- 1 - AP IX-50-E

Recommendation X.32

INTERFACE BETWEEN DATA TERMINAL EQUIPMENT (DTE) AND DATA CIRCUIT-TERMINATING EQUIPMENT (DCE) FOR TERMINALS OPERATING IN THE PACKET MODE AND ACCESSING A PACKET SWITCHED PUBLIC DATA NETWORK THROUGH A PUBLIC SWITCHED TELEPHONE NETWORK OR AN INTEGRATED SERVICES DIGITAL NETWORK OR A CIRCUIT SWITCHED PUBLIC DATA NETWORK

Preface

The establishment in various countries of packet switched public data networks (PSPDN) providing data services creates the need to produce Recommendations to facilitate access to the PSPDN through a public switched telephone network (PSTN) or an integrated services digital network (ISDN) or a circuit switched public data network (CSPDN).

The CCITT, considering:

(a) that Recommendation X.1 specifies the user classes of service for DTEs operating in the packet mode, that Recommendation X.2 defines user facilities provided by public data networks, that Recommendation X.10 defines categories of access, that Recommendations X.21 and X.21 bis define DTE/DCE physical level interface characteristics, that Recommendation X.25 defines the interface between the DTE and the DCE for terminals operating in the packet mode and connected to public data networks by dedicated lines, that Recommendation X.31 defines the support of packet mode terminal equipment by an ISDN, that Recommendation X.121 defines the international numbering plan for public data networks (PDNs), that Recommendation X.300 defines the principles and arrangements for interworking between PDNs and other public networks;

(b) that the V-Series Recommendations define modem and interface characteristics for use of data services on the PSTN;

(c) that Recommendation T.70 defines the procedures and interfaces to be used by telematic terminals, that Recommendation T.71 defines the extension of Link Access Procedure Balanced (LAPB) procedure to be used in half-duplex transmission facilities (LAPX);

(d) that a need has been identified to access a PSPDN through a PSTN,
or an ISDN, or CSPDN, because a dedicated circuit to the PSPDN is not justified, or because global service availability is required with back-up network access via public switched networks; however permanent virtual circuits are not available in the types of access covered in this Recommendation;

(e) that some Administrations have considered the provision of Telematic services in different types of networks, e.g. PSPDN, PSTN, ISDN and CSPDN;

(f) that, when this Recommendation is used to provide the Network Service defined in Recommendation X.213, the physical, link and packet layers correspond to the Physical, Data link and Network layers respectively, as defined in Recommendation X.200,

(unanimously) recommends that the functional and procedural aspects of packet mode DTEs accessing a PSPDN through a PSTN or an ISDN circuit switched bearer service, or CSPDN, are as specified in this Recommendation.

Note - A packet mode terminal (TE 1 or TE 2) conforming to the I-Series Recommendations may access a PSPDN through an ISDN circuit switched bearer service. In this case the functional and procedural aspects related to layer 2 and layer 3 in the B-channel are as specified in this Recommendation.

CONTENTS

1 Scope
2 Functional aspects
  2.1 Dial-in and dial-out considerations
  2.2 Identification
  2.3 Service aspects
  2.4 DTE identification methods
  2.5 DCE identification methods
  2.6 Dial-in-by-the-DTE and dial-out-by-the-PSPDN operation
  2.7 DTE service requirement
  2.8 Duplex and half-duplex operation
  2.9 Identification protocol
  2.10 Negotiation of values
3 DTE service descriptions
  3.1 DTE service attributes
  3.2 Summary of DTE services
  3.3 Nonidentified DTE service
  3.4 Identified DTE service
  3.5 Customized DTE service
4 Interface characteristics (physical layer)
  4.1 X.21 interface
  4.2 X.21 bis interface
  4.3 V-Series interface
5 Link access procedure across the DTE/DCE interface
  5.1 Introduction
  5.2 Link layer address assignment
  5.3 Use of XID frames
  5.4 Link set-up and disconnection
  5.5 Multilink
  5.6 Half-duplex operation
6 Packet layer
  6.1 Scope and field of application
  6.2 Use of registration packets for identification of DTE and/or DCE and for conveyance of X.32 optional user facilities
  6.3 Identification and authentication of the DTE using the NUI selection facility in call set-up packets
7 X.32 procedures, formats, and facilities
  7.1 Identification protocol
  7.2 Procedures for X.32 optional user facilities
  7.3 Coding of the identification protocol elements and X.32 facilities
  7.4 Security grade 2 method
  7.5 DCE timer T14
  7.6 DCE timer T15
Annex A - Actions taken by the DCE in the roles of questioning and challenged parties for security grade 1 and security grade 2 identifications
Annex B - Abbreviations
Appendix I - Implementation of LAPX
Appendix II - RSA public key algorithm
Appendix III - Relationship of T14 to the different methods of DTE identification

1 Scope

This Recommendation defines the functional and procedural aspects of the DTE/DCE interface for packet mode user classes of service DTEs as defined in Recommendations X.1 and X.10, for DTEs that access a PSPDN via public switched
networks. In this Recommendation, a public switched network (PSN) is either a public switched telephone network (PSTN) or an integrated services digital network (ISDN) providing circuit switched bearer service or a circuit switched public data network (CSPDN).

Note - The ISDN interface specification for transparent circuit connection is described in Recommendation X.31. In this Recommendation only the DTE functionalities for the access to a PSPDN service through an ISDN are considered.

In the PSTN case, the X.32 DTE/DCE interface coincides with the interface between the DTE and the modem. In the ISDN case, the X.32 interface coincides with the R reference point (see Figure 1/X.32). In the CSPDN case, the X.32 DTE/DCE interface coincides with the X.21 or X.21 bis interface. This definition applies whether or not the administration provides the DCE and regardless of how the interface is physically realized (e.g., whether or not the DTE and DCE are contained within the same enclosure).

In either case the PSN is involved only:

a) in the establishment of the switched access path;
b) to provide a transmission medium; and
c) optionally, to provide a PSN number for purposes of identification and addressing.

Administrations may offer one or more of the following physical layer interfaces:

1) for access by way of a CSPDN, either Recommendation X.21 or Recommendation X.21 bis will be used, as described in § 4.1 or 4.2, respectively;
2) for access by way of a PSTN, appropriate V-Series Recommendations will be used as described in § 4.3;
3) for access by way of an ISDN, refer to Recommendation X.31.

The exact use of the relevant points in these Recommendations is given in § 4.

The transmission facility is duplex or, optionally, half-duplex. Specific procedures are defined in § 5.6 of this Recommendation for operation over a half-duplex transmission facility.

At the link layer, the LAPB link access procedure of Recommendation X.25 is used over a single switched physical circuit.
The LAPB formats and procedures shall be in accordance with § 2.2, 2.3 and 2.4 of Recommendation X.25, with additions as noted in § 5 of this Recommendation.

The formats and the procedures at the packet layer shall be in accordance with § 3, 4, 5, 6 and 7 of Recommendation X.25 with the additions noted in § 6 of this Recommendation.

FIGURE 1/X.32
ISDN reference point

Note - The DTE and TA functionalities may be implemented in the same piece of equipment in the case of a TE 1 terminal. In this case this Recommendation covers layers 2 and 3 operation in the B-channel while the S reference point procedures are described in Recommendation X.31.

2 Functional aspects

2.1 Dial-in and dial-out considerations

Dial-in operation allows a packet-mode DTE to access a PSPDN by means of selection procedures on a PSTN or CSPDN or ISDN (see Figure 2/X.32). This operation is termed "dial-in-by-the-DTE" within this Recommendation.

FIGURE 2/X.32
Dial-in-by-the-DTE operation

Note - In the ISDN case, the ISDN is accessed via TA functions that may be implemented in separate equipment (DTE and TA case) or in the same piece of equipment (TE 1 case) as the DTE functions.

For performing this operation, the DTE may use an automatic or manual calling procedure.

Dial-out operation allows a PSPDN to access a packet-mode DTE by means of selection procedures on a PSTN or CSPDN or ISDN (see Figure 3/X.32). This operation is termed "dial-out-by-the-PSPDN" within this Recommendation.

FIGURE 3/X.32
Dial-out-by-the-PSPDN operation

Note - In the ISDN case, the ISDN is accessed via TA functions that may be implemented in separate equipment (DTE and TA) or in the same piece of equipment (TE 1 case) as the DTE functions.

For dial-out-by-the-PSPDN operation, the DTE should use the automatic answering procedure but may use manual answering.

Virtual call origination is independent of dial-in-by-the-DTE and dial-out-by-the-PSPDN operations.
That is, a DTE that has been involved in a dial-in-by-the-DTE or dial-out-by-the-PSPDN operation may then initiate or receive virtual calls, subject to the limitations in specific situations as described in § 3.

2.2 Identification

2.2.1 DTE identity

When a DTE accesses a PSPDN through a PSN (dial-in-by-the-DTE) or when a DTE is accessed by a PSPDN through a PSN (dial-out-by-the-PSPDN), there may be a requirement for identification of the DTE to the DCE.

The DTE "identity" is a means of referring to the DTE. The DTE identity is either explicitly agreed to between the DTE and the Administration or is implicitly acceptable to the administration through agreements with other Administrations, organizations or authorities. It may be composed of different elements such as a number from a numbering plan, identification of the DTE service and authority, validity dates and period, public keys used for authentication, etc.

The characteristics of the service which a DTE obtains via dial-in-by-the-DTE or dial-out-by-the-PSPDN access depend upon whether the PSPDN considers the DTE identified for each particular switched access connection or virtual call. If the DTE is identified, then the PSPDN has a way to accrue charges to be paid on behalf of the DTE. That is, either the DTE or some other party is billable.

Two components are required in order for a DTE to be considered identified:

a) the DTE is administratively registered either:
   1) through direct arrangement with the PSPDN (i.e. explicitly), or
   2) through pre-arrangement between the PSPDN and a PSN or another authority, and direct arrangement between the DTE and that authority (i.e. not explicitly),
b) the DTE identity is made known to the DCE during the switched access connection using one of the methods described in § 2.4.

A DTE may incur charges even if not identified because some Administrations collect charges via the PSTN, ISDN or CSPDN.
In any case, DTE identification is used for billing and accounting purposes. In addition to this basic function, DTE identification may optionally be used for one or both of the following purposes:

a) enabling the PSPDN to provide a calling DTE address to a called DTE, or
b) enabling the DTE to obtain a different service than that offered to DTEs which do not establish an identity (see § 2.3).

2.2.2 DCE identity

When a network supports dial-out-by-the-PSPDN access to DTEs, there may be a requirement for identification of the network (i.e. DCE) to the DTE. In the case of dial-in-by-the-DTE access, although the identity of the DCE may already be known by the DTE (as the DTE originated the switched access connection), there may also be a DTE requirement for identification of the network.

The identification of the DCE to the DTE may be used for different purposes, such as:

a) to enable the DTE to select the specific security related information (e.g. encrypted key, password, etc.) appropriate to that network for use in exchanges with the DCE;
b) to enable the DTE to select different parameters, procedures or profiles appropriate to that network;
c) to enable a DTE to ascertain by which PSPDN the switched access has been established, thus enabling proper operation of the optional closed user group facility and of the conveyance of the appropriate calling DTE address provided by the PSPDN, if applicable.

For each dial-in-by-the-DTE or dial-out-by-the-PSPDN access, the DCE may establish its identity by successfully completing one of the methods for DCE identification described in § 2.5.

The DCE identity is composed of the network's Data Network Identification Code (DNIC), and optionally, a DTE profile designator (see § 3.1.11), except when the identity is provided by the PSN (see § 5.2.1.1); in the latter case the identity is a number of the PSN numbering plan.

2.3 Service aspects

The switched access service given to a particular DTE is dependent upon:

a) the PSPDN;
b) the use/non-use of DTE identification, and
c) the DTE service available to and chosen by the DTE.

Three DTE service types are defined in this Recommendation (see § 2.3.2). One of the DTE service types (nonidentified) is independent of the specific DTE identity. One service type (identified) may or may not be independent of the specific DTE identity. The third type (customized) is related to the specific DTE identity in order to provide customization of some service aspects.

The types of DTE service are further distinguished by whether there is a number assigned by the network to be used to represent the DTE identity in the address fields of call set-up packets. This number is called a "DTE address" and is defined in § 3.1.3.

2.3.1 Service attributes

"Attributes" are defined to describe each aspect of switched access service. However, the values of the attributes do not necessarily include all capabilities offered to PSPDN users that access the PSPDN via a leased line. The attributes are:

a) DTE identity;
b) DTE identification method;
c) DTE address;
d) registered address;
e) registered PSN number;
f) X.25 subscription set;
g) logical channels assignment;
h) dial-out-by-the-PSPDN availability;
i) dial-out access type;
j) X.32 optional user facilities;
k) DCE identity presentation, and
l) link layer address assignment.

For each DTE service, each attribute is either provided or not provided; if it is provided it is either:

1) set to a default value specified by the network (Network Default) or
2) set to a value selected by the user from a set of values provided by the network (User Selectable). (Note - A network may define a default value for the attribute).

A DTE profile is the set of values of the Network Default and User Selectable attributes that have been selected for a particular DTE identity.

Note - The DTE profile need not be stored in the PSPDN.

Some networks may allow a subscriber to arrange for more than one DTE profile to meet different requirements for switched access service. Each DTE profile is independent. A "DTE profile designator" is used to differentiate the multiple profiles of the DTE.

2.3.2 DTE services

Some networks may offer service to unidentified DTEs, that is, to DTEs for which no identification is provided to the DCE. Some networks may offer service to identified DTEs, that is, to DTEs for which an implicit or explicit DTE identity is provided to the DCE via one of the methods specified in § 2.4.

Different types of service are defined for use in different situations. The network may offer one or more of these services. The three types of service defined in this Recommendation are called DTE services. One is a service for unidentified DTEs. The other two are services for identified DTEs. The three DTE services are:

a) nonidentified,
b) identified, and
c) customized.

2.3.2.1 Service for unidentified DTEs

The service offered to unidentified DTEs is called nonidentified DTE service and is detailed in § 3.3. This DTE service may be offered as part of dial-in-by-the-DTE or dial-out-by-the-PSPDN operation or both.

For a dial-out-by-the-PSPDN operation, the lifetime of a switched access path corresponds to the lifetime of the virtual call. That is, at the completion of the clearing procedures for the virtual call, the DCE initiates those procedures necessary to disconnect the switched access path.

For a dial-in-by-the-DTE operation, the switched access path shall not be disconnected for a period of time (T14) even in the absence of any virtual calls. This allows users a period of time to reestablish a virtual call. See § 7.5.

For dial-in-by-the-DTE operation, the PSPDN may limit the number of unsuccessful attempts to establish a virtual call.

When a DTE uses the nonidentified DTE service:

a) it is not required to use any optional procedures;
b) it is able to operate with different networks without having to subscribe to any of them (i.e. not administratively registered and/or assigned an identity with any PSPDN); and
c) it should not be permitted to make paid calls or receive reverse-charged calls (i.e. the local charging prevention facility is set by the network), thus allowing the administration to guarantee collection of charges. However, some administrations may permit nonidentified DTEs to make free calls or may use other methods to collect charges (e.g. via the PSTN, ISDN or CSPDN).

2.3.2.2 Services for identified DTEs

The services offered to identified DTEs provide a set of capabilities/facilities different from and/or enhanced beyond the nonidentified DTE service. In particular, on those networks which allow only identified DTEs to accrue charges, it is possible for DTEs to:

a) make calls for which the calling DTE assumes responsibility for the charges, and/or
b) receive reverse-charged calls.

2.3.2.2.1 Identified DTE service

The PSPDN may offer the identified DTE service in which:

a) the DTE identity has not been explicitly agreed to with the administration, or the DTE identity has been explicitly agreed to. In this case, allocation of registered addresses, to some DTEs, by the administration is a network option;
b) the other attributes have the values set by the network as specified in § 3.4.

The effect of the identified DTE service is that this DTE is billable but the service is otherwise similar to the nonidentified DTE service.

Note that the use of the network user identification (NUI) subscription facility provides a DTE identity used for billing purposes and may, in conjunction with the NUI override facility (§ 6.3), override, for the specific virtual call, the default set of X.25 subscription facilities.
However, when using the NUI override facility feature, overriding the facilities is performed only when a Call Request is made by the switched access DTE and not for an Incoming Call to the switched access DTE.

The identified DTE service may be offered as part of dial-in-by-the-DTE or dial-out-by-the-PSPDN operation or both.

2.3.2.2.2 Customized DTE service

The PSPDN may offer the customized DTE service in which the DTE identity has been explicitly agreed to with the administration, a registered address has been allocated and the other attributes are set according to the DTE profile which has been customized for the DTE according to the capabilities supported by the network as permitted within the specification given in § 3.5.

The effect is that this DTE is billable, has an X.121 address registered with the PSPDN, and is provided a service tailored in many aspects to its requirements. This DTE service may be offered as part of dial-in-by-the-DTE or dial-out-by-the-PSPDN operation or both.

2.4 DTE identification methods

This Recommendation provides four distinct methods for DTE identification. These methods are:

a) identification provided by the public switched network,
b) identification by means of a link layer Exchange Identification (XID) procedure,
c) identification by means of a packet layer registration procedure,
d) identification by means of the NUI selection facility in call set-up packets.

(Note - For an interim period, support of the use of a DTE identification method by means of the calling address field in call request packets is a national matter. It should be remembered that the use of the calling address field for conveying identification conflicts with the use of this field for addressing, and problems can arise if both uses are needed.)

A network may support any, all or none of these methods in conjunction with the DTE services offered (see § 2.7).
The mechanisms in b), c) and d) may be used by some networks to offer functions other than, or in addition to, DTE identification.

The identity of the DTE becomes known to the network via one of the identification procedures at either or both of the following times:

1) prior to any virtual call establishment (see § 2.4.1), or
2) on a per virtual call basis (see § 2.4.2).

It is considered vital that a reasonable degree of protection be achieved in the DTE identification procedure so that administrations and subscribers can prevent fraudulent DTE identification. Therefore, the identification procedure includes the capabilities to verify and/or authenticate the correctness of the DTE identification.

The XID and registration methods obey an "identification protocol" that has been defined in § 2.9 and 7.1 for conveying the information necessary for the DCE to receive the DTE identity, verify it to the proper degree of authenticity, and to report on the success of the procedure. Two grades of security are defined in the identification protocol.

Identification provided by the public switched network and the X.25 NUI selection facility do not use an explicit identification protocol. However, the success of authentication is implicit in the reception by the DTE of a call connected packet.

DCE identification may be achieved by using the identification protocol while it is simultaneously being used for DTE identification, but as an independent invocation of the protocol.

Networks may choose to offer "secure dial-back" as an additional means for authentication of the DTE identity. Secure dial-back, as specified in § 7.2.1, uses physical location as a basis for DTE authentication by combining dial-in-by-the-DTE, dial-out-by-the-PSPDN, and DTE identification prior to virtual call establishment.

2.4.1 Identification prior to virtual call establishment

There are three methods by which the identity of the DTE can be determined by the DCE prior to the establishment of any virtual call.
These methods are described in the following three subsections. All three methods apply to both dial-in-by-the-DTE and dial-out-by-the-PSPDN operation.

The service that a DTE which is identified prior to virtual call establishment obtains is either the identified or the customized DTE service. If the service obtained is the customized DTE service and includes customized values for link layer options and system parameters, the DTE identification must be performed at the link level (see § 2.4.1.2) or be provided by the public switched network (see § 2.4.1.1).

The DTE identification that is determined by any of the prior-to-virtual-call-establishment methods remains in effect even in the absence of any virtual calls.

2.4.1.1 Identity provided by the public switched network

In the case of dial-in-by-the-DTE operation, the DTE identity may be provided by the public switched network (i.e. PSTN, ISDN or CSPDN) to the PSPDN during the PSN connection establishment stage.

Note - The administrative arrangements described in § 2.2.1 are necessary for the calling line identification to be used by the PSPDN as a DTE identity.

The DTE is a subscriber of the PSTN, ISDN or CSPDN network, and, therefore, the PSTN number, the ISDN number or the CSPDN number (as well as some additional management information in some circumstances) may be available and will be signalled to the PSPDN.

In the case of dial-out-by-the-PSPDN, the PSPDN uses, as the DTE identification, the information which has been provided to the PSN in order to do the dial-out-by-the-PSPDN operation.

Note - This method of identification may be used in the case of dial-out-by-the-PSPDN operation even when the PSN does not provide calling line identification.

As the PSN is providing the identification information, the DTE is not required to use any optional user procedures in order to accomplish DTE identification.

The DTE identification determined by means of this method remains in effect until the switched access path is disconnected.

Note - Although the operational requirements for a DTE which is not identified or which is identified via the "provided-by-public-switched-network" method are the same, the capabilities/facilities available to DTEs using these methods can be very different. This may result in differences in general DTE operation, especially in regard to reverse charging. In particular, the differences are those between the nonidentified DTE service and the identified or customized DTE services.

2.4.1.2 Identity provided by means of the link layer XID procedure

Identification of the DTE may be provided by a link layer procedure, as described in § 5 and 7, based on exchanges of XID frames between the DTE and the DCE before the logical link is established (disconnected phase of Recommendation X.25).

This procedure may be optionally offered by networks depending, in part, on the offering by the network of the optional frames that this procedure uses. When it is offered by the network, use of this identification procedure by DTEs is optional. The XID frame used in this method may also be used for other link layer functions.

The DTE identification determined by means of this method remains in effect until the switched access path is disconnected or the link layer has left the information transfer phase and has entered the disconnected phase.

2.4.1.3 Identity provided by means of the packet layer registration procedure

Identification of the DTE may be provided by means of a packet layer procedure described in § 6 and 7. This procedure is based on one or more exchanges of registration request packets (from DTE to DCE) and registration confirmation packets (from DCE to DTE) and is always initiated by the DTE. (These packets are described in § 5.7.2 of Recommendation X.25).
The DTE may initiate this procedure (for purposes of identification) once at the beginning of the existence of the switched access path, i.e. before any virtual calls are made in which the nonidentified DTE service is obtained or in which a per-virtual-call-DTE identification method is used.

The DTE identification determined by means of this method remains in effect until the switched access path is disconnected or the link layer has entered the disconnected phase. Also, the receipt of a restart indication packet by the DTE may mean that DTE identification has been lost (see § 6.1 of Recommendation X.25 and § 6 and 7 of this Recommendation).

This procedure may be optionally offered by networks depending, in part, on the offering by the network of the optional registration packets that this procedure uses. When it is offered by the network, use of this identification procedure by DTEs is optional. The registration packets used in this method are also used by those networks which offer the optional on-line facility registration facility.

2.4.2 Identification per virtual call by means of network user identification facility

There is a method, using the network user identification selection facility, by which the identity of the DTE can be determined on a per-virtual-call basis. The identification of the DTE is provided in the facility field of the call request packet via the use of the optional NUI selection facility. Use of NUI in the facility field in a call accepted packet allows a modification of billing (e.g. subaccount billing) to be carried out and has no effect on the values of the DTE profile in use for this DTE.

This procedure may be optionally offered by networks depending, in part, on the offering by the network of the optional NUI selection facility that this procedure uses. When it is offered by the network, use of this identification procedure by DTEs is optional.

The identification established by this method is accomplished at the same time as virtual call set-up and remains in effect until the virtual call is cleared.

The NUI selection facility may also be used when a prior-to-virtual-call-establishment identification method has been used. In this case, the service obtained by the DTE using the NUI selection facility in a call request packet is detailed in § 6.3.2 concerning operation of the NUI selection facility.

The service that a DTE using the NUI method obtains is the identified DTE service. Upon termination of the virtual call:

a) if no prior-to-virtual-call-establishment DTE identification had been accomplished, the logical channel is usable again for a nonidentified call or a DTE-identification-via-NUI call, or
b) if a prior-to-virtual-call-establishment DTE identification had been accomplished, the logical channel is usable again under the conditions of the DTE service that the prior-to-virtual-call DTE identity had invoked.

2.5 DCE identification methods

This Recommendation provides three distinct methods for DCE identification. These methods are:

a) identification provided by the public switched network,
b) identification by means of a link layer XID procedure, and
c) identification by means of a packet layer registration procedure.

When a network provides dial-in-by-the-DTE access and/or dial-out-by-the-PSPDN access, it need not provide the DCE identification to the DTE. Some networks may not provide the DCE identification to the DTE regardless of the approach used for the DTE identification. However, for the networks that choose to provide the DCE identification to the DTE using one of the optional identification procedures, it is possible that the DTE may not use that optional identification procedure and, therefore, may not recognize the DCE identification. Additionally, networks are not required to provide DCE identification on dial-in-by-the-DTE operation.
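
The lifetimes that § 2.4.1.1 to § 2.4.2 give for each DTE identification method, and the DTE service each one yields, can be modelled as a small state tracker. This is an added example, not part of the Recommendation: the class, function and event names are hypothetical, and treating a restart indication as loss of a registration-based identity is an assumption (the text says only that it "may" be lost).

```python
from enum import Enum


class Method(Enum):
    PSN = "provided by the public switched network"  # § 2.4.1.1
    XID = "link layer XID procedure"                  # § 2.4.1.2
    REGISTRATION = "packet layer registration"        # § 2.4.1.3
    NUI = "NUI selection facility in call set-up"     # § 2.4.2


class Event(Enum):
    CALL_CLEARED = "virtual call cleared"
    RESTART_INDICATION = "restart indication received by the DTE"
    LINK_DISCONNECTED = "link layer entered the disconnected phase"
    PATH_DISCONNECTED = "switched access path disconnected"


# Events that end a prior-to-virtual-call identification, per method.
# Assumption: a restart indication is treated as loss of a registration-based
# identity; the Recommendation says only that it "may" be lost.
ENDS_PRIOR_IDENTITY = {
    Method.PSN: {Event.PATH_DISCONNECTED},
    Method.XID: {Event.PATH_DISCONNECTED, Event.LINK_DISCONNECTED},
    Method.REGISTRATION: {Event.PATH_DISCONNECTED, Event.LINK_DISCONNECTED,
                          Event.RESTART_INDICATION},
}


def may_customize_link_layer(method):
    """§ 2.4.1: customized link layer values need PSN or XID identification."""
    return method in (Method.PSN, Method.XID)


class SwitchedAccess:
    """Tracks which DTE identity is in effect on one switched access path."""

    def __init__(self):
        self.prior = None          # Method used before any virtual call
        self.nui_channels = set()  # logical channels identified by NUI
        self.calls_made = False

    def identify_prior(self, method):
        if method is Method.NUI:
            raise ValueError("NUI identifies per virtual call only")
        if method is Method.REGISTRATION and self.calls_made:
            # § 2.4.1.3: once, before any virtual call on this access path.
            raise ValueError("registration identification must precede calls")
        self.prior = method

    def call_request(self, channel, nui=False):
        """Record a call request and return the DTE service it obtains."""
        self.calls_made = True
        if nui:
            self.nui_channels.add(channel)
        return self.service(channel)

    def service(self, channel):
        if self.prior is not None:
            # NUI on top of a prior identity is governed by § 6.3.2, which
            # this model does not cover; the prior identity's service is used.
            return "identified or customized"
        if channel in self.nui_channels:
            return "identified"
        return "nonidentified"

    def on_event(self, event, channel=None):
        if event is Event.CALL_CLEARED:
            self.nui_channels.discard(channel)
        else:
            # Assumption: restart, link loss and path loss end every call,
            # so every per-call NUI identity ends with them.
            self.nui_channels.clear()
        if event is Event.PATH_DISCONNECTED:
            self.calls_made = False
        if self.prior is not None and event in ENDS_PRIOR_IDENTITY[self.prior]:
            self.prior = None


def demo():
    """Constructed event sequences; returns the service seen at each step."""
    seen = []
    a = SwitchedAccess()                       # path with no prior identity
    seen.append(a.call_request(1))
    seen.append(a.call_request(2, nui=True))   # NUI in the call request
    a.on_event(Event.CALL_CLEARED, channel=2)
    seen.append(a.service(2))                  # NUI identity ended with the call
    b = SwitchedAccess()                       # path identified by registration
    b.identify_prior(Method.REGISTRATION)
    seen.append(b.call_request(1))
    b.on_event(Event.RESTART_INDICATION)
    seen.append(b.service(1))                  # registration identity dropped
    return seen


if __name__ == "__main__":
    print(demo())
```

A DCE-side implementation that keeps an identity alive past the events listed for its method would go on billing and authorizing calls against an identity the Recommendation no longer considers in effect.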

There is a need to provide a reasonable degree of protection in the identification procedure so that Administrations and subscribers can prevent inaccurate DCE identification. Therefore, the identification procedure incorporates the functions of authentication and verification of the DCE's identity.

The XID and registration methods of DCE identification obey an "identification protocol" that has been defined in § 2.9 and 7.1 for conveying the information necessary for the DTE to recognize the DCE identity, including verifying the identity to the proper degree of authenticity and reporting on the success of the procedure.

When no DCE identification is received by the DTE, it is the responsibility of the DTE to decide if the level of security is sufficient to continue operation.

DTE identification may be achieved by using the identification protocol while it is simultaneously being used for DCE identification, but as an independent invocation of the protocol.

2.5.1 Identification prior to virtual call establishment

2.5.1.1 Identity provided by the public switched network

In the case of dial-out-by-the-PSPDN, the PSTN number, the ISDN number or the CSPDN number identifying the DCE may be provided by the public switched network (as well as some additional network management information from the PSPDN in some circumstances).

When identification is provided by the PSN, the DCE is not required to use any optional packet/frame types or any optional packet/frame fields defined in § 5, 6 or 7 or in Recommendation X.25.

2.5.1.2 Identity provided by means of the link layer XID procedure

DCE identification can be optionally provided to the DTE by means of the exchange of XID frames prior to the link set-up. The detailed procedure to provide such information is the identification protocol given in § 2.9 and 7.1.

2.5.1.3 Identity provided by means of the packet layer registration procedure

DCE identification can be optionally provided to the DTE using the registration packets. The exact process is the identification protocol given in § 2.9 and 7.1.

2.5.2 Identification per virtual call

Identification of the DCE to the DTE on a per-virtual-call basis is currently not provided. The need for such a capability has been left for further study.

2.6 Dial-in-by-the-DTE and dial-out-by-the-PSPDN operation

All PSPDNs conforming to this Recommendation shall provide dial-in-by-the-DTE operation. Provision of dial-out-by-the-PSPDN operation is optional.

2.7 DTE service requirement

To provide a switched access service to DTEs, without introducing additional procedures, all PSPDNs conforming to this Recommendation shall offer the nonidentified DTE service and/or support use of the provided-by-the-PSN DTE identification method.

Networks may also provide access to and/or from DTEs through a PSN, with the DTE being identified to the network using one of the optional identification procedures (see § 2.4.1.2, 2.4.1.3 and 2.4.2).

2.8 Duplex and half-duplex operation

If CSPDN access is used, the transmission facility is duplex.

If PSTN access is used, the transmission facility operation is duplex, or, optionally, some networks may also provide for half-duplex operation. The additional procedures necessary for half-duplex operation are described in § 5.6.

If an ISDN transparent circuit connection is used, the transmission facility is duplex.

2.9 Identification protocol

The elements of protocol which are used in performing DTE or DCE identification by either the XID or registration methods are independent of the procedure (the vehicle) used to transfer these elements between DTE and DCE (i.e. either XID frames or registration packets).

The "identification protocol" consists of exchanges between the "challenged" party and the "questioning" party.
The "challenged" party provides and, optionally, certifies its identity and the "questioning" party checks and authenticates this identity. The DTE and DCE, either calling or called, may be questioning, challenged, or both questioning and challenged. This is the result of the identification protocol being used independently for DTE identification and DCE identification, possibly simultaneously.

The identification protocol provides two grades of security characterized by how many operations are needed and which elements are needed in each direction. The operational details of the identification protocol are given in § 7.1.

2.10 Negotiation of values

Negotiation of link layer parameters is left for further study. Presently, DCE parameters are set to specific values according to the DTE profile as outlined in § 2.3 and 3.

Some networks may provide the capability for negotiation of packet layer facilities by means of the on-line facility registration facility. When provided, this negotiation takes as a starting point the values established in the DTE profile and, as a result, may override them. Packet layer facilities may also be overridden by using the NUI selection facility when the NUI override facility is in effect.

3 DTE service descriptions

3.1 DTE service attributes

3.1.1 DTE identity

The DTE identity attribute, when provided, defines the identity of the DTE.

3.1.2 DTE identification method

The DTE identification method attribute, when provided, defines the DTE identification method used for establishing the DTE identity (see § 2.4). The method is the same for dial-in-by-the-DTE and dial-out-by-the-PSPDN operation unless the provided-by-PSN method is selected for one operation, in which case the methods may be different.

3.1.3 DTE address

When this attribute is provided a DTE address is assigned by the network for a given DTE identity. The DTE address can be derived and validated from the identification method.
This DTE address may be, as a network option, either an X.121 number from the PSPDN numbering plan (see § 2.3 of Recommendation X.121) or a number in the X.121 format from the PSN numbering plan. The number in the X.121 format from the PSN numbering plan for CSPDN is according to § 2.3 of Recommendation X.121. The number in the X.121 format from the PSN numbering plan for PSTN and for ISDN is either according to § 2.2.1.3 of Recommendation X.121 or to § 2.6 of Recommendation X.121. The possible formats of the DTE address are given in § 6.6 of Recommendation X.301.

Note - The inclusion or application of the TOA/NP1 address format to Recommendation X.32 as defined in Recommendation X.25 requires further study.

3.1.3.1 DTE address not provided

In the case of dial-in-by-the-DTE, when the DTE makes a call request, the contents of the calling address field in the corresponding incoming call packet are either:

a) incomplete X.121 PSN format; this means the contents of the calling address field are not valid with respect to the definition of a "valid number" in the various Recommendations (e.g. a four digit number representing a DNIC that is assigned to a PSN; a number in the form 0 + CC; and a number in the form 9 + TCC are not valid numbers as defined in Recommendations X.121, E.164 and E.163); or

b) temporary number from the PSPDN numbering plan; this means the contents of the calling address field, although valid with respect to the definition of a "valid number" in the various Recommendations, is not a number permanently attributed to the DTE. It may be, as an example, attributed to the dial-in port used for a particular call.

Note - If the temporary number is used, the called DTE must be made aware that the contents of the calling address field is not a DTE address. The means to convey this information are for further study.
Pending the results of such a study, this option may be used nationally, but such a temporary number shall not be carried on international interconnections.

Moreover, when the PSN implements calling line identification but there is no arrangement between the PSN and PSPDN to use the number provided by the PSN as DTE identification and when no other DTE identification method is used, the PSPDN may include the PSN-provided number in the calling address field of the incoming call packet.

3.1.3.2 DTE address provided

When an identified DTE makes a call request, the contents of the calling DTE address field in the incoming call packet given to the called DTE is the DTE address. This applies even if the temporary location facility has been used to change the registered PSN number (see § 7.2).

3.1.4 Registered address

This attribute, when provided, permits the DCE to be aware of a possible already established PSN connection with the DTE. The value of the registered address is always identical to the value of the DTE address.

3.1.4.1 Registered address not provided

If the called DTE address field in a call request packet contains an X.121 number from the PSN numbering plan which is not a registered address, then a dial-out-by-the-PSPDN call is made to that PSN number without checking if a switched connection already exists with the DTE. If a switched connection already exists, a subsequent dial-out-by-the-PSPDN operation will result in a busy signal. Therefore, the incoming virtual call is cleared.

3.1.4.2 Registered address provided

Upon receiving a call request with a called DTE address, that is the registered address, the PSPDN needs to determine whether or not to perform a dial-out-by-the-PSPDN operation. If there is a switched connection in existence on which the DTE identity that corresponds to the registered address has been established, that switched connection will be used by the PSPDN.
Otherwise, the PSPDN will perform the dial-out-by-the-PSPDN operation.

Note - This dial-out-by-the-PSPDN will not be successful if there is already a switched connection to the DTE when there has not been an establishment of a DTE identity or there has been a DTE identity established that does not correspond to the registered address.

The PSN number used for the dial-out-by-PSPDN is the registered PSN number.

Note - In some networks, if the called address used in a Call Request packet to call a switched access DTE is not the registered address for a DTE identity but is a registered PSN number, the PSPDN will not recognize this as a registered address and may treat the call according to the nonidentified DTE service (see § 3.5 and 3.3).
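
The dial-out decision of 3.1.4.1 and 3.1.4.2 can be traced with the following added Python example, which is not part of the Recommendation. The data model, outcome labels and sample numbers are constructed, and the called address is assumed to be the PSN number itself when it is not a registered address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Connection:
    """An existing switched connection (constructed model, not from X.32)."""
    psn_number: str              # PSN number the connection terminates on
    dte_identity: Optional[str]  # None: no DTE identity established on it

def line_busy(psn_number: str, connections: List[Connection]) -> bool:
    """A dial-out to a PSN number that already has a connection gets busy."""
    return any(c.psn_number == psn_number for c in connections)

def route_called_address(called: str,
                         registered: Dict[str, Tuple[str, str]],
                         connections: List[Connection]) -> Tuple[str, str]:
    """Decide how the PSPDN reaches the called DTE.

    registered maps registered address -> (DTE identity, registered PSN number).
    Returns (outcome, PSN number); outcome names are hypothetical labels.
    """
    if called in registered:                      # 3.1.4.2
        identity, psn = registered[called]
        for conn in connections:
            if conn.dte_identity == identity:     # identity already established
                return ("use-existing-connection", conn.psn_number)
        if line_busy(psn, connections):           # unidentified or other identity
            return ("dial-out-unsuccessful", psn)
        return ("dial-out", psn)
    # 3.1.4.1: not a registered address, so no check for an existing connection.
    # Assumption: the called address is itself the PSN number to dial.
    if line_busy(called, connections):
        return ("busy-call-cleared", called)
    return ("dial-out", called)

# Constructed sample data: one registered address and its registered PSN number.
REGISTERED = {"900000000001": ("dte-A", "555000100")}
IDENTIFIED = [Connection("555000100", "dte-A")]
UNIDENTIFIED = [Connection("555000100", None)]

if __name__ == "__main__":
    for called, conns in [("900000000001", IDENTIFIED), ("900000000001", []),
                          ("900000000001", UNIDENTIFIED), ("555000100", IDENTIFIED)]:
        print(called, route_called_address(called, REGISTERED, conns))
```

The last sample case calls the registered PSN number rather than the registered address: the identified connection is not reused, the dial-out meets a busy line, and the call is cleared.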