strict indicates that designated portions of this XML document may not be ignored by the device. This requirement does not bear on attributes and elements that are explicitly documented to be ignored, for instance, extension attributes.

If strict is false, devices shall ignore configuration of the following if they are not implemented by the device:

• /LXICommonConfiguration/Network/IPv6
• /LXICommonConfiguration/HTTP
• /LXICommonConfiguration/SCPIRaw
• /LXICommonConfiguration/SCPITLS
• /LXICommonConfiguration/Telnet
• /LXICommonConfiguration/HiSLIP
• /LXICommonConfiguration/VXI11

HSMPresent indicates if the device has a hardware security module.

True indicates the device has hardware that ensures that the private keys used to encrypt communication are not stored by the device unless encrypted by a hardware security module that performs encryption of private keys and other secrets using encryption keys that are not visible external from the hardware security module.

False indicates the device does not have hardware assistance to protect private keys.

RULE: HSMPresent is a read-only attribute that is true if and only if the device uses a HSM to protect the private keys used for LXI communication.

name identifies this physical network interface within the device. It differentiates the interfaces in devices that have multiple interfaces.

If name is omitted, the behaviors is the same as if the name were included with the value "LXI".

Some settings may be coupled between interfaces. That is the settings on separate physical interfaces may be required to be the same.

RULE: Devices with a single interface shall treat the Interface element with the name "LXI" (the default name) to configure the single interface. Devices with multiple interfaces shall assign one of them the name "LXI" (the default name).

OBSERVATION: Devices may have multiple network interface and choose to configure them all identically and bridge traffic internally.

LXIConformant is a read-only attribute that indicates the LXI specifications this device complies with. If this interface does not comply with the LXI Device specification, an empty string is used.

The returned string is a comma separated list of the LXI specifications this interface complies with. The individual substrings are the same as those defined for the Identification schema.

OBSERVATION: Clients should ignore white space in these strings.

OBSERVATION: An empty string indicates that the interface is not LXI compliant. However, an interface that does not comply with LXI is not required to implement this attribute.

enabled indicates if this physical network interface is enabled.

unsecureMode is a read-only attribute that indicates that one or more configurations in this XML do not meet the LXI minimum requirements for secure device operation.

See the LXI Security Extended Function for the criteria to determine if a device is in unsecureMode. Several configurations within the API schemas are documented as placing the instrument into Unsecure Mode, however, the overall determination shall be done by the instrument per the requirement in the LXI Security Extended function.

otherUnsecureProtocolsEnabled represents the state of various device-specific protocols that are beyond the scope of LXI. As a group, controllable unsecure protocols beyond the scope of the LCI Common Configuration including: 1) LXI specified instrument Common Configuration API, 2) Device specific extensions to the instrument Common Configuration are reflected by the state of this attribute.

If otherUnsecureProtocolsEnabled is true, various device unsecure protocols beyond the scope of the LXI Common Configuration are permitted to be enabled.

If otherUnsecureProtocolsEnabled is false, all controllable unsecure protocols not enabled by the LXI Common Configuration.

For the purpose of otherUnsecureProtocolsEnabled, a secure protocol is a protocol that authenticates the server and encrypts data. Client authentication is not required.

RULE: LXI Secure devices shall document the protocols that are controlled by this attribute.

RULE: If the device does not implement any other unsecure protocols, then on a GET, otherUnsecureProtocolsEnabled shall return false. However, if written true, such a device shall either fail the PUT or indicate unsecure mode is True.

Arbitrarily typed elements may be included for devices to represent device-specific configuration.

RULE: The impact of these configurations on the device secure mode are determined by the device vendor. However, if unsecure protocols are enabled, the device shall indicate it is in unsecure mode.

enabled generally enables or disables IPv4 operation.

autoIPEnabled represents the state of the Link Local Addressing capability in the device. If enabled, the device may acquire an address using Link Local Address. Link Local addresses supersede static values configured in the LXI Device Specific Configuration.

RULE: If omitted, and DHCPEnabled is present, the device uses the same state as DHCPEnabled.

OBSERVATION: If a device has no static IP address configured and both autoIPEnabled and DHCPEnabled are disabled, the device could be no longer reachable via IPv4 on this interface. Devices may either permit this case, generate an error and reject the schema, or leave the configuration pending till a static address is provided.

OBSERVATION: In some implementations autoIPEnabled and DHCPEnabled are coupled, that is, both must be enabled or disabled.

DHCPEnabled represents the state of the device DHCP protocol. If True, configuration is accepted via the DHCP protocol.

If DHCP is enabled, the device will accept IPv4 configuration from a DHCP server. DHCP configuration supersedes static values configured in the LXI Device Specific Configuration.

RULE: If omitted, and autoIPEnabled is present, the device uses the same state as autoIPEnabled.

OBSERVATION: If a device has no static IP address configured and both autoIPEnabled and DHCPEnabled are disabled, the device could be no longer reachable via IPv4 on this interface. Devices may either permit this case, generate an error and reject the schema, or leave the configuration pending till a static address is provided.

OBSERVATION: In some implementations autoIPEnabled and DHCPEnabled are coupled, that is, both must be enabled or disabled.

mDNSEnabled represents the state of the multicast DNS responder in the device.

The multicast DNS responder permits the device to be discovered and identified by clients.

In some implementations the mDNS capability is coupled between IPv4 and IPv6. For those devices, the configuration of the IPv4/@mDNSEnabled and the IPv6/@mDNSEnabled must be the same.

If mDNSEnabled is absent, and IPv6/@mDNSEnabled is present, then mDNSEnabled takes on the same value as IPv6/@mDNSEnabled.

dynamicDNSEnabled represents the state of the dynamic DNS capability. Dynamic DNS is used to publish the hostname of the device to DNS.

If dynamicDNSEnabled is absent, and IPv6/@dynamicDNSEnabled is present, then dynamicDNSEnabled takes on the same value as IPv6/@dynamicDNSEnabled.

RULE: Dynamic DNS is optional for LXI devices. Therefore, if not implemented, the device shall ignore this attribute on a PUT.

RULE: Devices that do not implement dynamic DNS shall omit this attribute on a GET.

RULE: The dynamicDNSEnabled attribute shall be implemented irrespective of if IPv6 dynamic DNS is implemented.

pingEnabled represents the state of the IPv4 ICMP ping responder.

In some IPv6 implementation the ICMPv4 ping capability is coupled to the ICMPv6 ping. For those devices, the configuration of the IPv4/@PingEnable and the IPv6/@PingEnabled must be the same.

If pingEnabled is absent, and IPv6/@pingEnabled is present, then pingEnabled takes on the same value as IPv6/@pingEnabled.

Arbitrary extension attributes may be included to provide device-specific IPv4 configuration that is beyond the scope of the LXI requirements.

RULE: LXI devices shall ignore extension attributes they do not recognize.

enabled generally enables or disables IPv6 capability.

DHCPEnabled represents the state of the device IPv6 DHCP protocol. If True, configuration is accepted via the DHCP protocol.

If DHCP is enabled, the device will accept IPv6 configuration from a DHCP server, which supercedes static values configured in the LXI Device Specific Configuration.

See the note on IPv6 autoconfiguration under Network/IPv6.

RAEnabled represents the state of address generation based on the router advertisement.

See the note on IPv6 autoconfiguration under Network/IPv6.

staticAddressEnabled indicates if the device uses the static address configured with LXIDeviceSpecificConfiguration/IPv6/StaticAddress.

OBSERVATION: There might not be a static address configured.

privacyModeEnabled indicates if the MAC address is included in the IPv6 address generation.

When privacyModeEnabled is enabled, neither the link local address, unique local address nor the SLAAC-generated addresses include the device MAC address.

See the Observation on IPv6 autoconfiguration under Network/IPv6.

mDNSEnabled represents the state of the IPv6 multicast DNS responder in the device.

The multicast DNS responder permits the device to be discovered and identified by clients.

In some implementations the mDNS capability is coupled between IPv4 and IPv6. For those devices, the configuration of the IPv4/@mDNSEnabled and the IPv6/@mDNSEnabled must be the same.

If mDNSEnabled is absent, and IPv4/@mDNSEnabled is present, then mDNSEnabled takes on the same value as IPv4/@mDNSEnabled.

dynamicDNSEnabled represents the state of the IPv6 dynamic DNS capability used to publish the hostname of the device.

If dynamicDNSEnabled is absent, and IPv4/@dynamicDNSEnabled is present, then dynamicDNSEnabled takes on the same value as IPv4/@dynamicDNSEnabled.

RULE: Dynamic DNS is optional for LXI devices. Therefore, if not implemented, the device shall ignore this attribute on a PUT.

RULE: Devices that do not implement dynamicDNS shall omit this attribute on a GET.

pingEnabled represents the state of the IPv6 ICMP ping function.

If pingEnabled is absent, and IPv4/@pingEnabled is present, then pingEnabled takes on the same value as IPv4/@pingEnabled.

OBSERVATION: The common IPv4 practice of blocking ICMP packets as a supposed security measure is not recommended on IPv6, as IPv6 functioning depends on ICMPv6 for error messages, path MTU discovery, multicast group management and Neighbor Discovery. IPv6 also relies upon multicast availability, which impacts firewalls, intrusion detection and access control rules.

OBSERVATION: On some devices IPv6/@pingEnabled must match the IPv4/@pingEnabled state.

Arbitrary extension attributes may be included to provide device specific IPv6 configuration that is beyond the scope of the LXI requirements.

RULE: LXI devices shall ignore extension attributes they do not recognize.

operation controls if the HTTP server is enabled, disabled, or if it forwards all requests to HTTPS.

enable	Enables the HTTP server, although secure pages shall redirect to HTTPS.
disable	Disables the HTTP server irrespective of the enabled services. No forwarding function is active.
redirectAll	All accesses to the HTTP server are redirected to HTTPS.

TCP port of the HTTP server.

TCP port of the HTTPS server.

clientAuthenticationRequired indicates if clients are required to authenticate as configured in this element.

clientAuthenticationRequired indicates that all services enabled in HTTPS shall require client authentication. This includes the human interface and any services that are enabled.

clientAuthenticationRequired does not impact the API-LXISecurity service which always requires client authentication. Note that client's presenting the API Key are regarded as authentic.

OBSERVATION: If the service is using application level authentication, this attribute may be the only indication in the schema that the HTTPS server communication is secure.

name indicates the name of the service.

RULE: LXI Service names are case sensitive. LXI Security specifies the following services:

Human-Interface	Indicates the endpoints required to serve a human interface to a browser Required of all LXI Security Devices.
API-LXISecurity	Indicates the LXI API Extended function endpoints required by the LXI Security extended function. Required of all LXI Security Devices.
API-Device	Indicates the endpoints used to implement various device-specific APIs. API-Device is required of all LXI Security devices that provide a device-specific API on this protocol. More fine-grained device-specific control is permitted as well.
other	Devices may define additional services that provide more granular control of enabled services or specify additional services. other service declarations are optional. OBSERVATION: clients can discover the available services by reading back the LXI Common Configuration. Although documentation of the device behavior is in product-specific documents. OBSERVATION: where servers define granular services that are a subset of other services, the presence of the less granular service enables all of the subset services.

enabled indicates if the designated service is enabled.

Devices may include attributes to further configure the service.

RULE: Devices that do not understand additional attributes shall ignore them.

enabled enables the SCPIRaw server at this address.

port specifies the port of this SCPIRaw server.

The IANA registered port of 5025 is preferred for SCPI traffic. If additional instances of SCPIRaw are enabled by default on the device, their ports are device-specific.

capability is a read-only attribute that indicates the approximate number of SCPIRaw ports that the client may configure.

enabled enables the secure raw SCPI server at this port.

port specifies the port of this secure raw SCPI server.

clientAuthenticationRequired indicates if client authentication is required. Secure raw SCPI connections use mutual TLS (mTLS) for client authentication.

The client certificate is authenticated based on the Interface/ClientAuthentication/ClientCertAuthentication element which must be configured if an active secure raw SCPI connection requires client authentication.

If false, the device accepts SCPITLS connections without client authentication, although mTLS connections may still be supported.

capability is a read-only attribute. It indicates the approximate number of SCPITLS ports that the client may configure.

enabled indicates if the Telnet server is enabled.

port specifies the Telnet server port.

For Command and Control traffic, the IANA assigned port of 5024 should be used.

TLSRequired indicates that telnet requires a secure TLS connection instead of TCP.

OBSERVATION: TLS only guarantees server (device) authentication. To require client authentication, @clientAuthenticationRequired must be true as well.

RULE: If the device implements TLS on Telnet it shall include the TLSRequired attribute in the query response regardless of the state of Telnet/@enabled.

clientAuthenticationRequired indicates that telnet exclusively uses mTLS.

OBSERVATION: If clientAuthenticationRequired is enabled, Telnet/@TLSRequired must be enabled as well. The unsecure Telnet USER and PASS are not used.

RULE: The mTLS client certificate authentication configured in Interface/ClientAuthentication/ClientCertAuthentication shall be used.

RULE: If the device implements mTLS (client authentication) on telnet it shall include the clientAuthenticationRequired attribute in the query response regardless of the state of Telnet/@enabled.

capability is a read-only attribute. It indicates the approximate number of Telnet ports that the client may configure.

Devices may further describe the telnet port, perhaps indicating if this server is SCPI or a command shell.

RULE: Devices that do not understand additional attributes shall ignore them.

enabled indicates if the HiSLIP server is enabled.

OBSERVATION: Disabling this server disables all the HiSLIP servers at every HiSLIP subaddress since they are all served from this port at the various subaddresses.

port indicates the TCP port from which the HiSLIP server is served.

mustStartEncrypted controls the initial encryption. If enabled, a secure connection must be initially made to this server. It can be subsequently stepped down to an unsecure connection if encryptionMandatory is not true.

It is erroneous to have mustStartEncrypted False and HiSLIP/@encryptionMandatory True.

encryptionMandatory indicates that this HiSLIP Server must always have encryption on. That is, the connection must be started securely, and the encryption may not be subsequently turned off.

It is erroneous to have encryptionMandatory True and HiSLIP/@mustStartEncrypted False.

enabled indicates that the SASL mechanism or HTTP scheme is enabled.

RULE: On LCI, the enabled mechanisms do not change.

Additional attributes that define SASL mechanisms or HTTPS schemas beyond the scope of LXI may include additional attributes to define them.

enabled state of the VXI11 server at this address.

scramHashIterationCount sets the minimum iteration count that SCRAM uses to hash the client credentials. The default value of this is device dependent, but should be chosen sufficiciently high that clients cannot successfully perform brute force attacks.

At the time of this writing RFC 7677 recommends a minimum of 4096 for SHA-256, although much larger values are reasonable for LXI devices.

OBSERVATION: Devices are permitted to use a higher value for scramHashIterationCount. The actual iteration count used by the device is indicated in the SCRAM protocol.

scramChannelBindingRequired specifies if the device permits the client to connect with a non-channel-bound version of SCRAM.

For instance, for a device that supports SCRAM with SHA-256 hashes: if false, then SCRAM-SHA-256 would be accepted in addition to SCRAM-SHA-256-PLUS. If true, only SCRAM-SHA-256-PLUS would be accepted by the device.

user that may be authenticated on the device.

RULE: LXI devices shall accept user names composed of alpha-numeric strings. User names shall be case-sensitive.

RULE: The IVI-6.5 SASL Mechanism Specification details the specific device and client requirements for the generation of usernames and passwords. Devices shall comply with the IVI device requirements.

APIAccess indicates if this user is authorized to use the API. If true, this user credential permits the client to use the API.

If APIAccess is false, this credential is not sufficient to permit the client to use the API.

On a write, the absence APIAccess indicates that no change is to be made to the users stored APIAccess value.

format Indicates the format used to generate the hash.

The following formats are required by LXI:

• ClearText indicates that the @value is not hashed.
• MCF indicates that the @value is in a format consistent with the Modular Crypt Format, used by tools such as libxcrypt or Linux crypt(3).

• SCRAM indicates that the @value is in a format to support SCRAM hashes and shall be represented as:

  <scram_sasl_mech>$<iteration_count>:<base64_salt>$<stored_key>:<server_key>

  Note that in the above string, the '$' and ':' characters are literals. The fields enclosed in <> indicate where hash algorithm values are incorporated into the string.

  The fields are as defined in RFC-5802. For example, the stored hash value of the password "123456" is:

  SCRAM-SHA-256$4096:sY29SmrcV71GPelgD3H1dg==$NicztZlfZMbAFFbqamvsz8tCZlTc5h2a9zNpteOxsrc=:93tB38XwNA5sE7xni/SyGVL8biMIB+ftW050VwR5/lc=

  This encodes the field values of:

  • scram_sasl_mech SCRAM-SHA-256
  • iteration_count 4096
  • base64_salt sY29SmrcV71GPelgD3H1dg==
  • stored_key NicztZlfZMbAFFbqamvsz8tCZlTc5h2a9zNpteOxsrc=
  • server_key 93tB38XwNA5sE7xni/SyGVL8biMIB+ftW050VwR5/lc=

Other formats are permitted, but not specified by LXI.

RULE: value contains the password in the format specified by @format.

RULE: If the device does not support the requested hash algorithm, then the CommonConfiguration put request shall fail. The returned LXIProblemDetails/Title element shall contain an indication that the hash algorithm specified in the value attribute was invalid. The LXIProblemDetails/Instance shall have a comma separated list of accepted values.

OBSERVATION: Clients can determine the supported hash algorithms by sending an empty value attribute.

Arbitrary attributes may be included for devices that wish to further qualify a password, for instance, to associate the password with a specific protocol.

hash indicates the hash function used to create this thumbPrint.

thumbPrint contains the certificate thumbPrint.