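Translation of customer premises atmospheric pressure requirements: Chinese-English parallel text
Customer premises equipment shall operate normally at an atmospheric pressure of 86-106 kPa.
15. Software system
The software system must be stable. Linux 2.6 is the recommended operating system for the open part of the software, and the functional software shall have a clear layered structure;
The software modules of the home gateway are all built on the corresponding open standards (IEEE, IETF RFCs, ITU) or industry specifications (DSL/ATM Forum, UPnP Forum).
The development environment recommended for the home gateway must be open to China Unicom, so as to support the future development and compilation of China Unicom middleware software.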
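16. Security requirements
16.1. User-side interface security
16.1.1. Network access security
The home gateway shall provide access control, packet filtering, attack protection and port-scan protection, and shall keep a local network log. The specific requirements are as follows:
It must support DMZ;
It must support access control based on MAC address (for both LAN and WLAN);
It must support access control based on IP address and IP address range;
It must support URL-based control;
Access control is provided as a blacklist and a whitelist; the blacklist and the whitelist cannot be enabled at the same time, and up to 100 records must be supported;
It must support IP-layer packet filtering; application-layer packet filtering is recommended, and SPI (Stateful Packet Inspection) is recommended;
It must have some protection against DoS attacks and be able to prevent attacks such as LAND, SYN Flooding, ICMP Redirection, Smurf and Winnuke;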
China Unicom Home Gateway Technical Specification Volume: Femto Home Gateway
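It must provide port-scan protection;
It must provide protection against illegal-packet attacks;
It must support logging and be able to store 500 log entries locally.
16.1.2. User-side WLAN access security
The home gateway supports the following wireless security protocols and functions. The specific requirements are as follows:
1. It must support configuring different SSIDs to distinguish networks, and must support turning SSID broadcast on and off; this function is enabled by default. At the factory, SSID-1 shall be randomly generated by the manufacturer and marked on the home gateway casing; after a factory reset, SSID-1 shall revert to the SSID marked on the casing. The SSID can be set to hidden.
2. It must support both Open System and Shared Key link-layer authentication; by default the home gateway needs no configuration and adapts automatically to the authentication method of the STA.
3. It must support 64-bit and 128-bit WEP encryption; the key can be entered as HEX or ASCII characters.
4. It must support WPA-PSK and WPA2-PSK, and must support AES and TKIP encryption; WPA-PSK is enabled by default. At the factory, the key for SSID-1 shall be randomly generated by the manufacturer and marked on the home gateway casing; after a factory reset, the key shall revert to the one marked on the casing.
5. If the user connects using WPS Push Button, the encryption algorithm and key are negotiated according to the WPS specification; otherwise wireless access is provided to the user in the traditional way.
6. The WPS function does not need to be enabled or configured on the web page; it is enabled by default.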
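16.2. Login security
16.2.1. User-side login security
(1) Basic requirements for user-side login security
The home gateway provides two accounts with different privileges on the user side: an administrator account and a user account. A user must log in with a user name and password before configuring or managing the home gateway.
Each account allows only one user to be logged in at a time; two users may not be logged in simultaneously;
If there is no operation within 5 minutes after login, the home gateway disconnects automatically;
After the user name and password are entered incorrectly 3 times in a row, the connection is dropped automatically, and the user name and password can be entered for verification again only after 1 minute;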
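Only one set of credentials is in effect for each privilege level, and an account's privileges must not change because its password is changed.
(2) Administrator account
The administrator account can configure all parameters of the home gateway.
In the following scenario, the administrator password must be changed through the ACS:
When the home gateway connects to the ACS for the first time, the ACS issues a random password.
(3) Home gateway user account
The user account is used to view basic information about the running system and can configure some parameters.
Functions and applications available when logging in to the local web interface with the user account:
Some parameters can be configured;
The user name and password of the user account can be changed;
Ways to change the user name and password of the home gateway user account:
Forcibly, by logging in to the local web interface with the administrator account;
By logging in to the local web interface with the user account and changing them after the original user name and password have been verified.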
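16.2.2. Femto authentication
The Femto base station shall support EAP-AKA/SIM for device authentication; the authentication data is stored in the Femto HLR (note 7).
The authentication key of the Femto base station is controlled by the operator.
16.2.3. Admission authentication of Femto mobile terminal users
Open mode: no admission authentication is required, and any UE can use Femto resources;
Close mode: only authorized users can use Femto resources. The Femto system makes an admission decision to determine whether the user is entitled to use the Femto resource; if admission control is passed, access is allowed, otherwise it is refused. When a user makes an emergency call, even an unauthorized user can use Femto resources.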
14.12. Atmospheric pressure requirements
Customer premises equipment (CPE) shall operate normally at an atmospheric pressure of 86-106 kPa.
15. Software system
The software system shall be stable. Linux 2.6 is the recommended operating system for the open part of the software, and the functional software shall have a clear layered structure;
The software modules of the home gateway are built on the corresponding open standards (IEEE, IETF RFCs, ITU) or industry specifications (DSL/ATM Forum, UPnP Forum). The development environment recommended for the home gateway shall be open to China Unicom, in order to support the future development and compilation of China Unicom middleware software.
16. Security requirements
16.1. User-side interface security
16.1.1. Network access security
The home gateway shall provide access control, packet filtering, attack protection and port-scan protection, and shall keep a local network log. The detailed requirements are as follows:
Support DMZ;
Support access control based on MAC address (including LAN and WLAN);
Support access control based on IP address and IP address range;
Support URL-based control;
Access control is provided as a blacklist and a whitelist, which cannot be enabled at the same time, and up to 100 records must be supported;
IP-layer packet filtering is required; application-layer packet filtering is recommended, and SPI (Stateful Packet Inspection) is recommended;
Provide a certain level of DoS protection, preventing attacks such as LAND, SYN Flooding, ICMP Redirection, Smurf and Winnuke;
Provide port-scan protection;
Provide protection against illegal-packet attacks;
Support logging, with the capacity to store 500 log entries locally.
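A sketch of the 16.1.1 access-control rules (one list active at a time, MAC and IP-range entries, 100-record capacity), added here as an example and not taken from the specification or any vendor firmware. The `AccessList` class, its method names, and counting the 100 records across MAC and IP entries together are assumptions.

```python
import ipaddress
import re

MAX_RECORDS = 100    # the list must hold up to 100 records
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

def norm_mac(mac):
    return mac.strip().lower().replace("-", ":")

class AccessList:
    """MAC and IPv4-range entries used as a black OR white list (hypothetical)."""

    def __init__(self):
        self.mode = "off"    # "off", "black" or "white": one field, never both
        self.macs = set()
        self.ranges = []     # (first, last) IPv4Address pairs, inclusive

    def _room(self):
        if len(self.macs) + len(self.ranges) >= MAX_RECORDS:
            raise OverflowError("access list already holds 100 records")

    def add_mac(self, mac):
        mac = norm_mac(mac)
        if not MAC_RE.fullmatch(mac):
            raise ValueError("bad MAC address")
        if mac not in self.macs:
            self._room()
            self.macs.add(mac)

    def add_ip_range(self, first, last=None):
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last or first)
        if lo > hi:
            raise ValueError("range start is above range end")
        self._room()
        self.ranges.append((lo, hi))

    def set_mode(self, mode):
        if mode not in ("off", "black", "white"):
            raise ValueError("mode must be off, black or white")
        self.mode = mode

    def allows(self, mac, ip):
        """Return True if a LAN/WLAN client with this MAC and IP may pass."""
        if self.mode == "off":
            return True
        addr = ipaddress.IPv4Address(ip)
        listed = norm_mac(mac) in self.macs or any(
            lo <= addr <= hi for lo, hi in self.ranges)
        return listed if self.mode == "white" else not listed
```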
16.1.2. User-side WLAN access security
The home gateway supports the following wireless security protocols and functions; the detailed requirements are as follows:
1. Support configuring different SSIDs in order to distinguish networks; support turning SSID broadcast on and off; this function is enabled by default. At the factory, the manufacturer shall generate SSID-1 at random and mark it on the outer cover of the home gateway; after a factory reset, SSID-1 shall revert to the SSID marked on the outer cover. The SSID can be set to hidden.
2. Support the two link-layer authentication modes, Open System and Shared Key; by default the home gateway needs no configuration and automatically adapts to the authentication mode of the STA.
3. Support 64-bit and 128-bit WEP encryption; the key can be entered as HEX or ASCII characters.
4. Support WPA-PSK and WPA2-PSK; support AES and TKIP encryption; WPA-PSK is enabled by default. At the factory, the manufacturer shall generate the key for SSID-1 at random and mark it on the outer cover of the home gateway; after a factory reset, the key shall revert to the one marked on the outer cover.
5. If the user connects using WPS Push Button, the encryption algorithm and key are negotiated according to the WPS specification; otherwise wireless access is provided to the user in the traditional way.
6. The WPS function does not need to be enabled or configured on the WEB page; it is enabled by default.
16.2. Login security
16.2.1. User-side login security
(1) Basic requirements for user-side login security
The user side of the home gateway provides two accounts with different privileges: an administrator account and a user account. Users must log in with a user name and password in order to configure or manage the home gateway.
Each account permits only one user to be logged in at a time; two users may not be logged in at the same time;
The home gateway shall disconnect automatically if no operation occurs within 5 minutes after the user logs in;
If the user name and password are entered incorrectly 3 times in a row, the home gateway shall disconnect automatically, and the user name and password can be entered for verification again only after 1 minute;
Only one set of credentials is in effect for each privilege level; the privileges of an account shall not change when its password is changed.
(2) Administrator account
The administrator account can configure all parameters of the home gateway. In the following situation, the password of the administrator account must be changed through the ACS: when the home gateway connects to the ACS for the first time, the ACS shall issue a random password.
(3) User account of the home gateway
The user account is used to view basic information about the running system and can configure some parameters.
Functions and applications available when logging in to the local WEB interface with the user account:
Some parameters can be configured;
The user name and password of the user account can be changed;
Ways to change the user name and password of the home gateway user account:
Forcibly, by logging in to the local WEB interface with the administrator account;
By logging in to the local WEB interface with the user account and making the change after the original user name and password have been verified.
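The login rules in (1) expressed as a small state machine, added here as an example rather than code from the specification or any gateway firmware. The `LoginGuard` class, its return strings, and keying the lockout on the account name are assumptions.

```python
import time

IDLE_TIMEOUT = 5 * 60   # no operation for 5 minutes: disconnect
MAX_FAILURES = 3        # 3 consecutive wrong entries: disconnect
LOCKOUT = 60            # retry allowed only after 1 minute

class LoginGuard:
    """Login state per account for the local web UI (hypothetical class)."""

    def __init__(self, verify, clock=time.monotonic):
        self.verify = verify      # assumed callable(user, password) -> bool
        self.clock = clock
        self.failures = {}        # user -> consecutive failed attempts
        self.locked_until = {}    # user -> time at which the lockout ends
        self.sessions = {}        # user -> time of last operation

    def _expire(self, user):
        last = self.sessions.get(user)
        if last is not None and self.clock() - last >= IDLE_TIMEOUT:
            del self.sessions[user]

    def login(self, user, password):
        now = self.clock()
        if now < self.locked_until.get(user, float("-inf")):
            return "locked"
        self._expire(user)
        if not self.verify(user, password):
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= MAX_FAILURES:
                self.failures[user] = 0
                self.locked_until[user] = now + LOCKOUT
                return "locked"
            return "denied"
        self.failures[user] = 0
        if user in self.sessions:
            return "busy"         # one login per account at a time
        self.sessions[user] = now
        return "ok"

    def touch(self, user):
        """Record an operation; False means the session no longer exists."""
        self._expire(user)
        if user not in self.sessions:
            return False
        self.sessions[user] = self.clock()
        return True

    def logout(self, user):
        self.sessions.pop(user, None)
```

Passing a fake `clock` makes the 5-minute and 1-minute limits testable without waiting.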
16.2.2. Femto authentication
The Femto base station shall support EAP-AKA/SIM for device authentication; the authentication data is stored in the Femto HLR (note 7).
The authentication key of Femto base station is controlled by the operator.
16.2.3. Admission authentication of Femto mobile terminal users
Open mode: no admission authentication process is needed; any UE may use Femto resources;
Close mode: only authorized users may use Femto resources; the Femto system makes an admission decision to confirm whether the user is entitled to use the Femto resources; if the user passes admission control, access is allowed, otherwise it is refused. When a user initiates an emergency call, even an unauthorized user may use Femto resources.
7 Adoption of USIM or key-based authentication to be confirmed after testing
2013.1.19