--- 1/draft-ietf-opes-end-comm-00.txt 2006-02-05 00:55:53.000000000 +0100 +++ 2/draft-ietf-opes-end-comm-01.txt 2006-02-05 00:55:53.000000000 +0100 @@ -1,17 +1,17 @@ Network Working Group A. Barbir Internet-Draft Nortel Networks -Expires: December 10, 2003 June 11, 2003 +Expires: March 12, 2004 September 12, 2003 OPES processor and end points communications - draft-ietf-opes-end-comm-00 + draft-ietf-opes-end-comm-01 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. @@ -19,61 +19,58 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on December 10, 2003. + This Internet-Draft will expire on March 12, 2004. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract This memo documents tracing requirements for Open Pluggable Edge Services (OPES). Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. OPES Tracing . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2.1 What is traceable in an OPES Flow? . . . . . . . . . . . . . 4 - 2.2 Requirements for Information Related to Traceable - Entities? . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3. Requirements for OPES systems . . . . . . . . . . . . . . . 6 - 4. Requirements for OPES processors . . . . . . . . . . . . . . 7 - 5. Requirements for callout servers . . . . . . . . . . . . . . 8 - 6. Privacy considerations . . . . . . . . . . . . . . . . . . . 9 - 6.1 Tracing and Trust Domains . . . . . . . . . . . . . . . . . 9 - 7. How to Support Tracing . . . . . . . . . . . . . . . . . . . 10 - 7.1 Tracing and OPES System Granularity . . . . . . . . . . . . 10 - 7.2 Requirements for In-Band Tracing . . . . . . . . . . . . . . 11 + 2. OPES Domain and OPES System . . . . . . . . . . . . . . . . 4 + 3. OPES Tracing . . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.1 What is traceable in an OPES Flow? . . . . . . . . . . . . . 6 + 3.2 Requirements for Information Related to Traceable + Entities? . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 4. Requirements for OPES processors . . . . . . . . . . . . . . 8 + 5. Requirements for callout servers . . . . . . . . . . . . . . 9 + 6. Privacy considerations . . . . . . . . . . . . . . . . . . . 10 + 6.1 Tracing and Trust Domains . . . . . . . . . . . . . . . . . 10 + 7. How to Support Tracing . . . . . . . . . . . . . . . . . . . 11 + 7.1 Tracing and OPES System Granularity . . . . . . . . . . . . 11 + 7.2 Requirements for In-Band Tracing . . . . . . . . . . . . . . 12 7.2.1 Tracing Information Granularity and Persistence levels - Requirements . . . . . . . . . . . . . . . . . . . . . . . . 11 - 7.3 Protocol Binding . . . . . . . . . . . . . . . . . . . . . . 12 - 7.4 Tracing scenarios and examples . . . . . . . . . . . . . . . 12 - 8. IAB considerations . . . . . . . . . . . . . . . . . . . . . 13 - 8.1 Notification Concerns . . . . . . . . . . . . . . . . . . . 13 - 8.1.1 Addressing IAB Consideration 3.1 . . . . . . . . . . . . . . 14 - 8.1.2 Addressing IAB Consideration 3.2 . . . . . . . . . . . . . . 15 - 9. Security considerations . . . . . . . . . . . . . . . . . . 17 - 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . 18 - Normative References . . . . . . . . . . . . . . . . . . . . 19 - Informative References . . . . . . . . . . . . . . . . . . . 20 - Author's Address . . . . . . . . . . . . . . . . . . . . . . 20 - A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 - Intellectual Property and Copyright Statements . . . . . . . 22 + Requirements . . . . . . . . . . . . . . . . . . . . . . . . 12 + 7.3 Protocol Binding . . . . . . . . . . . . . . . . . . . . . . 13 + 7.4 Tracing scenarios and examples . . . . . . . . . . . . . . . 13 + 8. Optional Notification . . . . . . . . . . . . . . . . . . . 14 + 9. IANA considerations . . . . . . . . . . . . . . . . . . . . 16 + 10. Security Considerations . . . . . . . . . . . . . . . . . . 17 + Normative References . . . . . . . . . . . . . . . . . . . . 18 + Informative References . . . . . . . . . . . . . . . . . . . 19 + Author's Address . . . . . . . . . . . . . . . . . . . . . . 19 + A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 + Intellectual Property and Copyright Statements . . . . . . . 21 1. Introduction The Open Pluggable Edge Services (OPES) architecture [8] enables cooperative application services (OPES services) between a data provider, a data consumer, and zero or more OPES processors. The application services under consideration analyze and possibly transform application-level messages exchanged between the data provider and the data consumer. @@ -93,109 +90,247 @@ by OPES entities. The work focus on developing tracing requirements that can be used to fulfil the notification and Non-Blocking requirements [2]. In the OPES architecture document [8], there is a requirement of relaying tracing information in-band. This work investigates this possibility and discusses possible methods that could be used to detect faulty OPES processors or callout servers by end points in an OPES flow. - The document is organized as follows: ....... + The document is organized as follows: Section 2 defines OPES Domain + and OPES System. Section 3 discusses entities that are traceable in + an OPES Flow. Sections 4 and 5 discuss tracing requirements for OPES + systems and callout servers. Section 6 focus on Tracing and Trust + Domains. Section 7 discusses how to support tracing and provides uses + cases. Section 8 examines Optional Notofication. Section 9 looks + into IANA considerations. Section 10 examines security + considerations. -2. OPES Tracing +2. OPES Domain and OPES System + + This sections clarifies the terms OPES system and OPES Domain [8]. + These terms are needed in order to define what is traceable in an + OPES Flow [8]. + + An OPES domain describes the collection of OPES entities that a + single provider operates. OPES domains can be based on trust or other + operational boundaries. All elements of an "OPES Domain" MUST be in + the same trust domain. This would be independent of any specific OPES + flow. + + An OPES system consists of a limited set of OPES entities, parts of a + single or of multiple OPES operators domains, organized by (or on + behalf) of either a data provider application or a data consumer + application to perform authorized services on a given application + message. Each OPES entity in an OPES system MUST be directly + addressable on IP level by a data consumer application. + + An OPES system can be formed in a recursive manner. An OPES system + can start with either a data provider application or a data consumer + application (for a given message). The OPES system then includes any + OPES entity trusted by (accepting authority from) an entity that is + already in the OPES system. The trust and authority delegation is + viewed in the context of the given application message. + + As implied by the above definition, some OPES entities in the system + may not participate in the processing of a given message. + + An OPES domain MUST not be an OPES sub-system. An OPES domain MUST + require external resources to provide services. An OPES domain is a + part of an OPES system belonging to a given operator. OPES domains + have no incidence on the structure of an OPES system, but they may + influence its organization for different reasons such as security, + payment, quality of service, delivery parameters among others. + + In Figure 1 an OPES Flow is shown that traverses across various OPES + Domains. A data consumer application MUST be able to recive tracing + information on per message basis that enable it to determine the set + of transformations that were perfomed on the data for a particular + OPES Flow. The formation of an OPES flow can be static or dynamic, + meaning that the determination of which OPES Domains will participate + in a given OPES Flow (per message basis) can be a function of + business arrangements. + + +------------------------------------------+ + | Data Consumer Application | + +------------------------------------------+ + ^ + | + +-------------------------------------------+ + | OPES System | O | + | | | + | +-------------------------+ | P | + | | OPES Domain | | | + | | +---------------+ | | E | + | | | OPES Entity | | | | + | | +---------------+ | | S | + | | . | | | + | | . | | | + | | +---------------+ | | F | + | | |Callout Server | | | | + | | +---------------+ | | L | + | | | | | + | +-------------------------+ | O | + | . | | + | . | W | + | +-------------------------+ | | + | | OPES Domain | | | + | | +---------------+ | | | + | | | OPES Entity | | | | + | | +---------------+ | | | + | | . | | | + | | . | | | + | | +---------------+ | | | + | | | OPES Entity | | | | + | | +---------------+ | | | + | +-------------------------+ | | + | v | + | +-----------------------------------+ | + | | Data Provider Application | | + | +-----------------------------------+ | + | | + +-------------------------------------------+ + + Figure 1: OPES System + +3. OPES Tracing Before discussing what is traceable in an OPES flow, it is beneficial to define what tracing means. Tracing is defined as the inclusion of necessary information within a message in an OPES flow that could be used to identify the set of transformations or adpatations that have - been performed on its content before its delivery to an end point - (the data consumer application). + been performed on its content in an OPES System before its delivery + to an end point (the data consumer application). - o OPES trace: application message information about OPES entities - that adapted that message + o OPES trace: application message information about OPES entities in + an OPES System that adapted that message. o OPES tracing: the process of including, manipulating, and - interpreting an OPES trace + interpreting an OPES trace in an OPES System. To emphasize, the above definition means that OPES tracing SHOULD be performed on per message basis. Trace format is dependent on the - application protocol being adapted by OPES. Data consumer application - can use OPES trace to infer the actions that have been performed by - OPES system(s). The architecture document requires [8] that tracing - be supported in-band. + application protocol that is being adapted by OPES. Data consumer + application can use OPES trace to infer the actions that have been + performed by the OPES system. The architecture document requires [8] + that tracing be supported in-band. -2.1 What is traceable in an OPES Flow? + In an OPES System the task of providing tracing information, must + take into account the following considerations: - o The data consumer application end point MUST be able to identify - the OPES processors that have acted on an application message. + o Providers may be hesitant to reveal information about their + internal network infrastructure. - o The data consumer application end point SHOULD be able to identify - OPES services (including callout services) that were performed on - request/responses that are part of an application message. + o Within a service provider network, OPES processors may be + configured to use non-routable, private IP addresses. - o TBD + o A Data consumer applications would prefer to have a single point + of contact regarding the trace information. o TBD - For a given trace, an OPES entity involved in handling the - corresponding application message is "traceable" or "traced" if - information about it appears in that trace. OPES entities have - different levels of traceability requirements. Specifically, +3.1 What is traceable in an OPES Flow? - o An OPES system MUST be traceable + This section focuses on identifying the traceable entities in an OPES + Flow. Tracing information MUST be able to provide a data consumer + application with useful information without tracing the exact OPES + Processor or callout servers that adapted the data. It is up to the + OPES service provider to have maintained appropriate internal + detailed traces to find the answer to the data consumer applications + inquiry. - o An OPES processor SHOULD be traceable + At the implementation level, for a given trace, an OPES entity + involved in handling the corresponding application message is + "traceable" or "traced" if information about it appears in that + trace. OPES entities have different levels of traceability + requirements. Specifically, - o An OPES service MAY be traceable + o An OPES system MUST add its entry to the trace. - o Editor Note: Need to define an OPES System properly + o An OPES processor SHOULD add its entry to the trace. -2.2 Requirements for Information Related to Traceable Entities? + o An OPES service SHOULD add its entry to the trace. + + o An OPES entity MAY manage trace information from entities that are + under its control. For example, an OPES processor may add or + remove callout service entries in order to manage the size of a + trace. Other considerations include: + + * The OPES processor may have a fixed configuration that enable + it to respond to tracing inquires. + + * The OPES processor may insert a summary of the services that it + controls. The summary can be used to respond to tracing + inquiries. + + * The OPES processor may package tracing information related to + the entities that it control based on the policy of a given + OPES System. + + From an OPES context, a good tracing approach is similar to a trouble + ticket ready for submission to a known address. The trace in itself + is not necessarily a detailed description of what has happened. It is + the resposibility of the operator to resolve the problems. + +3.2 Requirements for Information Related to Traceable Entities? The requirements for information as related to entities that are terceable in an OPES flow are: o The privacy policy at the time it dealt with the message o Identification of the party responsible for setting and enforcing that policy o Information pointing to a technical contact o Information that identifies, to the technical contact, the OPES processors involved in processing the messag o TBD -3. Requirements for OPES systems +4. Requirements for OPES processors - Editor Note: Need to define OPES System and state requirements + In order to facilitate compliance, the concept of an "OPES system" + being traceable, requires that each OPES processor MUST support + tracing. Policy can be set that defines which domain has + authorization to turn on tracing and its granularity. An OPES + provider can have its private policy for trace information, but it + MUST support tracing mechanisms and it MUST reveal it's policy. -4. Requirements for OPES processors + The requirements for OPES processors that are applicatble to tracing + are: - TBD + o Each OPES processor MUST belong to a single OPES Domain. + + o Each OPES processor MUST have a Unique Identity in that Domain. + + o Each OPES processor MUST support tracing, policy can be used to + turn tracing on and.to determine granuality. + + o TBD 5. Requirements for callout servers If it is the task of an OPES processor to add trace records to application messages, then callout servers that uses the OCP protocol - are not affected by tracing requirements.In order for an OCP protocol - to be tracing neutral, the OPES server SHOULD be able to meet the - following requirements: + are not affected by tracing requirements. In order for an OCP + protocol to be tracing neutral, the OPES server SHOULD be able to + meet the following requirements: o Callout services adapt payload regardless of the application protocol in use and leave header adjustment to OPES processor. - o OPES processor SHOULD be able to trace its own invocation and - service(s) execution because OPES processor understand the - application protocol. + o OPES processor SHOULD be able to trace it's own invocation and + service(s) execution since they understand the application + protocol. o Callout servers MAY be able to add their own OPES trace records to application level messages. o TBD 6. Privacy considerations 6.1 Tracing and Trust Domains @@ -311,178 +446,84 @@ 7.3 Protocol Binding How tracing is added is application protocol-specific and will be documented in separate drafts. This work documents what tracing information is required and some common tracing elements. 7.4 Tracing scenarios and examples TBD -8. IAB considerations +8. Optional Notification This section examines IAB [2] considerations (3.1) and (3.2) - regarding notification in an OPES architecture. The IAB - considerations are reiterated here for ease of reference. + regarding notification in an OPES architecture. Notification propagates in opposite direction of tracing and cannot be attached to application messages that it notifies about. Notification can be done out-band and may require the development of a new protocol. The direction of data flow for tracing and - notification are deoicted in Figure 1. + notification are depicted in Figure 2. Notification +----------------------------------------------- | | | V +---------------+ +-------+ +---------------+ | | | | | Data Provider | | Data Consumer | Tracing | OPES |<----->| Application | | Application |<-----------| | +---------------+ +---------------+ +-------+ ^ |OCP | V +---------+ | Callout | | Server | +---------+ - Figure 1: Notification Flow - -8.1 Notification Concerns - - Notifications for every HTTP request can burden some content - providers. Therefore, it might be preferable to consider mechanisms - that allow for the explicit request of notification. Hence, a - mechanism for explicit request of notification May be required. - - Furthermore, end point privacy is a concern. An end user may consider - information about OPES services applied on their behalf as private. - For example, if translation for braille device has been applied, it - can be concluded that the user is having eyesight problems; such - information may be misused if the user is applying for a job online. - Similarly, a content provider may consider information about its OPES - services private. For example, use of a specific OPES intermediary by - a high traffic volume site may indicate business alliances that have - not been publicly announced yet. Another example of privacy, include - situations where a user may not want to reveal to any content - provider all the OPES services that have been applied on their - behalf. For example, why should every content provider know what - exact virus scanner a user is using? - - Security is also a concern. An attacker may benefit from knowledge - of internal OPES services layout, execution order, software versions - and other information that are likely to be present in automated - notifications. - - The level of available details in notifications versus content - provider interest in supporting notification is a concern. - Experience shows that content providers often require very detailed - information about user actions to be interested in notifications at - all. For example, Hit Metering protocol [11] has been designed to - supply content providers with proxy cache hit counts, in an effort to - reduce cache busting behavior which was caused by content providers - desire to get accurate site "access counts". However, the Hit - Metering protocol is currently not widely deployed. This is because - the protocol does not supply content providers with information such - as client IP addresses, browser versions, or cookies. - - The Hit Metering experience is relevant because Hit Metering - protocol was designed to do for HTTP caching intermediaries what - OPES notifications are meant to do for OPES intermediaries. Thus, it - is important to have the right balance when specifying the - notofication requirements for OPES. - - In this document, IAB choice of "Notification" label is interpreted - as "Notification assistance" (i.e. making notifications meaningful) - and is not be interpreted as a "Notification protocol". Therefore, - the work treats IAB considerations (3.1 and 3.2) as informative (not - normative). - -8.1.1 Addressing IAB Consideration 3.1 - - The consideration is restated below for ease of reference. + Figure 2: Notification Flow - (3.1) Notification: The overall OPES framework needs to assist - content providers in detecting and responding to client-centric - actions by OPES intermediaries that are deemed inappropriate by the - content provider. + In [9] it was argued that Notification is an expensive approach for + providing tracing information. However, the current work does not + prevent an OPES System from publishing policy and specifications that + allow Optional Notification. For example, an OPES System can adopt a + mechanism that uses a flag that would allow a data consumer and a + data provider application to signal to each other that they are + interested to receive an explicit notification if an OPES service is + applied to a specific message. The value of this optional flag/field + can be a URI that identifies notification method plus parameters. If + a processor understands the method, it would be able to further + decode the field and send a notification. The specification of the + field name and format for an application protocol can be stated in + the associated binding document. The details of the notification + protocol is beyond the scope of this Working Group. - IAB consideration (3.1) suggests that the overall OPES framework - needs to assist content providers in detecting and responding to - client-centric actions by OPES intermediaries that are deemed - inappropriate by the content provider. + For example, the following HTTP header: - It is important to note that most client-centric actions happen after - the application message has left the content provider(s). Thus, - notifications cannot be piggy-backed to application messages and have - to travel in the opposite direction of traces, see Figure 1. To - address this requirement directly, one would have to develop an out - of band protocol to support notification. + o OPES-Notify: URI *(pname=pvalue) - At this stage, there is no need to develop an out of band protocol to - support notification, since requiring the OPES architecture to having - a tracing facility can fulfil the objectives of notification. In - this regard, it is recommended that tracing MUST be always-on, just - like HTTP Via headers. This should eliminate notification as a - separate requirement. + Or, -8.1.2 Addressing IAB Consideration 3.2 + o My-OPES-Notify: foo=bar q=0.5 - The consideration is restated below for ease of reference. + can be used. - (3.2) Notification: The overall OPES framework should assist end - users in detecting the behavior of OPES intermediaries, potentially - allowing them to identify imperfect or compromised intermediaries. +9. IANA considerations TBD - If the OPES end points cooperate then notification can be supported - by tracing. Content providers that suspect or experience difficulties - can do any of the following: - - o Check whether requests they receive pass through OPES - intermediaries. Presence of OPES tracing info will determine that. - This check is only possible for request/response protocols. For - other protocols (e.g., broadcast or push), the provider would have - to assume that OPES intermediaries are involved until proven - otherwise. - - o If OPES intermediaries are suspected, request OPES traces from - potentially affected user(s). The trace will be a part of the - application message received by the user software. If users - cooperate, the provider(s) have all the information they need. If - users do not cooperate, the provider(s) cannot do much about it - (they might be able to deny service to uncooperative users in - some cases). - - o Some traces may indicate that more information is available by - accessing certain resources on the specified OPES intermediary or - elsewhere. Content providers may query for more information in - that case. - - o If everything else fails, providers can enforce no-adaptation - policy using appropriate OPES bypass mechanisms and/or end-to-end - mechanisms. - -9. Security considerations +10. Security Considerations TBD -10. IANA Considerations - - The proposed work will evaluate current protocols for OCP. If the - work determines that a new protocol need to be developed, then there - may be a need to request new numbers from IANA. - Normative References [1] McHenry, S., et. al, "OPES Scenarios and Use Cases", Internet-Draft TBD, May 2002. [2] Floyd, S. and L. Daigle, "IAB Architectural and Policy Considerations for Open Pluggable Edge Services", RFC 3238, January 2002. [3] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., @@ -500,32 +541,36 @@ draft-ietf-opes-protocol-reqs-03.txt, December 2002. [7] A. Barbir et al., "Security Threats and Risks for Open Pluggable Edge Services", Internet-Draft http://www.ietf.org/ internet-drafts/draft-ietf-opes-threats-00.txt, October 2002. [8] A. Barbir et al., "An Architecture for Open Pluggable Edge Services (OPES)", Internet-Draft http://www.ietf.org/ internet-drafts/draft-ietf-opes-architecture-04, December 2002. + [9] A. Barbir et al., "OPES Treatment of IAB Considerations", + Internet-Draft http://www.ietf.org/internet-drafts/ + draft-ietf-opes-iab-01.txt, February 2004. + Informative References - [9] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., + [10] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J. and S. Waldbusser, "Terminology for Policy-Based Management", RFC 3198, November 2001. - [10] L. Cranor, et. al, "The Platform for Privacy Preferences 1.0 + [11] L. Cranor, et. al, "The Platform for Privacy Preferences 1.0 (P3P1.0) Specification", W3C Recommendation 16 http:// www.w3.org/TR/2002/REC-P3P-20020416/ , April 2002. - [11] "Hit Metering", RFC . + [12] "Hit Metering", RFC . Author's Address Abbie Barbir Nortel Networks 3500 Carling Avenue Nepean, Ontario K2H 8E9 Canada Phone: +1 613 763 5229