. |
| LAN.FWD.19 |
If RIP-2 is supported, the RG MUST be configurable to accept triggered RIP messages, as defined in RFC 2091 [58]. |
| LAN.FWD.20 |
The RG MUST be able to bridge IPv4 or route IPv4 or IPv6 over an Ethernet session concurrently with at least one RG-originated PPPoE session on each PVC that is running bridged Ethernet over the AAL. |
| LAN.FWD.21 |
The RG SHOULD be capable of initiating at least two PPPoE sessions per PVC and forwarding the IP (v4 or v6) traffic above PPPoE to the LAN CPE. |
4.3.13 LAN.IGMP – IGMP
4.3.13.1 LAN.IGMP.BRIDGED – IGMP and
Multicast in Bridged Configurations (IPv4)
| ID | Requirement |
|---|---|
| LAN.IGMP.BRIDGED.1 |
If the RG is in a bridge type architecture and an IGMP querier is supported in the access network, the RG MUST support IGMP snooping per IP bridge to an individual LAN addressable port or interface level (each Ethernet port, USB (PC), Wi-Fi, etc.). On each interface, the RG MUST forward only the multicast groups explicitly requested by that interface. A recommended reference implementation can be found in IETF RFC 4541 [108]. |
4.3.13.2 LAN.IGMP.ROUTED – IGMP and
Multicast in Routed Configurations (IPv4)
| ID | Requirement |
|---|---|
| LAN.IGMP.ROUTED.1 |
The RG MUST support an IGMP proxy-routing function as defined in RFC 4605 [109]. This satisfies Broadband Forum TR-101 [161] R-225. |
| LAN.IGMP.ROUTED.2 |
The RG MUST support IGMPv3 as defined in IETF [85]. This satisfies TR-101 [161] R-226. |
| LAN.IGMP.ROUTED.3 |
The RG MUST support IGMP proxy-routing with local NAT and firewall features including establishing any pin-holes in the firewall for the multicast streams received (after join). This satisfies TR-101 [161] R-227. |
| LAN.IGMP.ROUTED.4 |
When the RG is configured with multiple WAN-facing IPv4 interfaces (e.g. PPP or IPoE), the IGMP proxy-routing function MUST be able to configure a filter for multicasting upstream IGMP messages to one or more interfaces. This satisfies [161] requirements R-228 and R-229. |
| LAN.IGMP.ROUTED.5 |
When the RG receives an IGMP membership query on a given WAN-facing IPv4 interface, the IGMP proxy-routing function MUST only send a corresponding membership report on this specific interface. This satisfies TR-101 [161] R-230. |
| LAN.IGMP.ROUTED.6 |
The RG SHOULD be able to classify IGMP requests according to source IPv4/MAC address or incoming LAN physical port to distinguish between multicast services (e.g. IPTV and some other best effort Internet multicast application). This satisfies TR-101 [161] R-231. |
| LAN.IGMP.ROUTED.7 |
The RG MUST have a way to suppress the flooding of multicast to all LAN devices by only sending the traffic to selected ports/interfaces, either through configuration of dedicated ports connecting to multicast hosts or IGMP proxy-routing (where the traffic is only sent to host devices that have joined the multicast group). This satisfies TR-101 [161] R-232. |
| LAN.IGMP.ROUTED.8 |
It MUST be possible to configure a WAN-facing IPv4 interface with an IPoE encapsulation and no IPv4 address visible by the access network. It MUST be possible to receive multicast traffic on such an interface, independent of whether upstream IGMP is sent on this interface or not. The RG’s IGMP proxy-routing function MUST be able to send upstream IGMP traffic on such an interface, using an unspecified (0.0.0.0/::) IPv4 source address. This satisfies TR-101 [161] requirements R-269, R-270 and R-271. |
| LAN.IGMP.ROUTED.9 |
All RG LAN ports and interfaces MUST be capable of processing IGMP messages. |
| LAN.IGMP.ROUTED.10 |
The RG SHOULD be able to allow (default) or discard IGMP join requests based on the source interface, port and host. This satisfies the requirement stated in TR-101 [161] R-233. |
| LAN.IGMP.ROUTED.11 |
The RG MUST support IGMP snooping per IPv4 bridge to an individual LAN addressable port or interface level (each Ethernet port, USB (PC), Wi-Fi, etc.). A recommended reference implementation can be found in [108]. |
| LAN.IGMP.ROUTED.12 |
The RG MUST be configurable to prevent sending IGMP messages to the WAN interfaces for specified multicast groups or ranges (such as 239.0.0.0 through 239.255.255.255 for IPv4, which are limited scope or administratively scoped addresses). |
| LAN.IGMP.ROUTED.13 |
The RG MUST default to not sending IGMP messages for IPv4 addresses 239.0.0.0 through 239.255.255.255 to the WAN interfaces. This satisfies TR-101 [161] R-235. |
LAN.IGMP.ROUTED.14 |
The RG MUST have a join and leave latency less than 20 ms. This means that when the RG receives a leave, it must stop sending the stream to that device (although it is expected to continue sending to other devices that have not left) in less than 20 ms. The RG must not wait for the results of a membership query before it stops sending the stream. Rather, it must rely on its membership database to know whether there are other devices receiving that stream. When the RG receives a join, its allocation of the overall time for starting to forward that stream must not exceed 20 ms. This latency definition handles southbound join/leave; however a definition for the northbound join/leave latency will also be useful. Also, the northbound as well as southbound latency definition involves a tradeoff between multicast system dynamics (lower latency -> higher dynamics) and bandwidth efficiency (low latency -> better bandwidth efficiency). A statistical analysis will be helpful, based on empirical TV channel switching dynamics, when available. |
| LAN.IGMP.ROUTED.15 |
The RG MUST support IGMP immediate leave (also known as fast leave) with explicit host tracking. This satisfies TR-101 [161] R-234. |
| LAN.IGMP.ROUTED.16 |
The RG MUST support a minimum of 32 multicast groups. |
| LAN.IGMP.ROUTED.17 |
The RG SHOULD support a minimum of 64 multicast groups. |
| LAN.IGMP.ROUTED.18 |
The RG MUST be configurable to log (on demand) all IGMP messages on both the LAN and WAN interfaces. |
| LAN.IGMP.ROUTED.19 |
The RG MUST be able to provide a summary of the current state of IGMP group memberships as managed by the RG (e.g. multicast groups and LAN devices currently associated with each multicast group). |
| LAN.IGMP.ROUTED.20 |
The RG MUST be able to provide a summary of IGMP activity over specific time periods (e.g. previous hour, previous day, since reboot, etc.), per multicast stream and per LAN device. |
| LAN.IGMP.ROUTED.21 |
The RG MUST be able to report IGMP statistics and logs through the Web GUI, TR-064i2 interfaces and to a Controller. |
| LAN.IGMP.ROUTED.22 |
The RG MUST be capable of supporting LAN to LAN multicast between devices on a shared medium, and between devices on separate switched LAN interfaces. |
| LAN.IGMP.ROUTED.23 |
The RG MUST be configurable as to how many simultaneous multicast streams are allowed from WAN to LAN. |
4.3.14 LAN.MLD – Multicast Listener Discovery
(MLD)
4.3.14.1 LAN.MLD.ROUTED – MLD and
Multicast in Routed Configurations (IPv6)
| ID | Requirement |
|---|---|
| LAN.MLD.ROUTED.1 |
The RG MUST support MLDv2 as defined in RFC 3810 [92]. |
| LAN.MLD.ROUTED.2 |
The RG MUST support functionality as described for IGMP in requirements LAN.IGMP.ROUTED. 1, 3-5, 7, 9, 11, 14-16, 18-23 |
| LAN.MLD.ROUTED.3 |
The RG SHOULD support functionality as described for IGMP in requirements LAN.IGMP.ROUTED. 6, 10, 17 |
| LAN.MLD.ROUTED.4 |
The RG MUST be configurable to prevent sending MLD messages to the WAN interfaces for specified multicast addresses or scopes. |
| LAN.MLD.ROUTED.5 |
The RG MUST default to not sending MLD messages for scope of 0 through 8. |
4.3.15 LAN.FW – Firewall (Basic)
This module applies to IPv6 as well as IPv4, but only if the RG has an IPv6 stack
| ID | Requirement |
|---|---|
| LAN.FW.1 |
The RG MUST drop or deny IPv4 access requests from WAN side connections to LAN side devices and to the RG itself except in direct response to outgoing traffic or as explicitly permitted through configuration of the RG (e.g. for port forwarding or management). |
| LAN.FW.2 |
The RG MUST support a separate firewall log to maintain records of transactions according to firewall rules. |
| LAN.FW.3 |
The firewall log file MUST be able to hold at least the last 100 entries or 10 Kbytes of text. |
| LAN.FW.4 |
Firewall log entries SHOULD NOT be cleared except when the RG is reset to its factory default settings. |
| LAN.FW.5 |
The RG MUST timestamp each firewall log entry. |
| LAN.FW.6 |
The RG MUST support the definition of IPv6 firewall rules separate from IPv4. |
4.3.15.1 LAN.FW.SPI – Firewall (Advanced)
This module applies to IPv6 as well as IPv4, but only if the RG has an IPv6 stack.
| ID | Requirement |
|---|---|
| LAN.FW.SPI.1
|
The RG MUST support a more robust firewall, such as one that provides a full OSI 7 layer stack stateful packet inspection and packet filtering function. |
LAN.FW.SPI.2 |
The RG SHOULD provide protection for the following:
The extent of this protection will be limited when the RG is configured as a bridge in which only PPPoE traffic is bridged. This protection MUST be available when the RG terminates IP (v4 or v6) or bridges IPv4. |
| LAN.FW.SPI.3
|
Each type of attack for which protection is provided SHOULD be configurable on the RG and be on by default. |
| LAN.FW.SPI.4
|
The RG MUST support passing and blocking of traffic by user-defined and TR-181 configurable rules. |
| LAN.FW.SPI.5
|
The RG MUST support setting firewall rules by an Controller that cannot be altered by the user. If firewall rules are set via security policies in TR-181i2 profiles, or via other mechanisms such as Controller file download, the rules MUST NOT be able to be overridden by user firewall rules. |
| LAN.FW.SPI.6
|
The RG MUST support the user temporarily disabling specific user-defined rules or all user defined rules, that is, without deleting the rules. |
LAN.FW.SPI.7 |
The RG MUST support the user specifying the order in which firewall rules are processed. Note: not all firewall rules need be included under the scope of this requirement. |
LAN.FW.SPI.8 |
The RG SHOULD support specification of any of the following in a firewall rule:
|
| LAN.FW.SPI.9
|
The RG MAY support filtering based on other fields unique to specific protocols. |
LAN.FW.SPI.10 |
The RG SHOULD support firewall rules that support generic pattern matching against the header or data payload of traffic. Logically this can be envisioned as:
where condition is (relationship, data) such as:
|
| LAN.FW.SPI.11
|
The RG SHOULD support a set of predefined rules to which the user can set or reset the firewall settings. |
| LAN.FW.SPI.12
|
If a set of predefined rules has been set on the RG, the RG rule set SHOULD be able to be used as the basis for a user maintained set of firewall rules. |
LAN.FW.SPI.13 |
In addition to blocking or passing traffic identified by a firewall filter, the RG MUST support other actions as well, including but not limited to:
|
| LAN.FW.SPI.14
|
The RG MUST allow for configuration of global firewall values. |
| LAN.FW.SPI.15
|
The RG firewall SHOULD be either ICSA certified (www.icsalabs.com) or be able to display all the attributes necessary for ICSA certification for the current version of either the Residential category or the Small/Medium Business (SMB) category. |
| LAN.FW.SPI.16
|
Unless configured otherwise, DOS, port blocking and stateful packet inspection MUST be provided to all LAN devices receiving traffic from the WAN interface. |
4.3.16 LAN.FILTER – Filtering
4.3.16.1 LAN.FILTER.TIME – Time of Day
Filtering
| ID | Requirement |
|---|---|
| LAN.FILTER.TIME.1 |
The RG MAY support filtering based on time of day on a per LAN device basis. |
4.3.16.2 LAN.FILTER.CONTENT –
Content Filtering
| ID | Requirement |
|---|---|
| LAN.FILTER.CONTENT.1 |
The RG MAY support filtering based on web content or URL string screening techniques on a per LAN device basis. |
4.3.17 LAN.DIAGNOSTICS – Automated User
Diagnostics
| ID | Requirement |
|---|---|
LAN.DIAGNOSTICS.1 |
If the RG is on the same subnet as any LAN device, when network connectivity problems occur, the RG MUST provide a mechanism that intercepts web browser pages (i.e. port 80 web page requests) and responds to these by directing the web browser to appropriate internal web pages to identify and resolve network connectivity problems including but not limited to:
|
4.3.18 LAN.CAPTIVE – Captive Portal with
Web Redirection
This module applies to IPv6 as well as IPv4, but only if the RG has an IPv6 stack.
| ID | Requirement |
|---|---|
LAN.CAPTIVE.1 |
The RG MUST support a redirect function, which, when enabled, intercepts WAN destination IP (v4 or v6) HTTP requests and responds to these by substituting a specified URL in place of the web page request. The URL, as well as a list of locations for which this redirect would be bypassed (i.e. white list), MUST be settable from a Controller. The actual captive portal to be redirected to may be established at the time the white list is defined or the white list may be defined first and the captive portal specified at a later time. |
| LAN.CAPTIVE.2
|
The redirection function and associated fields MUST NOT be modifiable by the subscriber. |
| LAN.CAPTIVE.3
|
The RG MUST support turning on and off the redirect function when the captive portal URL field is populated and cleared respectively by the Controller. |
| LAN.CAPTIVE.4
|
All port 80 traffic, excluding that associated with the white list, MUST be redirected when the redirect function is turned on in the RG. |
| LAN.CAPTIVE.5
|
To specify the captive portal, the RG must accept an IPv4 or IPv6 address or a URL whose length does not exceed 2000 characters. |
| LAN.CAPTIVE.6
|
The redirect white list MUST support 512 separate list entries, each of which can be an individual IP (v4 or v6) address, a range of IPv4 addresses, an IPv6 prefix, or any combination thereof. For a range of IPv4 addresses a subnet mask is required. |
LAN.CAPTIVE.7 |
Variable length subnet masking (VLSM) MUST be supported in the redirect white list. For example:
|
| LAN.CAPTIVE.8
|
The RG MUST support only one set of captive portal and redirect settings at a time. If new settings are needed, the Controller will overwrite existing values within the RG. |
| LAN.CAPTIVE.9
|
A valid set of redirect settings MUST be enabled in an RG within five seconds of the redirect URL being sent from the Controller. |
| LAN.CAPTIVE.10 |
The redirect function MUST be disabled on the RG within five seconds of the captive portal string being cleared in a RG by an empty redirect URL being sent from the Controller. |
| LAN.CAPTIVE.11 |
Incremental packet delay through the RG due to white list lookup MUST NOT exceed 5 ms. |
4.3.19 LAN.QoS – LAN quality of service
requirements
| ID | Requirement |
|---|---|
LAN.QoS.1 |
The RG MUST support classification of LAN directed WAN traffic and placement into appropriate queues (or discard) based on any one or more of the following pieces of information:
In an ATM based access network:
Where Ethernet is present on the access link:
|
LAN.QoS.2 |
The RG SHOULD support classification of LAN directed WAN traffic and placement into appropriate queues (or discard) based on any one or more of the following pieces of information:
|
LAN.QoS.3 |
The RG MUST support classification of LAN directed traffic and placement into appropriate queues (or discard) based on any one or more of the following pieces of information:
|
| LAN.QoS.4 |
The RG SHOULD support classification of LAN directed traffic and placement into appropriate queues (or discard) based on any one or more of the pieces of information defined in WAN.QoS. 1, WAN.QoS. 2, WAN.QoS. 22 and WAN.QoS. 23. |
| LAN.QoS.5 |
The RG MUST support classification of LAN directed internally generated traffic and placement into appropriate queues based on any one or more of information defined in WAN.QoS. 20 and WAN.QoS. 21. |
| LAN.QoS.6 |
The RG MUST be able to mark or remark the Diffserv codepoint of traffic identified based on any of the classifiers supported by the RG. |
| LAN.QoS.7 |
The RG MUST support a minimum of four downstream queues per LAN port. |
| LAN.QoS.8 |
The RG MUST duplicate the set of queues for each LAN egress port. This can be done logically or physically. |
LAN.QoS.9 |
The RG SHOULD be able to configure each queue for strict priority or weighted round robin scheduling. Strict priority queues are served with priority over all other queues. WRR queues are served on the basis of configurable weights. |
| LAN.QoS.10 |
The RG MUST provide counters in terms of dropped and emitted packets/bytes for each queue. Statistics SHOULD be collected from the time of last counter reset or on a configurable sample interval. |
| LAN.QoS.11 |
The RG MUST provide information about queue occupancy in terms of packets and peak percentage. Statistics SHOULD be collected from the time of last counter reset or on a configurable sample interval. |
| LAN.QoS.12 |
The RG SHOULD be able to monitor the physical layer rate of the LAN interfaces, maintaining information about the current available bandwidth and measurement history. |
4.3.20 LAN.SIPserver – SIP Server
| ID | Requirement |
|---|---|
| LAN.SIPserver.1 |
The RG MUST support the SIP registrar server function ([83]), accept register requests and respond to them with success or failure indication. |
| LAN.SIPserver.2 |
The RG MUST support the SIP registrar server function ([83]), and place the information it receives in register requests into the location service for the domain it handles. |
| LAN.SIPserver.3 |
The RG MUST support the SIP redirect server function ([83]), receive SIP requests and respond with 3xx (redirection) responses, directing the SIP client to contact an alternate set of SIP addresses. |
| LAN.SIPserver.4 |
The RG MUST support the SIP proxy server function ([83]), acting as a proxy for the SIP client to route SIP requests in the direction of the corresponding proxy server, and acting in place of a server to route SIP responses toward the SIP client. |
| LAN.SIPserver.5 |
Acting as proxy, the RG MUST consistently operate in either a stateful or stateless mode for each new SIP request. |
4.3.21 LAN.SIPmixer – SIP Mixer
| ID | Requirement |
|---|---|
| LAN.SIPmixer.1 |
The RG MUST support the SIP mixer function ([87]) to mix incoming multiple streams to adapt to the participant’s network condition. |
| LAN.SIPmixer.2 |
The RG MUST have the capability to change the encoding format of incoming multiple streams. |
| LAN.SIPmixer.3 |
The RG MUST terminate any RTCP messages sent to (or received from) clients, but generate its own RTCP messages and send them to (or send them out on behalf of) clients. |
4.3.22 LAN.Interworking – 3GPP
Interworking
4.3.22.1
LAN.Interworking.UE-Authentication – 3GPP User Equipment Authentication
Support
| ID | Requirement |
|---|---|
| LAN.Interworking.UE-Authentication.1
|
The RG MUST be able to act as an 802.1X authenticator using a RADIUS client (as defined in RFC 3579 [88]). connected to a fixed access AAA server. |
| LAN.Interworking.UE-Authentication.2
|
The RG MUST support proxying EAP-AKA/EAP-AKA’ messages over RADIUS, using an internal RADIUS client. |
| LAN.Interworking.UE-Authentication.3
|
The RG MUST be able to receive policies from the AAA server during User Equipment authentication and during an ongoing session using RADIUS CoA as per RFC 5176 [118]. |
| LAN.Interworking.UE-Authentication.4
|
The RG MUST be able to have pre-configured policies to handle User Equipment traffic or to download such policies via RADIUS from the AAA server during authentication or by using RADIUS CoA. |