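Translation of client-side atmospheric pressure requirements (Chinese-English parallel text)
User-side equipment shall operate normally under atmospheric pressure of 86-106 kPa.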
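15. Software system
The software system must be stable. Linux 2.6 is the recommended operating system for the open part of the software, and the functional software shall have a clearly layered structure;
The software modules of the home gateway are all built on the corresponding open standards (IEEE, IETF RFCs, ITU) or industry specifications (DSL/ATM Forum, UPnP Forum).
The recommended development environment of the home gateway must be open to China Unicom, in order to support the future development and compilation of China Unicom middleware software.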
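16. Security requirements
16.1. User-side interface security
16.1.1. Security of network access
The home gateway shall provide access control, packet filtering, attack protection and port-scan protection capabilities, and shall provide a local network log. The specific requirements are as follows:
Must support DMZ;
Must support access control based on MAC address (including LAN and WLAN);
Must support access control based on IP address and IP address range;
Must support URL-based control;
Access control is provided in the form of blacklists and whitelists; the blacklist and the whitelist cannot be enabled at the same time, and up to 100 records must be supported;
Must support IP-layer protocol packet filtering; application-layer packet filtering is recommended; SPI (Stateful Packet Inspection) is recommended;
Must have a certain capability to defend against DoS attacks and be able to prevent attacks such as LAND, SYN Flooding, ICMP Redirection, Smurf and Winnuke;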
China Unicom Home Gateway Technical Specification Volume: Femto Home Gateway
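Must provide port-scan protection;
Must provide protection against illegal-packet attacks;
Must support logging, with the capacity to store 500 log entries locally.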
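16.1.2. User-side WLAN access security
The home gateway supports the following wireless security protocols and functions. The specific requirements are as follows:
1. Must support configuring different SSIDs to distinguish networks, and support enabling/disabling SSID broadcast; this function is enabled by default. When the device leaves the factory, SSID-1 shall be randomly generated by the manufacturer and marked on the home gateway casing; after the device is restored to factory settings, SSID-1 shall revert to the SSID marked on the casing. The SSID can be set to hidden.
2. Must support two link-layer authentication methods, Open System and Shared Key; by default the home gateway requires no configuration and automatically adapts to the authentication method of the STA.
3. Must support 64-bit and 128-bit WEP encryption; the key can be entered as HEX or ASCII characters.
4. Must support WPA-PSK and WPA2-PSK, and must support AES and TKIP encryption; WPA-PSK is enabled by default. When the device leaves the factory, the key for SSID-1 shall be randomly generated by the manufacturer and marked on the home gateway casing; after the device is restored to factory settings, the key shall revert to the key marked on the casing.
5. If the user connects using the WPS Push Button method, the encryption algorithm and key are negotiated according to the WPS specification; otherwise wireless access is provided to the user in the traditional way.
6. The WPS function does not need to be enabled or configured on the WEB page; it is enabled by default.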
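16.2. Login security
16.2.1. User-side login security
(1) Basic requirements for user-side login security
The user side of the home gateway provides two accounts with different privileges: an administrator account and a user account. A user must log in with a user name and password before configuring or managing the home gateway device.
Each account allows only one user to be logged in at a time; two users are prohibited from logging in simultaneously;
If there is no operation within 5 minutes after a user logs in, the home gateway automatically disconnects;
After 3 consecutive incorrect entries of the user name and password, the connection is automatically disconnected, and the user name and password can only be entered again for verification after 1 minute;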
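For each privilege level only one set of account credentials is in effect; the privileges of an account must not change because its password is modified.
(2) Administrator account
The administrator account can configure all parameters of the home gateway.
In the following scenario, the administrator account password must be changed through the ACS:
When the home gateway connects to the ACS for the first time, the ACS issues a random password.
(3) Home gateway user account
The user account is used to view basic information about the current system operation and can configure some parameters.
Functions and applications available when logging in to the local WEB interface with the user account:
Some parameters can be set;
The user name and password of the user account can be changed;
Ways to change the user name and password of the home gateway user account:
Forced change by logging in to the local WEB interface with the administrator account;
Logging in to the local WEB interface with the user account and changing them after the original user name and password are verified.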
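16.2.2. Femto authentication
The Femto base station shall support EAP-AKA/SIM for device authentication; the authentication data is stored in the Femto HLR (see note 7).
The authentication key of the Femto base station is controlled by the operator.
16.2.3. Admission authentication of Femto mobile terminal users
Open mode: no admission authentication process is required; any UE can use Femto resources;
Close mode: only authorized users can use Femto resources; the Femto system determines through an admission decision whether the user is entitled to use the Femto resource; if admission control is passed, access is allowed, otherwise it is refused. When a user initiates an emergency call, even an unauthorized user can use Femto resources.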
14.12. Atmospheric pressure requirements
Customer premises equipment (CPE) shall operate normally at an atmospheric pressure of 86-106 kPa.
15. Software system
The software system shall be stable. Linux 2.6 is the recommended operating system for the open part of the software, and the functional software shall have a clearly layered structure;
The software modules of the home gateway are built on the corresponding open standards (IEEE, IETF RFCs, ITU) or industry specifications (DSL/ATM Forum, UPnP Forum). The recommended development environment of the home gateway shall be open to China Unicom, in order to support the future development and compilation of China Unicom middleware software.
16. Security requirements
16.1. User-side interface security
16.1.1. Security of network access
The home gateway shall provide access control, packet filtering, attack defence and port-scan defence capabilities, and shall provide a local network log. The detailed requirements are as follows:
Support DMZ;
Support access control based on MAC address (including LAN and WLAN); support access control based on IP address and IP address range; support URL-based control;
Access control shall be provided in the form of a blacklist and a whitelist, which cannot be enabled at the same time, and shall support up to 100 records; IP-layer protocol packet filtering is required; application-layer packet filtering is recommended; SPI (Stateful Packet Inspection) is recommended;
Possess a certain DoS defence capability and prevent attacks such as LAND, SYN Flooding, ICMP Redirection, Smurf and Winnuke;
Provide port-scan defence;
Provide defence against illegal packets; support logging, with the capacity to store 500 log entries locally.
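The list-based access control required in 16.1.1 can be modelled as below. This is an added example, not code from the specification or from any gateway vendor; the class and method names are hypothetical, only IPv4 is handled, and the 100-record limit is assumed to be shared by MAC and IP entries of the active list.

```python
import ipaddress

MAX_RECORDS = 100  # record limit stated in the requirement


class AccessControl:
    """One list type is active at a time: 'black' denies matches,
    'white' allows only matches (hypothetical model, IPv4 only)."""

    def __init__(self, mode):
        if mode not in ("black", "white"):
            raise ValueError("mode must be 'black' or 'white'")
        self.mode = mode      # a single mode field rules out enabling both lists
        self.macs = set()
        self.ranges = []      # (first_ip, last_ip), both inclusive

    def _count(self):
        return len(self.macs) + len(self.ranges)

    @staticmethod
    def _norm(mac):
        return mac.lower().replace("-", ":")

    def add_mac(self, mac):
        mac = self._norm(mac)
        if mac not in self.macs and self._count() >= MAX_RECORDS:
            raise OverflowError("list is full (100 records)")
        self.macs.add(mac)

    def add_ip_range(self, first, last=None):
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last or first)   # single address = range of one
        if lo > hi:
            raise ValueError("range start is after range end")
        if self._count() >= MAX_RECORDS:
            raise OverflowError("list is full (100 records)")
        self.ranges.append((lo, hi))

    def permits(self, mac, ip):
        addr = ipaddress.IPv4Address(ip)
        listed = self._norm(mac) in self.macs or any(
            lo <= addr <= hi for lo, hi in self.ranges)
        # blacklist: listed hosts are denied; whitelist: only listed hosts pass
        return not listed if self.mode == "black" else listed
```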
16.1.2. Security of user-side WLAN access
The home gateway supports the following wireless security protocols and functions; the detailed requirements are as follows:
1. Support configuring different SSIDs in order to distinguish networks; support enabling/disabling SSID broadcast; this function is enabled by default. When the equipment leaves the factory, the manufacturer shall generate SSID-1 at random and mark it on the outer cover of the home gateway; SSID-1 shall revert to the SSID marked on the outer cover after the equipment is restored to factory settings. The SSID can be set to hidden.
2. Support two link-layer authentication methods, Open System and Shared Key; by default the home gateway requires no configuration and automatically adapts to the authentication method of the STA.
3. Support 64-bit and 128-bit WEP encryption; the key can be entered as HEX or ASCII characters.
4. Support WPA-PSK and WPA2-PSK; support AES and TKIP encryption; WPA-PSK is enabled by default. The manufacturer shall generate the key for SSID-1 at random and mark it on the outer cover of the home gateway; the key shall revert to the key marked on the outer cover after the equipment is restored to factory settings.
5. If users connect using WPS Push Button, the encryption algorithm and key are negotiated according to the WPS specification; otherwise wireless access is provided to the user in the traditional way.
6. The WPS function does not need to be enabled or configured in the WEB page; it is enabled by default.
16.2. Login security
16.2.1. User-side login security
(1) Basic requirements for user-side login security
The user side of the home gateway provides two accounts with different privileges: an administrator account and a user account. Users must log in with a user name and password in order to configure or manage the home gateway equipment. Each account permits only one user to be logged in at a time; two users are prohibited from logging in at the same time;
The home gateway shall automatically disconnect if no operation occurs within 5 minutes after a user logs in;
If an incorrect user name and password are entered 3 times in a row, the home gateway shall automatically disconnect, and the user name and password may be entered for verification again only after 1 minute;
For each privilege level only one set of account credentials is in effect; the privileges of an account shall not change when its password is changed.
(2) Administrator account
Administrator account: can configure all parameters of the home gateway. In the following situation, the administrator account password must be changed through the ACS: when the home gateway connects to the ACS for the first time, the ACS shall issue a random password.
(3) Home gateway user account
The user account is used for viewing basic information about the current system operation and can configure some parameters. Functions and applications available when logging in to the local WEB interface with the user account: some parameters can be set;
The user name and password of the user account can be changed. Ways to change the user name and password of the home gateway user account: forced change by logging in to the local WEB interface with the administrator account;
Logging in to the local WEB interface with the user account and making the change after the original user name and password are verified.
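The session rules of 16.2.1 (one login per account, disconnect after 5 idle minutes, disconnect after 3 consecutive failures with a 1-minute wait) can be expressed as a small state machine. This is an added example, not code from the specification; `LoginGuard`, its return strings and the `check_password` verifier are hypothetical, and the failure counter is assumed to be kept per login interface.

```python
import time

IDLE_TIMEOUT = 5 * 60   # seconds without activity before the session is dropped
MAX_FAILURES = 3        # consecutive wrong user name/password entries
LOCKOUT = 60            # seconds before credentials are accepted again


class LoginGuard:
    """Session policy only; check_password is a hypothetical credential verifier."""

    def __init__(self, check_password, clock=time.monotonic):
        self.check_password = check_password
        self.clock = clock
        self.failures = 0          # consecutive failures on this login interface
        self.locked_until = 0.0
        self.sessions = {}         # account -> time of last activity

    def _expire(self, now):
        for account, last in list(self.sessions.items()):
            if now - last >= IDLE_TIMEOUT:
                del self.sessions[account]

    def login(self, account, password):
        now = self.clock()
        self._expire(now)
        if now < self.locked_until:
            return "locked"                      # still inside the 1-minute wait
        if not self.check_password(account, password):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.failures = 0
                self.locked_until = now + LOCKOUT
                return "disconnected"            # third consecutive failure
            return "denied"
        self.failures = 0
        if account in self.sessions:
            return "busy"                        # one login per account at a time
        self.sessions[account] = now
        return "ok"

    def touch(self, account):
        """Record an operation; returns False if the session has timed out."""
        now = self.clock()
        self._expire(now)
        if account not in self.sessions:
            return False
        self.sessions[account] = now
        return True
```

Passing a fake `clock` makes the 5-minute and 1-minute boundaries testable without waiting.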
16.2.2. Femto authentication
The Femto base station shall support EAP-AKA/SIM for equipment authentication; the authentication data is stored in the Femto HLR (see note 7).
The authentication key of the Femto base station is controlled by the operator.
16.2.3. Admission authentication of Femto mobile terminal users
Open mode: no admission authentication process is needed; any UE may use Femto resources;
Close mode: only authorized users may use Femto resources; through an admission decision, the Femto system determines whether the user is authorized to use the Femto resources; if the user passes admission control, access is allowed, otherwise it is refused. When a user initiates an emergency call, even an unauthorized user may use Femto resources.
7 Adopt USIM or key-based authentication; to be confirmed after testing.
2013.1.19