Network Working Group S. Kiesel, Ed. Internet-Draft University of Stuttgart Intended status: Informational S. Previdi Expires: April 28, 2011 Cisco Systems, Inc. M. Stiemerling NEC Europe Ltd. R. Woundy Comcast Corporation Y R. Yang Yale University October 25, 2010 Application-Layer Traffic Optimization (ALTO) Requirements draft-ietf-alto-reqs-06.txt Abstract Many Internet applications are used to access resources, such as pieces of information or server processes, which are available in several equivalent replicas on different hosts. This includes, but is not limited to, peer-to-peer file sharing applications. The goal of Application-Layer Traffic Optimization (ALTO) is to provide guidance to applications, which have to select one or several hosts from a set of candidates, that are able to provide a desired resource. This guidance shall be based on parameters that affect performance and efficiency of the data transmission between the hosts, e.g., the topological distance. The ultimate goal is to improve performance (or Quality of Experience) in the application while reducing resource consumption in the underlying network infrastructure. This document enumerates requirements for ALTO, which should be considered when specifying, assessing, or comparing protocols and implementations, and it solicits feedback and discussion. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any Kiesel, et al. Expires April 28, 2011 [Page 1] Internet-Draft ALTO Requirements October 2010 time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 28, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Kiesel, et al. Expires April 28, 2011 [Page 2] Internet-Draft ALTO Requirements October 2010 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology and Architectural Framework . . . . . . . . . . . 5 2.1. Requirements Notation . . . . . . . . . . . . . . . . . . 5 2.2. ALTO Terminology . . . . . . . . . . . . . . . . . . . . . 5 2.3. Architectural Framework for ALTO . . . . . . . . . . . . . 6 2.4. Sample Use Cases . . . . . . . . . . . . . . . . . . . . . 6 3. ALTO Requirements . . . . . . . . . . . . . . . . . . . . . . 9 3.1. ALTO Client Protocol . . . . . . . . . . . . . . . . . . . 9 3.1.1. General Requirements . . . . . . . . . . . . . . . . . 9 3.1.2. Host Group Descriptor Support . . . . . . . . . . . . 9 3.1.3. Rating Criteria Support . . . . . . . . . . . . . . . 10 3.1.4. Placement of Entities and Timing of Transactions . . . 11 3.1.5. Protocol Extensibility . . . . . . . . . . . . . . . . 13 3.1.6. Error Handling and Overload Protection . . . . . . . . 13 3.2. ALTO Server Discovery . . . . . . . . . . . . . . . . . . 14 3.3. Security and Privacy . . . . . . . . . . . . . . . . . . . 15 4. Host Group Descriptors . . . . . . . . . . . . . . . . . . . . 16 5. Rating Criteria . . . . . . . . . . . . . . . . . . . . . . . 17 5.1. Distance-related Rating Criteria . . . . . . . . . . . . . 17 5.2. Charging-related Rating Criteria . . . . . . . . . . . . . 17 5.3. Performance-related Rating Criteria . . . . . . . . . . . 18 5.4. Inappropriate Rating Criteria . . . . . . . . . . . . . . 19 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 7. Security Considerations . . . . . . . . . . . . . . . . . . . 21 7.1. High-level security considerations . . . . . . . . . . . . 21 7.2. Classification of Information Disclosure Scenarios . . . . 21 7.3. Security Requirements . . . . . . . . . . . . . . . . . . 23 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 8.1. Normative References . . . . . . . . . . . . . . . . . . . 24 8.2. Informative References . . . . . . . . . . . . . . . . . . 24 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 25 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 Kiesel, et al. Expires April 28, 2011 [Page 3] Internet-Draft ALTO Requirements October 2010 1. Introduction The motivation for Application-Layer Traffic Optimization (ALTO) is described in the ALTO problem statement [RFC5693]. The goal of ALTO is to provide information which can help peer-to- peer (P2P) applications to make better decisions with respect to peer selection. However, ALTO may be useful for non-P2P applications as well. For example, clients of client-server applications may use information provided by ALTO to select one of several servers or information replicas. As another example, ALTO information could be used to select a media relay needed for NAT traversal. The goal of these informed decisions is to improve performance (or Quality of Experience) in the application while reducing resource consumption in the underlying network infrastructure. Usually, it would be difficult or even impossible for application entities to acquire this information by other mechanisms (e.g., using measurements between the peers of a P2P overlay), because of complexity or because it is based on network topology information, network operational costs, or network policies, which the respective network provider does not want to disclose in detail. The logical entities that provide the ALTO service do not take part in the actual user data transport, i.e., they do not implement functions for relaying user data. They may be placed on various kinds of physical nodes, e.g., on dedicated servers, as auxiliary processes in routers, on "trackers" or "super peers" of a P2P application operated by the network provider, etc. Kiesel, et al. Expires April 28, 2011 [Page 4] Internet-Draft ALTO Requirements October 2010 2. Terminology and Architectural Framework 2.1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2.2. ALTO Terminology This document uses the following ALTO-related terms, which are defined in [RFC5693]: Application, Overlay Network, Application protocol, Peer, P2P, Resource, Resource Identifier, Resource Provider, Resource Consumer, Resource Directory, Transport Address, ALTO Service, ALTO Server, ALTO Client, ALTO Client Protocol, ALTO Query, ALTO Reply, ALTO Transaction, Provisioning protocol, Inter ALTO-Server Protocol, Local Traffic, Peering Traffic, Transit Traffic. Furthermore, the following additional terms will be used: o Host Group Descriptor: Information used to describe the resource consumer which seeks ALTO guidance, or one or several candidate resource providers. This can be, for example, a single IP address, an address prefix or address range that contains the host(s), or an autonomous system (AS) number. Different options may provide different levels of detail. Depending on the system architecture, this may have implications on the quality of the guidance ALTO is able to provide, on whether recommendations can be aggregated, and on how much privacy-sensitive information about users might be disclosed to additional parties. For a discussion, see Section 4. o Host Characteristics Attribute: Properties of a host (other than the host group descriptor), in particular related to its attachment to the network. This information may be stored in the ALTO server and transmitted in the ALTO protocol. It may be evaluated according to the rating criteria. o Rating Criterion: The condition or relation that defines the "better" in "better-than-random peer selection", which is the ultimate goal of ALTO. Examples may include "host's Internet access is not subject to volume based charging (flat rate)" or "low topological distance". Some rating criteria, such as "low topological distance", need to include a reference point, i. e., "low topological distance from a given resource consumer", which can be described by means of a host group descriptor. Kiesel, et al. Expires April 28, 2011 [Page 5] Internet-Draft ALTO Requirements October 2010 2.3. Architectural Framework for ALTO There are various architectural options how ALTO could be implemented, and specifying or mandating one specific architecture is out of the scope of this document. The ALTO Working Group Charter [ALTO-charter] itemizes several key components, which shall be elaborated and specified by the ALTO Working Group. The ALTO problem statement [RFC5693] defines a terminology (see Section 2.2) and presents a figure that gives a high-level overview of protocol interaction between ALTO elements. This document itemizes requirements for the following components of the abovementioned architecture: o The ALTO client protocol, which is used for sending ALTO queries and ALTO replies between ALTO client and ALTO server. o The discovery mechanism, which will be used by ALTO clients in order to find out where to send ALTO requests. o The overall architecture, especially with respect to security and privacy issues. Furthermore, this document describes the following data structures, which might be used in the ALTO client protocol: o Host group descriptors, which are used to describe the location of a host in the network topology. o Rating criteria, i. e., conditions that shall be evaluated in order to generate the ALTO guidance. Requirements regarding other components are not considered in the current version of this document, but may be added later. 2.4. Sample Use Cases The ALTO problem statement [RFC5693] presents a figure that gives a high-level overview of protocol interaction between ALTO elements. The following figures are somewhat more elaborated and extended versions of it, in order to give some non-normative examples of ALTO usage. It can also be seen that, in some use cases, some of the requirements presented in later sections are more relevant than in others. Figure 1 shows an ALTO use case with a DHT-based P2P application. Using this distributed lookup mechanism, a peer can figure out which Kiesel, et al. Expires April 28, 2011 [Page 6] Internet-Draft ALTO Requirements October 2010 other peers are candidate resource providers for a desired resource. Every peer software includes an ALTO client, in order to request and receive guidance on peer selection from the ALTO servers. From an ALTO perspective this means that the ALTO servers will receive ALTO queries from a rather large number of different ALTO clients. The performance of many clients and their Internet connectivity may be rather limited and therefore, this puts certain restrictions on the amount of guiding data that can be sent to them. Furthermore, the privacy-sensitive IP addresses of the peers are visible to the (operators of the) ALTO servers, as these are also the source addresses of the ALTO query messages. Figure 2 shows an ALTO use case with a P2P application that makes use of a centralized resource directory (in some specific P2P implementations called a "tracker"). In this scenario the ALTO servers receive queries only from few entities, i.e., the resource directories. As these resource directories must be powerful machines anyway, it may be reasonable to send large amounts of ALTO guidance data to them, which will be cached there. Furthermore, in this scenario it may be possible to hide the exact addresses of the peers from the ALTO server. +-----+ =====| |** ==== +-----+ * ==== * * ==== * * +-----+ +------+===== +-----+ * | |.....| |======================| | * +-----+ +------+===== +-----+ * Source of ALTO ==== * * topological service ==== * * information ==== +-----+ * =====| |** +-----+ Legend: === ALTO client protocol *** Application protocol ... Provisioning protocol Figure 1: Overview of protocol interaction between ALTO elements, scenario without resource directory Kiesel, et al. Expires April 28, 2011 [Page 7] Internet-Draft ALTO Requirements October 2010 +-----+ **| |** ** +-----+ * ** * * ** * * +-----+ +------+ +-----+** +-----+ * | |.....| |=====| |**********| | * +-----+ +------+ +-----+** +-----+ * Source of ALTO Resource ** * * topological service directory ** * * information ("tracker") ** +-----+ * **| |** +-----+ Peers Legend: === ALTO client protocol *** Application protocol ... Provisioning protocol Figure 2: Overview of protocol interaction between ALTO elements, scenario with resource directory Kiesel, et al. Expires April 28, 2011 [Page 8] Internet-Draft ALTO Requirements October 2010 3. ALTO Requirements 3.1. ALTO Client Protocol 3.1.1. General Requirements REQ. ARv06-1: The ALTO service is provided by one or more ALTO servers. ALTO servers MUST implement the ALTO client protocol, for receiving ALTO queries from ALTO clients and for sending the corresponding ALTO replies. REQ. ARv06-2: ALTO clients MUST implement the ALTO client protocol, for sending ALTO queries to ALTO servers and for receiving the corresponding ALTO replies. REQ. ARv06-3: The format of the ALTO query message MUST allow the ALTO client to solicit guidance for selecting appropriate resource providers. REQ. ARv06-4: The format of the ALTO reply message MUST allow the ALTO server to express its guidance for selecting appropriate resource providers. REQ. ARv06-5: The detailed specification of a protocol is out of the scope of this document. However, any protocol specification that claims to implement the ALTO client protocol MUST be compliant to the requirements itemized in this document. 3.1.2. Host Group Descriptor Support The ALTO guidance is based on the evaluation of several resource providers or groups of resource providers, which are characterized by means of host group descriptors, considering one or several rating criteria. REQ. ARv06-6: The ALTO client protocol MUST support the usage of several different host group descriptor types. REQ. ARv06-7: The ALTO client protocol specification MUST define a basic set of host group descriptor types, which MUST be supported by all implementations of the ALTO client protocol. REQ. ARv06-8: The ALTO client protocol MUST support the host group descriptor types "IPv4 address prefix" and "IPv6 address prefix." They can be used to specify the IP address of one host, or an IP address range (in CIDR notation), which contains all hosts in question. It is also possible to specify a broader address range (i.e., a shorter prefix length) than the intended group of hosts Kiesel, et al. Expires April 28, 2011 [Page 9] Internet-Draft ALTO Requirements October 2010 actually uses, in order to conceal their exact identity. REQ. ARv06-9: The ALTO client protocol specification MUST define an appropriate procedure for adding new host group descriptor types, e.g., by establishing an IANA registry. See Section 4 for a discussion of possible other host group descriptor types. REQ. ARv06-10: ALTO clients and ALTO servers MUST clearly identify the type of each host group descriptor sent in ALTO queries or replies. REQ. ARv06-11: For host group descriptor types other than "IPv4 address prefix" and "IPv6 address prefix", the host group descriptor type identification MUST be supplemented by a reference to a facility, which can be used to translate host group descriptors of that type to IPv4/IPv6 address prefixes, e.g., by means of a mapping table or an algorithm. REQ. ARv06-12: Protocol functions for mapping other host group descriptor types to IPv4/IPv6 address prefixes SHOULD be designed and specified as part of the ALTO client protocol, and the corresponding address mapping information SHOULD be made available by the same entity that wants to use these host group descriptors within the ALTO client protocol. However, an ALTO server or an ALTO client MAY also send a reference to an external mapping facility, e.g., a translation table to be downloaded as file via HTTP. REQ. ARv06-13: The ALTO client protocol specification MUST define mechanisms, which can be used by the ALTO client and the ALTO server to indicate that a host group descriptor used by the other party is of an unsupported type, or that the indicated mapping mechanism could not be used. 3.1.3. Rating Criteria Support REQ. ARv06-14: The ALTO client protocol MUST support the usage of several different rating criteria types. REQ. ARv06-15: The ALTO client protocol specification MUST define a basic set of rating criteria types, which MUST be supported by all implementations of the ALTO client protocol. REQ. ARv06-16: The ALTO client protocol specification MUST support the rating criteria type "relative operator's preference." This is a relative measure, i.e., it is not associated with any unit of measurement. A higher rating according to this criterion indicates Kiesel, et al. Expires April 28, 2011 [Page 10] Internet-Draft ALTO Requirements October 2010 that the application should prefer the respective candidate resource provider over others with lower ratings (if no other reasons speak against it, such as transmission attempts suggesting that the path is currently congested). The operator of the ALTO server does not have to disclose how and based on which data the ratings are actually computed. Examples could be: cost for peering or transit traffic, traffic engineering inside the network, and other policies. REQ. ARv06-17: The ALTO client protocol specification MUST define an appropriate procedure for adding new rating criteria types, e.g., by establishing an IANA registry. See Section 5 for a discussion of possible other rating criteria. REQ. ARv06-18:The ALTO query message SHOULD allow the ALTO client to express which rating criteria should be considered, as well as their relative relevance for the specific application that will eventually make use of the guidance. REQ. ARv06-19:The ALTO reply message SHOULD allow the ALTO server to express which rating criteria have been considered when generating the reply. REQ. ARv06-20: The ALTO client protocol specification MUST define mechanisms, which can be used by the ALTO client and the ALTO server to indicate that a rating criteria used by the other party is of an unsupported type. 3.1.4. Placement of Entities and Timing of Transactions With respect to the placement of ALTO clients, several modes of operation exist: o One mode of ALTO operation is that ALTO clients may be embedded directly in the resource consumer (e.g., peer of a DHT-based P2P application), which wants to access a resource. o Another mode of operation is to perform ALTO queries indirectly, via resource directories (e.g., tracker of a P2P application), which may issue ALTO queries to solicit preference on potential resource providers, considering the respective resource consumer. REQ. ARv06-21: The ALTO client protocol MUST support the mode of operation, in which the ALTO client is directly embedded in the resource consumer. REQ. ARv06-22: The ALTO client protocol MUST support the mode of operation, in which the ALTO client is embedded in the resource Kiesel, et al. Expires April 28, 2011 [Page 11] Internet-Draft ALTO Requirements October 2010 directory. REQ. ARv06-23: The ALTO client protocol MUST be designed in a way that the ALTO service can be provided by an entity which is not the operator of the IP access network. REQ. ARv06-24: The ALTO client protocol MUST be designed in a way that different instances of the ALTO service operated by different providers can coexist. With respect to the timing of ALTO queries, several modes of operation exist: o In target-aware query mode, an ALTO client performs the ALTO query when the desired resource and a set of candidate resource providers are already known, i. e., after DHT lookups, queries to the resource directory, etc. o In target-independent query mode, ALTO queries are performed in advance or periodically, in order to receive comprehensive, "target-independent" guidance, which will be cached locally and evaluated later, when a resource is to be accessed. REQ. ARv06-25: The ALTO client protocol MUST support at least one of these two modes, either the target-aware or the target-independent query mode. REQ. ARv06-26: The ALTO client protocol SHOULD support both the target-aware and the target-independent query mode. REQ. ARv06-27: The ALTO client protocol SHOULD support lifetime attributes, to enable caching of recommendations at ALTO clients. REQ. ARv06-28: The ALTO client protocol SHOULD specify an aging mechanism, which allows to give newer recommendations precedence over older ones. REQ. ARv06-30: The ALTO client protocol SHOULD allow the ALTO server to add information about appropriate modes of re-use to its ALTO replies. Re-use may include redistributing an ALTO reply to other parties, as well as using the same ALTO information in a resource directory to improve the replies to different resource consumers, within the specified lifetime of the ALTO reply. The ALTO server SHOULD be able to express that o no re-use should occur Kiesel, et al. Expires April 28, 2011 [Page 12] Internet-Draft ALTO Requirements October 2010 o re-use is appropriate for a specific "target audience", i.e., a set of resource consumers explicitly defined by a list of host group descriptors. The ALTO server MAY specify a "target audience" in the ALTO reply, which is only a subset of the known actual "target audience", e.g., if required by operator policies o re-use is appropriate for any resource consumer that would send (or cause a third party sending on behalf of it) the same ALTO query (i.e., with the same query parameters, except for the resource consumer ID, if applicable) to this ALTO server o re-use is appropriate for any resource consumer that would send (or cause a third party sending on behalf of it) the same ALTO query (i.e., with the same query parameters, except for the resource consumer ID, if applicable) to any ALTO server REQ. ARv06-31: The ALTO client protocol MUST support scenarios with the ALTO client located in the private address realm behind a network address translator (NAT). There are different types of NAT, see [RFC4787] and [RFC5382]. 3.1.5. Protocol Extensibility REQ. ARv06-32: The ALTO client protocol MUST include support for adding protocol extensions in a non-disruptive, backward-compatible way. REQ. ARv06-33: The ALTO client protocol MUST include protocol versioning support, in order to clearly distinguish between incompatible versions of the protocol. 3.1.6. Error Handling and Overload Protection REQ. ARv06-34: Any application designed to use ALTO MUST also work if no ALTO servers can be found or if no responses to ALTO queries are received, e.g., due to connectivity problems or overload situation. REQ. ARv06-35: The ALTO client protocol MUST use TCP based transport. REQ. ARv06-36: An ALTO server, which is operating close to its capacity limit, MUST be able to inform clients about its impending overload situation, and require them to throttle their query rate. REQ. ARv06-37: An ALTO server, which is operating close to its capacity limit, MUST be able to inform clients about its impending overload situation, and redirect them to another ALTO server. Kiesel, et al. Expires April 28, 2011 [Page 13] Internet-Draft ALTO Requirements October 2010 REQ. ARv06-38: An ALTO server, which is operating close to its capacity limit, MUST be able to inform clients about its impending overload situation, and terminate the conversation with the ALTO client. REQ. ARv06-39: An ALTO server, which is operating close to its capacity limit, MUST be able to inform clients about its impending overload situation, and reject new conversation attempts. 3.2. ALTO Server Discovery The ALTO client protocol is supported by one or several ALTO server discovery mechanisms, which will be used by ALTO clients in order to find out where to send ALTO requests. REQ. ARv06-40: ALTO clients which are embedded in the resource consumer MUST be able to use the ALTO server discovery mechanism, in order to find one or several ALTO servers that can provide ALTO guidance suitable for the resource consumer. This mode of operation is called "resource consumer initiated ALTO server discovery". REQ. ARv06-41: ALTO clients which are embedded in a resource directory and perform third-party ALTO queries on behalf of a remote resource consumer MUST be able to use the ALTO server discovery mechanism, in order to find one or several ALTO servers that can provide ALTO guidance suitable for the respective resource consumer. This mode of operation is called "third-party ALTO server discovery". REQ. ARv06-42: ALTO clients MUST be able to perform resource consumer initiated ALTO server discovery, even if they are located behind a network address translator (NAT). REQ. ARv06-43: ALTO clients MUST be able to perform third-party ALTO server discovery, even if they are located behind a network address translator (NAT). REQ. ARv06-44: ALTO clients MUST be able to perform third-party ALTO server discovery, even if the resource consumer, on behalf of which the ALTO query will be sent, is located behind a network address translator (NAT). REQ. ARv06-45: The ALTO server discovery mechanism may be specified and provided using an existing protocol or mechanism, such as DNS, DHCP, or PPP based automatic configuration, etc. These candidate "base protocols" differ with respect to their availability in various access network architectures and their suitability for third-party queries. When evaluating different options this should be taken into account, in order to limit the total number of ALTO server discovery Kiesel, et al. Expires April 28, 2011 [Page 14] Internet-Draft ALTO Requirements October 2010 mechanisms that have to be specified for supporting a reasonably wide range of deployment scenarios. REQ. ARv06-46: The ALTO server discovery mechanism SHOULD be able to return the respective contact information for several ALTO servers. REQ. ARv06-47: The ALTO server discovery mechanism SHOULD be able to indicate preferences for each returned ALTO server contact information. 3.3. Security and Privacy REQ. ARv06-48: The ALTO client protocol MUST support mechanisms for the authentication of ALTO servers. REQ. ARv06-49: The ALTO client protocol MUST support mechanisms for the authentication of ALTO clients. REQ. ARv06-50: The ALTO client protocol MUST support different levels of detail in queries and responses, in order for the operator of an ALTO service to be able to control how much information (e.g., about the network topology) is disclosed. REQ. ARv06-51: The operator of an ALTO server MUST NOT assume that an ALTO client will implement mechanisms or comply with rules that limit the ALTO client's ability to redistribute information retrieved from the ALTO server to third parties. REQ. ARv06-52: The ALTO client protocol MUST support different levels of detail in queries and responses, in order to protect the privacy of users, to ensure that the operators of ALTO servers and other users of the same application cannot derive sensitive information. REQ. ARv06-53: The ALTO client protocol SHOULD be defined in a way, that the operator of one ALTO server cannot easily deduce the resource identifier (e.g., file name in P2P file sharing) which the resource consumer seeking ALTO guidance wants to access. REQ. ARv06-54: The ALTO client protocol MUST include appropriate mechanisms to protect the ALTO service against DoS attacks. Kiesel, et al. Expires April 28, 2011 [Page 15] Internet-Draft ALTO Requirements October 2010 4. Host Group Descriptors Host group descriptors are used in the ALTO client protocol to describe the location of a host in the network topology. The ALTO client protocol specification defines a basic set of host group descriptor types, which have to be supported by all implementations, and an extension procedure for adding new descriptor types (see Section 3.1.2). The following list gives an overview on further host group descriptor types that have been proposed in the past, or which are in use by ALTO-related prototype implementations. This list is not intended as normative text. Instead, the only purpose of the following list is to document the descriptor types that have been proposed so far, and to solicit further feedback and discussion: o Autonomous System (AS) number o Protocol-specific group identifiers, which expand to a set of IP address ranges (CIDR) and/or AS numbers. In one specific solution proposal, these are called Partition ID (PID). Kiesel, et al. Expires April 28, 2011 [Page 16] Internet-Draft ALTO Requirements October 2010 5. Rating Criteria Rating criteria are used in the ALTO client protocol to express topology- or connectivity-related properties, which are evaluated in order to generate the ALTO guidance. The ALTO client protocol specification defines a basic set of rating criteria, which have to be supported by all implementations, and an extension procedure for adding new criteria (see Section 3.1.3). The following list gives an overview on further rating criteria that have been proposed in the past, or which are in use by ALTO-related prototype implementations. This list is not intended as normative text. Instead, the only purpose of the following list is to document the rating criteria that have been proposed so far, and to solicit further feedback and discussion: 5.1. Distance-related Rating Criteria o Relative topological distance: relative means that a larger numerical value means greater distance, but it is up to the ALTO service how to compute the values, and the ALTO client will not be informed about the nature of the information. One way of generating this kind of information MAY be counting AS hops, but when querying this parameter, the ALTO client MUST NOT assume that the numbers actually are AS hops. o Absolute topological distance, expressed in the number of traversed autonomous systems (AS). o Absolute topological distance, expressed in the number of router hops (i.e., how much the TTL value of an IP packet will be decreased during transit). o Absolute physical distance, based on knowledge of the approximate geolocation (continent, country) of an IP address. 5.2. Charging-related Rating Criteria o Traffic volume caps, in case the Internet access of the resource consumer is not charged by "flat rate". For each candidate resource provider, the ALTO service could indicate the amount of data that may be transferred from/to this resource provider until a given point in time, and how much of this amount has already been consumed. Furthermore, it would have to be indicated how excess traffic would be handled (e.g., blocked, throttled, or charged separately at an indicated price). The interaction of several applications running on a host, out of which some use this criterion while others don't, as well as the evaluation of this criterion in resource directories, which issue ALTO queries on Kiesel, et al. Expires April 28, 2011 [Page 17] Internet-Draft ALTO Requirements October 2010 behalf of other peers, are for further study. 5.3. Performance-related Rating Criteria The following rating criteria are subject to the remarks below. o The minimum achievable throughput between the resource consumer and the candidate resource provider, which is considered useful by the application (only in ALTO queries), or o An arbitrary upper bound for the throughput from/to the candidate resource provider (only in ALTO replies). This may be, but is not necessarily the provisioned access bandwidth of the candidate resource provider. o The maximum round-trip time (RTT) between resource consumer and the candidate resource provider, which is acceptable for the application for useful communication with the candidate resource provider (only in ALTO queries), or o An arbitrary lower bound for the RTT between resource consumer and the candidate resource provider (only in ALTO replies). This may be, for example, based on measurements of the propagation delay in a completely unloaded network. The ALTO client MUST be aware, that with high probability, the actual performance values differ significantly from these upper and lower bounds. In particular, an ALTO client MUST NOT consider the "upper bound for throughput" parameter as a permission to send data at the indicated rate without using congestion control mechanisms. The discrepancies are due to various reasons, including, but not limited to the facts that o the ALTO service is not an admission control system o the ALTO service may not know the instantaneous congestion status of the network o the ALTO service may not know all link bandwidths, i.e., where the bottleneck really is, and there may be shared bottlenecks o the ALTO service may not know whether the candidate peer itself is overloaded o the ALTO service may not know whether the candidate peer throttles the bandwidth it devotes for the considered application Kiesel, et al. Expires April 28, 2011 [Page 18] Internet-Draft ALTO Requirements October 2010 o the ALTO service may not know whether the candidate peer will throttle the data it sends to us (e.g., because of some fairness algorithm, such as tit-for-tat) Because of these inaccuracies and the lack of complete, instantaneous state information, which are inherent to the ALTO service, the application must use other mechanisms (such as passive measurements on actual data transmissions) to assess the currently achievable throughput, and it MUST use appropriate congestion control mechanisms in order to avoid a congestion collapse. Nevertheless, these rating criteria may provide a useful shortcut for quickly excluding candidate resource providers from such probing, if it is known in advance that connectivity is in any case worse than what is considered the minimum useful value by the respective application. 5.4. Inappropriate Rating Criteria Rating criteria that SHOULD NOT be defined for and used by the ALTO service include: o Performance metrics that are closely related to the instantaneous congestion status. The definition of alternate approaches for congestion control is explicitly out of the scope of ALTO. Instead, other appropriate means, such as using TCP based transport, have to be used to avoid congestion. Kiesel, et al. Expires April 28, 2011 [Page 19] Internet-Draft ALTO Requirements October 2010 6. IANA Considerations This requirements document does not mandate any immediate IANA actions. However, such IANA considerations may arise from future ALTO specification documents which try to meet the requirements given here. Kiesel, et al. Expires April 28, 2011 [Page 20] Internet-Draft ALTO Requirements October 2010 7. Security Considerations 7.1. High-level security considerations High-level security considerations for the ALTO service can be found in the "Security Considerations" section of the ALTO problem statement document [RFC5693]. 7.2. Classification of Information Disclosure Scenarios The unwanted disclosure of information is one key concern related to ALTO. The following list gives a classification of information disclosure scenarios, which may be considered more or less critical by different parties: o (1) Excess disclosure of ALTO server operator's data to an authorized ALTO client. The operator of an ALTO server has to feed information, such as tables mapping host group descriptors to host characteristics attributes, into the server, thereby enabling it to give guidance to ALTO clients. Some operators might consider the full set of this information confidential (e.g., a detailed map of the operator's network topology), and might want to disclose only a subset of it or somehow obfuscated information to an ALTO client. o (2) Disclosure of the application behavior to the ALTO server. The operator of an ALTO server could infer the application behavior (e.g., content identifiers in P2P file sharing applications, or lists of resource providers that are considered for establishing a connection) from the ALTO queries sent by an ALTO client. o (3) Disclosure of ALTO server operator's data (e.g., network topology information) to an unauthorized third party. There are a couple of sub-cases here: * (3a) An ALTO server sends the information directly to an unauthorized ALTO client. * (3b) An unauthorized party snoops on the data transmission from the ALTO server to an authorized ALTO client. * (3c) An authorized ALTO client knowingly forwards the information it had received from the ALTO server to an unauthorized party. Kiesel, et al. Expires April 28, 2011 [Page 21] Internet-Draft ALTO Requirements October 2010 o (4) Disclosure of the application behavior to an unauthorized third party. o (5) Excess retrieval of ALTO server operator's data by collaborating ALTO clients. Several authorized ALTO clients could ask an ALTO server for guidance, and redistribute the replies among each other (see also case 3c). By correlating the ALTO replies they could find out more information than intended to be disclosed by the ALTO server operator. (1) may be addressed by the ALTO server operator choosing the level of detail of the information to be populated into the ALTO server. Furthermore, access control mechanisms for filtering ALTO replies according to the authenticated ALTO client identity might be installed in the ALTO server, although this might not be effective given the lack of efficient mechanisms for addressing (3c) and (5), see below. (2) is addressed by allowing ALTO clients to use the target- independent query mode. In this mode of operation, guiding information (e.g., "maps") is retrieved from the ALTO server and used entirely locally by the ALTO client, i.e., without sending host location attributes of candidate resource providers to the ALTO server. In the target-aware query mode, (2) can be addressed by ALTO clients by obfuscating the identity of candidate resource consumers, e.g., by zeroing-out or randomizing the last few bits of the IP addresses. However, there is the potential side effect of yielding inaccurate results. (3a), (3b), and (4) may be addressed by authentication, access control, and encryption schemes for the ALTO client protocol. However, deployment of encryption schemes might not be effective given the lack of efficient mechanisms for addressing (3c) and (5), see below. Straightforward authentication and encryption schemes won't help solving (3c) and (5), and there is no other simple and efficient mechanism known. The cost of complex approaches, e.g., based on digital rights management (DRM), might easily outweigh the benefits of the whole ALTO solution, and therefore they are not considered as a viable solution. That is, ALTO server operators must be aware that (3c) and (5) cannot be prevented from happening, and therefore they should feed only such data into an ALTO server, which they do not consider sensitive with respect to (3c) and (5). These insights are reflected by the requirements presented in this document. Kiesel, et al. Expires April 28, 2011 [Page 22] Internet-Draft ALTO Requirements October 2010 7.3. Security Requirements For a set of specific security requirements please refer to Section 3.3 of this document. Kiesel, et al. Expires April 28, 2011 [Page 23] Internet-Draft ALTO Requirements October 2010 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 8.2. Informative References [ALTO-charter] Marocco, E. and V. Gurbani, "Application-Layer Traffic Optimization (ALTO) Working Group Charter", February 2009. [RFC4787] Audet, F. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, January 2007. [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, October 2008. [RFC5693] Seedorf, J. and E. Burger, "Application-Layer Traffic Optimization (ALTO) Problem Statement", RFC 5693, October 2009. Kiesel, et al. Expires April 28, 2011 [Page 24] Internet-Draft ALTO Requirements October 2010 Appendix A. Contributors The authors were supported by the following people, who have contributed to this document: o Richard Alimi o Zoran Despotovic o Jason Livingood o Saverio Niccolini o Jan Seedorf The authors would like to thank the members of the P2PI and ALTO mailing lists for their feedback. Kiesel, et al. Expires April 28, 2011 [Page 25] Internet-Draft ALTO Requirements October 2010 Appendix B. Acknowledgments The initial version of this document was co-authored by Laird Popkin. The authors would like to thank o Vijay K. Gurbani o Enrico Marocco for fostering discussions that lead to the creation of this document, and for giving valuable comments on it. Laird Popkin and Y. Richard Yang are grateful to the many contributions made by the members of the P4P working group and Yale Laboratory of Networked Systems. The P4P working group is hosted by DCIA. Saverio Niccolini, Jan Seedorf, and Martin Stiemerling are partially supported by the NAPA-WINE project (Network-Aware P2P-TV Application over Wise Networks, http://www.napa-wine.org), a research project supported by the European Commission under its 7th Framework Program (contract no. 214412). The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NAPA-WINE project or the European Commission. Kiesel, et al. Expires April 28, 2011 [Page 26] Internet-Draft ALTO Requirements October 2010 Authors' Addresses Sebastian Kiesel (editor) University of Stuttgart Computing Center Allmandring 30 Stuttgart 70550 Germany Email: ietf-alto@skiesel.de URI: http://www.rus.uni-stuttgart.de/nks/ Stefano Previdi Cisco Systems, Inc. Email: sprevidi@cisco.com Martin Stiemerling NEC Laboratories Europe/University of Goettingen Email: martin.stiemerling@neclab.eu URI: http://ietf.stiemerling.org Richard Woundy Comcast Corporation Email: Richard_Woundy@cable.comcast.com Yang Richard Yang Yale University Email: yry@cs.yale.edu Kiesel, et al. Expires April 28, 2011 [Page 27]