Network Working Group Andre Courtemanche, CS&T Internet Draft IRIP Steve Mansour, Netscape Pete O'Leary, Amplitude Expires 6 months after: April 16, 1999 ICalendar Real-time Interoperability Protocol (iRIP) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document specifies a binding from the iCalendar Transport- independent Interoperability Protocol [ITIP] to a real-time transport. Calendaring entries defined by the iCalendar Object Model [ICAL] are composed using constructs from [RFC-2045], [RFC-2046], [RFC-2047], [RFC-2048] and [RFC-2049]. This document is based on discussions within the Internet Engineering Task Force (IETF) Calendaring and Scheduling (CALSCH) working group. More information about the IETF CALSCH working group activities can be found on the IMC website at http://www.imc.org, the IETF website at http://www.ietf.org/html.charters/calsch-charter.html. Refer to the references within this document for further information on how to access these various documents. Distribution of this document is unlimited. Comments and suggestions for improvement should be sent to the authors. Mansour/Courtemanche/O'Leary 1 Expires August 1999 Internet Draft IRIP April 16, 1999 Table Of Contents 1 Introduction 3 1.1Related Memos 3 1.2Formatting Conventions 3 2 Architecture 4 2.1Protocol States 5 2.2Calendar Address 6 2.3Bounded Latency 7 3 Protocol 7 3.1Commands 7 3.1.1ABORT 8 3.1.2AUTHENTICATE 9 3.1.3CAPABILITY 12 3.1.4CONTINUE 13 3.1.5DEQUEUE 14 3.1.6DISCONNECT 15 3.1.7RECIPIENT 15 3.1.8SENDATA 17 3.1.9SWITCH 19 3.2Fanout and Queued Transactions 19 3.3Bi-Directional Queue Operation 20 3.4Reply Codes 20 4 Implementation Considerations 23 5 Security Considerations 23 5.1Security Threats and Recommendations 23 5.1.1Authentication Hacking 23 5.1.2Spoofing 23 5.1.3Eavesdropping 24 5.1.4Connection Flooding 24 5.2Security Interoperability Issues 24 6 Examples 24 6.1Unauthenticated Freebusy Request 24 6.2Busy Time Request 25 6.3Using Switch 28 6.4Fanout Requests 29 6.4.1Successful Fanout Request 29 6.4.2Referral On Fanout 30 6.5Queued Requests 31 6.5.1Meeting Invitation 32 7 Acknowledgments 33 8 Bibliography 33 9 Open Issues 34 10 Author's Address 34 11 Full Copyright Statement 36 Mansour/Courtemanche/O'Leary 2 Expires August 1999 Internet Draft IRIP April 16, 1999 1 Introduction This binding document provides the transport specific information necessary to convey iCalendar Transport-independent Interoperability Protocol [ITIP] messages over a real-time transport. 1.1 Related Memos Implementers will need to be familiar with several other memos that, along with this memo, form a framework for Internet calendaring and scheduling standards. This document specifies a real-time binding for [ITIP]. - [ICAL] specifies a core specification of objects, data types, properties and property parameters; - [ITIP] specifies an interoperability protocol for scheduling between different implementations; - [IMIP] specifies a messaging-based protocol binding for [ITIP]. This document does not attempt to repeat the specification of concepts or definitions from these other memos. Where possible, references are made to the memo that provides for the specification of these concepts or definitions. 1.2 Formatting Conventions The mechanisms defined in this memo are defined in propose. In order to refer to elements of the calendaring and scheduling model, core object or interoperability protocol defined in [ICAL] and [ITIP] some formatting conventions have been used. Calendaring and scheduling roles defined by [ITIP] are referred to in quoted-strings of text with the first character of each word in upper case. For example, "Organizer" refers to a role of a "Calendar User" within the scheduling protocol defined by [ITIP]. Calendar components defined by [ICAL] are referred to with capitalized, quoted-strings of text. All calendar components start with the letter "V". For example, "VEVENT" refers to the event calendar component, "VTODO" refers to the to-do calendar component and "VJOURNAL" refers to the daily journal calendar component. Scheduling methods defined by [ITIP] are referred to with capitalized, quoted-strings of text. For example, "REQUEST" refers to the method for requesting a scheduling calendar component be created or modified, "REPLY" refers to the method a recipient of a request uses to update their status with the "Organizer" of the calendar component. Properties defined by [ICAL] are referred to with capitalized, quoted- strings of text, followed by the word "property". For example, Mansour/Courtemanche/O'Leary 3 Expires August 1999 Internet Draft IRIP April 16, 1999 "ATTENDEE" property refers to the iCalendar property used to convey the calendar address of a calendar user. Property parameters defined by [ICAL] are referred to with lower case, quoted-strings of text, followed by the word "parameter". For example, "VALUE" parameter refers to the iCalendar property parameter used to override the default data type for a property value. 2 Architecture iRIP enables real-time interoperability between scheduling systems using the iCalendar [ICAL] format for information exchange. iRIP is designed primarily to allow Calendar Services (CS) to forward real- time requests on behalf of Calendar User Agents (CUA) and receive real- time responses. The goal of iRIP is to allow two or more CS's to establish connections with each other. However, the design of iRIP does not preclude its use from CUA directly to CS. iRIP allows a CS to initiate a session and perform operations on behalf of multiple CUA's without the need to reauthenticate the session for each CUA. The sections and examples below refer to a "user", a "sender", and a "receiver". For purposes of this document these terms are defined as follows: user - the Calendar User that initiates a request. sender - the agent used to contact a receiving device, send commands, and receive replies. receiver - the agent that accepts commands and sends replies. The sender and receiver can take on varying roles of a Calendar User Agent (CUA) and Calendar Store (CS). iRIP allows two CS's to establish different levels of trust. When an iRIP connection is first established, the sender CS authenticates as the iRIP server acting as a proxy for the originator of each ITIP message being sent to the receiver. Mansour/Courtemanche/O'Leary 4 Expires August 1999 Internet Draft IRIP April 16, 1999 2.1 Protocol States1 The iRIP state diagram is shown below. The states are shown in the boxes. State names are written with the first letter capitalized. The commands used to switch between states are shown next to an arrow connecting the states. The commands are listed in all capital letters. A condition that causes a state to change is shown in lower case letters. CAPABILITY or SWITCH +----+ V | +-------------+ DISCONNECT +---------------+ | |---------------->| Terminated |<-----------------+ | Connected | +---------------+ | | |<---+ A | +-------------+ | | | | | | | |AUTHENTICATE | AUTHENTICATE |DISCONNECT | | | or CAPABILITY | | | SWITCH| +----+ | | | | V | | | | +----------------------------------+ | +--->| | ABORT +--------+ A | Authenticated |<-------| Idle | | +--->| |<--+ +--------+ | | +----------------------------------+ | | A | | | | complete| | | | |ABORT |RECEIVE DEQUEUE| or| CONT| |latency | | | | ABORT| INUE| |reply | | V V | | |from | +-------------+ +---------------+ | |server | | | SENDATA | |<----+ | | | Send |---------------->| Receive | | | | | | |--------+ | +-------------+ +---------------+ | A | | DISCONNECT | DISCONNECT | +----+ +---------------->-----------+-------------------------+ RECIPIENT An iRIP session begins when a TCP/IP connection is made on port 5228. The protocol begins in the Connected state. Once connected, the sender can issue the CAPABILITY which leaves the protocol in the Connected state. The sender can also issue the SWITCH command requesting the receiver to switch roles with the sender. Whether the receiver accepts or declines the request, the protocol remains in the Connected state. The DISCONNECT command terminates the connection. The AUTHENTICATE command, when successful, begins the Authenticated state. From the Authenticated state, the sender can: 1. begin sending an ITIP message to the receiver by issuing the Mansour/Courtemanche/O'Leary 5 Expires August 1999 Internet Draft IRIP April 16, 1999 RECIPIENT command, 2. re-authenticate as a different calendar using the AUTHENTICATE command, 3. request a queued ITIP message for the authenticated calendar using the DEQUEUE command, 4. execute the CAPABILITY command, 5. disconnect In order to send an ITIP message to other calendars, the sender begins by issuing the RECIPIENT command causing the protocol to enter the Send state. The sender repeats the RECIPIENT command as many times as needed to indicate all the target calendars. When all recipients have been specified, the sender issues the SENDATA command and supplies the [ITIP] message. This causes the protocol to enter the Receive state where the sender waits for a response from the receiver. If the receiver's response indicates that the request has been completed the protocol returns to the Authenticated state. If the receiver indicates that the request could not be completed in the time specified by the sender the protocol enters the Idle state. At this point the sender must decide how to proceed. If the sender issues the CONTINUE command, the command in progress continues and the session returns to the Receive state. If the sender issues the ABORT command the command is aborted and the session is returned to the Authenticated state. The sender may decide to abort sending the ITIP message while it issues the RECIPIENT commands (perhaps because a RECIPIENT does not exist). If the sender issues the ABORT command after one or more RECIPIENT commands, the protocol returns to the Authenticated state. A sender can abort an operation in progress while it is in the Receive state by sending an ABORT command to the receiver. >From the Authenticated state, a sender can also issue the DEQUEUE command causing the protocol to request the receiver to return a single queued ITIP message. Issuing the DEQUEUE command changes the protocol to the Receive state. The receiver replies with a single queued [ITIP] request or a status code to indicate that there are no more queued requests for the authenticated user. Though the DISCONNECT command should only be issued from the Authenticated or Connected states, implementations should be prepared to handle a DISCONNECT at any point in this state diagram. 2.2 Calendar Address Calendar addresses, or CALUIDs, are URIs that are modeled after [RFC2396]. iRIP CALIDs use the following form of URI. [://[:]/] where: Mansour/Courtemanche/O'Leary 6 Expires August 1999 Internet Draft IRIP April 16, 1999 must be "irip" is address of the computer on which the iRIP server is running. This is also called the Calendar Store ID or CSID. is optional. Its default value is 5228. is an identifier that uniquely identifies the calendar on a particular calendar store. There is no implied structure in a relativeCALUID, it is an arbitrary string of 7-bit ASCII characters. It may refer to the calendar of a user or of a resource such as a conference room. It MUST be unique within the calendar store. It is recommended that the relativeCALUID be globally unique. If the CSID is present the CALID is said to be "qualified". Qualified CALIDs are necessary when the CSID portion of a calendar address is different from the Calendar Store on which the calendar user is currently authenticated. Examples: irip://calendar.example.com/user1 user1 irip://calendar.example.com/conferenceRoomA irip://calendar.example.com/89798-098-zytytasd For the iRIP server on calendar.example.com, the first two addresses refer to the same calendar. 2.3 Bounded Latency iRIP is designed so that the sender can either obtain an immediate response from a request or discover within a specified amount of time that the request has not yet completed. The sender can initiate commands with an optional latency time specified. When the sender specifies the latency time and the receiver cannot complete the operation within the specified amount of time, the receiver return an appropriate response code to the sender. The sender then issues either a CONTINUE or ABORT command. The ABORT command immediately terminates the command in progress. The CONTINUE command instructs the receiver to continue processing the command. The ABORT command causes the receiver to discard the current command and return to the Authenticated state. Mansour/Courtemanche/O'Leary 7 Expires August 1999 Internet Draft IRIP April 16, 1999 3 Protocol 3.1 Commands iRIP commands are summarized in the table below and described in detail in the following sections. +=================================================+ | Command Issued from State | +=================================================+ | ABORT Idle, Send, Receive | | AUTHENTICATE Connected, Authenticated | | CAPABILITY Connected, Authenticated, Send | | CONTINUE Idle | | DEQUEUE Authenticated | | DISCONNECT Connected, Authenticated | | SENDATA Send | | RECIPIENT Authenticated, Send | | SWITCH Connected, Authenticated | +=================================================+ Commands have the general form: [arguments...] where is a command listed in the table above. A command MAY have arguments. Arguments are defined in the detailed command definitions below. The length of a command and its arguments, and the terminating MUST be l024 characters or less. Responses to commands have the following general form: [ICAL OBJECT] . [arguments...] A response MAY include an [ICAL] object. Whether an [ICAL] object is present or not, the sequence . followed by a reply code is mandatory. The reply code may have associated arguments. These arguments are defined in the command descriptions for each command. Arguments MUST NOT be present unless they are specifically called for by the particular reply code.. The length of the reply code, any arguments, and the terminating MUST be l024 characters or less. In the examples below, lines preceded with "S:" refer to the sender and lines preceded with "R:" refer to the receiver. Lines in which the first non-whitespace character is a "#" are editorial comments and are not part of the protocol. 3.1.1 ABORT Mansour/Courtemanche/O'Leary 8 Expires August 1999 Internet Draft IRIP April 16, 1999 Arguments: none Data: none Result: 2.0 - success 2.2 - no command in progress The ABORT command is issued by the sender to stop a command whose latency time has been exceeded. When the latency time is specified on the SENDATA command, the receiver must issue a reply to the sender within the specified time. The reply may be a reply code indicating that the server has not yet processed the request. The sender must then tell the server whether to continue or abort. The Sender can issue the ABORT command at any time after the SENDATA command has been completed but before the sender receives a reply. Example: ... S: RECIPIENT irip://cal.example.com/abc R: 2.0 irip://cal.example.com/abc S: RECIPIENT def R: 2.0 S: SENDATA 10 R: 2.0.1 S: Content-Type:text/calendar; method=REQUEST; charset=US-ASCII S: Content-Transfer-Encoding: quoted-printable S: S: BEGIN:VCALENDAR S: ... S: END:VCALENDAR S: . # 10 seconds elapse... R: . R: 2.0.2 irip://cal.example.com/abc R: 2.0.2 irip://cal.example.com/def S: ABORT R: 2.0.3 S: The Receiver will issue the 8.2 reply code if it receives an ABORT when the SENDATA or DEQUEUE command is not in progress. This could happen if the Sender issues an ABORT command at a point in time after the Receiver has completed the operation and issued the reply code but before the Sender has actually received the reply code. For example: S: SENDATA 10 S: S: . # 10 seconds elapse... S: ABORT Mansour/Courtemanche/O'Leary 9 Expires August 1999 Internet Draft IRIP April 16, 1999 R: 2.0 R: 8.2 In this case, the reply code 2.0 is in response to the [ICAL] object and the reply code 8.2 is in response to the ABORT command. 3.1.2 AUTHENTICATE Arguments: [] Data: continuation data may be requested Result: 2.0 - Authenticate completed, now in authenticated state 6.0 - Failed authentication 6.1 - authenticate failure: unsupported authentication mechanism, credentials rejected 6.2 - Sender aborted authentication, authentication exchange cancelled 6.3 - Unsupported Authentication Mechanism 9.1 - Unexpected command. The AUTHENTICATE command is used by the client to identify the user to the server. iRIP uses the [SASL] specification for authentication. This allows iRIP users to choose from a variety of authentication mechanisms. The only iRIP commands which can be issued before authentication occurs are AUTHENTICATE, CAPABILITY, SWITCH and DISCONNECT. The AUTHENTICATE command initiates the authentication protocol exchange. is a registered SASL authentication mechanism. (Refer to [SASL] for information on obtaining a list of currently registered mechanisms.) is an optional parameter which can be used for mechanisms which require an initial Sender response. If the mechanism is not supported by the Receiver it must indicate this with a "." CRLF and the reply code 6.1 indicating that the authentication mechanism is not supported. Supported authentication mechanisms can be discovered using the CAPABILITY command. If the mechanism is supported an authentication protocol exchange takes place, in the form of a series of Receiver challenges and Sender responses. The Receiver terminates the exchange with the . sequence followed by a reply code. Successful authentication is indicated with the reply code 2.0, and unsuccessful authentication is indicated with the reply code 6.0. If the authentication was successful, but the authorization identity was not accepted the status code 6.3 is used. Upon successful authentication the protocol enters the Authenticated state, otherwise it remains in the Connected state. Mansour/Courtemanche/O'Leary 10 Expires August 1999 Internet Draft IRIP April 16, 1999 In the authentication protocol exchange both Receiver challenges and Sender responses consist of the authentication mechanism data transformed into BASE64 and followed by a CRLF. If the Sender wishes to cancel an authentication exchange, it issues the . sequence. Upon receipt of such an answer, the Receiver MUST indicate the end of the exchange the . sequence followed by reply code 6.2 indicating that the exchange was aborted. If a security layer was negotiated it comes into effect for the Receiver starting with the first octet transmitted after the CRLF which follows the 2.0 reply code, and for the Sender starting with the first octet after the CRLF that concludes the authentication exchange for the client. Data is transmitted as described in [SASL]. The service name specified by this protocol's profile of SASL is "irip". The following examples illustrate the various possiblities for an authentication protocol exchange using Kerberos Version 4. Successful authentication: S: AUTHENTICATE KERBEROS_V4 R: AmFYig== S: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT R: or//EoAADZI= S: DiAF5A4gA+oOIALuBkAAmw== R: . R: 2.0 Failed authorization: S: AUTHENTICATE KERBEROS_V4 R: AmFYig== S: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT R: or//EoAADZI= S: DiAF5A4gA+oOIALuBkAAmw== R: . R: 6.3 Failed authentication: S: AUTHENTICATE KERBEROS_V4 R: AmFYig== S: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT R: . R: 6.0 Sender aborted authentication: S: AUTHENTICATE KERBEROS_V4 Mansour/Courtemanche/O'Leary 11 Expires August 1999 Internet Draft IRIP April 16, 1999 R: AmFYig== S: . R: . R: 6.2 Unsupported mechanism: S: AUTHENTICATE Experimental_Auth R: . R: 6.1 3.1.2.1 Authentication with Proxy Access Some [SASL] mechanisms allow the Sender to transmit an authorization identity which is different from the authentication identity. iRIP depends upon this ability in that it is servers who authenticate to each other in order to process requests for users. The user which the Sender is representing is transmitted as the authorization identity during the [SASL] exchange. This identity takes the form of a CALID. The authorization identity is used to administer the [ITIP] security paradigm. Thus in an iRIP session REQUESTs may be issued for events of which the authorized CALID is the Organizer, RESPONSEs or COUNTERs may be issued for events which the authorized caladdress is Attending, etc. 3.1.2.2 Selection of an Authentication Mechanism The authentication mechanisms which a Receiver supports may be discovered through use of the CAPABILITY. From the supplied list the Sender may choose its preferred mechanism. Not all mechanisms will be supported on all servers. There is no minimum level of security which an iRIP compliant server is required to support. This may result in iRIP servers which are unable to talk to each other through lack of a common mechanism. This issue is covered in more detail in the Security Considerations section of this document. 3.1.3 CAPABILITY Arguments: none Data: Server capability information as described below Result: 2.0 - authenticate completed, now in authenticated state The CAPABILITY command tells the server to return a list of capabilities it supports. The server must return a CAPABILITY Mansour/Courtemanche/O'Leary 12 Expires August 1999 Internet Draft IRIP April 16, 1999 response with "iRIPrev1" as one of the listed capabilities. The CAPABILITY command can be issued in any connection state. The response may differ depending on the current state of the connection. The responses may also differ depending upon the authenticated user. Sender implementations SHOULD NOT require any capability name beyond those defined in this specification, and MUST tolerate any unknown capability names. This command may return different results in the Connected states versus the Authenticated state. It may also return different results depending on the authenticated calendar user. The format of the capabilities response is a series of lines with the form [=]. Each name-value pair is delimited by a character sequence. Each line, including the terminating MUST be 1024 characters or less. The sequence . followed by a reply code terminates the response. The table below summarizes the information available in response to a CAPABILITY command. Capability Occurs Description --------------------- ------- ---------------------------------- iRIPrev1 1 Revision of iRIP, must be "iRIPrev1" AUTH 0+ Authentication mechanism(s) supported MAXICALOBJECTSIZE 0 or 1 An integer value that specifies the largest ICAL object (byte count) the server will accept. Objects larger than this will be rejected. MAXDATE 0 or 1 The datetime value beyond which the server cannot accept. MINDATE 0 or 1 The datetime value prior to which the server cannot accept. Examples: When executed from the Connected state the following occur: S: CAPABILITY R: iRIPrev1 R: AUTH=KERBEROS_V4 R: AUTH=PLAIN R: . R: 2.0 When executed from the Authenticated state the following occur: Mansour/Courtemanche/O'Leary 13 Expires August 1999 Internet Draft IRIP April 16, 1999 S: CAPABILITY R: CAPABILITY iRIPrev1 R: AUTH=KERBEROS_V4 R: AUTH=PLAIN R: MAXICALOBJECTSIZE=50000 R: . R: 2.0 3.1.4 CONTINUE Arguments: [latencyTime] Data: noneResult: results from the command in progress 2.0.2 reply pending. 9.1 unexpected command The CONTINUE command is issued by the sender to allow an SENDATA request to continue being processed. When the latency time is specified on the SENDATA command, the Receiver must issue a reply to the Sender within the specified time. The reply could be a reply code indicating that the server has not yet processed the request. The Sender must then tell the server whether to continue or abort the command in progress. The CONTINUE has the following form: CONTINUE [latencyTime] If the optional latencyTime is present, it is a positive integer that specifies the maximum number of seconds the client will wait for the next response. If it is omitted, the receiver waits an indefinite period of time for the response. In this example, the sender requests a response from the server every 10 seconds. ... S: RECIPIENT irip://A.example.com/sman R: 2.0 S: SENDATA 10 R: 2.0.1 S: Content-Type:text/calendar; method=REQUEST; charset=US-ASCII S: Content-Transfer-Encoding: 7bit S: S: BEGIN:VCALENDAR # etc... S: END:VCALENDAR S: . # after 10 seconds... Mansour/Courtemanche/O'Leary 14 Expires August 1999 Internet Draft IRIP April 16, 1999 R: . R: 2.0.2 Reply Pending S: CONTINUE 10 # less than 10 seconds elapse... R: 2.0.11 irip://A.example.com/sman R: Content-Type:text/calendar; method=REPLY; charset=US-ASCII R: Content-Transfer-Encoding: 7bit R: R: BEGIN:VCALENDAR # etc... R: END:VCALENDAR R: . 3.1.5 DEQUEUE Arguments: caluid [latencyTime] Data: a single queued itip message on success. Result: 2.0 success 2.0.2 reply pending. 2.0.8 no more messages 3.8 no authority to perform this operation 9.1 unexpected command The DEQUEUE command requests the Receiver to send a single queued message to the Sender. This differs from using the SWITCH command in several ways: - the SWITCH command results in the Connected state after the Sender and Receiver roles are reversed. This means that both the Sender and Receiver must be prepared to handle the AUTHENTICATE command. Using the DEQUEUE command, queued commands can be collected by the original Sender without it having to handle the AUTHENTICATE command. - Only one message is transferred per DEQUEUE command. - The single and implicit receiver of a DEQUEUE message is the currently authenticated Sender. If the Receiver has a queued message for the CALID and the authenticated user is allowed to access the queue, it will be sent as the reply to the DEQUEUE message. The message is followed by a (required) . and a (required) response code. Example: S: DEQUEUE irip://cal.example.com/sman R: Content-Type:text/calendar; method=REQUEST; charset=US-ASCII R: Content-Transfer-Encoding: 7bit Mansour/Courtemanche/O'Leary 15 Expires August 1999 Internet Draft IRIP April 16, 1999 R: R: BEGIN:VCALENDAR # etc... R: END:VCALENDAR R: . R: 2.0 irip://cal.example.com/sman S: DEQUEUE irip://cal.example.com/sman R: . R: 2.0.8 irip://cal.example.com/sman 3.1.6 DISCONNECT Arguments: none Data: none Result: 2.0 - success The DISCONNECT command signals the end of communication between the Sender and Receiver. It SHOULD be issued only from the Authenticated or Connected states. However, receiver implementations MUST be prepared to handle a DISCONNECT at any point in this state diagram. Example: S: DISCONNECT R: 2.0 3.1.7 RECIPIENT Arguments: caluid [latencyTime] Data: none Result: 2.0 - Found the calendar 2.0.4 - caluid is not on this irip server but an attempt will be made to deliver the request or reply to the Calendar anyway. A trust relationship exists with IRIP server for caluid. 2.0.5 - just like 2.0.4 except that the message MUST be queued. That is, it will not be possible for this request to be processed in real-time. 2.0.6 - The specified is not here but an attempt will be made to deliver the request or reply to anyway. Mansour/Courtemanche/O'Leary 16 Expires August 1999 Internet Draft IRIP April 16, 1999 There is not a trust relationship between the IRIP server and the IRIP server for the target calendar. 3.8 - the authenticated iRIP session does not have authority to perform [iTIP] activities on . 5.3 - IRIP services for the specified calid are not supported. 9.1 - Unexpected command 10.1 - is not supported by this iRIP service but can be found . Note that need not be of the IRIP scheme. The RECIPIENT command is used to identify a recipient of the iCalendar Object. Use multiple RECIPIENT commands to specify multiple recipients. A reply code will be returned for each calendar address supplied. A response code for each calendar address will also be returned after the SENDATA command completes. A reply code of 2.0 indicates that the calendar address is available for [ITIP] messages. If the receiver does not accept [ITIP] messages for the specified calendar address, it responds with [ITIP] reply code 5.3 to indicate that the calendar address is unknown. If the receiver has a referral calendar address it responds with reply code 10.1 and supplies the new calendar address. In either case, the iRIP server does not deliver the [ITIP] message when the reply code is 5.3 or 10.1. After the ITIP message has been sent, a reply code will be returned for each of the recipients. 3.1.7.1 Fanout Issues On RECIPIENT A receiver may be implemented such that it will fanout requests to other iRIP servers. That is, a sender connects to iRIP receiver at A.example.com and specifies a RECIPIENT calendar address on B.example1.com. If the iRIP server at A.example.com handles getting the request to the receiver at B.example1.com it supports fanout. iRIP iRIP Sender ----------- [A.example.com] ------------- [B.example.com] An iRIP server implementation can implement fanout in different ways. Mansour/Courtemanche/O'Leary 17 Expires August 1999 Internet Draft IRIP April 16, 1999 One way involves verifying remote recipient calendars in real-time. Another way saves up all remote recipient calendars and simply attempts to access them later. The advantage of verifying remote calendars in real-time is that the sender is notified immediately, via the reply code, whether or not the recipient calendar exists and is accessible. For example, suppose that the iRIP server on A.example.com just received the following command from Sender: RECIPIENT irip://b.example.com/sam If A.example.com immediately contacts B.example.com and issues a RECIPIENT irip://b.example.com/sman and returns the reply back to Sender, the sender will have an authoritative reply code (2.0 - success, 3.7 - invalid calendar, or 10.1 - referral). On the other hand, if A.example.com simply collects all the remote calendar addresses and attempt to access them later in the transaction the reply will be 2.0.4 (will attempt). The disadvantage of this approach is that the sender does not know the status of the target calendar during the RECIPIENT negotiation. 3.1.8 SENDATA Arguments: [latencyTime] Data: MIME encapsulated iCalendar object Result: 2.0.1 - Begin sending the MIME encapsulated iCalendar Object 9.1 - Unexpected command After sending the iCalendar object a result is returned for each recipient. These results can be the following: 2.0 - Success. [ITIP] message delivered. 2.0.2 - A timeout has occurred. 2.0.3 - In response to the client issuing an ABORT 2.0.7 - The message has been queued for delivery. 2.0.11 - Success. [ITIP] message delivered and a response follows. 8.0 A failure has occurred in the receiver that prevents the operation from succeeding. 8.1 Sent when a session cannot be established because the iRIP Receiver is too busy. 8.2 Used to signal that an ICAL object has exceeded the server's size limit. Mansour/Courtemanche/O'Leary 18 Expires August 1999 Internet Draft IRIP April 16, 1999 9.0 An unrecongnized command (METHOD) was received. 9.1 A command was issued in a manner inconsistent with the state diagram. For example, issuing the SENDATA command without having specified a RECIPIENT will cause this error. 10.2 The server is shutting down. 10.4 The operation has not be performed because it would cause the resources (memory, disk, CPU, etc) to exceed the allocated quota The SENDATA command is used to specify the iCalendar Object that is to be delivered to one or more recipients specified in the RECIPIENT command. The format of the command sequence is: S: SENDATA [latencyTime] R: 2.0.1 S: S: . R: # if the reply code above is 2.0.11 the following will also be sent: R: R: . The optional latencyTime value specifies the maximum number of seconds the sender will wait for a reply. If it is not present, the client places no time limit on the server for a reply. A reply code of 2.0.1 indicates that the [ITIP] message data can be sent. The data must be broken into lines that are 1024 characters (including the ending or less. When the entire message has been sent, the sender terminates sending data with the special sequence .. The receiver reply MAY contain an [ITIP] message. The reply MUST contain the special sequence . followed by a reply code for each RECIPIENT. The command sequence for an iRIP server that does not include an [ITIP] message in the reply might appear as follows: S: RECIPIENT irip://cal.example.com/johndoe R: 2.0 S: RECIPIENT irip://cal.othersystem.com/xyz R: 2.0.5 S: SENDATA R: 2.0.1 # lots of data S: . R: . R: 2.0 irip://cal.example.com/johndoe Mansour/Courtemanche/O'Leary 19 Expires August 1999 Internet Draft IRIP April 16, 1999 R: 2.0.7 irip://cal.othersystem.com/xyz If the reply code is 2.0.11, an [ITIP] message reply will follow. This message will be terminated by the . sequence. iRIP servers are not required to send [ITIP] messages in the reply to [ITIP] requests delivered via the SENDATA command. However, the protocol allows for high performance servers to do so. iRIP senders MUST accept the [ITIP] message if the receiver includes it the reply. 3.1.9 SWITCH Arguments: none Data: none Result: 2.0 Sender and receiver have switched roles. The connection is switched to the Connected State. 3.14 Unsupported command. That is, the receiver refuses to switch roles. The SWITCH command is used to allow the Sender and Receiver to change roles. After a switch command is executed and the new Sender authenticates, all queued commands that the new Sender has queued for the new Receiver will be delivered. The SWITCH command is useful in environments where the firewall of a Sender would not allow the Receiver to initiate a connection. The SWITCH command is issued by the Sender to give the Receiver the opportunity to take the role of the Sender. The Sender must be in the authenticated state before the SWITCH command can be used. The Receiver must respond in one of the following fashions: - send an OK reply and take on the role of Sender - send a error reply indicating refusal and retain the role of Receiver If program-A is currently the Sender and sends the SWITCH command and receives an OK reply then program-A becomes the Receiver. The IRIP connection returns to the Connected state. Program-A is then in its initial state and sends a service ready response code of 2.0. If program-B is currently the Receiver and sends an OK reply in response to a SWITCH command then program-B becomes the Sender. Program-B is then in the initial state (connected) as if it had just connected to Program-A, and expects to receive a response code of 2.0. 3.2 Fanout and Queued Transactions Mansour/Courtemanche/O'Leary 20 Expires August 1999 Internet Draft IRIP April 16, 1999 An iRIP server must be able to fanout requests targeted at other iRIP servers. An iRIP server may queue information targeted at other iRIP servers. There are several reasons for queing requests. One reason is that firewall issues may prevent one server from contacting another. iRIP servers can establish trust relationships between each other. A trusted relationship means: - one server must authenticate with the other - authenticated calendars on one server are trusted and treated as authenticated on the other. The trusted relationship need not be bi-directional. That is, the fact that iRIP server A trusts iRIP server B does not necessarily mean that B trusts A. A trusted relationship between two iRIP servers means that one server can queue transactions for the other server and deliver them some time later. If iRIP server B trusts A, then A can queue requests for B. If A does not trust B then B cannot accumulate requests for A. [Editors Note: do we really want to impose this restriction?] Certain requests may need to be delivered and replied to in real-time. In fact, a requester may wish to cancel the request if the reply cannot be delivered in real-time. In iRIP the reply code to the RECIPIENT command indicates whether or not a reply will be made in real-time (barring connection and hardware failures). This allows the sender to abort the request if necessary. 3.3 Bi-Directional Queue Operation It is possible that firewall configurations may not allow a connection between two iRIP servers in either direction. That is, in the diagram below, suppose there are two users, sender1 and sender2, who wish to exchange [ITIP] messages. Their calendar addresses are irip://B.foo.com/sender1 and irip://D.bar.com/sender2. The firewall in front of B.foo.com prevents incoming external connections on the iRIP server port. However, it allows outbound external connections on the iRIP server port to happen. Similarly, the firewall in front of D.bar.com also prevents inbound connections on the iRIP server port, but allows outbound connections. To allow sender1 and sender2 to exchange iRIP messages an intermediate iRIP server, C.foobar.com, is used to queue messages for both of their calendars. A trust relationship between the intermediate iRIP server and the endpoint servers (B.foo.com and D.bar.com) is desirable but not required. [Editors note: is desired but not required OK with everyone?] iRIP +-----------+ +-----------+ iRIP sender1 --------| B.foo.com |--#--+--#--| D.bar.com |------- sender2 +-----------+ | +-----------+ | +----------------+ Mansour/Courtemanche/O'Leary 21 Expires August 1999 Internet Draft IRIP April 16, 1999 | C.foobar.com | +----------------+ 3.4 Reply Codes iRIP error codes follow the format defined for Status Replies in [ITIP]. All Status Replies as defined in [ITIP] are valid error codes when returned by an iRIP command. In addition to those defined in [ITIP], iRIP defines the following error codes: REPLY CODE DESCRIPTION MEANING ------ ---------------------- -------------------------------------- 2.0 STATOK Operation was successfully performed. 2.0.1 START-SENDATA Start ICAL input; end with . 2.0.11 OK-DATAFOLLOWS The request was processed successfully. Reply data follows on the next line and terminates with . 2.0.2 REPLY-PENDING A timeout has occurred. The server is still working on the reply. Use CONTINUE to continue waiting for the reply or ABORT to terminate the command. 2.0.3 ABORTED In response to the client issuing an ABORT command, this reply code indicates that any command currently underway was successsfully aborted. 2.0.4 WILL-ATTEMPT The specified Calendar is not here but an attempt will be made to deliver the request or reply to the Calendar anyway. There is a trust relationship between this iRIP server and the iRIP server for the target calendar. 2.0.5 TRUSTED-WILL-QUEUE The specified Calendar cannot be contacted directly and a trust relationship exists between this server and the server on which the Calendar exists. The request or reply will be queued and delivered to the target calendar when its iRIP server contacts this server and issues the SWITCH command. Mansour/Courtemanche/O'Leary 22 Expires August 1999 Internet Draft IRIP April 16, 1999 2.0.6 WILL-ATTEMPT The specified Calendar is not here but an attempt will be made to deliver the request or reply to the Calendar anyway. There is not a trust relationship between the iRIP server and the iRIP server for the target calendar. 2.0.7 QUEUED The message has been queued for delivery. 2.0.8 QUEUE-EMPTY There are no more queued messages. 2.2 NO COMMAND IN PROGRESS An ABORT or CONTINUE was received when no command was in progress 6.1 AUTHENTICATE FAILURE Unsupported authentication mechanism, credentials rejected 6.2 AUTHENTICATION ABORTED Sender aborted authentication, authentication exchange cancelled 8.0 GENERAL FAILURE A failure has occurred in the Receiver that prevents the operation from succeeding. 8.1 SERVER TOO BUSY Sent when a session cannot be established because the iRIP Receiver is too busy. 8.2 ICAL OBJECT TOO BIG Used to signal that an ICAL object has exceeded the server's size limit. 8.3 DATE TOO LARGE A DATETIME value was too far in the future to be represented on this Calendar. 8.4 DATE TOO SMALL A DATETIME value was too far in the past to be represented on this Calendar. 9.0 INVALID iRIP COMMAND An unrecongnized command was received. 9.1 UNEXPECTED COMMAND A command was issued in a manner inconsistent with the state diagram. For example, issuing the SENDATA command without having specified any RECIPIENTs will cause this error. 10.1 REFERRAL Accompanied by an alternate address. The RECIPIENT specified should be contacted at the given alternate Mansour/Courtemanche/O'Leary 23 Expires August 1999 Internet Draft IRIP April 16, 1999 address. The referral address MUST follow the reply code. 10.2 SERVER SHUT DOWN The server is shutting down. 10.3 SERVER STOPPING FLOOD 2 10.4 EXCEEDED QUOTAS The operation has not be performed because it would cause the resources (memory, disk, CPU, etc) to exceed the allocated quota 10.5 QUEUED TOO LONG The ITIP message has been queued too long. Delivery has been aborted. 4 Implementation Considerations It is strongly recommended that when an iRIP implementation encounters an error requiring the communication channel between the Sender and Receiver to be dropped that the DISCONNECT command be issued rather than simply breaking the communication channel. 5 Security Considerations The security of iRIP with [SASL] support is highly dependent on the mechanism used to authenticate the client and whether or not the security layer is further negotiated. Without a robust security layer, iRIP transactions are subject to eavesdropping and the integrity of iRIP transactions may be compromised. Since iRIP is designed specifically for real time transactions, it is recommended that implementations use the highest degree of authentication and transmission security possible. 5.1 Security Threats and Recommendations In addition to the security risks detailed in [ITIP], the following sections discuss security risks in using iRIP as the transport binding. 5.1.1 Authentication Hacking Once authenticated, senders can re-authenticate from the Authenticated state. It is possible that, once authenticated, a sender could take advantage of this capability and repeatedly attempt to guess at calendar user credentials. It is recommended that implementations disconnect after a failed authentication attempt from the Authenticated state. Mansour/Courtemanche/O'Leary 24 Expires August 1999 Internet Draft IRIP April 16, 1999 5.1.2 Spoofing The [ITIP] paradigm allows any modifications to data by its Organizer, which maps to the [SASL] authorization identity. This means that authorizing with appropriate identities over iRIP will allow read and write access to any item in the Receiver's database. There are several ways to limit this security risk. The choice of accepted authentication mechanisms can reduce the security risk. The ANONYMOUS mechanism allows a greater level of interoperability, in that any Sender can connect anonymously, but greatly increases the security risk for the same reason. The method in which authorizations are accepted can also be modified to improve security. Some hosts may be trusted to authorize as any caladdress, while others may be only be trusted to authorize as users in their domain. [ITIP] data is transmitted in MIME containers, which provide a facility for digitally signing their data. A sender may use this scheme in order to provide a final security fallback. Finally, some implementations may decide to queue incoming iRIP commands for approval by the owner of the calendar, although this is certainly the least reliable of these security mechanisms. 5.1.3 Eavesdropping The use of SASL in iRIP allows the negotiation of an encrypted security layer, which greatly reduces the chances that a connection will be subject to eavesdropping. However, if another iRIP server is being used to relay iRIP data this relay server is privy to whatever information is being transmitted. For this reason it may be desirable to use MIME's encryption facility to protect the data. 5.1.4 Connection Flooding Servers should be configurable to timeout unused connections. 5.2 Security Interoperability Issues * minimum SASL mechanism [ed note: tbd Paul Hill to supply ] * add a failure case under 6.3 6 Examples 6.1 Unauthenticated Freebusy Request Mansour/Courtemanche/O'Leary 25 Expires August 1999 Internet Draft IRIP April 16, 1999 This examples shows an anonymous request for the freebusy time of irip://cal.example.com/sman. Note that once xyz is authenticated on the IRIP server either the fully qualified IRIP CALID or the relative CALID can be used to reference a Calendar. That is, "irip://cal.example.com/xyz" and "xyz" refer to the same calendar and can be used interchangeably. R: S: R: 2.0 S: AUTHENTICATE ANONYMOUS R: 2.0 S: RECIPIENT:irip://b.foo.bar/sman R: 2.0 S: SENDATA R: 2.0.1 S: Content-Type:text/calendar; method=REQUEST; charset=US-ASCII S: Content-Transfer-Encoding: 7bit S: S: BEGIN:VCALENDAR S: PRODID:-//ACME/DesktopCalendar//EN S: METHOD:REQUEST S: VERSION:2.0 S: BEGIN:VFREEBUSY S: ORGANIZER: irip://b.foo.bar/xyz S: ATTENDEE: irip://b.foo.bar/sman S: DTSTAMP:19971113T190000Z S: DTSTART:19971115T160000Z S: DTEND:19971116T040000Z S: UID:www.example.com-873970198738777@host.com S: END:VFREEBUSY S: END:VCALENDAR S: . # server looks up the freebusy time and builds a reply> R: 2.0.11 irip://cal.example.com/sman R: Content-Type:text/calendar; method=REPLY; charset=US-ASCII R: Content-Transfer-Encoding: 7bit R: R: BEGIN:VCALENDAR R: PRODID:-//EXAMPLE/DesktopCalendar//EN R: METHOD:REPLY R: VERSION:2.0 R: BEGIN:VFREEBUSY R: ORGANIZER:irip://cal.example.com/xyz R: ATTENDEE:irip://cal.example.com/sman R: DTSTAMP:19971113T190005Z R: DTSTART:19971115T160000Z R: DTEND:19971116T040000Z R: UID:www.example.com-873970198738777@host.com Mansour/Courtemanche/O'Leary 26 Expires August 1999 Internet Draft IRIP April 16, 1999 R: FREEBUSY:19971115T230000Z/PT1H,19971115T210000Z/PT30M R: END:VFREEBUSY R: END:VCALENDAR R: . S: DISCONNECT R: 2.0 R: S: 6.2 Busy Time Request In this example, the sender sends a Freebusy request to the iRIP server at B.foo.com for several calendars. Some of the calendars are on other calendar stores. The sender needs the information immediately and will abort any attempt to queue requests. R: S: R: 2.0 S: AUTHENTICATE KERBEROS_V4 93407205 # more authentication information R: 2.0 S: RECIPIENT:irip://B.foo.com/bill R: 2.0 S: RECIPIENT:irip://C.foobar.com/cathy R: 2.0.4 S: RECIPIENT:irip://D.bar.com/david R: 2.0.5 S: RECIPIENT:irip://E.barfoo.com/eddie R: 2.0.6 # the sender does not want this ITIP message to be queued request. # So, the current operation will be canceled. The operation will be # tried again with attendees that can be serviced in real-time. S: ABORT R: 2.0.3 S: RECIPIENT:irip://B.foo.com/bill R: 2.0 S: RECIPIENT:irip://C.foobar.com/cathy R: 2.0.4 S: RECIPIENT:irip://E.barfoo.com/eddie R: 2.0.6 S: SENDATA R: 2.0.1 S: Content-Type:text/calendar; method=REQUEST; charset=US-ASCII S: Content-Transfer-Encoding: 7bit S: S: BEGIN:VCALENDAR S: PRODID:-//ACME/DesktopCalendar//EN Mansour/Courtemanche/O'Leary 27 Expires August 1999 Internet Draft IRIP April 16, 1999 S: METHOD:REQUEST S: VERSION:2.0 S: BEGIN:VFREEBUSY S: ORGANIZER:irip://B.foo.com/bill S: ATTENDEE:irip://B.foo.com/bill S: ATTENDEE:irip://C.foobar.com/cathy S: ATTENDEE:irip://D.bar.com/david S: ATTENDEE:irip://E.barfoo.com/eddie S: DTSTAMP:19971113T190000Z S: DTSTART:19971115T160000Z S: DTEND:19971116T040000Z S: UID:www.example.com-873970198738777@host.com S: END:VFREEBUSY S: END:VCALENDAR S: . # server looks up the freebusy time for irip://B.foo.com/bill, # requests and receives the freebusy time for # irip://C.foobar.com/cathy and irip://E.barfoo.com/eddie. Then it # builds a reply R: 2.0.11 irip://B.foo.com/bill R: Content-Type:text/calendar; method=REPLY; charset=US-ASCII R: Content-Transfer-Encoding: 7bit R: R: BEGIN:VCALENDAR R: PRODID:-//EXAMPLE/DesktopCalendar//EN R: METHOD:REPLY R: VERSION:2.0 R: BEGIN:VFREEBUSY S: ORGANIZER:irip://B.foo.com/bill R: ATTENDEE:irip://B.foo.com/bill R: DTSTAMP:19971113T190005Z R: DTSTART:19971115T160000Z R: DTEND:19971116T040000Z R: UID:www.example.com-873970198738777@host.com R: FREEBUSY:19971115T200000Z/PT1H,19971116T030000Z/PT30M R: END:VFREEBUSY R: END:VCALENDAR R: . R: 2.0.11 irip://C.foobar.com/cathy R: Content-Type:text/calendar; method=REPLY; charset=US-ASCII R: Content-Transfer-Encoding: 7bit R: R: BEGIN:VCALENDAR R: PRODID:-//EXAMPLE/DesktopCalendar//EN R: METHOD:REPLY R: VERSION:2.0 R: BEGIN:VFREEBUSY S: ORGANIZER:irip://B.foo.com/bill R: ATTENDEE:irip://C.foobar.com/cathy R: DTSTAMP:19971113T190005Z Mansour/Courtemanche/O'Leary 28 Expires August 1999 Internet Draft IRIP April 16, 1999 R: DTSTART:19971115T160000Z R: DTEND:19971116T040000Z R: UID:www.example.com-873970198738777@host.com R: FREEBUSY:19971115T230000Z/PT1H,19971116T020000Z/PT30M R: END:VFREEBUSY R: END:VCALENDAR R: . R: 2.0.11 irip://E.barfoo.com/eddie R: Content-Type:text/calendar; method=REPLY; charset=US-ASCII R: Content-Transfer-Encoding: 7bit R: R: BEGIN:VCALENDAR R: PRODID:-//EXAMPLE/DesktopCalendar//EN R: METHOD:REPLY R: VERSION:2.0 R: BEGIN:VFREEBUSY S: ORGANIZER:irip://B.foo.com/bill R: ATTENDEE:irip://E.barfoo.com/eddie R: DTSTAMP:19971113T190005Z R: DTSTART:19971115T160000Z R: DTEND:19971116T040000Z R: UID:www.example.com-873970198738777@host.com R: FREEBUSY:19971115T230000Z/PT1H,19971116T020000Z/PT30M R: END:VFREEBUSY R: END:VCALENDAR R: . S: DISCONNECT R: 2.0 R: S: 6.3 Using Switch This session demonstrates how a poll can be accomplished using the SWITCH command. In this case, the receiver (A.example.com) becomes the sender after issuing the switch command. # receiver is currently A.example.com, the sender is B.xyz.com R: S: R: 2.0 S: AUTHENTICATE KERBEROS_V4 # more authentication... R: 2.0 S: SWITCH R: 2.0 # The connection state has returned to the Connected state. A.example.com # must now Authenticate with B.xyz.com Mansour/Courtemanche/O'Leary 29 Expires August 1999 Internet Draft IRIP April 16, 1999 S: 2.0 R: AUTHENTICATE KERBEROS_V4 # more authentication... R: 2.0 # Now that the switch has occurred, A.example.com is the sender and # B.xyz.com is the receiver. At this point, A.example.com sends all # queued commands for recipients on B.xyz.com S: RECIPIENT:irip://B.xyz.com/sman R: 2.0 S: SENDATA R: 2.0.1 S: Content-Type:text/calendar; method=REQUEST; charset=US-ASCII S: Content-Transfer-Encoding: 7bit S: S: BEGIN:VCALENDAR S: PRODID:-//ACME/DesktopCalendar//EN S: METHOD:REQUEST S: VERSION:2.0 S: BEGIN:VFREEBUSY S: ORGANIZER:irip://A.example.com/billybob S: ATTENDEE:irip://B.xyz.com/sman S: DTSTAMP:19981113T190000Z S: DTSTART:19981115T160000Z S: DTEND:19981116T160000Z S: UID:123456abcdef.1234.2314 S: END:VFREEBUSY S: END:VCALENDAR S: . # server looks up the freebusy time and builds a reply R: 2.0.11 irip://B.xyz.com/sman R: Content-Type:text/calendar; method=REPLY; charset=US-ASCII R: Content-Transfer-Encoding: 7bit R: R: BEGIN:VCALENDAR R: PRODID:-//EXAMPLE/DesktopCalendar//EN R: METHOD:REPLY R: VERSION:2.0 R: BEGIN:VFREEBUSY R: ORGANIZER:irip://cal.example.com/xyz R: ATTENDEE:irip://cal.example.com/sman R: DTSTAMP:19981113T190005Z R: DTSTART:19981115T160000Z R: DTEND:19981116T160000Z R: UID:123456abcdef.1234.2314 R: FREEBUSY:19981115T230000Z/PT1H,19981115T210000Z/PT30M R: END:VFREEBUSY R: END:VCALENDAR R: . Mansour/Courtemanche/O'Leary 30 Expires August 1999 Internet Draft IRIP April 16, 1999 # A.example.com has no more queued ITIP messages for B.xyz.com. # So, it disconnects... S: DISCONNECT R: 2.0 R: S: 6.4 Fanout Requests 6.4.1 Successful Fanout Request In the diagram below, sender has authenticated to the iRIP server B.foo.com and is attempting to deliver a request to calendars on B.foo.com and C.foobar.com. The iRIP server on B.foo.com supports fanout. It verifies remote calendars during the RECIPIENT negotiation with sender. +-----------+ +-----------+ sender ---------| B.foo.com |---------| D.bar.com | +-----------+ +-----------+ Connection between S and B.foo.com S = sender R = B.foo.com ----------------------------------- R: S: < connect to B.foo.com port 5228> R: 2.0 S: AUTHENTICATE KERBEROS_V4 93407205 # more authentication information R: 2.0 S: RECIPIENT:irip://B.foo.com/bill R: 2.0 S: RECIPIENT:irip://D.bar.com/david Connection B.foo.com to D.bar.com S = B.foo.com R = D.bar.com ---------------------------------- R: S: R: 2.0 S: R: 2.0 S: RECIPIENT:irip://D.bar.com/david R: 2.0 R: 2.0 Mansour/Courtemanche/O'Leary 31 Expires August 1999 Internet Draft IRIP April 16, 1999 S: SENDATA R: 2.0.1 S: S: . S: SENDATA R: 2.0.1 S: S: . R: . R: 2.0 irip://D.bar.com/david R: . R: 2.0 irip://B.foo.com/bill R: 2.0 irip://D.bar.com/david S: DISCONNECT R: 2.0 6.4.2 Referral On Fanout This example is just like the one above except that in this case the remote calendar no longer exists and a referral is returned. The sender cancels the transaction in the RECIPIENT phase (using ABORT) and starts a new transaction that uses the referral address. +-----------+ +-----------+ sender ---------| B.foo.com |----+----| D.bar.com | +-----------+ | +-----------+ | | +-----------+ +----| E.xyz.com | +-----------+ Connection between S and B.foo.com S = sender R = B.foo.com ==================================== S: < connect to B.foo.com port 5228> R: 2.0 S: AUTHENTICATE KERBEROS_V4 93407205 S: R: 2.0 S: RECIPIENT:irip://B.foo.com/bill R: 2.0 S: RECIPIENT:irip://D.bar.com/david Connection B.foo.com to D.bar.com S = B.foo.com R = D.bar.com =================================== R: Mansour/Courtemanche/O'Leary 32 Expires August 1999 Internet Draft IRIP April 16, 1999 S: R: 2.0 S: R: 2.0 S: RECIPIENT:irip://D.bar.com/david R: 10.1 irip://E.xyz.com/david99 R: 10.1 irip://E.xyz.com/david99 S: ABORT R: 2.0.3 S: RECIPIENT:irip://B.foo.com/bill R: 2.0 S: RECIPIENT irip://E.xyz.com/david99 Connection B.foo.com to E.xyz.com S = B.foo.com R = E.xyz.com =================================== S: R: 2.0 S: R: 2.0 S: RECIPIENT irip://E.xyz.com/david99 R: 2.0 R: 2.0 S: SENDATA R: 2.0.1 S: S: . S: SENDATA R: 2.0.1 S: S: . R: . R: 2.0 irip://E.xyz.com/david99 R: . R: 2.0 irip://B.foo.com/bill R: 2.0 irip://E.xyz.com/david99 S: DISCONNECT R: 2.0 6.5 Queued Requests In the diagram below, sender S has authenticated to the iRIP server B.foo.com. C.foobar.com, D.bar.com, and E.barfoo.com all have iRIP servers. The iRIP server on B.foo.com has a trusted relationship with iRIP servers on both C.foobar.com and D.bar.com. A firewall is in place that prohibits iRIP server B.foo.com from initiating a connection to the iRIP server on D.bar.com. However, iRIP server D.bar.com can connect to iRIP server B.foo.com. Mansour/Courtemanche/O'Leary 33 Expires August 1999 Internet Draft IRIP April 16, 1999 +--------------+ +------| C.foobar.com | | +--------------+ | +-----------+ | +-----------+ S ---------| B.foo.com |------#--| D.bar.com | +-----------+ | +-----------+ | | +--------------+ +------| E.barfoo.com | +--------------+ 6.5.1 Meeting Invitation In this example, S sends an event request to the iRIP server on B for calendars on B, C, D, and E. Note that C's address moved from foo.com to foobar.com and is reported to the sender during the RECIPIENT negotiation. R: S: R: 2.0 S: AUTHENTICATE KERBEROS_V4 93407205 S: R: 2.0 S: RECIPIENT irip://B.foo.com/bill R: 2.0 S: RECIPIENT irip://C.foobar.com/cathy R: 10.1 irip://C.foobar.com/cathy S: RECIPIENT irip://C.foobar.com/cathy R: 2.0.4 S: RECIPIENT irip://D.bar.com/david R: 2.0.5 S: RECIPIENT irip://E.barfoo.com/eddie R: 2.0.6 S: SENDATA 16 R: 2.0.1 S: Content-Type:text/calendar; method=REQUEST; charset=US-ASCII S: Content-Transfer-Encoding: 7bit S: S: BEGIN:VCALENDAR S: PRODID:-//ACME/DesktopCalendar//EN S: METHOD:REQUEST S: VERSION:2.0 S: BEGIN:VEVENT S: ORGANIZER:irip://B.foo.com/bill S: ATTENDEE;ROLE=CHAIR;PARTSTAT=ACCEPTED:irip://B.foo.com/bill S: ATTENDEE;RSVP=TRUE;TYPE=INDIVIDUAL:irip://C.foobar.com/cathy S: ATTENDEE;RSVP=TRUE;TYPE=INDIVIDUAL:irip://D.bar.com/david S: ATTENDEE;RSVP=TRUE;TYPE=INDIVIDUAL:irip://E.barfoo.com/eddie S: DTSTAMP:19981011T190000Z S: DTSTART:19981101T200000Z Mansour/Courtemanche/O'Leary 34 Expires August 1999 Internet Draft IRIP April 16, 1999 S: DTEND:19981101T2100000Z S: SUMMARY:Conference S: UID:calsrv.example.com-873970198738777@example.com S: SEQUENCE:0 S: STATUS:CONFIRMED S: END:VEVENT S: END:VCALENDAR S: . R: . R: 2.0 irip://B.foo.com/bill R: 2.0 irip://C.foobar.com/cathy R: 2.0.7 irip://D.bar.com/david R: 2.0 irip://E.barfoo.com/eddie S: DISCONNECT R: 2.0 R: S: The invitation is written to the calendar B.foo.com/bill. iRIP server B.foo.com authenticates to C.foobar.com and sends the event request, which is successfully written to C.foobar.com/cathy. The iRIP server on B.foo.com cannot contact D.bar.com, but a trust relationship exists between them and the request is queued for delivery. This request will be delivered the next time the iRIP server on D.bar.com connects to the iRIP server on B.foo.com and issues a SWITCH command. The iRIP server on B.foo.com connects to the iRIP server on E.barfoo.com and authenticates as anonymous since it has no trust relationship with E.barfoo.com. If the anonymous authentication is successful, the event request is delivered to E.barfoo.com/eddie. 7 Acknowledgments The following have participated in the drafting and discussion of this memo: Frank Dawson, Bruce Kahn, Doug Royer, Mugino Saeki 8 Bibliography [ICAL] F. Dawson, D. Stenerson, "Internet Calendaring and Scheduling Core Object Specification - iCalendar", RFC-2445, November 1998, http://www.imc.org/rfc2445. [ITIP] S. Silverberg, S. Mansour, F. Dawson, R. Hopson, "iCalendar Transport-Independent Interoperability Protocol (iTIP) : Scheduling Events, Busy Time, To-dos and Journal Entries", RFC-2446, November 1998, http://www.imc.org/rfc2446. [IMIP] F. Dawson, S. Mansour, S. Silverberg, "iCalendar Message-based Interoperability Protocol (iMIP), ", RFC-2447, November 1998, http://www.imc.org/rfc2447. [ID-UTF8] 3"UTF-8, a transformation format of ISO 10646. F. Yergeau.", Mansour/Courtemanche/O'Leary 35 Expires August 1999 Internet Draft IRIP April 16, 1999 RFC 2299, January 1998 [RFC-822] Crocker, D., "Standard for the Format of ARPA Internet Text Messages", STD 11, RFC 822, August 1982. [RFC-1847]. J. Galvin, S. Murphy, S. Crocker & N. Freed, "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted", RFC 1847, October 1995. [RFC-2112] Levinson, E., "The MIME Multipart/Related Content-type," RFC 2112, March 1997. [RFC-2015] M. Elkins, "MIME Security with Pretty Good Privacy (PGP)," RFC 2015, October 1996. [RFC-2045] Freed, N., Borenstein, N., " Multipurpose Internet Mail Extensions (MIME) - Part One: Format of Internet Message Bodies", RFC 2045, November 1996. [RFC-2046] Freed, N., Borenstein, N., " Multipurpose Internet Mail Extensions (MIME) - Part Two: Media Types", RFC 2046, November 1996. [RFC-2047] Moore, K., "Multipurpose Internet Mail Extensions (MIME) - Part Three: Message Header Extensions for Non-ASCII Text", RFC 2047, November 1996. [RFC-2048] Freed, N., J. Klensin, J. Postel, "Multipurpose Internet Mail Extensions (MIME) - Part Four: Registration Procedures", RFC 2048, January 1997. [RFC-2222] J. Meyers, Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997. [RFC2396] Berners-Lee, Fielding, Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998. [RFC-2445] Dawson, Stenerson, "Internet Calendaring and Scheduling Core Object Specification (iCalendar)", RFC 2445, November 1998 [RFC-2446] Silverberg, Mansour, Dawson, Hopson, "iCalendar Transport- Independent Interoperability Protocol (iTIP)", RFC 2446, November 1998 [RFC-2447] Dawson, Mansour, Silverberg, "iCalendar Message-Based Interoperability Protocol (iMIP)", RFC 2445, November 1998 9 Open Issues Registration of the [SASL] profile for iRIP with the IANA. Port Number registration 10 Author's Address Mansour/Courtemanche/O'Leary 36 Expires August 1999 Internet Draft IRIP April 16, 1999 The following address information is provided in a vCard v2.1, Electronic Business Card, format. BEGIN:VCARD VERSION:2.1 FN:Steve Mansour ORG:Netscape Communications Corporation ADR;WORK;POSTAL;PARCEL:;;501 East Middlefield Road;Mountain View;CA;94043;USA TEL;WORK;MSG:+1-650-937-2378 TEL;WORK;FAX:+1-650-937-2103 EMAIL;INTERNET:sman@netscape.com END:VCARD BEGIN:VCARD FN:Andre Courtemanche ORG:CS&T ADR;WORK;POSTAL;PARCEL:;;3333 Graham Boulevard;Montreal;QC;H3R 3L5;Canada TEL;WORK;MSG:+1-514-733-8500 TEL;WORK;FAX:+1-514-733-8788 EMAIL;INTERNET:andre@cst.ca END:VCARD BEGIN:VCARD FN:Pete O'Leary ORG:Amplitude ADR;WORK;POSTAL;PARCEL:;; TEL;WORK;MSG:+1-415-659-3511 TEL;WORK;FAX:+1-415-659-0006 EMAIL;INTERNET:pete@amplitude.com END:VCARD The iCalendar object is a result of the work of the Internet Engineering Task Force Calendaring and scheduling Working Group. The co-chair of that working group is: BEGIN:VCARD FN:Pat Egen ORG:Egen Consulting ADR;WORK;POSTAL;PARCEL:;;803 Creek Overlook;Chattanooga;TN;37415 TEL;WORK;MSG:+1-423.875.2652 TEL;WORK;FAX:+1-423.875.2017 EMAIL;INTERNET:pregen@engenconsulting.com END:VCARD 11 Full Copyright Statement Copyright (C) The Internet Society, January 2, 1999. All Rights Reserved. This document and translations of it MAY be copied and furnished to Mansour/Courtemanche/O'Leary 37 Expires August 1999 Internet Draft IRIP April 16, 1999 others, and derivative works that comment on or otherwise explain it or assist in its implmentation MAY be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself MAY NOT be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process MUST be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.