draft-ietf-cdni-uri-signing-07.txt   draft-ietf-cdni-uri-signing-08.txt 
CDNI K. Leung CDNI K. Leung
Internet-Draft F. Le Faucheur Internet-Draft F. Le Faucheur
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: October 7, 2016 R. van Brandenburg Expires: December 22, 2016 R. van Brandenburg
TNO TNO
B. Downey B. Downey
Verizon Labs Verizon Labs
M. Fisher M. Fisher
Limelight Networks Limelight Networks
April 5, 2016 June 20, 2016
URI Signing for CDN Interconnection (CDNI) URI Signing for CDN Interconnection (CDNI)
draft-ietf-cdni-uri-signing-07 draft-ietf-cdni-uri-signing-08
Abstract Abstract
This document describes how the concept of URI signing supports the This document describes how the concept of URI signing supports the
content access control requirements of CDNI and proposes a URI content access control requirements of CDNI and proposes a URI
signing scheme. signing scheme.
The proposed URI signing method specifies the information needed to The proposed URI signing method specifies the information needed to
be included in the URI and the algorithm used to authorize and to be included in the URI and the algorithm used to authorize and to
validate access requests for the content referenced by the URI. The validate access requests for the content referenced by the URI. The
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 7, 2016. This Internet-Draft will expire on December 22, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 29 skipping to change at page 2, line 29
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Background and overview on URI Signing . . . . . . . . . 5 1.2. Background and overview on URI Signing . . . . . . . . . 5
1.3. CDNI URI Signing Overview . . . . . . . . . . . . . . . . 6 1.3. CDNI URI Signing Overview . . . . . . . . . . . . . . . . 6
1.4. URI Signing in a non-CDNI context . . . . . . . . . . . . 8 1.4. URI Signing in a non-CDNI context . . . . . . . . . . . . 8
2. Signed URI Information Elements . . . . . . . . . . . . . . . 8 2. Signed URI Information Elements . . . . . . . . . . . . . . . 8
2.1. Enforcement Information Elements . . . . . . . . . . . . 10 2.1. Enforcement Information Elements . . . . . . . . . . . . 10
2.2. Signature Computation Information Elements . . . . . . . 11 2.2. Signature Computation Information Elements . . . . . . . 12
2.3. URI Signature Information Elements . . . . . . . . . . . 13 2.3. URI Signature Information Elements . . . . . . . . . . . 14
2.4. URI Signing Package Attribute . . . . . . . . . . . . . . 14 2.4. URI Signing Package Attribute . . . . . . . . . . . . . . 15
2.5. User Agent Attributes . . . . . . . . . . . . . . . . . . 15 2.5. User Agent Attributes . . . . . . . . . . . . . . . . . . 16
3. Create a Signed URI . . . . . . . . . . . . . . . . . . . . . 15 3. Create a Signed URI . . . . . . . . . . . . . . . . . . . . . 16
3.1. Compose URI Signing IEs with Protected URI . . . . . . . 16 3.1. Compose URI Signing IEs with Protected URI . . . . . . . 17
3.2. Compute URI Signature . . . . . . . . . . . . . . . . . . 18 3.2. Compute URI Signature . . . . . . . . . . . . . . . . . . 19
3.3. Encode the URI Signing Package . . . . . . . . . . . . . 19 3.3. Encode the URI Signing Package . . . . . . . . . . . . . 20
3.4. Assemble the Signed URI . . . . . . . . . . . . . . . . . 20 3.4. Assemble the Signed URI . . . . . . . . . . . . . . . . . 20
4. Validate a Signed URI . . . . . . . . . . . . . . . . . . . . 20 4. Validate a Signed URI . . . . . . . . . . . . . . . . . . . . 22
4.1. Extract and Decode URI Signing Package . . . . . . . . . 21 4.1. Extract and Decode URI Signing Package . . . . . . . . . 22
4.2. Extract URI Signing IEs . . . . . . . . . . . . . . . . . 21 4.2. Extract URI Signing IEs . . . . . . . . . . . . . . . . . 22
4.3. Obtain URI Signing IEs with Protected URI . . . . . . . . 22 4.3. Obtain URI Signing IEs with Protected URI . . . . . . . . 24
4.4. Validate URI Signature . . . . . . . . . . . . . . . . . 23 4.4. Validate URI Signature . . . . . . . . . . . . . . . . . 25
4.5. Distribution Policy Enforcement . . . . . . . . . . . . . 25 4.5. Distribution Policy Enforcement . . . . . . . . . . . . . 26
5. Relationship with CDNI Interfaces . . . . . . . . . . . . . . 25 5. Relationship with CDNI Interfaces . . . . . . . . . . . . . . 27
5.1. CDNI Control Interface . . . . . . . . . . . . . . . . . 26 5.1. CDNI Control Interface . . . . . . . . . . . . . . . . . 27
5.2. CDNI Footprint & Capabilities Advertisement Interface . . 26 5.2. CDNI Footprint & Capabilities Advertisement Interface . . 27
5.3. CDNI Request Routing Redirection Interface . . . . . . . 27 5.3. CDNI Request Routing Redirection Interface . . . . . . . 28
5.4. CDNI Metadata Interface . . . . . . . . . . . . . . . . . 27 5.4. CDNI Metadata Interface . . . . . . . . . . . . . . . . . 28
5.5. CDNI Logging Interface . . . . . . . . . . . . . . . . . 30 5.5. CDNI Logging Interface . . . . . . . . . . . . . . . . . 32
6. URI Signing Message Flow . . . . . . . . . . . . . . . . . . 32 6. URI Signing Message Flow . . . . . . . . . . . . . . . . . . 33
6.1. HTTP Redirection . . . . . . . . . . . . . . . . . . . . 32 6.1. HTTP Redirection . . . . . . . . . . . . . . . . . . . . 33
6.2. DNS Redirection . . . . . . . . . . . . . . . . . . . . . 35 6.2. DNS Redirection . . . . . . . . . . . . . . . . . . . . . 36
7. HTTP Adaptive Streaming . . . . . . . . . . . . . . . . . . . 37 7. HTTP Adaptive Streaming . . . . . . . . . . . . . . . . . . . 39
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39
8.1. CDNI Payload Type . . . . . . . . . . . . . . . . . . . . 38 8.1. CDNI Payload Type . . . . . . . . . . . . . . . . . . . . 39
8.1.1. CDNI UriSigning Payload Type . . . . . . . . . . . . 38 8.1.1. CDNI UriSigning Payload Type . . . . . . . . . . . . 39
8.2. CDNI Logging Record Type . . . . . . . . . . . . . . . . 38 8.2. CDNI Logging Record Type . . . . . . . . . . . . . . . . 40
8.2.1. CDNI Logging Record Version 2 for HTTP . . . . . . . 39 8.2.1. CDNI Logging Record Version 2 for HTTP . . . . . . . 40
8.3. CDNI Logging Field Names . . . . . . . . . . . . . . . . 39 8.3. CDNI Logging Field Names . . . . . . . . . . . . . . . . 40
8.4. CDNI URI Signing Enforcement Information Elements . . . . 39 8.4. CDNI URI Signing Enforcement Information Elements . . . . 40
8.5. CDNI URI Signing Signature Computation Information 8.5. CDNI URI Signing Signature Computation Information
Elements . . . . . . . . . . . . . . . . . . . . . . . . 40 Elements . . . . . . . . . . . . . . . . . . . . . . . . 41
8.6. CDNI URI Signing Signature Information Elements . . . . . 40 8.6. CDNI URI Signing Signature Information Elements . . . . . 42
9. Security Considerations . . . . . . . . . . . . . . . . . . . 41 9. Security Considerations . . . . . . . . . . . . . . . . . . . 43
10. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 10. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
12.1. Normative References . . . . . . . . . . . . . . . . . . 43 12.1. Normative References . . . . . . . . . . . . . . . . . . 44
12.2. Informative References . . . . . . . . . . . . . . . . . 43 12.2. Informative References . . . . . . . . . . . . . . . . . 45
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46
1. Introduction 1. Introduction
This document describes the concept of URI Signing and how it can be This document describes the concept of URI Signing and how it can be
used to provide access authorization in the case of redirection used to provide access authorization in the case of redirection
between interconnected CDNs (CDNI) and between a Content Service between interconnected CDNs (CDNI) and between a Content Service
Provider (CSP) and a CDN. The primary goal of URI Signing is to make Provider (CSP) and a CDN. The primary goal of URI Signing is to make
sure that only authorized User Agents (UAs) are able to access the sure that only authorized User Agents (UAs) are able to access the
content, with a CSP being able to authorize every individual request. content, with a CSP being able to authorize every individual request.
It should be noted that URI Signing is not a content protection It should be noted that URI Signing is not a content protection
skipping to change at page 9, line 33 skipping to change at page 9, line 33
carry the actual message digest or digital signature representing carry the actual message digest or digital signature representing
the URI signature used for checking the integrity and authenticity the URI signature used for checking the integrity and authenticity
of the URI. A typical Signed URI will only contain one embedded of the URI. A typical Signed URI will only contain one embedded
URI Signature Information Element. URI Signature Information Element.
In addition, the this document specifies the following URI attribute: In addition, the this document specifies the following URI attribute:
o URI Signing Package Attribute: The URI attribute that encapsulates o URI Signing Package Attribute: The URI attribute that encapsulates
all the URI Signing information elements in an encoded format. all the URI Signing information elements in an encoded format.
Only this attribute is exposed in the Signed URI as a URI query Only this attribute is exposed in the Signed URI as a URI query
parameter. parameter or as URL path parameter.
Two types of keys can be used for URI Signing: asymmetric keys and Two types of keys can be used for URI Signing: asymmetric keys and
symmetric keys. Asymmetric keys are based on a public/private key symmetric keys. Asymmetric keys are based on a public/private key
pair mechanism and always contain a private key only known to the pair mechanism and always contain a private key only known to the
entity signing the URI (either CSP or uCDN) and a public key for the entity signing the URI (either CSP or uCDN) and a public key for the
verification of the Signed URI. With symmetric keys, the same key is verification of the Signed URI. With symmetric keys, the same key is
used by both the signing entity for signing the URI as well as by the used by both the signing entity for signing the URI as well as by the
validating entity for validating the Signed URI. Regardless of the validating entity for validating the Signed URI. Regardless of the
type of keys used, the validating entity has to obtain the key type of keys used, the validating entity has to obtain the key
(either the public or the symmetric key). There are very different (either the public or the symmetric key). There are very different
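Review bot: In the URI Signing Package Attribute bullet, the added wording "or as URL path parameter" lacks an article and switches from "URI" to "URL" within one sentence; suggest "as a URI query parameter or as a URI path parameter". The bullet also does not say how a validating entity learns which of the two carries the package, so a pointer to where that is signalled would help. The "the this document" typo on the line introducing the bullet is unchanged in -08 and can be fixed in the same pass.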
skipping to change at page 10, line 47 skipping to change at page 10, line 47
rejected if sourced from a client outside of the specified IP rejected if sourced from a client outside of the specified IP
range. range.
o Original URI Container (OUC) [optional] - Container for holding o Original URI Container (OUC) [optional] - Container for holding
the Full Original URI while the URI signature is calculated. The the Full Original URI while the URI signature is calculated. The
Original URI Container information element is not transmitted as Original URI Container information element is not transmitted as
part of the URI Signing Package Attribute. If the Original URI part of the URI Signing Package Attribute. If the Original URI
Container information element is used, the URI Pattern Sequence Container information element is used, the URI Pattern Sequence
information element MUST NOT be used. information element MUST NOT be used.
o URI Pattern Container (UPC) [optional] - Container for one or more o URI Pattern Container (UPC) [optional] - Percent-encoded container
URI Patterns that describes for which content the Signed URI is for one or more URI Patterns that describes for which content the
valid. The URI Pattern Container contains an expression to match Signed URI is valid. The URI Pattern Container contains an
against the requested URI to check whether the requested content expression to match against the requested URI to check whether the
is allowed to be requested. Multiple URI Patterns may be requested content is allowed to be requested. Multiple URI
concatenated in a single URI Pattern Container information element Patterns may be concatenated in a single URI Pattern Container
by seperating them with a semi-colon (';') character. Each URI information element by seperating them with a semi-colon (';')
Pattern follows the [RFC3986] URI format, including the '://' that character. Each URI Pattern follows the [RFC3986] URI format,
delimits the URI scheme from the hierarchy part. The pattern may including the '://' that delimits the URI scheme from the
include the wildcards '*' and '?', where '*' matches any sequence hierarchy part. The pattern may include the wildcards '*' and
of characters (including the empty string) and '?' matches exactly '?', where '*' matches any sequence of characters (including the
one character. The three literals '$', '*' and '?' should be empty string) and '?' matches exactly one character. The three
escaped as '$$', '$*' and '$?'. All other characters are treated literals '$', '*' and '?' should be escaped as '$$', '$*' and
as literals. The following is an example of a valid URI Pattern: '$?'. All other characters are treated as literals. The
'*://*/folder/content-83112371/quality_*/segment????.mp4'. An following is an example of a valid URI Pattern: '*://*/folder/
example of two concatenated URI Patterns is the following: content-83112371/quality_*/segment????.mp4'. In its final
'http://*/folder/content-83112371/manifest/*.xml;http://*/folder/ percent-encoded form, this is equal to
content-83112371/quality_*/segment????.mp4'. If the UPC is used, '%2A%3A%2F%2F%2A%2Ffolder%2Fcontent-
the Original URI Container information element MUST NOT be used. 83112371%2Fquality_%2A%2Fsegment%3F%3F%3F%3F.mp4'. An example of
two concatenated URI Patterns is the following: 'http://*/folder/
content-83112371/manifest/*.xml;http://*/folder/content-83112371/
quality_*/segment????.mp4', which in percent-encoded form is:
'http%3A%2F%2F%2A%2Ffolder%2Fcontent-83112371%2Fmanifest%2F%2A.xml
%3Bhttp%3A%2F%2F%2A%2Ffolder%2Fcontent-
83112371%2Fquality_%2A%2Fsegment%3F%3F%3F%3F.mp4' If the UPC is
used, the Original URI Container information element MUST NOT be
used.
The Expiry Time Information Element ensures that the content The Expiry Time Information Element ensures that the content
authorization expires after a predetermined time. This limits the authorization expires after a predetermined time. This limits the
time window for content access and prevents replay of the request time window for content access and prevents replay of the request
beyond the authorized time window. beyond the authorized time window.
The Client IP Information Element is used to restrict content access The Client IP Information Element is used to restrict content access
to a particular IP address or set of IP addresses based on the IP to a particular IP address or set of IP addresses based on the IP
address for whom the content access was authorized. The URI Signing address for whom the content access was authorized. The URI Signing
mechanism described in this document will communicate the IP address mechanism described in this document will communicate the IP address
in the URI. To prevent the IP address from being logged, the Client in the URI. To prevent the IP address from being logged, the Client
IP information element is transmitted in encrypted form. IP information element is transmitted in encrypted form.
The Original URI Container is used to limit access to the Original The Original URI Container is used to limit access to the Original
URI only. URI only.
The URI Pattern Container Information Element is used to restrict The URI Pattern Container Information Element is used to restrict
content access to a particular set of URIs. content access to a particular set of URIs.
In order to increase performance of string parsing of the UPC,
implementations can check often-used UPC prefixes to quickly check
whether certain URI components can be ignored. For example, UPC
prefixes '*://*/' or '*://*:*' will be used in case the scheme and
authority components of the URI are ignored for purposes of UPC
enforcement.
Note: See the Security Considerations (Section 9) section on the Note: See the Security Considerations (Section 9) section on the
limitations of using an expiration time and client IP address for limitations of using an expiration time and client IP address for
distribution policy enforcement. distribution policy enforcement.
2.2. Signature Computation Information Elements 2.2. Signature Computation Information Elements
This section identifies the set of information elements that may be This section identifies the set of information elements that may be
needed to verify the URI (signature). New information elements may needed to verify the URI (signature). New information elements may
be introduced in the future if new URI signing algorithms are be introduced in the future if new URI signing algorithms are
developed. developed.
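Review bot: The new performance paragraph reads the UPC prefixes '*://*/' and '*://*:*' as "scheme and authority are ignored", but the UPC bullet defines '*' as matching any sequence of characters, which includes '/' and ':'. Under that definition the second '*' in '*://*/' can extend past the authority into the path, so a fast path that strips scheme and authority and matches only the remainder can return a different result from the full pattern match. Either state that '*' does not match across '/', or require the shortcut to give the same answer as full matching. Separately, ';' separates patterns but is not among the escapable literals ('$', '*', '?'), so a URI that contains ';' cannot be expressed in a UPC. The spelling "seperating" is carried over from -07, and the second percent-encoded example is missing its full stop before "If the UPC is used".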
skipping to change at page 12, line 23 skipping to change at page 12, line 40
NOT be present in the same URI Signing Package Attribute. NOT be present in the same URI Signing Package Attribute.
o Numerical Key ID (KID_NUM) [optional] - A 64-bit unsigned integer o Numerical Key ID (KID_NUM) [optional] - A 64-bit unsigned integer
used as an optional alternative for KID. The KID and KID_NUM used as an optional alternative for KID. The KID and KID_NUM
information elements MUST NOT be present in the same URI Signing information elements MUST NOT be present in the same URI Signing
Package Attribute. Package Attribute.
o Hash Function (HF) [optional] - A string used for identifying the o Hash Function (HF) [optional] - A string used for identifying the
hash function to compute the URI signature with HMAC. If this hash function to compute the URI signature with HMAC. If this
Information Element is not present in the URI Signing Package Information Element is not present in the URI Signing Package
Attribute, the default hash function is SHA-256. Attribute, the default hash function is "SHA-256". For
interoperability purposes, any hash function signalled via this
Information Element SHALL use the notation as used by NIST (e.g.
"SHA-256" instead of "SHA256", as defined in [FIPS.180-1.1995]).
o Digital Signature Algorithm (DSA) [optional] - Algorithm used to o Digital Signature Algorithm (DSA) [optional] - Algorithm used to
calculate the Digital Signature. If this Information Element is calculate the Digital Signature. If this Information Element is
not present in the URI Signing Package Attribute, the default is not present in the URI Signing Package Attribute, the default is
EC-DSA. "ECDSA". For interoperability purposes, any digital signature
algorithm signalled via this Information Element SHALL use the
notation as used by NIST (e.g. "ECDSA" instead of "EC-DSA", as
defined in [FIPS.186-4.2013]).
o Client IP Encryption Algorithm (CEA) [optional] - Algorithm used o Client IP Encryption Algorithm (CEA) [optional] - Algorithm used
to encrypt the Client IP. If this Information Element is not to encrypt the Client IP. If this Information Element is not
present in the URI Signing Package Attribute, the default is AES- present in the URI Signing Package Attribute, the default is "AES-
128. 128". For interoperability purposes, any encryption algorithm
signalled via this Information Element SHALL use the notation as
used by NIST (e.g. "AES-128" instead of "AES128", as defined in
[FIPS.197.2001]").
o Client IP Key ID (CKI) [optional] - A 64-bit unsigned integer used o Client IP Key ID (CKI) [optional] - A 64-bit unsigned integer used
for obtaining the key (e.g., database lookup) used for encrypting/ for obtaining the key (e.g., database lookup) used for encrypting/
decrypting the Client IP. decrypting the Client IP.
The Version Information Element indicates which version of URI The Version Information Element indicates which version of URI
signing scheme is used (including which attributes and algorithms are signing scheme is used (including which attributes and algorithms are
supported). The present document specifies Version 1. If the supported). The present document specifies Version 1. If the
Version attribute is not present in the Signed URI, then the version Version attribute is not present in the Signed URI, then the version
is obtained from the CDNI metadata, else it is considered to have is obtained from the CDNI metadata, else it is considered to have
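Review bot: The HF, DSA and CEA bullets now require NIST notation ("SHA-256", "ECDSA", "AES-128") but do not say what a validating entity does with a value in another notation such as "SHA256": reject the Signed URI, or normalise and accept. Stating that such values are rejected, and whether the comparison is case-sensitive, keeps implementations from diverging on which Signed URIs they accept. Also check that [FIPS.180-1.1995] is the revision that defines "SHA-256", and remove the stray '"' after [FIPS.197.2001] in the CEA bullet.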
skipping to change at page 14, line 35 skipping to change at page 15, line 16
The URI Signing Package Attribute is an encapsulation container for The URI Signing Package Attribute is an encapsulation container for
the URI Signing Information Elements defined in the previous the URI Signing Information Elements defined in the previous
sections. The URI Signing Information Elements are encoded and sections. The URI Signing Information Elements are encoded and
stored in this attribute. URI Signing Package Attribute is appended stored in this attribute. URI Signing Package Attribute is appended
to the Original URI to create the Signed URI. to the Original URI to create the Signed URI.
The primary advantage of the URI Signing Package Attribute is that it The primary advantage of the URI Signing Package Attribute is that it
avoids having to expose the URI Signing Information Elements directly avoids having to expose the URI Signing Information Elements directly
in the query string of the URI, thereby reducing the potential for a in the query string of the URI, thereby reducing the potential for a
namespace collision space within the URI query string. A side- namespace collision space within the URI query string (or the URL
benefit of the attribute is the obfuscation performed by the URI path in case path parameters are used). A side-benefit of the
Signing Package Attribute hides the information (e.g., client IP attribute is the obfuscation performed by the URI Signing Package
address) from view of the common user, who is not aware of the Attribute hides the information (e.g., client IP address) from view
encoding scheme. Obviously, this is not a security method since of the common user, who is not aware of the encoding scheme.
anyone who knows the encoding scheme is able to obtain the clear Obviously, this is not a security method since anyone who knows the
text. Note that any parameters appended to the query string after encoding scheme is able to obtain the clear text. Note that any
the URI Signing Package Attribute are not validated and hence do not parameters appended to the query string after the URI Signing Package
affect URI Signing. Attribute are not validated and hence do not affect URI Signing.
The following attribute is used to carry the encoded set of URI The following attribute is used to carry the encoded set of URI
Signing attributes in the Signed URI. Signing attributes in the Signed URI.
o URI Signing Package (URISigningPackage) - The encoded attribute o URI Signing Package (URISigningPackage) - The encoded attribute
containing all the CDNI URI Signing Information Elements used for containing all the CDNI URI Signing Information Elements used for
URI Signing. URI Signing.
The URI Signing Package Attribute contains the URI Signing The URI Signing Package Attribute contains the URI Signing
Information Elements in the Base-64 encoding with URL and Filename Information Elements in the Base-64 encoding with URL and Filename
Safe Alphabet (a.k.a. "base64url") as specified in the Base-64 Data Safe Alphabet (a.k.a. "base64url") as specified in the Base-64 Data
Encoding [RFC4648] document. The URI Signing Package Attribute is Encoding [RFC4648] document. The URI Signing Package Attribute is
the only URI Signing attribute exposed in the Signed URI. The the only URI Signing attribute exposed in the Signed URI. If the
attribute MUST be the last parameter in the query string of the URI Signed URI is communicated via the URI query string, the attribute
when the Signed URI is generated. However, a client or CDN may MUST be the last parameter in the query string of the URI when the
append other query parameters unrelated to URI Signing to the Signed Signed URI is generated. However, a client or CDN may append other
URI. Such additional query parameters SHOULD NOT use the same name query parameters unrelated to URI Signing to the Signed URI. Such
as the URI Signing Package Attribute to avoid namespace collision and additional query parameters SHOULD NOT use the same name as the URI
potential failure of the URI Signing validation. Signing Package Attribute to avoid namespace collision and potential
failure of the URI Signing validation.
The parameter name of the URI Signing Package Attribute shall be The parameter name of the URI Signing Package Attribute shall be
defined in the CDNI Metadata interface. If the CDNI Metadata defined in the CDNI Metadata interface. If the CDNI Metadata
interface is not used, or does not include a parameter name for the interface is not used, or does not include a parameter name for the
URI Signing Package Attribute, the parameter name is set by URI Signing Package Attribute, the parameter name is set by
configuration (out of scope of this document). configuration (out of scope of this document).
2.5. User Agent Attributes 2.5. User Agent Attributes
For some use cases, such as logging, it might be useful to allow the For some use cases, such as logging, it might be useful to allow the
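Review bot: The "MUST be the last parameter" rule is now conditioned on the query-string case, but nothing in this section gives the matching placement rule for the path-parameter case, and the earlier sentence "any parameters appended to the query string after the URI Signing Package Attribute are not validated" still speaks only of the query string. Add where the attribute sits, and which parts of the URI fall outside validation, when the package is carried in the path. "namespace collision space" would also read better as "namespace collision".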
skipping to change at page 17, line 50 skipping to change at page 18, line 33
skip this step when the hash function for the HMAC uses the skip this step when the hash function for the HMAC uses the
default value ("SHA-256"). If an information element was added default value ("SHA-256"). If an information element was added
to the buffer, append an "&" character. Append the string "HF=". to the buffer, append an "&" character. Append the string "HF=".
Append the string for the new hash function to be used. Note Append the string for the new hash function to be used. Note
that re-signing a URI MUST use the same hash function as the that re-signing a URI MUST use the same hash function as the
received Signed URI or one of the allowable hash functions received Signed URI or one of the allowable hash functions
designated by the CDNI metadata. designated by the CDNI metadata.
7. If asymmetric private/public keys are used, perform this step. 7. If asymmetric private/public keys are used, perform this step.
However, skip this step when the digital signature algorithm uses However, skip this step when the digital signature algorithm uses
the default value ("EC-DSA"). If an information element was the default value ("ECDSA"). If an information element was added
added to the buffer, append an "&" character. Append the string to the buffer, append an "&" character. Append the string
"DSA=". Append the string for the digital signature function. "DSA=". Append the string for the digital signature function.
Note that re-signing a URI MUST use the same digital signature Note that re-signing a URI MUST use the same digital signature
algorithm as the received Signed URI or one of the allowable algorithm as the received Signed URI or one of the allowable
digital signature algorithms designated by the CDNI metadata. digital signature algorithms designated by the CDNI metadata.
8. Depending on the type of URI enforcement used (Full Original URI 8. Depending on the type of URI enforcement used (Full Original URI
or URI Pattern), add the appropriate information element. or URI Pattern), add the appropriate information element.
A. If enforcement based on the Full Original URI, perform this A. If enforcement based on the Full Original URI, perform this
step. If an information element was added to the buffer, step. If an information element was added to the buffer,
append an "&" character. Append the string "OUC=". Append append an "&" character. Append the string "OUC=". Append
the Original URI, excluding the "scheme name" part and the the Original URI, excluding the "scheme name" part and the
"://" delimiter, to the buffer. Note: the Original URI "://" delimiter, to the buffer. Note: the Original URI
Container information element MUST be the last information Container information element MUST be the last information
element in the buffer before the signature information element in the buffer before the signature information
element. element.
B. If enforcement based on a URI Pattern, perform this step. If B. If enforcement based on a URI Pattern, perform this step. If
an information element was added to the buffer, append an "&" an information element was added to the buffer, append an "&"
character. Append the string "UPC=". Append the URI Pattern character. Append the string "UPC=". Append the URI Pattern
Container in the form of a string to the buffer. Container in the form of a percent-encoded string to the
buffer.
3.2. Compute URI Signature 3.2. Compute URI Signature
Compute the URI Signature by following the procedure below. The Compute the URI Signature by following the procedure below. The
buffer from the previous section is used. buffer from the previous section is used.
1. If symmetric shared key is used, perform this step. 1. If symmetric shared key is used, perform this step.
A. Obtain the shared key to be used for signing the URI. A. Obtain the shared key to be used for signing the URI.
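Review bot: Step 8.B now appends the UPC as a percent-encoded string, so the signature covers the encoded bytes, but the step does not say which characters are encoded or whether the hex digits are upper or lower case. State that the validating entity computes the signature over the UPC exactly as received and decodes it only afterwards for pattern matching; otherwise a signer that emits "%2a" and a validator that re-encodes to "%2A" will compute different signatures. Step 8.A carries a "MUST be the last information element" note for OUC; say whether UPC has the same ordering constraint.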
skipping to change at page 20, line 22 skipping to change at page 21, line 7
=="). Note: This is the value for the URI Signing Package =="). Note: This is the value for the URI Signing Package
Attribute. Attribute.
3.4. Assemble the Signed URI 3.4. Assemble the Signed URI
Assemble the parts to create the Signed URI by following the Assemble the parts to create the Signed URI by following the
procedure below. procedure below.
1. Copy the entire Full Original URI into a new empty buffer. 1. Copy the entire Full Original URI into a new empty buffer.
2. Check if the Full Original URI already contains a query string. 2. If the Signed URI is communicated via the URI query string,
If not, append a "?" character. If yes, append an "&" character. perform this step.
3. Append the parameter name used to indicate the URI Signing A. Check if the Full Original URI already contains a query
Package Attribute, as communicated via the CDNI Metadata string. If not, append a "?" character. If yes, append an
interface, followed by an "=". If none is communicated by the "&" character.
CDNI Metadata interface, it defaults to "URISigningPackage". For
example, if the CDNI Metadata interface specifies "SIG", append
the string "SIG=" to the message.
4. Append the URI Signing Package that was generated in previous B. Append the parameter name used to indicate the URI Signing
section (e.g. "http://example.com/content.mov?URISigningPackage= Package Attribute, as communicated via the CDNI Metadata
RVQ9MTIwOTQyMjk3NiZhbXA7Q0tJPTMxMSZhbXA7Q0lQPTkwQzkxMzk3NzkzM0ZDN interface, followed by an "=". If none is communicated by
jUwRTcxODYzNjFBOTNENkMzJmFtcDtLSUQ9ZXhhbXBsZTprZXlzOjEyMyZhbXA7TU the CDNI Metadata interface, it defaults to
Q9MWVjYjE0NDZhNjQzMTM1MmFhYjBmYjZlMGRjYTMwZTMwMzU2NTkzYTk3YWNiOTc "URISigningPackage". For example, if the CDNI Metadata
yMjAyMTIwZGM0ODJiZGRhZg=="). Note: this is the completed Signed interface specifies "SIG", append the string "SIG=" to the
URI. message.
C. Append the URI Signing Package that was generated in previous
section (e.g. "http://example.com/content.mov?URISigningPacka
ge=RVQ9MTIwOTQyMjk3NiZhbXA7Q0tJPTMxMSZhbXA7Q0lQPTkwQzkxMzk3Nz
kzM0ZDNjUwRTcxODYzNjFBOTNENkMzJmFtcDtLSUQ9ZXhhbXBsZTprZXlzOjE
yMyZhbXA7TUQ9MWVjYjE0NDZhNjQzMTM1MmFhYjBmYjZlMGRjYTMwZTMwMzU2
NTkzYTk3YWNiOTcyMjAyMTIwZGM0ODJiZGRhZg=="). Note: this is
the completed Signed URI.
3. If the Signed URI is communicated via a URL path parameter,
perform this step.
A. Check if the Full Original URI already contains a path
parameter. If not, add "/;" before the last path component
indicating the file to be retrieved. If yes, character at
the last append a "?" character. If yes, append an ";"
character after the last path parameter.
B. Append the parameter name used to indicate the URI Signing
Package Attribute, as communicated via the CDNI Metadata
interface, after the inserted ";" character. If none is
communicated by the CDNI Metadata interface, it defaults to
"URISigningPackage". Append an "=" character. For example,
if the CDNI Metadata interface specifies "SIG" as the
parameter name, append the string "SIG=" to the message.
C. Append the URI Signing Package that was generated in previous
section after the "=" character (e.g. "http://example.com/;UR
ISigningPackage=RVQ9MTIwOTQyMjk3NiZhbXA7Q0tJPTMxMSZhbXA7Q0lQP
TkwQzkxMzk3NzkzM0ZDNjUwRTcxODYzNjFBOTNENkMzJmFtcDtLSUQ9ZXhhbX
BsZTprZXlzOjEyMyZhbXA7TUQ9MWVjYjE0NDZhNjQzMTM1MmFhYjBmYjZlMGR
jYTMwZTMwMzU2NTkzYTk3YWNiOTcyMjAyMTIwZGM0ODJiZGRhZg==/content
.mov"). Note: this is the completed Signed URI.
4. Validate a Signed URI 4. Validate a Signed URI
The process of validating a Signed URI can be divided into five sets The process of validating a Signed URI can be divided into five sets
of steps: 1) Extract and decode URI Signing Package from the Signed of steps: 1) Extract and decode URI Signing Package from the Signed
URI, 2) Extract the URI Signing information elements, 3) Obtain the URI, 2) Extract the URI Signing information elements, 3) Obtain the
Protected URI, 4) Validate URI signature to ensure integrity of Protected URI, 4) Validate URI signature to ensure integrity of
Signed URI, and 5) Ensure proper enforcement of the distribution Signed URI, and 5) Ensure proper enforcement of the distribution
policy. The integrity of the Signed URI is confirmed before policy. The integrity of the Signed URI is confirmed before
distribution policy enforcement because validation procedure will distribution policy enforcement because validation procedure will
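Review bot: New step 3.A is garbled: "If yes, character at the last append a "?" character. If yes, append an ";" character after the last path parameter." has two "If yes" branches and a stray "?" carried over from step 2.A. Suggest reducing it to one "If not" branch (add "/;" before the last path component) and one "If yes" branch (append ";" after the last path parameter). The 3.C example places the parameter in an otherwise empty segment ("http://example.com/;URISigningPackage=.../content.mov"), so the text should say so explicitly. It should also state how a "/" inside the encoded package is handled if the encoding in use can produce one.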
skipping to change at page 21, line 33 skipping to change at page 22, line 48
4.2. Extract URI Signing IEs 4.2. Extract URI Signing IEs
Extract the information elements in the URI Signing Package Extract the information elements in the URI Signing Package
Attribute. Note that some steps are to be skipped if the Attribute. Note that some steps are to be skipped if the
corresponding URI Signing information elements are not embedded in corresponding URI Signing information elements are not embedded in
the attribute. Some of the information elements will be used to the attribute. Some of the information elements will be used to
validate the URI signature in the subsequent section. validate the URI signature in the subsequent section.
1. Extract the value from "VER" if the information element exists 1. Extract the value from "VER" if the information element exists
in the query string. Determine the version of the URI Signing in the decoded URI Signing Package. Determine the version of
algorithm used to process the Signed URI. If the CDNI Metadata the URI Signing algorithm used to process the Signed URI. If
interface is used, check to see if the used version of the URI the CDNI Metadata interface is used, check to see if the used
Signing algorithm is among the allowed set of URI Signing version of the URI Signing algorithm is among the allowed set of
versions specified by the metadata. If this is not the case, URI Signing versions specified by the metadata. If this is not
the request is denied. If the information element is not in the the case, the request is denied. If the information element is
URI, then obtain the version number in another manner (e.g., not in the URI, then obtain the version number in another manner
configuration, CDNI metadata or default value). (e.g., configuration, CDNI metadata or default value).
2. Extract the value from "MD" if the information element exists in 2. Extract the value from "MD" if the information element exists in
the query string. The existence of this information element the decoded URI Signing Package. The existence of this
indicates a symmetric key is used. information element indicates a symmetric key is used.
3. Extract the value from "DS" if the information element exists in 3. Extract the value from "DS" if the information element exists in
the query string. The existence of this information element the decoded URI Signing Package. The existence of this
indicates an asymmetric key is used. information element indicates an asymmetric key is used.
4. If neither "MD" or "DS" attribute is in the URI, then no URI 4. If neither "MD" or "DS" attribute is in the decoded URI Signing
Signature exists and the request is denied. If both the "MD" Package, then no URI Signature exists and the request is denied.
and the "DS" information elements are present, the Signed URI is If both the "MD" and the "DS" information elements are present,
considered to be malformed and the request is denied. the Signed URI is considered to be malformed and the request is
denied.
5. Extract the value from "UPC" if the information element exists 5. Extract the value from "UPC" if the information element exists
in the query string. The existence of this information element in the decoded URI Signing Package and convert it from its
indicates content delivery is enforced based on a (set of) URI percent-encoded form to a regular string. The existence of this
pattern(s) instead of the Full Original URI. information element indicates content delivery is enforced based
on a (set of) URI pattern(s) instead of the Full Original URI.
6. Extract the value from "CIP" if the information element exists 6. Extract the value from "CIP" if the information element exists
in the query string. The existence of this information element in the decoded URI Signing Package. The existence of this
indicates content delivery is enforced based on client IP information element indicates content delivery is enforced based
address. on client IP address.
7. Extract the value from "ET" if the information element exists in 7. Extract the value from "ET" if the information element exists in
the query string. The existence of this information element the decoded URI Signing Package. The existence of this
indicates content delivery is enforced based on time. information element indicates content delivery is enforced based
on time.
8. Extract the value from the "KID" or "KID_NUM" information 8. Extract the value from the "KID" or "KID_NUM" information
element, if they exist. The existence of either of these element, if they exist. The existence of either of these
information elements indicates a key can be referenced. If both information elements indicates a key can be referenced. If both
the "KID" and the "KID_NUM" information elements are present, the "KID" and the "KID_NUM" information elements are present,
the Signed URI is considered to be malformed and the request is the Signed URI is considered to be malformed and the request is
denied. denied.
9. Extract the value from the "HF" information element, if it 9. Extract the value from the "HF" information element, if it
exists. The existence of this information element indicates a exists. The existence of this information element indicates a
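Review bot: Step 1 was only half updated: it now reads "in the decoded URI Signing Package", but its last sentence still says "If the information element is not in the URI", and steps 8 and 9 do not name where they extract from at all. Suggest using "decoded URI Signing Package" throughout so a validator never falls back to reading information elements from the outer query string. In step 5, say that the percent-decoding of "UPC" happens after the package has been split into information elements, so that a decoded "&" or "=" inside a pattern cannot be read as a delimiter. Step 4 should read: neither "MD" nor "DS".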
skipping to change at page 22, line 46 skipping to change at page 24, line 19
11. Extract the value from the "CEA" information element, if it 11. Extract the value from the "CEA" information element, if it
exists. The existence of this information element indicates a exists. The existence of this information element indicates a
different Client IP Encryption Algorithm than the default. different Client IP Encryption Algorithm than the default.
12. Extract the value from the "CKI" information element, if it 12. Extract the value from the "CKI" information element, if it
exists. The existence of this information element indicates a exists. The existence of this information element indicates a
key can be referenced using which the Client IP was encrypted. key can be referenced using which the Client IP was encrypted.
4.3. Obtain URI Signing IEs with Protected URI 4.3. Obtain URI Signing IEs with Protected URI
Obtain the message that contain the URI Signing Information Elements Obtain the message that contains the URI Signing Information Elements
and Protected URI (either Full Original URI or URI pattern). This is and Protected URI (either Full Original URI or URI pattern). This is
the content that was used to generate the URI signature, which is the content that was used to generate the URI signature, which is
validated by Downstream CDN in the next section.. validated by Downstream CDN in the next section.
1. Copy the decoded URI Signing Package into a new buffer to hold 1. Copy the decoded URI Signing Package into a new buffer to hold
the message for performing the operations below. Note: The the message for performing the operations below. Note: The
attribute contains all the URI Signing Information Elements and attribute contains all the URI Signing Information Elements and
may also include the URI Pattern Container. may also include the URI Pattern Container.
2. Remove the value part of the "MD" or "DS" information element 2. Remove the value part of the "MD" or "DS" information element
from the message. The part of information element that remains from the message. The part of information element that remains
is "MD=" or "DS=". is "MD=" or "DS=".
skipping to change at page 26, line 34 skipping to change at page 28, line 9
For Signature Computation Information Elements: For Signature Computation Information Elements:
No need to advertise "VER" Information Element unless it's not No need to advertise "VER" Information Element unless it's not
"1". In this case, a draft is needed to describe the new "1". In this case, a draft is needed to describe the new
version. version.
Advertise value of the "HF" Information Element (i.e. SHA-256) Advertise value of the "HF" Information Element (i.e. SHA-256)
to indicate support for the hash function; Need IANA assignment to indicate support for the hash function; Need IANA assignment
for new hash function. for new hash function.
Advertise value of the "DSA" Information Element (i.e. EC-DSA) Advertise value of the "DSA" Information Element (i.e.
to indicate support for the DSA; Need IANA assignment for new "ECDSA") to indicate support for the DSA; Need IANA assignment
digital signature algorithm. for new digital signature algorithm.
Advertise "MD" Information Element (i.e., SHA-256) to indicate Advertise "MD" Information Element (i.e., SHA-256) to indicate
support for symmetric key method; A new draft is needed for an support for symmetric key method; A new draft is needed for an
alternative method. alternative method.
Advertise "DS" Information Element (i.e., EC-DSA) to indicate Advertise "DS" Information Element (i.e., "ECDSA") to indicate
support for asymmetric key method; A new draft is needed for an support for asymmetric key method; A new draft is needed for an
alternative method. alternative method.
For URI Signing Package Attribute, there is no need to advertise For URI Signing Package Attribute, there is no need to advertise
the base attribute. the base attribute.
5.3. CDNI Request Routing Redirection Interface 5.3. CDNI Request Routing Redirection Interface
The CDNI Request Routing Redirection Interface The CDNI Request Routing Redirection Interface
[I-D.ietf-cdni-redirection] describes the recursive request [I-D.ietf-cdni-redirection] describes the recursive request
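Review bot: The rename to "ECDSA" is quoted as a literal string in the "DSA" and "DS" bullets, but SHA-256 in the "HF" and "MD" bullets is still unquoted, so it is unclear whether both are registry strings to be matched exactly. Suggest quoting both consistently. The "i.e." in all four bullets reads as if these were the only permitted values; if they are examples or defaults, use "e.g." or say "default".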
skipping to change at page 29, line 9 skipping to change at page 30, line 31
Property: digital-signature-algorithm Property: digital-signature-algorithm
Description: Designated digital signature function used for URI Description: Designated digital signature function used for URI
Signing computation when the Signed URI does not contain the Signing computation when the Signed URI does not contain the
Digital Signature Algorithm information element. Digital Signature Algorithm information element.
Type: String (limited to the digital signature algorithm Type: String (limited to the digital signature algorithm
strings in the registry defined by the IANA Considerations strings in the registry defined by the IANA Considerations
(Section 8) section). (Section 8) section).
Mandatory-to-Specify: No. Default is EC-DSA. Mandatory-to-Specify: No. Default is "ECDSA".
Property: digital-signature-algorithm-set Property: digital-signature-algorithm-set
Description: Allowable digital signature function set that the Description: Allowable digital signature function set that the
Signed URI's Digital Signature Algorithm information element Signed URI's Digital Signature Algorithm information element
can reference. can reference.
Type: List of Strings Type: List of Strings
Mandatory-to-Specify: No. Default is to allow any DSA. Mandatory-to-Specify: No. Default is to allow any DSA.
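Review bot: The default for digital-signature-algorithm changes from EC-DSA to "ECDSA", which alters a string that implementations compare against and is not just an editorial fix. Suggest recording the rename in the draft's change log and confirming that the registry referenced in the Type line (Section 8) uses the same spelling, so a peer still sending the -07 value is rejected for a documented reason and not silently.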
skipping to change at page 30, line 31 skipping to change at page 32, line 14
{ {
"generic-metadata-type": "MI.UriSigning.v1" "generic-metadata-type": "MI.UriSigning.v1"
"generic-metadata-value": "generic-metadata-value":
{ {
"enforce": true, "enforce": true,
"key-id": "1", "key-id": "1",
"key-id-set": ["1", "2", "3"], "key-id-set": ["1", "2", "3"],
"hash-function": "SHA-512", "hash-function": "SHA-512",
"hash-function-set": ["SHA-384", "SHA-512"], "hash-function-set": ["SHA-384", "SHA-512"],
"digital-signature-algorithm": "EC-DSA", "digital-signature-algorithm": "ECDSA",
"digital-signature-algorithm-set": ["EC-DSA"], "digital-signature-algorithm-set": ["ECDSA"],
"version": 1, "version": 1,
"version-set": [1], "version-set": [1],
"package-attribute": "usp" "package-attribute": "usp"
} }
} }
5.5. CDNI Logging Interface 5.5. CDNI Logging Interface
For URI Signing, the Downstream CDN reports that enforcement of the For URI Signing, the Downstream CDN reports that enforcement of the
access control was applied to the request for content delivery. When access control was applied to the request for content delivery. When
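Review bot: The example object is not valid JSON on either side: the line "generic-metadata-type": "MI.UriSigning.v1" is missing the trailing comma before "generic-metadata-value". Since this hunk already touches the example to change "EC-DSA" to "ECDSA", fix the comma in the same revision so the example can be pasted into a parser.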
skipping to change at page 38, line 4 skipping to change at page 39, line 24
multiple CDNI hops including non-adjacent hops. This raises a multiple CDNI hops including non-adjacent hops. This raises a
security concern for applicability of URI Signing with symmetric keys security concern for applicability of URI Signing with symmetric keys
in case of DNS-based inter-CDN request routing. in case of DNS-based inter-CDN request routing.
7. HTTP Adaptive Streaming 7. HTTP Adaptive Streaming
The authors note that in order to perform URI signing for individual The authors note that in order to perform URI signing for individual
content segments of HTTP Adaptive Bitrate content, specific URI content segments of HTTP Adaptive Bitrate content, specific URI
signing mechanisms are needed. Such mechanisms are currently out-of- signing mechanisms are needed. Such mechanisms are currently out-of-
scope of this document. More details on this topic is covered in scope of this document. More details on this topic is covered in
Models for HTTP-Adaptive-Streaming-Aware CDNI [RFC6983]. [Editor Models for HTTP-Adaptive-Streaming-Aware CDNI [RFC6983]. In
note: DASH draft discussion] addition, [I-D.brandenburg-cdni-uri-signing-for-has] provides an
extension to the algorithm defined in this document that deals
specifically with URI signing of segmented content.
8. IANA Considerations 8. IANA Considerations
8.1. CDNI Payload Type 8.1. CDNI Payload Type
This document requests the registration of the following CDNI Payload This document requests the registration of the following CDNI Payload
Type under the IANA "CDNI Payload Type" registry: Type under the IANA "CDNI Payload Type" registry:
+------------------+---------------+ +------------------+---------------+
| Payload Type | Specification | | Payload Type | Specification |
skipping to change at page 42, line 46 skipping to change at page 44, line 32
attribute) is embedded in the Signed URI. For this reason, the attribute) is embedded in the Signed URI. For this reason, the
mechanism described in Section 3.1 encrypts the Client IP before mechanism described in Section 3.1 encrypts the Client IP before
including it in the URI Signing Package (and thus the URL itself). including it in the URI Signing Package (and thus the URL itself).
11. Acknowledgements 11. Acknowledgements
The authors would like to thank the following people for their The authors would like to thank the following people for their
contributions in reviewing this document and providing feedback: contributions in reviewing this document and providing feedback:
Scott Leibrand, Kevin Ma, Ben Niven-Jenkins, Thierry Magnien, Dan Scott Leibrand, Kevin Ma, Ben Niven-Jenkins, Thierry Magnien, Dan
York, Bhaskar Bhupalam, Matt Caulfield, Samuel Rajakumar, Iuniana York, Bhaskar Bhupalam, Matt Caulfield, Samuel Rajakumar, Iuniana
Oprescu, Leif Hedstrom and Phil Sorber. In addition, Matt Caulfield Oprescu, Leif Hedstrom, Phil Sorber and Gancho Tenev. In addition,
provided content for the CDNI Metadata Interface section. Matt Caulfield provided content for the CDNI Metadata Interface
section.
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.ietf-cdni-logging] [I-D.ietf-cdni-logging]
Faucheur, F., Bertrand, G., Oprescu, I., and R. Faucheur, F., Bertrand, G., Oprescu, I., and R.
Peterkofsky, "CDNI Logging Interface", draft-ietf-cdni- Peterkofsky, "CDNI Logging Interface", draft-ietf-cdni-
logging-24 (work in progress), April 2016. logging-27 (work in progress), June 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008, DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>. <http://www.rfc-editor.org/info/rfc5226>.
[RFC6707] Niven-Jenkins, B., Le Faucheur, F., and N. Bitar, "Content [RFC6707] Niven-Jenkins, B., Le Faucheur, F., and N. Bitar, "Content
Distribution Network Interconnection (CDNI) Problem Distribution Network Interconnection (CDNI) Problem
Statement", RFC 6707, DOI 10.17487/RFC6707, September Statement", RFC 6707, DOI 10.17487/RFC6707, September
2012, <http://www.rfc-editor.org/info/rfc6707>. 2012, <http://www.rfc-editor.org/info/rfc6707>.
12.2. Informative References 12.2. Informative References
[FIPS.180-1.1995]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-1, April 1995,
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
[FIPS.186-4.2013]
National Institute of Standards and Technology, "Digital
Signature Standard", FIPS PUB 186-1, December 1998,
<http://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.184-4.pdf>.
[FIPS.197.2001]
National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001,
<http://csrc.nist.gov/publications/fips/fips197/
fips-197.pdf>.
[I-D.brandenburg-cdni-uri-signing-for-has]
Brandenburg, R., "URI Signing for HTTP Adaptive Streaming
(HAS)", draft-brandenburg-cdni-uri-signing-for-has-03
(work in progress), June 2016.
[I-D.ietf-cdni-metadata] [I-D.ietf-cdni-metadata]
Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma, Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
"CDN Interconnection Metadata", draft-ietf-cdni- "CDN Interconnection Metadata", draft-ietf-cdni-
metadata-13 (work in progress), March 2016. metadata-18 (work in progress), June 2016.
[I-D.ietf-cdni-redirection] [I-D.ietf-cdni-redirection]
Niven-Jenkins, B. and R. Brandenburg, "Request Routing Niven-Jenkins, B. and R. Brandenburg, "Request Routing
Redirection interface for CDN Interconnection", draft- Redirection interface for CDN Interconnection", draft-
ietf-cdni-redirection-17 (work in progress), February ietf-cdni-redirection-18 (work in progress), April 2016.
2016.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<http://www.rfc-editor.org/info/rfc2104>. <http://www.rfc-editor.org/info/rfc2104>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>. <http://www.rfc-editor.org/info/rfc3986>.
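Review bot: The new [FIPS.186-4.2013] entry is internally inconsistent: the tag says 186-4 and 2013, the citation says "FIPS PUB 186-1, December 1998", and the URL ends in "NIST.FIPS.184-4.pdf". Suggest making all three refer to the same publication. [FIPS.180-1.1995] also deserves a check: FIPS 180-1 specifies SHA-1, while the hash functions named elsewhere in this diff are SHA-256, SHA-384 and SHA-512.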
 End of changes. 40 change blocks. 
143 lines changed or deleted 226 lines changed or added
