Network Working Group A. Barbir Internet-Draft N. Mistry Expires: May 12, 2002 R. Penno Nortel Networks D. Kaplan Activia November 12, 2001 A Framework for OPES End to End Data Integrity: Virtual Private Content Networks (VPCN) draft-barbir-opes-vpcn-00.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 10, 2002. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. Intellectual Property Existence The authors are aware of the existence of intellectual property associated with certain edge service implementations of the high level model described herein. Barbir, et. al. Expires May 10,2002 Page [1] Internet-Draft VPCN November 2001 Abstract In the IETF, OPES is developing a framework for a "services engine" in the Internet to communicate with a user agent to deliver content in a format based on user preferences and abiding to content owners policies. The document introduces the concept of Virtual Private Content Networks as a layer-7 Virtual Private Network as a vehicle for providing content integrity and trust model that ensures the delivery of content in a network with distributed intelligence. The VPCN framework represents a trusted closed group of entities that agree to deliver, store/cache, modify or adapt content as specified by the rules and polices in the content profile. In a VPCN, the content provider is a member and the owner of the VPCN. Any surrogate or an application gateway that is in the content path must be a member of the VPCN. In a VPCN content is distributed among members' nodes through the use of Content Tunnels that ensure the integrity of the transport of content among network nodes. 1. Introduction Content Delivery is of increasing importance to the overall architecture of the web. Content providers and content consumers are interested in value-add services that operate on content before its delivery to content consumer. In the IETF, OPES is currently in the process of providing services that would be deployed in the network, for example, at a web proxy cache between the origin server and the client, that would transform or filter content. Examples of proposed OPES services include assembling personalized web pages, adding user-specific regional information to web pages, virus scanning, content adaptation for clients with limited bandwidth, language translation, and the like [12,20]. Providing Edge Services have also paved the road to the use of Content Services Overlay Networks [16], whereby, the customization of the content can be performed across Service engines or Application Gateways that span multiple networks. Content Services Overlay Networks can consist of Service Engines that belong to different Authoritative domains that agree to cooperate together to provide value added service on the content on behalf of Content Providers. However, the introduction of intermediaries in the Content Path requires the development of mechanisms that guarantee the integrity of the content in transit in the Internet between client/intermediary, intermediary/intermediary, and intermediary/origin server. This in return raises serious questions about the integrity of the content as delivered to the consumer, and whether the content provider or content consumer authorizes the adaptations that were performed on the content. For example, in transparent caching a proxy server instead of the intended server can silently fulfill user's requests for the content. In general, transparent caching can be performed without the user or the content provider consent. Barbir, et. al. Expires May 10,2002 Page [2] Internet-Draft VPCN November 2001 In [20], the IAB stated that the architecture of OPES type devices must protect end-to-end data integrity by supporting end-host detection and response to inappropriate behavior by OPES intermediaries. Certainly, the presence of OPES type intermediaries and caches in the content path add intelligence within the public network, where content storage and/or adaptation can occur. Thus, what is needed is an approach that ensures the security, trust and integrity of content in an intelligent network. In the essence, there should be an approach that guarantee the end-to-end data integrity in a network with distributed intelligence. In the Internet today, Virtual Private Networks (VPN) may be constructed as Overlay Networks to ensure the integrity of transition of packets between private networks as it span public networks (IPSec for example). The same concept can be extended to layer-7 to introduce Virtual Private Networks focused on content. These networks are overlay networks permitting establishment of a framework for data trust and integrity at the content level. In this regard, the document introduces the concept of Virtual Private Content Networks (VPCN) as a layer 7 overlay network that ensures the trust, integrity and security of content. The VPCN concept associates a content profile or attribute with the content. The content profile determines the rules and polices that are associated with the content as a whole or any part that is dynamically generated. Intermediaries that deal with content must be members of a VPCN. Intermediaries within a VPCN are treated as extension or authorized agents of the content source. In VPCN content traverses among the members using "Content Tunnels" that ensure that content is received by authorized entities. In a VPCN there are provisions that enable the content provider to verify that the intermediary is acting on the content as specified in the content profile. The current version of the draft uses the VPCN concept to address the data integrity with server-centric OPES or OPES type services. The emphasis is on responses as opposed to requests. However, the concept can be easily extended to cover that aspect. The draft presents a vocabulary that can be used in developing Virtual Private Content Networks and describes the core components of such, and their relationships. Section 2 introduces the terms used for elements of VPCN. Section 3 explains the concept of overlay networks and how different types of such are built upon each other. The core CVPN components and their relationship are introduced in Sections 4 and 5, followed by OPES security considerations in Section 6. Barbir, et. al. Expires May 10,2002 Page [3] Internet-Draft VPCN November 2001 2. Definitions and Terminology The section provides the definitions of a number of terms used to refer to the roles, participants, and objects involved in Virtual Private Content Networks. The definition are based on the OPES framework [12]. Although the following uses many terms used in RFC 2616 [4] and RFC 3040 [6], there is no required dependency on HTTP or web caching technology. This vocabulary is applicable to other protocols and content networks. ACTION An action is a form of a policy action [] that results in the execution of an 'content service module' when 'conditions' of a 'rule' are met. AUTHORITATIVE DOMAIN A logical domain in which the network elements have rights, either delegated or inherited to act authoritatively on behalf of a party. This logical domain may be wholly contained within the administrative domain [2] of the party, or it may be a collection of administrative domains in which the party rights have been delegated. CACHE A program's local store of response messages and the subsystem that controls its message storage, retrieval, and deletion. A cache stores cacheable responses in order to reduce the response time and network bandwidth consumption on future, equivalent requests. Any client or server may include a cache, however, a cache cannot be used by a server that is acting as a tunnel. CACHING PROXY A proxy with a cache, acting as a server to clients, and a client to servers. Caching proxies are often referred to as "proxy caches" or simply "caches". The term "proxy" is also frequently misused when referring to caching proxies. CLIENT A program that establishes connections for the purpose of sending requests. CONDITION A form of a policy condition[11] that is an expression which is used to determine whether a 'rule' 'action' should be executed. CONTENT CONSUMER The 'client' that is the final destination of content delivery. CONTENT PATH The content path describes the path that content requests and responses take through the network. Typically, content requests and responses flow between a client, one or more intermediaries, and a content server. CONTENT ATTRIBUTE See content profile. Barbir, et. al. Expires May 10,2002 Page [4] Internet-Draft VPCN November 2001 CONTENT PROFILE A content profile consists of a set of elements that describe available variants for given content. The profile also includes policy information about allowable transformations, adaptations, and Digital Rights Management that are applicable for that content. The profile can be applicable to a specific piece of content, a set or class of content, or an aggregation of content from several locations. The profile is also applicable to dynamically generated content. CONTENT SERVER The server that delivers the content. It may be an 'origin server', replica server, 'surrogate' or parent proxy. CONTENT SERVICE A service operating on and providing a value-add to content. DELEGATE A caching proxy located near or at the network access point of the 'user agent', delegated the authority to operate on behalf of, and typically working in close co-operation with a group of 'user agents'. IN-PATH In-Path Content Services are naturally within the message path of the application they are associated with. This may be an application proxy, gateway, or in the extreme case, one of the end-hosts, that is party to the application. INTERMEDIARY Intermediaries are application gateway devices located in the content path between client and origin server. Caching proxies' and 'surrogates' are probably the most commonly known and used intermediaries today. OVERLAY NETWORK A set of connected network elements layered onto existing underlying networks, and presented as a virtual application layer to both 'clients' and 'origin servers'. OUT-OF-PATH Out-of-Path Content Services are not natively in the transport path of an application. In other words, they are not necessarily resident (or co-resident) on entities that are natively in the path of application flows [18] PDP See 'policy decision point'. PEP See 'policy enforcement point'. Barbir, et. al. Expires May 10,2002 Page [5] Internet-Draft VPCN November 2001 POLICY DECISION POINT A logical entity that makes policy decisions for itself or for other network elements that request such decisions. POLICY ENFORCEMENT POINT A logical entity that enforces policy decisions. SURROGATE A gateway co-located with an origin server, or at a different point in the network, delegated the authority to operate on behalf of, and typically working in close co-operation with, one or more origin servers. Responses are typically delivered from an internal cache. Surrogates may derive cache entries from the origin server or from another of the origin server's delegates. In some cases a surrogate may tunnel such requests. Devices commonly known as "reverse proxies" and "(origin) server accelerators" are both more properly defined as surrogates. USER AGENT The client that initiates a request. These are often browsers, editors, spiders (web-traversing robots), or other end user tools. VPN See Virtual Private Network Virtual Private Network Virtual Private Networks (VPN) represents communication between a set of sites making use of a shared network infrastructure. Multiple sites of a private network may therefore communicate via the public infrastructure, in order to facilitate the operation of the private network. The logical structure of the VPN, such as addressing, topology, connectivity, reach-ability and access control, is equivalent to part of or all of a conventional private network using private facilities 3. Content Integrity The Internet provides an attractive medium for the distribution of content in electronic form. However, the ease of delivering and the ease of manipulation of information in electronic form make tracking such acts intractable. To address these issues a model that guarantee content trust, security and integrity must be developed. The model should create an environment in which information cannot be stored or manipulated in the network without the consent of content source and/or the content consumers. Barbir, et. al. Expires May 10,2002 Page [6] Internet-Draft VPCN November 2001 In order to provide content delivery and content services, there may be a need to store/cache and/or adapt the content in the network in its transit from the content source to the content consumer. In order to be able to provide content delivery and services in a legal and trust worthy manner, the entity that is providing the services must guarantee the following minimum functionality: - Content source (owners) must be assured that their content is used and manipulated only in authorized ways. - Content providers must be able to remove, update, and modify their content (or variant such as OPES versions) on the fly. - Content providers are able to maintain control over literary or copyrighted assets. - Content providers are compensated for all uses of the content. - Privacy rights of users of content are preserved. - Diverse business models related to content could be implemented. 3.1 Content Profiles Content providers can describe the list of adaptations, modifications, cache-ability and policies that they authorize on their content in whole or any dynamically generated parts in content profiles. The content profile also includes the set of policies that they would like to be used to determine the allowable set of modifications that could be used on the content. In order to ensure content trust and integrity a mechanism should be developed that allow the creation of content profiles. The profiles encapsulate information about the content and their associated polices. This includes information such as available variants at the content source, encoding method, and dimensions. Content profiles and policies also include information about what is and is not allowed in terms of use or manipulation of that content (e.g. do not allow legal documents to be translated into another language). Furthermore, content profiles must be able applicable to static and dynamically generated content. The static content and the dynamically generated content can also be cacheable. Content policies are an integral part of the content profile for a given piece of content. A content profile must encapsulate all of the information about the content, which is needed to make any of the adaptation decisions required for that content. RFC 2295 provides the means for automatically and efficiently retrieving the best content variant from a content source in HTTP. This specification defines transparent content negotiation as an extension on top of the HTTP/1.1 protocol. Ensuring the integrity of content in the Internet requires the development of a generalized, protocol-independent definition of content profiles. Barbir, et. al. Expires May 10,2002 Page [7] Internet-Draft VPCN November 2001 Content profiles may be stored as part of the content or as separate entities. In this regard, there may be a need to develop appropriate protocols that distribute and invalidate content profiles in the network in a secure manner. The next subsection provide a brief overview of a method [17] that content providers can use to indicate to intermediaries the possible set of modifications that could be performed on content. 3.1.1 Content Adaptation and Validation Method In [17], a method is proposed that enable content owners to express how their content is treated as part of the content message. The method allows for fine-grained delegation of modification rights. The method allows any party to validate the message with respect to owner's intentions, even if several intermediaries are involved in the modification process. In particular, the requester can validate the final message. The method is friendly to caches whereby partially modified message forms can be cached. This is because the method separates the content from the authorization and validation information. 3.1.1.1 Overview of the Method In the method, the content owner specifies content as a set of parts, some of which are immutable and some of which are replaceable. Each part has permissions, and the set of parts and their permissions is the message "manifest", an index to the message. The content owner's signature on the manifest specifies his/her intentions. In order for the owner to delegate modification rights verifiable to parts of a message, the message must have well-defined part boundaries. This can be accomplished by specifying byte ranges with MIME or other standards. The manifest names each part and its hash value: non-invertible, collision-resistant function of each byte of the part. The modification right for a part includes both the permitted action and the identification of the parties authorized to perform the action. The modification rights can be extended to specify content type, size, resolution and method. Each party that modifies the message in accordance with the owner instructions must attach an action notification to the message. This refers to the permission in the manifest, the message part, the action, the hash of the manifest, the identity of the editor, and a signature over these items. Because, the manifest and the signed actions are separate from the content, the content remains cacheable even in partially modified from. The manifest concept is similar to the W3C XML Digital Signature standard. This allows for the possibility of including information about the content that might not be part of the current content, such as the contents associated with URL. Barbir, et. al. Expires May 10,2002 Page [8] Internet-Draft VPCN November 2001 The full details of the method are given in [17]. The method separates Content profile from the content and is a good candidate to be used as a building block for defining content profiles that include the rules that are associated with it. It can also be used as a building block for developing techniques that enable the content provider to verify the operations of OPES intermediaries. 3.2 Content Path The content path describes the path that content requests and responses take through the network. In the traditional client/server Internet end-to-end model content requests and responses flow between the client and the content server. However, in an intelligent network, content requests and responses may flow between a client, a single or group of intermediaries and a content server. Furthermore, for OPES [12] type intermediaries, content requests and responses may also be directed to remote callout servers that perform added content services. In general, there may be Policy Decision Points (PDP) that is associated with Policy Enforcement Points (PEP) that determines the number of intermediaries that the content path will consist off. To ensure content integrity and security, every intermediary in the content path must be authorized by the content provider to act on the content. Content profiles can be used to enforce the rules and policies that are associated with that content. What is needed is a proper model that ensures that all the entities in the content path are entities with legal access to the content and its associated profiles. 4. Content Level Overlay Networks Overlay networks are a powerful abstraction that creates a virtual network of connected devices layered on an existing underlying network in order to provide new network functionality. The functionality can be packet based or content based. For example, Virtual Private Networks [19] are packet based overlay networks that aim towards providing connectivity of multi-networks over the public networks. Similarly, Edge Services networks are overlay networks that aim towards providing content services. In packet based VPNs, the emphasis is on transporting packets in a secure fashion across a public medium. The level of security depends on the tunneling mechanism that is used. This type of VPNs examine the packet headers at a given protocol stack in order to make a routing or forwarding decision. There is no consideration to which content the packets belong to and no attempt to relate the packets to a given content profile. Barbir, et. al. Expires May 10,2002 Page [9] Internet-Draft VPCN November 2001 At the content level, it is possible to define Edge Networks [16] consisting of intermediaries in the network for the delivery of content in a close proximity to the content consumer. These overlay networks create a virtual overlay on top of IP packet networks, that via 'intermediaries' enables the necessary network infrastructure to provide better content delivery services. There are two forms of edge servers, the 'delegate' and the 'surrogate'. 'Delegates', are authorized agents 'intermediaries' that act on behalf of 'clients'. Surrogates on the other hand, are authorized agent 'intermediaries' that act on behalf of 'origin servers'. Due to their strategic location in the network, Edge servers are ideal candidates for performing content delivery and 'content services'. In a similar fashion overlay networks can be used to construct Content Services Networks [16]. In this case, Application Gateways can be introduced between independent end-to-end sessions to construct a specialized form of application network Overlays. Content service networks provide services that act on content flowing through the 'content path'. Content service networks are constrained to provide services only on the 'content path', as opposed to general applications. For OPES type networks, content service networks provide a mechanism for vectoring the content flow to Application Gateways for processing. This vectoring is accomplished with 'rules' that set 'conditions' to trap on the content flowing through the 'content path'. This process is a classic example of a policy 'PEP'. 5. Virtual Private Content Networks There are other models that can be used within the Internet for providing content services [16]. However, regardless of the nature of the network, there should exist mechanisms that allow the establishment of a trust model for the content. At the content level, the content path may traverse one or more of the following components: Client, Delegate, Service Modules, Surrogate and Origin Server. A proper trust model must ensure the integrity of the content throughout the whole content path. Here, the concept of overlay networks can be used to construct Virtual Private Content Networks (VPCN) as an overlay network that has as members all the entities that are on the content path. All the members' of a VPCN agree to act on the content as described in the content profile. Content profiles can be stored in a single location or distributed manner in the Internet or the network. In essence, a VPCN represents a trusted closed group of entities that agree to deliver, store/cache, modify or adapt content as specified by the rules and polices in the content profile. In a VPCN, the content provider is a member and the owner of the VPCN. Any surrogate or an application gateway that is in the content path must be a member of the VPCN. Barbir, et. al. Expires May 10,2002 Page [10] Internet-Draft VPCN November 2001 Members of a VPCN can belong to different Administrative domains. Figure 1 depicts the construction of a VPCN as an overlay network consisting of surrogates, service modules and content servers that belong to various Edge Services Networks. Form Figure 1, a service module (ag) can be the broker for content from content providers P1 and P2. In this case the 'ag' can be a member of content trust overlays termed VPCN-P1 with provider P1 and a member of a content trust overlay termed VPCN-P2 with provider P2. Associated with each VPCN would be its own set of policies and attributes. This would be negotiated between the 'ag' service provider and the content provider. 'Client' or 'Delegate' can subscribe to become members of the VPCNs either subscribing to a default set of policies and attributes or negotiating a subset. In this simplified model, the VPCN has publisher and consumers of the content; allowing supports for content push and pop models plus the ability to enforce policies. +--------+ / Client / +--------+ ^ / v _________________(i)_______________ / intermediary / / (P1) content services /__ +-------+ / (P2) / / +-------+ / Client /<->(i) Virtual Private Content / /<-> / Content / +------+/ / Network (ag) / / / Server / / (ag) / /__ +-------+ /___________________(i)____________/ / / /__________________________________/ / / Edge Services Network Overlay / / . / /___________________(i)______________/ Figure 1. OPES Based VPCN Network Overlay The concept of VPCN enables deployment of layer 7 content networks, independent of physical topology. Thus, the term "virtual" implies the ability to allow a geographically distributed group of hosts to interact and be managed at the content level as a single network without concern to physical location. The term 'private' is simply defined as a closed user group with secure access. It is important to note here that security can be achieved through various techniques. The choice of the technique will be based on overlay network that delivers the content. In addition, the choice of security is also based on the nature of the content. In some cases, there may be a need to encrypt the data. However, in some other Barbir, et. al. Expires May 10,2002 Page [11] Internet-Draft VPCN November 2001 cases such as live streaming sessions, the use of encryption may not be appropriate. Data security is achieved through the use of Content Tunnels that establish a trusted path between any two end points. The term Content refers to layer 7 content. The VPCN concept leads to virtual networks that provide content confidentiality, integrity, and authentication within the content path. 5.1 VPCN Requirements The previous sections have stated that VPCN can be constructed as an overlay network on top of other overlay networks such as Edge Services Networks. When implementing VPCN care must be taken to ensure the integrity of content across the content path. In this regard, it is possible to implement a VPCN using the same techniques as Virtual Private Networks. In general, VPNs come in various flavors. It is possible to define Layer 1 to Layer 3 VPNs. Some VPNs implement encryption techniques, while others achieve the security of the data at the routing table level. Regardless of how a VPCN is implemented, the following minimum characteristics must be met: 1. Confidentiality. : The VPCN must ensure the privacy of content data sent over it and protect it from interception by eavesdroppers. Basically, content must be protected along the content path. 2. Authenticity. The VPCN must ensure that intermediaries accessing it are indeed authorized members of the VPCN community. In addition, the VPCN should ensure the authenticity of the data and its source, that is, it must ensure that senders are indeed who they say they are. 3. Integrity. The VPCN must ensure that the data received is indeed the same data that was transmitted, that is, it must protect data from corruption by transmission errors or vandals. 4. Optimize performance. The VPCN must be designed to optimize use of the limited bandwidth of the Internet. 5. The VPCN must be able to support protocols that allow for the delivery, update, and invalidation of content and content profiles. 6. Content Providers and Surrogates can belong to different VPCN. 7. Compliance: The content source (provider) must be able to verify the members of the VPCN are generating content that is compliant by the content profile. This can be done by using the method of 3.1.1 or through the logging of some of the user's requests and the responses. Barbir, et. al. Expires May 10,2002 Page [12] Internet-Draft VPCN November 2001 5.2 VPCN Characteristics This section looks at how a VPCN service can be provided. The distinguishing characteristic of a VPCN is that packets are treated at the content layer. In VPCNs packets are forwarded to intermediaries that are member of the content path. Note that VPCN operation is decoupled from the mechanisms that are used to transport packets across the Internet. 5.2.1 VPCN Topology The topology of a VPCN may consist of a full mesh of content tunnels between each VPCN node, or may be an arbitrary topology, such as a set of nodes connected to the nearest regional site. The regional sites may be connected together via a full or partial mesh. 5.2.1 Addressing The addressing used within a VPCN may have no relation to the addressing used on the IP backbone over which the VPCN is instantiated. Multiple VPCNs may be instantiated over the same set of physical devices, and they may use the same or overlapping address spaces. 5.2.3 Forwarding In a VPCN forwarding of packets is performed at the content layer for a given content profile. Packets are forwarded at the application level to other OPES or non-OPES intermediaries or remote callout servers based on the content profile. Packets are forwarded to members' nodes only. 5.2.4 Multiple concurrent VPCN connectivity A single intermediary or content provider may belong concurrently to multiple VPCNs and may want to transmit traffic both onto one or more VPCNs. 5.3 VPCN Generic Requirements There are a number of common requirements, which any network-based VPCN solution must address, and there are a number of different mechanisms that can be used to meet these requirements. These generic issues are 1. The use of a globally unique VPCN identifier in order to be able to refer to a particular VPCN. 2. VPCN membership determination. There should a mechanism that enables the VPCN nodes to determine member nodes in that VPCN. 3. Reachability information. VPCN nodes must be able to determine the reachability of other VPCN nodes. Barbir, et. al. Expires May 10,2002 Page [13] Internet-Draft VPCN November 2001 4. Content Tunneling mechanism. A VPCN node must be able to construct the necessary tunnels to other nodes members in the VPCN. The nodes must be able to perform content tunneling on the packets that may include the encapsulation and de-encapsulation necessary to send and receive packets over the tunnels. 5. Authentication. VPCN nodes must be able to authenticate all members of the group. 6. Accounting/billing. Members of the VPCN must be able to bill each other for services that is being performed on content. 7. Content addition and deletion. Content providers must be able to inject content and its associated profile into the VPCN. Furthermore, they should be able to modify/delete that content, it's profile and any cached dynamic content. 5.3.1 VPCN Membership Information Configuration and Dissemination In order to establish a VPCN, or to insert new nodes into an established VPCN, a mechanism must exist that can either perform the task through manual configuration or through an appropriate VPCN auto discovery and configuration protocol. For subscribers that want to attach to the VPCN dynamically it is possible to Add them to the VPCN during the authentication phase. If the node is unsuccessfully authenticated (e.g. using a Radius server), then the newly created node can be bound to the correct VPCN. Note that static configuration information is still needed, for example to maintain the list of authorized subscribers for each VPCN. Whether a particular node joins the VPCN dynamically or statically (through configuration) the VPCN-ID can be used to determine the appropriate VPCN. 5.4 Contrast Packet Based and Content Based Overlay Networks Packet based VPNs provide a mechanism for transmitting data packets in a secure fashion across public networks. Depending on how the VPNs are constructed, the packet routing decisions is performed at OSI layers 1 to 3. Packet based VPNs do not perform packet forwarding that are based on content type or based on rules that specify required adaptations on the content. On the other hand, VPCN are layer 7 virtual private networks that perform routing decisions that are solely based on content types, content attributes and policies that are related to a given content. While the main task of packet based VPN is to deliver the packets in a secure fashion, the main objective of VPCN is to ensure the integrity of data at the content level. Barbir, et. al. Expires May 10,2002 Page [14] Internet-Draft VPCN November 2001 VPCN can be constructed using any technology that ensures the appropriate delivery of content between two end points in the content path is a secure fashion. In this regard, VPCN can be constructed as overlay networks that uses basic packet based VPNs. 5. VPCN and OPES Requirements for Data Integrity and Security This section discusses the applicability of VPCN to address the requirements for data integrity, security and privacy for OPES. 6.1. VPCN and OPES Content Integrity Requirements The VPCN framework ensures that any intermediary that is in the content path be a member of the layer 7 VPCN. The VPCN framework ensures the following content integrity criteria for OPES type intermediaries: 1. OPES intermediaries can only modify content as expressly permitted by the Content Provider. Note: The intermediaries must still get the consent of the End User. 2. OPES intermediaries have permissions from the content provider based on the content profile that indicates what parts of the content can be modified and what modifications are allowed. The content profile can allow different permissions for different resources. 3. VPCN Framework provides OPES intermediaries the ability to fetch the content provider's content profile that could be stored at a well-known place (similar to P3P) on the Internet. Furthermore, the VPCN framework allows the content provider the ability to modify/change/delete or expires the content profile on the fly. 4. The VPCN framework enables the content provider to identify all intermediaries that can act on the content. Content Providers can exclude certain intermediaries from performing any actions on the content by simply excluding them from the VPCN. 5. In the VPCN framework, End Users can easily discover the types of Intermediaries that are on the content path. This enables the development of proper tools that allow the End Users to indicate what type of Intermediary activities they allow. 6. The VPCN framework requires the development of means to pass End User Intermediaries Permissions to OPES Intermediaries as part of a resource request. 7. The VPCN framework can provide the means for either a Content Provider or End User to indicate that Intermediary activity is limited to passing on the request or response. Barbir, et. al. Expires May 10,2002 Page [15] Internet-Draft VPCN November 2001 6.2 VPCN and OPES End to End Data Integrity The End to End data integrity for OPES type intermediaries is guaranteed by the VPCN framework. The VPCN concept provides the following: 1. The use of content tunnels among the members of the VPCN may preclude the need of associating digital signatures with parts or all of content. End User agents are ensured about the content integrity when served from an intermediary. 2. The VPCN framework allow the content provider to specify the rules for dynamically created content. This may preclude the need for creating temporary versions of the integrity check format for dynamically created content. 3. The VPCN framework does not preclude the development of a mechanism that allows End Users (or others) to retrieve integrity checking information about how the content is handled in the VPCN. 6.3 VPCN and OPES Privacy requirements The VPCN framework allows all the intermediaries that are on the content path to become legal extensions of the content providers. The intermediaries therefore must honor the privacy policies of the content providers. These policies can be packaged in the content profile. 1. As a member of a VPCN, OPES Intermediaries must agree to confirm to the content provider Web site's W3C P3P policy as applicable to a resource. 2. The VPCN framework does not preclude Users and Content Providers from defining additional privacy requirements that apply to Intermediaries in an Intermediaries Privacy policy. P3P describes privacy policy end to end, but a more restrictive privacy policy may be desirable at Intermediaries. The Intermediaries Privacy Policy must include the ability to specify what information can be recorded by Intermediaries and how it is used. 3. The VPCN framework does not preclude the development of mechanisms for OPES intermediaries to access a Content Provider's Intermediaries Privacy policy. 4. The VPCN framework does not preclude the development of a mechanism for OPES Intermediaries to receive an End User's Intermediaries Privacy policy. 5. The VPCN framework requires OPES intermediaries to honor both End User and content provider intermediaries privacy policies. 6. The VPCN framework does not preclude OPES Intermediaries Privacy policies from specifying what information Intermediaries can or cannot record, including cookies, IP addresses, HTTP header fields and how they can use that information. Barbir, et. al. Expires May 10,2002 Page [16] Internet-Draft VPCN November 2001 7. The VPCN framework does not preclude OPES Intermediaries Privacy policies from specifying what information can or cannot be passed by OPES Intermediaries to OPES callout services, including cookies, IP addresses, HTTP header fields. 8. The VPCN framework ensures that OPES Intermediaries will report back to the content provider any information that is related to its content. The needed information can be specified in the content profile. 7. Acknowledgements The authors acknowledge the contributions and comments of Wayne Ding (Nortel), Hilarie Orman (Volear) and Markus Hufmann (Lucent), and R. Chen (AT&T) References [1] Postel, J., "Internet Protocol", RFC 791, September 1981, . [2] Hares, S. and D. Katz, "Administrative Domains and Routing Domains A Model for Routing in the Internet", RFC 1136, December 1989, . [3] Carpenter, B., "Architecture Principles of the Internet", RFC 1958, June 1996, . [4] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol-- HTTP/1.1", RFC 2616, June 1999, . [5] Carpenter, B., "Internet Transparency", RFC 2775, February 2000, . [6] Cooper, I., Melve, I. and G. Tomlinson, "Internet Web Replication and Caching Taxonomy", RFC 3040, January 2001, . [7] Day, M., Cain, B., Tomlinson, G. and P. Rzewski, "A Model for Content Internetworking", draft-day-cdnp-model-09.txt (work in progress), June 2001, . Barbir, et. al. Expires May 10,2002 Page [17] Internet-Draft VPCN November 2001 [8] Beck, A. and M. Hofmann, "IRML: A Rule Specification Language for Intermediary Services", draft-beck-opes-irml-00.txt (work in progress) February s001, . [9] Elson, J. and A. Cerpa, "ICAP the Internet Content Adaptation Protocol", ICAP Forum http://www.circlemud.org/~jelson/icap-1.72.txt, June 2001, . [10] Box, D., Ehnebuske, D., Kakivaya, G., Layman, A., Mendelsohn, N., Frystyk Nielsen, H., Thatte, S. and D. Winer, "Simple Object Access Protocol (SOAP) 1.1", W3C Note http://www.w3.org/TR/2000/NOTE-SOAP-20000508/, May 2000, . [11] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Perry, J., Herzog, S., Huynh, A., Carlson, M. and S. Waldbusser, "Policy Terminology", draft-ietf-policy-terminology-03..txt (work in progress), April 2001, . [12] McHenry, S., Condry, M. and G. Tomlinson, "Open Pluggable Edge Services Use Cases and Deployment Scenarios", draft-mchenry-opes-deployment- scenarios.txt (work in progress), November 2000, . [13] Rafalow, L., Yang, L. and A. Beck, "Policy Requirements for Edge Services", draft-rafalow-opes-policy-requirements-00.txt (work in progress), July 2001. [14] Nottingham, M., Tsimelzon, M., Weihl, B. and L. Jacobs, "ESI Language Specification 1.0", EDGE SIDE INCLUDES http://www.edge- delivery.org/language_spec_1-0.html, May 2001, . [15] P. Srisuresh, J. Kuthan, J. Rosenberg, A. Molitor, A. Rayhan, "Middlebox Communication Architecture and framework", draft-ietf-midcom-framework-03.txt, work in progress. [16] G. Tomlinson et al, "A Model for OPES Service Overlay Networks", URL:http://www.ietf.org/internet-drafts/draft-tomlinson-opes-model- 01.txt, work in progress. [17] Hillary Orman, "Data Integrity in an Active Content System", http://www.cs.utah.edu/~horman/opes.html. [18] R. Penno, A. Rayhan, M. Duffy, "Out-Of-Path (OOP) Agents and MIDCOM Framework Integration", draft-penno-midcom-oop-01.txt, work in progress. [19] B. Gleeson et al, "A Framework for IP based Virtual Private Networks", RFC 2764, February 2000. Barbir, et. al. Expires May 10,2002 Page [18] Internet-Draft VPCN November 2001 [20] S. Floyd et al, "IAB Architectural and Policy Considerations for OPES ",draft-iab-opes-01.txt. [21] Wayne Carr, ``Suggested OPES Requirements for Integrity, Privacy and Security'', email to ietf-openproxy@imc.org, August 16, 2001. URL ``http://www.imc.org/ietf-openproxy/mail-archive/msg00869.html''. Authors' Addresses Abbie Barbir, Ph.D. Nortel Networks 3500 Carling Avenue Nepean Ontario K2H 8E9 Canada Email: abbieb@nortelnetworks.com Nalin Mistry Nortel Networks 3500 Carling Avenue Nepean Ontario K2H 8E9 Canada Reinaldo Penno Nortel Networks, Inc. 2305 Mission College Boulevard Building SC9-B1240 San Jose, CA 95134 Email: rpenno@nortelnetworks.com Delphine Kaplan ActiVia Networks Space Antipolis 5 Parc de Sophia Antipolis 2323 Chemin St Bernard 06225 Vallauris, Cedex FRANCE Phone: +33 4 97 23 46 66 email: Delphine.Kaplan@activia.net URI: http://www.activia.net/ Barbir, et. al. Expires May 10,2002 Page [19] Internet-Draft VPCN November 2001 Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC editor function is currently provided by the Internet Society. Barbir, et. al. Expires May 10,2002 Page [20]