CDN Interconnection
MetadataVelocix (Alcatel-Lucent)3 Ely RoadMiltonCambridgeCB24 6AAUKben@velocix.comVelocix (Alcatel-Lucent)3 Ely RoadMiltonCambridgeCB24 6AAUKrmurray@velocix.comCisco Systems1414 Massachusetts AvenueBoxboroughMA01719USA+1 978 936 9307mcaulfie@cisco.comEricsson43 Nagog ParkActonMA01720USA+1 978-844-5100kevin.j.ma@ericsson.comThe Content Delivery Networks Interconnection (CDNI) metadata
interface enables interconnected Content Delivery Networks (CDNs) to
exchange content distribution metadata in order to enable content
acquisition and delivery. The CDNI metadata associated with a piece of
content provides a downstream CDN with sufficient information for the
downstream CDN to service content requests on behalf of an upstream CDN.
This document describes both a base set of CDNI metadata and the
protocol for exchanging that metadata.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.Content Delivery Networks Interconnection (CDNI) enables a downstream Content Delivery Network (dCDN)
to service content requests on behalf of an upstream CDN (uCDN).The CDNI metadata interface is discussed in
along with four other interfaces that can be used to compose a CDNI
solution (CDNI Control interface, CDNI Request Routing Redirection
interface, CDNI Footprint & Capabilities Advertisement interface and
CDNI Logging interface). describes each
interface and the relationships between them. The requirements for the
CDNI metadata interface are specified in .The CDNI metadata associated with a piece of content (or with a set
of content) provides a dCDN with sufficient information for servicing
content requests on behalf of an uCDN, in accordance with the policies
defined by the uCDN.This document defines the CDNI metadata interface which enables a
dCDN to obtain CDNI metadata from an uCDN so that the dCDN can properly
process and respond to:Redirection requests received over the CDNI Request Routing
Redirection interface .Content requests received directly from User Agents.Specifically, this document specifies:A data structure for mapping content requests and redirection
requests to CDNI metadata objects ( and
).An initial set of CDNI Generic metadata objects ().A HTTP web service for the transfer of CDNI metadata ().This document reuses the terminology defined in .Additionally, the following terms are used throughout this document
and are defined as follows:Object - a collection of properties.Property - a key and value pair where the key is a property
name and the value is the property value or another object.This document uses the phrase "[Object] A contains [Object]
B" for simplicity when a strictly accurate phrase would be "[Object] A
contains or references (via a Link object) [Object] B".Only the metadata for a small set of initial capabilities is
specified in this document. This set provides the minimum amount of
metadata for basic CDN interoperability while still meeting the
requirements set forth by .The following high-level functionality can be configured via the
CDNI metadata objects specified in :Acquisition Source: Metadata for allowing a dCDN to fetch
content from a uCDN.Delivery Access Control: Metadata for restricting (or
permitting) access to content based on any of the following
factors:LocationTime WindowDelivery ProtocolDelivery Authorization: Metadata for authorizing dCDN user
agent requests.Cache Control: Metadata for controlling cache behavior of the
dCDN.The metadata encoding described by this document is extensible in
order to allow for future additions to this list.The set of metadata specified in this document covers the
initial capabilities above. It is only intended to support CDN
interconnection for the delivery of content by a dCDN using HTTP/1.1
and for a dCDN to be able to acquire content
from a uCDN using either HTTP/1.1 or HTTP/1.1 over TLS .Supporting CDN interconnection for the delivery of content using
unencrypted HTTP/2 (as well as for a dCDN
to acquire content using unencrypted HTTP/2 or HTTP/2 over TLS)
requires the registration of these protocol names in the CDNI Metadata
Protocol Types registry .Supporting CDN interconnection for the delivery of content using
HTTP/1.1 over TLS or HTTP/2 over TLS requires specifying additional
metadata objects to carry the properties required to establish a TLS
session, for example metadata to describe the certificate to use as
part of the TLS handshake.The CDNI metadata interface was designed to achieve the following
objectives:Cacheability of CDNI metadata objects;Deterministic mapping from redirection requests and content
requests to CDNI metadata properties;Support for DNS redirection as well as application-specific
redirection (for example HTTP redirection);Minimal duplication of CDNI metadata; andLeveraging of existing protocols.Cacheability can decrease the latency of acquiring metadata while
maintaining its freshness, and therefore decrease the latency of serving
content requests and redirection requests, without sacrificing accuracy.
The CDNI metadata interface uses HTTP and its existing caching
mechanisms to achieve CDNI metadata cacheability.Deterministic mappings from content to metadata properties eliminates
ambiguity and ensures that policies are applied consistently by all
dCDNs.Support for both HTTP and DNS redirection ensures that the CDNI
metadata
meets the same design principles for both HTTP and DNS based redirection
schemes.Minimal duplication of CDNI metadata improves storage efficiency
in the CDNs.Leveraging existing protocols avoids reinventing common mechanisms
such as data structure encoding (by leveraging I-JSON ) and data transport (by leveraging HTTP ).The CDNI metadata object model describes a data structure for mapping
redirection requests and content requests to metadata properties.
Metadata properties describe how to acquire content from an uCDN,
authorize access to content, and deliver content from a dCDN. The object
model relies on the assumption that these metadata properties can be
aggregated based on the hostname of the content and subsequently on the
resource path (URI) of the content. The object model associates a set of
CDNI metadata properties with a Hostname to form a default set of
metadata properties for content delivered on behalf of that Hostname.
That default set of metadata properties can be overridden by properties
that apply to specific paths within a URI.Different Hostnames and URI paths will be associated with different
sets of CDNI metadata properties in order to describe the required
behaviour when a dCDN surrogate or request router is processing User
Agent requests for content at that Hostname and URI path. As a result of
this structure, significant commonality could exist between the CDNI
metadata properties specified for different Hostnames, different URI
paths within a Hostname and different URI paths on different Hostnames.
For example the definition of which User Agent IP addresses should be
grouped together into a single network or geographic
location is likely to be common for a number of different Hostnames;
although a uCDN is likely to have several
different policies configured to express geo-blocking rules, it is
likely that a single geo-blocking policy could be applied to multiple
Hostnames delivered through the CDN.In order to enable the CDNI metadata for a given Hostname and URI Path
to be decomposed into reusable sets of CDNI metadata properties,
the CDNI metadata interface
splits the CDNI metadata into separate
objects. Efficiency is improved by enabling a single CDNI metadata
object (that is shared across Hostname and/or URI paths) to be retrieved
and stored by a dCDN once, even if it is referenced by the CDNI metadata
for multiple Hostnames and/or URI paths.Important Note: Any CDNI metadata object A that contains another CDNI
metadata object B can
include a Link object specifying a URI that can be
used to retrieve object B,
instead of embedding object B within object A.
The remainder of this document uses the phrase
"[Object] A contains [Object] B" for simplicity when a strictly accurate
phrase would be "[Object] A contains or references (via a Link object)
[Object] B". It is generally a deployment choice for the uCDN
implementation to decide when to embed CDNI metadata objects
and when to reference separate resources via Link objects. introduces a high level description
of the HostIndex, HostMatch, HostMetadata, PathMatch, PatternMatch and
PathMetadata objects, and describes the relationships between them. introduces a high level
description of the CDNI GenericMetadata object which represents the
level at which CDNI metadata override occurs between HostMetadata and
PathMetadata objects. describes in detail
the specific CDNI metadata objects and properties specified by this
document which can be contained within a CDNI GenericMetadata
object.The relationships between the HostIndex, HostMatch, HostMetadata,
PathMatch, PatternMatch and PathMetadata objects are described in
.A HostIndex object (see ) contains a list
of HostMatch objects (see ) that contain
Hostnames (and/or IP addresses) for which content requests might be
delegated to the dCDN. The HostIndex is the starting point for
accessing the uCDN CDNI metadata data store. It enables the dCDN to
deterministically discover
which CDNI metadata objects it requires in order to
deliver a given piece of content.The HostIndex links Hostnames (and/or IP addresses) to HostMetadata
objects (see ) via HostMatch objects. A
HostMatch object defines a Hostname (or IP address) to match against a
requested host and contains a HostMetadata object.HostMetadata objects contain the default
GenericMetadata objects (see )
required to serve content for that host. When looking up CDNI
metadata, the dCDN looks up the requested Hostname (or IP address)
against the HostMatch entries in the HostIndex, from there it can find
HostMetadata which describes the default metadata properties for each host as
well as PathMetadata objects (see ), via
PathMatch objects (see ). PathMatch objects
define patterns, contained inside PatternMatch objects (see ), to match against the requested URI
path. PatternMatch objects contain the pattern strings and
flags that describe the URI path that a PathMatch applies to.
PathMetadata objects contain the GenericMetadata objects
that apply to content requests matching the defined URI
path pattern. PathMetadata properties override properties
previously defined in HostMetadata or less specific PathMatch
paths. PathMetadata objects can contain additional PathMatch
objects to recursively define more specific URI paths to which
GenericMetadata properties might be applied.A GenericMetadata object contains individual CDNI metadata objects
which define the specific policies and attributes needed to properly
deliver the associated content. For example, a GenericMetadata object
could describe the source from which a CDN can acquire a piece of
content. The GenericMetadata object is an atomic unit that can be
referenced by HostMetadata or PathMetadata objects.For example, if "example.com" is a content provider, a HostMatch
object could include an entry for "example.com" with the URI of the
associated HostMetadata object. The HostMetadata object for
"example.com" describes the metadata properties which apply to
"example.com" and could contain PathMatches for "example.com/movies/*"
and "example.com/music/*", which in turn reference corresponding
PathMetadata objects that contain the properties for those
more specific URI paths. The PathMetadata object for
"example.com/movies/*" describes the properties which apply to that URI
path. It could also contain a PathMatch object for
"example.com/movies/hd/*" which would reference the corresponding
PathMetadata object for the "example.com/movies/hd/" path prefix.The relationships in are
also represented in tabular format in below.Data ObjectObjects it contains or referencesHostIndex0 or more HostMatch objects.HostMatch1 HostMetadata object.HostMetadata0 or more PathMatch objects. 0 or more GenericMetadata
objects.PathMatch1 PatternMatch object. 1 PathMetadata object.PatternMatchDoes not contain or reference any other objects.PathMetadata0 or more PathMatch objects. 0 or more GenericMetadata
objects.The HostMetadata and PathMetadata objects contain other CDNI
metadata objects that contain properties which describe how User Agent
requests for content should be processed, for example where to acquire
the content from, authorization rules that should be applied,
geo-blocking restrictions, and so on. Each such CDNI metadata object is
a specialization of a CDNI GenericMetadata object. The GenericMetadata
object abstracts the basic information required for metadata override
and metadata distribution, from the specifics of any given property
(i.e., property semantics, enforcement options, etc.).The GenericMetadata object defines the properties contained
within it as well as whether or not the properties are
"mandatory-to-enforce". If the dCDN does not understand or support a
"mandatory-to-enforce" property, the
dCDN MUST NOT serve the content. If the property is
not "mandatory-to-enforce", then that GenericMetadata object can be
safely ignored and the dCDN MUST process the content request in
accordance with the rest of the CDNI metadata.Although a CDN MUST NOT serve content to a User Agent if a
"mandatory-to-enforce" property cannot be enforced, it could still be
"safe-to-redistribute" that metadata to another CDN without
modification. For example, in the cascaded CDN case, a transit CDN
(tCDN) could pass through "mandatory-to-enforce" metadata to a dCDN. For
metadata which does not require customization or translation (i.e.,
metadata that is "safe-to-redistribute"), the data representation
received off the wire MAY be stored and redistributed without being
understood or supported by the transit CDN. However, for
metadata which requires translation, transparent redistribution of the
uCDN metadata values might not be appropriate. Certain metadata can be
safely, though perhaps not optimally, redistributed unmodified. For
example, source acquisition address might not be optimal if
transparently redistributed, but it might still work.Redistribution safety MUST be specified for each
GenericMetadata property.
If a CDN does not understand or support a given GenericMetadata
property that is not "safe-to-redistribute",
the CDN MUST set the
"incomprehensible" flag to true for that GenericMetadata object
before redistributing the metadata. The
"incomprehensible" flag signals to a dCDN that the metadata was not
properly transformed by the transit CDN. A CDN MUST NOT attempt to use
metadata that has been marked as "incomprehensible" by a uCDN.Transit CDNs MUST NOT change the value of "mandatory-to-enforce" or
"safe-to-redistribute" when propagating metadata to a dCDN. Although a
transit CDN can set the value of "incomprehensible" to true, a transit
CDN MUST NOT change the value of "incomprehensible" from true to
false. describes the action to be taken by a
transit CDN (tCDN) for the different combinations of
"mandatory-to-enforce" (MtE) and "safe-to-redistribute" (StR)
properties, when the tCDN either does or does not understand the
metadata in question:MtEStRMetadata Understood by tCDNActionFalseTrueTrueCan serve and redistribute.FalseTrueFalseCan serve and redistribute.FalseFalseFalseCan serve. MUST set "incomprehensible" to True when
redistributing.FalseFalseTrueCan serve. Can redistribute after transforming the
metadata (if the CDN knows how to do so safely), otherwise MUST set
"incomprehensible" to True when redistributing.TrueTrueTrueCan serve and redistribute.TrueTrueFalseMUST NOT serve but can redistribute.TrueFalseTrueCan serve. Can redistribute after transforming the
metadata (if the CDN knows how to do so safely), otherwise MUST set
"incomprehensible" to True when redistributing.TrueFalseFalseMUST NOT serve. MUST set "incomprehensible" to True when
redistributing. describes the action to be taken by a
dCDN for the different combinations of "mandatory-to-enforce" (MtE)
and "incomprehensible" (Incomp) properties, when the dCDN either does
or does not understand the metadata in question:MtEIncompMetadata Understood by dCDNActionFalseFalseTrueCan serve.FalseTrueTrueCan serve but MUST NOT interpret/apply any metadata marked
incomprehensible.FalseFalseFalseCan serve.FalseTrueFalseCan serve but MUST NOT interpret/apply any metadata marked
incomprehensible.TrueFalseTrueCan serve.TrueTrueTrueMUST NOT serve.TrueFalseFalseMUST NOT serve.TrueTrueFalseMUST NOT serve.In the metadata object model, a HostMetadata object can contain
multiple PathMetadata objects (via PathMatch objects). Each
PathMetadata object can in turn contain other PathMetadata objects.
HostMetadata and PathMetadata objects form an inheritance tree where
each node in the tree inherits or overrides the property values set by
its parent.GenericMetadata objects of a given type override all
GenericMetadata objects of the same type previously defined by any
parent object in the tree. GenericMetadata objects of a given type
previously defined by a parent object in the tree are inherited when
no object of the same type is defined by the child object. For
example, if HostMetadata for the host "example.com" contains
GenericMetadata objects of type LocationACL and TimeWindowACL, while a
PathMetadata object which applies to "example.com/movies/*" defines an
alternate GenericMetadata object of type TimeWindowACL, then: the TimeWindowACL defined in the PathMetadata would override
the TimeWindowACL defined in the HostMetadata for all User Agent
requests for content under "example.com/movies/", andthe LocationACL defined in the HostMetadata would be inherited
for all User Agent requests for content under
"example.com/movies/".A single HostMetadata or PathMetadata object MUST NOT contain
multiple GenericMetadata objects of the same type. If a list of
GenericMetadata contains objects of duplicate types, the receiver MUST
ignore all but the first object of each type. provides the definitions of each
metadata object type introduced in . These
metadata objects are described as structural metadata objects as they
provide the structure for host and URI path-based inheritance and identify which
GenericMetadata objects apply to a given User Agent content
request. provides the definitions for a base
set of core metadata objects which can be contained within a
GenericMetadata object. These metadata objects govern how User Agent
requests for content are handled. GenericMetadata objects can contain
other GenericMetadata as properties; these can be referred to as
sub-objects). As with all CDNI metadata objects, the
value of the GenericMetadata sub-objects can be either a complete
serialized representation of the sub-object, or a Link object that
contains a URI that can be dereferenced to retrieve the complete
serialized representation of the property sub-object. discusses the ability to extend the
base set of GenericMetadata objects specified in this document with
additional standards-based or vendor specific GenericMetadata objects
that might be defined in the future in separate documents.dCDNs and tCDNs MUST support parsing of all CDNI metadata objects
specified in this document. A dCDN does not have to implement the
underlying functionality represented by non-structural GenericMetadata objects (though that
might restrict the content that a given dCDN will be able to
serve). uCDNs as
generators of CDNI metadata only need to support generating the CDNI
metadata that they need in order to express the policies
required by the content they are describing.CDNI metadata objects MUST be encoded as I-JSON objects containing a dictionary of (key,value) pairs where
the keys are the property names and the values are the associated
property values. See for more details of the
specific encoding rules for CDNI metadata objects.Note: In the following sections, the term "mandatory-to-specify" is
used to convey which properties MUST be included for a given structural
or GenericMetadata object. When mandatory-to-specify is specified as
"Yes" for an individual property, it means that if the
object containing that property is included in a metadata response, then
the mandatory-to-specify property MUST also be included (directly or by
reference) in the response, e.g., a HostMatch property object without a
host to match against does not make sense, therefore, the host property
is mandatory-to-specify inside a HostMatch object.Each of the sub-sections below describe the structural objects
introduced in .The HostIndex object is the entry point into the CDNI metadata
hierarchy. It contains a list of HostMatch objects. An incoming
content request is checked against the Hostname (or IP address)
specified by each of the listed HostMatch objects to find the
HostMatch object which applies to the request.Property: hostsDescription: List of HostMatch objects. Hosts (HostMatch
objects) MUST be evaluated in the order they appear and the
first HostMatch object that matches the content request
being processed MUST be used.Type: List of HostMatch objectsMandatory-to-Specify: Yes.Example HostIndex object containing two HostMatch objects, where
the first HostMatch object is embedded and the second HostMatch
object is referenced:The HostMatch object contains a Hostname or IP address to match
against content requests. The HostMatch object also contains a
HostMetadata object to apply if a match is found.Property: hostDescription: Hostname or IP address to match
against the requested host. In order for a Hostname or IP
address in a content request to match the Hostname or IP
address in the host property the value from the
content request when converted to
lowercase MUST be identical to the
value of the host property when converted to lowercase.Type: EndpointMandatory-to-Specify: Yes.Property: host-metadataDescription: CDNI metadata to apply when delivering
content that matches this host.Type: HostMetadataMandatory-to-Specify: Yes.Example HostMatch object with an embedded HostMetadata
object:Example HostMatch object referencing (via a Link object, see
) a HostMetadata object:A HostMetadata object contains the CDNI metadata properties for
content served for a particular host (defined in the HostMatch
object) and possibly child PathMatch objects.Property: metadataDescription: List of host related metadata.Type: List of GenericMetadata objectsMandatory-to-Specify: Yes.Property: pathsDescription: Path specific rules. Path patterns
(PathMatch objects) MUST be evaluated in the order they
appear and the first PathMatch object that matches the
content request being processed MUST be used.Type: List of PathMatch objectsMandatory-to-Specify: No.Example HostMetadata object containing a number of embedded
GenericMetadata objects that will describe the default metadata for
the host and an embedded PathMatch object that contains a
path for which metadata exists that overrides the default metadata
for the host:A PathMatch object contains PatternMatch
object with a path to match against a resource's URI path,
as well as a
PathMetadata object with GenericMetadata to apply if the
resource's URI path matches the
pattern within the PatternMatch object.Property: path-patternDescription: Pattern to match against the requested
resource's URI path, i.e., against the path-absolute.Type: PatternMatchMandatory-to-Specify: Yes.Property: path-metadataDescription: CDNI metadata to apply when delivering
content that matches the associated PatternMatch.Type: PathMetadataMandatory-to-Specify: Yes.Example PathMatch object referencing the PathMetadata object to
use for URIs that match the case-sensitive URI path pattern
"/movies/*" (contained within an embedded PatternMatch object):A PatternMatch object contains the pattern string and flags that
describe the pattern expression.Property: patternDescription: A pattern for string matching. The pattern
can contain the wildcards * and ?, where * matches any
sequence of characters (including the empty string) and ?
matches exactly one character. The three literals $, * and ?
should be escaped as $$, $* and $?. All other characters are
treated as literals.Type: StringMandatory-to-Specify: Yes.Property: case-sensitiveDescription: Flag indicating whether or not
case-sensitive matching should be used.Type: BooleanMandatory-to-Specify: No. Default is case-insensitive
match.Property: ignore-query-stringDescription: List of query parameters which should be
ignored when searching for a pattern match. Matching against
query parameters to ignore MUST be case-insensitive. If all
query parameters should be ignored then the list MUST be
empty.Type: List of StringMandatory-to-Specify: No. Default is to include query
strings when matching.Example PatternMatch object that matches the case-sensitive URI
path pattern "/movies/*". All query parameters will be ignored when
matching URIs requested from surrogates by content clients against
this path pattern:Example PatternMatch object that matches the case-sensitive URI
path pattern "/movies/*". The query parameter "sessionid" will be
ignored when matching URIs requested from surrogates by content
clients against this path pattern:A PathMetadata object contains the CDNI metadata properties for
content requests that match against the associated URI path (defined
in a PathMatch object).Note that if DNS-based redirection is employed, then a dCDN will
be unable to evaulate any metadata at the PathMetadata level or
below because only the hostname of the content request is available
at request routing time. dCDNs SHOULD still process all PathMetadata
for the host before responding to the redirection
request to detect if any unsupported metadata is specifed.
If any metadata not supported by the dCDN is marked as
"mandatory-to-enforce", the dCDN SHOULD NOT accept
the content redirection request, in order to avoid
receiving content requests that it will not be able to satisfy/serve.Property: metadataDescription: List of path related metadata.Type: List of GenericMetadata objectsMandatory-to-Specify: Yes.Property: pathsDescription: Path specific rules. First match
applies.Type: List of PathMatch objectsMandatory-to-Specify: No.Example PathMetadata object containing a number of embedded
GenericMetadata objects that describe the metadata to apply for the
URI path defined in the parent PathMatch object, as well as
a more specific PathMatch object.A GenericMetadata object is a wrapper for managing individual
CDNI metadata properties in an opaque manner.Property: generic-metadata-typeDescription: Case-insensitive CDNI metadata object
type.Type: String containing the CDNI Payload Type
of the object
contained in the generic-metadata-value property
(see ).Mandatory-to-Specify: Yes.Property: generic-metadata-valueDescription: CDNI metadata object.Type: Format/Type is defined by the value of
generic-metadata-type property above. Note:
generic-metadata-values MUST NOT name any properties
"href" (see ).Mandatory-to-Specify: Yes.Property: mandatory-to-enforceDescription: Flag identifying whether or not the
enforcement of the property metadata is required.Type: BooleanMandatory-to-Specify: No. Default is to treat metadata as
mandatory to enforce (i.e., a value of True).Property: safe-to-redistributeDescription: Flag identifying whether or not the property
metadata can be safely redistributed without
modification.Type: BooleanMandatory-to-Specify: No. Default is allow transparent
redistribution (i.e., a value of True).Property: incomprehensibleDescription: Flag identifying whether or not any CDN in
the chain of delegation has failed to understand and/or
failed to properly transform this metadata object. Note:
This flag only applies to metadata objects whose
safe-to-redistribute property has a value of False.Type: BooleanMandatory-to-Specify: No. Default is comprehensible
(i.e., a value of False).Example GenericMetadata object containing a metadata object that
applies to the applicable URI path and/or host (within a parent
PathMetadata and/or HostMetadata object, respectively):The objects defined below are intended to be used in the
GenericMetadata object generic-metadata-value field as defined in
and their generic-metadata-type
property MUST be set to the appropriate CDNI Payload Type as defined in .Source metadata provides the dCDN with information about content
acquisition, i.e., how to contact an uCDN Surrogate or an Origin
Server to obtain the content to be served. The sources are not
necessarily the actual Origin Servers operated by the CSP but might
be a set of Surrogates in the uCDN.Property: sourcesDescription: Sources from which the dCDN can acquire
content, listed in order of preference.Type: List of Source objects (see )Mandatory-to-Specify: No. Default is to use static
configuration, out-of-band from the metadata interface.Example SourceMetadata object (which contains two Source objects)
that describes which servers the dCDN should use for acquiring
content for the applicable URI path and/or host:A Source object describes the source to be used by the dCDN for
content acquisition (e.g., a Surrogate within the uCDN or an
alternate Origin Server), the protocol to be used, and any
authentication method to be used when contacting that source.Endpoints within a Source object MUST be treated as
equivalent/equal. A uCDN can specify a list of sources in
preference order within a SourceMetadata objecct, and then
for each preference ranked Source object, a uCDN can
specify a list of endpoints that are equivalent (e.g., a pool of
servers that are not behind a load balancer).Property: acquisition-authDescription: Authentication method to use when
requesting content from this source.Type: Auth (see )Mandatory-to-Specify: No. Default is no authentication
required.Property: endpointsDescription: Origins from which the dCDN can acquire
content. If multiple endpoints are specified they are all
equal, i.e., the list is not in preference order (e.g.,
a pool of servers behind a load balancer).Type: List of Endpoint objects (See )Mandatory-to-Specify: Yes.Property: protocolDescription: Network retrieval protocol to use when
requesting content from this source.Type: Protocol (see )Mandatory-to-Specify: Yes.Example Source object that describes a pair of endpoints
(servers) the dCDN can use for acquiring content for the
applicable host and/or URI path:LocationACL metadata defines which locations a User Agent needs
to be in, in order to be able to receive the associated content.A LocationACL which does not include a locations property results
in an action of allow all, meaning that delivery can be performed
regardless of the User Agent's location, otherwise a CDN
MUST take the action from the first
footprint to match against the User Agent's location.
If two or more footprints overlap, the first
footprint that matches against the User Agent's location determines
the action a CDN MUST take. If the locations property is included
but is empty, or if none of the listed footprints matches the User
Agent's location, then the result is an action of deny.Although the LocationACL, TimeWindowACL (see ), and ProtocolACL (see ) are independent GenericMetadata objects,
they can provide conflicting information to a dCDN, e.g., a content
request which is simultaneously allowed based on the LocationACL and
denied based on the TimeWindowACL. The dCDN MUST use the logical AND
of all ACLs (where 'allow' is true and 'deny' is false) to determine
whether or not a request should be allowed.Property: locationsDescription: Access control list which allows or denies
(blocks) delivery based on the User Agent's location.Type: List of LocationRule objects (see )Mandatory-to-Specify: No. Default is allow all
locations.Example LocationACL object that allows the dCDN to deliver
content to any location/IP address:Example LocationACL object (which contains a LocationRule object
which itself contains a Footprint object) that only allows the dCDN
to deliver content to User Agents in the USA:A LocationRule contains or references a list of Footprint
objects and the corresponding action.Property: footprintsDescription: List of footprints to which the rule
applies.Type: List of Footprint objects (see )Mandatory-to-Specify: Yes.Property: actionDescription: Defines whether the rule specifies
locations to allow or deny.Type: Enumeration [allow|deny] encoded as a lowercase
stringMandatory-to-Specify: No. Default is deny.Example LocationRule object (which contains a Footprint object)
that allows the dCDN to deliver content to clients in the USA:A Footprint object describes the footprint to which a
LocationRule can be applied to, e.g., an IPv4 address range or a
geographic location.Property: footprint-typeDescription: Registered footprint type (see
). The footprint
types specified by this document are: "ipv4cidr"
(IPv4CIDR, see ), "ipv6cidr"
(IPv6CIDR, see ), "asn"
(Autonomous System Number, see ) and
"countrycode" (Country Code, see ).Type: Lowercase StringMandatory-to-Specify: Yes.Property: footprint-valueDescription: List of footprint values conforming to the
specification associated with the registered footprint
type. Footprint values can be simple strings
(e.g., IPv4CIDR, IPv6CIDR, ASN, and CountryCode),
however, other Footprint objects can be defined in
the future, along with a more complex encoding
(e.g., GPS coordinate tuples).Type: List of footprintsMandatory-to-Specify: Yes.Example Footprint object describing a footprint covering the
USA:Example Footprint object describing a footprint covering the IP
address ranges 192.0.2.0/24 and 198.51.100.0/24:TimeWindowACL metadata defines time-based restrictions.A TimeWindowACL which does not include a times property results
in an action of allow all, meaning that delivery can be performed
regardless of the time of the User Agent's request,
otherwise a CDN MUST take the action from
the first window to match against the current time.
If two or more windows overlap, the first window that
matches against the current time determines the action a CDN MUST
take. If the times property is included but is empty, or if none of
the listed windows matches the current time, then the result is an
action of deny.Although the LocationACL (see ), TimeWindowACL, and ProtocolACL (see ) are
independent GenericMetadata objects, they can provide conflicting
information to a dCDN, e.g., a content request which is
simultaneously allowed based on the LocationACL and denied based on
the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs
(where 'allow' is true and 'deny' is false) to determine whether or
not a request should be allowed.Property: timesDescription: Access control list which allows or denies
(blocks) delivery based on the time of a User Agent's
request.Type: List of TimeWindowRule objects (see )Mandatory-to-Specify: No. Default is allow all time
windows.Example TimeWIndowACL object (which contains a TimeWindowRule
object which itself contains a TimeWIndow object) that only allows
the dCDN to deliver content to clients between 09:00 01/01/2000
UTC and 17:00 01/01/2000 UTC:A TimeWindowRule contains or references a list of TimeWindow
objects and the corresponding action.Property: windowsDescription: List of time windows to which the rule
applies.Type: List of TimeWindow objects (see )Mandatory-to-Specify: Yes.Property: actionDescription: Defines whether the rule specifies time
windows to allow or deny.Type: Enumeration [allow|deny] encoded as a lowercase
stringMandatory-to-Specify: No. Default is deny.Example TimeWIndowRule object (which contains a TimeWIndow
object) that only allows the dCDN to deliver content to clients
between 09:00 01/01/2000 UTC and 17:00 01/01/2000 UTC:A TimeWindow object describes a time range which can be applied
by an TimeWindowACL, e.g., start 946717200 (i.e., 09:00
01/01/2000 UTC), end: 946746000 (i.e., 17:00 01/01/2000
UTC).Property: startDescription: The start time of the window.Type: Time (see )Mandatory-to-Specify: Yes.Property: endDescription: The end time of the window.Type: Time (see )Mandatory-to-Specify: Yes.Example TimeWIndow object that describes a time window from
09:00 01/01/2000 UTC to 17:00 01/01/2000 UTC:ProtocolACL metadata defines delivery protocol restrictions.A ProtocolACL which does not include a protocol-acl property
results in an action of allow all, meaning that delivery can be
performed regardless of the protocol in the User Agent's request,
otherwise a CDN MUST take the action from the first protocol
to match against the request protocol.
If two or more request
protocols overlap, the first protocol that matches the request
protocol determines the action a CDN MUST take. If the protocol-acl
property is included but is empty, or if none of the listed protocol
matches the request protocol, then the result is an action of
deny.Although the LocationACL, TimeWindowACL, and ProtocolACL are
independent GenericMetadata objects, they can provide conflicting
information to a dCDN, e.g., a content request which is
simultaneously allowed based on the ProtocolACL and denied based on
the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs
(where 'allow' is true and 'deny' is false) to determine whether or
not a request should be allowed.Property: protocol-aclDescription: Description: Access control list which
allows or denies (blocks) delivery based on delivery
protocol.Type: List of ProtocolRule objects (see )Mandatory-to-Specify: No. Default is allow all
protocols.Example ProtocolACL object (which contains a ProtocolRule object)
that only allows the dCDN to deliver content using HTTP/1.1:A ProtocolRule contains or references a list of Protocol
objects and the corresponding action.Property: protocolsDescription: List of protocols to which the rule
applies.Type: List of Protocols (see )Mandatory-to-Specify: Yes.Property: actionDescription: Defines whether the rule specifies
protocols to allow or deny.Type: Enumeration [allow|deny] encoded as a lowercase
stringMandatory-to-Specify: No. Default is deny.Example ProtocolRule object (which contains a ProtocolRule
object) that allows the dCDN to deliver content using HTTP/1.1:Delivery Authorization defines authorization methods for the
delivery of content to User Agents.Property: delivery-auth-methodsDescription: Options for authorizing content requests.
Delivery for a content request is authorized if any of the
authorization methods in the list is satisfied for that
request.Type: List of Auth objects (see )Mandatory-to-Specify: No. Default is no authorization
required.Example DeliveryAuthorization object (which contains an Auth object):A Cache object describes the cache control parameters to be
applied to the content by intermediate caches.Property: ignore-query-stringDescription: Allows a Surrogate to ignore URI query
string parameters when comparing the requested URI against
the URIs in its cache for equivalence. Matching
query parameters to ignore MUST be case-insensitive. Each
query parameter to ignore is specified in the list. If all
query parameters should be ignored, then the list MUST be
specified and MUST be empty.Type: List of StringMandatory-to-Specify: No. Default is to consider query
string parameters when comparing URIs.Example Cache object that instructs the dCDN to ignore all query
parameters:Example Cache object that instructs the dCDN to ignore the
(case-insensitive) query parameters named "sessionid" and
"random":An Auth object defines authentication and authorization methods
to be used during content acquisition and content delivery,
respectively.Property: auth-typeDescription: Registered Auth type ().Type: StringMandatory-to-Specify: Yes.Property: auth-valueDescription: An object conforming to the specification
associated with the Registered Auth type.Type: GenericMetadata ObjectMandatory-to-Specify: Yes.Example Auth object:A Grouping object identifies a group of content to which a
given asset belongs.Property: ccidDescription: Content Collection identifier for an
application-specific purpose such as logging aggregation.Type: StringMandatory-to-Specify: No. Default is an empty string.Example Grouping object that specifies a Content Collection
Identifier for the content associated with
the Grouping object's parent HostMetdata and PathMetadata:This section describes the simple data types that are used for
properties of CDNI metadata objects.A Link object can be used in place of any of the objects or
properties described above. Link objects can be used to avoid
duplication if the same metadata information is repeated within the
metadata tree. When a Link object replaces another object, its href
property is set to the URI of the resource and its type property is
set to the CDNI Payload Type of the object it is replacing.dCDNs can detect the presence of a Link object
by detecting the presence of a property named "href"
within the object. This means that GenericMetadata types MUST NOT
contain a property named "href" because doing so would conflict with
the ability for dCDNs to detect Link objects being used to reference
a GenericMetadata object.Property: hrefDescription: The URI of the addressable object being
referenced.Type: StringMandatory-to-Specify: Yes.Property: typeDescription: The type of the object being referenced.Type: StringMandatory-to-Specify: No. If the container
specifies the type (e.g., the HostIndex object contains a list
of HostMatch objects, so a Link object in the list of
HostMatch objects must reference a HostMatch), then
it is not necessary to explicitly specify a type.Example Link object referencing a HostMatch object:Example Link object referencing a HostMatch object,
without an explicit type, inside a HostIndex object:Protocol objects are used to specify registered protocols for
content acquisition or delivery (see ).Type: StringExample:A Hostname (with optional port) or an IP address (with optional
port).Note: All implementations MUST support IPv4 addresses encoded as
specified by the 'IPv4address' rule in Section 3.2.2 of . IPv6 addresses MUST be encoded in one of the
IPv6 address formats specified in although
receivers MUST support all IPv6 address formats specified in .Type: StringExample Hostname:Example IPv4 address:Example IPv6 address (with port number):A time value expressed in seconds since the Unix epoch in the UTC
timezone.Type: IntegerExample Time representing 09:00 01/01/2000 UTC:An IPv4address CIDR block encoded as specified by the
'IPv4address' rule in Section 3.2.2 of
followed by a / followed by an unsigned integer representing the
leading bits of the routing prefix (i.e., IPv4 CIDR notation). Single
IP addresses can be expressed as /32.Type: StringExample IPv4 CIDR:An IPv6address CIDR block encoded in one of the IPv6 address
formats specified in followed by a /
followed by an unsigned integer representing the leading bits of the
routing prefix (i.e., IPv6 CIDR notation). Single IP addresses can be
expressed as /128.Type: StringExample IPv6 CIDR:An Autonomous System Number encoded as a string consisting of the
characters "as" (in lowercase) followed by the Autonomous System
number.Type: StringExample ASN:An ISO 3166-1 alpha-2 code in
lowercase.Type: StringExample Country Code representing the USA:CDNI metadata is used to convey information pertaining to content
delivery from uCDN to dCDN. For optional metadata, it can be useful for
the uCDN to know if the dCDN supports the underlying functionality
described by the metadata, prior to delegating any content requests to
the dCDN. If some metadata is "mandatory-to-enforce", and the dCDN does
not support it, any delegated requests for content that requires that
metadata will fail. The uCDN will likely want to avoid delegating those
requests to that dCDN. Likewise, for any metadata which might be assigned
optional values, it could be useful for the uCDN to know which values a
dCDN supports, prior to delegating any content requests to that dCDN. If
the optional value assigned to a given piece of content's metadata is
not supported by the dCDN, any delegated requests for that content can
fail, so again the uCDN is likely to want to avoid delegating those
requests to that dCDN.The CDNI Footprint and Capabilities Interface (FCI)
provides a means of advertising capabilities from
dCDN to uCDN .
Support for optional metadata types and values
can be advertised using the FCI.This section specifies an interface to enable a dCDN to retrieve CDNI
metadata objects from a uCDN.The interface can be used by a dCDN to retrieve CDNI metadata objects
either:Dynamically as required by the dCDN to process received requests.
For example in response to a query from an uCDN over the CDNI
Request Routing Redirection interface (RI) or in response to receiving a
request for content from a User Agent. Or;In advance of being required. For example in the case of
pre-positioned CDNI metadata acquisition, initiated through
the "CDNI Control interface / Triggers" (CI/T) interface
.The CDNI metadata interface is built on the principles of HTTP web
services. In particular, this means that requests and responses over the
interface are built around the transfer of representations of
hyperlinked resources. A resource in the context of the CDNI metadata
interface is any object in the object model (as described in and ).To retrieve CDNI metadata, a CDNI metadata client (i.e., a client in
the dCDN) first makes a HTTP GET request for the URI of the HostIndex
which provides the CDNI metadata client with a list of Hostnames for
which the uCDN can delegate content delivery to the dCDN. The CDNI
metadata client can then obtain any other CDNI metadata objects by
making a HTTP GET requests for any linked metadata objects it
requires.CDNI metadata servers (i.e., servers in the uCDN) are free to assign
whatever structure they desire to the URIs for CDNI metadata objects and
CDNI metadata clients MUST NOT make any assumptions regarding the
structure of CDNI metadata URIs or the mapping between CDNI metadata
objects and their associated URIs. Therefore any URIs present in the
examples in this document are purely illustrative and are not intended
to impose a definitive structure on CDNI metadata interface
implementations.The CDNI metadata interface uses HTTP as the underlying protocol
transport.The HTTP Method in the request defines the operation the request
would like to perform. A server implementation of the CDNI metadata
interface MUST support the HTTP GET and HEAD methods.The corresponding HTTP Response returns the status of the operation
in the HTTP Status Code and returns the current representation of the
resource (if appropriate) in the Response Body. HTTP Responses that contain a
response body SHOULD include an ETag to enable validation of cached
versions of returned resources.The CDNI metadata interface specified in this document is a
read-only interface. Therefore support for other HTTP methods such as
PUT, POST, DELETE, etc. is not specified. A server implementation of
the CDNI metadata interface SHOULD reject all methods other than GET
and HEAD.As the CDNI metadata interface builds on top of HTTP, CDNI metadata
server implementations MAY make use of any HTTP feature when
implementing the CDNI metadata interface, for example, a CDNI metadata
server MAY make use of HTTP's caching mechanisms to indicate that the
returned response/representation can be reused without re-contacting
the CDNI metadata server.In the general case, a CDNI metadata server makes CDNI metadata
objects available via a unique URIs and thus, in order to retrieve
CDNI metadata, a CDNI metadata client first makes a HTTP GET request
for the URI of the HostIndex which provides
a list of Hostnames for which the uCDN can delegate content
delivery to the dCDN.In order to retrieve the CDNI metadata for a particular request the
CDNI metadata client processes the received HostIndex object and finds
the corresponding HostMetadata entry (by matching the hostname in the
request against the hostnames listed in the HostMatch objects). If the
HostMetadata is linked (rather than embedded), the CDNI metadata
client then makes a GET request for the URI specified in the href
property of the Link object which points to the HostMetadata object
itself.In order to retrieve the most specific metadata for a particular
request, the CDNI metadata client inspects the HostMetadata for
references to more specific PathMetadata objects (by matching the URI
path in the request against the path-patterns in any PathMatch
objects listed in the HostMetadata object). If
any PathMetadata are found to match (and are linked rather than
embedded), the CDNI metadata client makes another GET request for the
PathMetadata. Each PathMetadata object can also include references to
yet more specific metadata. If this is the case, the CDNI metadata
client continues requesting PathMatch and PathMetadata objects
recursively. The CDNI metadata client repeats this approach of
processing metadata objects and retrieving (via HTTP GETs) any linked
objects until it has all the metadata objects it requires in order to
process the redirection request from an uCDN or the content request from a
User Agent.In cases where a dCDN is not able to retrieve the entire set of
CDNI metadata associated with a User Agent request, for example
because the uCDN is unreachable or returns a HTTP 4xx or 5xx status
in response to some or all of the dCDN's CDNI metadata requests, the
dCDN MUST NOT serve the requested content unless the dCDN has stale
versions of all the required metadata and the stale-if-error
Cache-Control extension was included in all
previous responses that are required but cannot currently be
retrieved. The dCDN can continue to serve other content for which it
can retrieve (or for which it has fresh responses cached) all the
required metadata even if some non-applicable part of the metadata
tree is missing.Where a dCDN is interconnected with multiple uCDNs, the dCDN needs
to determine which uCDN's CDNI metadata should be used to handle a
particular User Agent request.When application level redirection (e.g., HTTP 302 redirects) is
being used between CDNs, it is expected that the dCDN will be able to
determine the uCDN that redirected a particular request from
information contained in the received request (e.g., via the URI).
With knowledge of which uCDN routed the request, the dCDN can choose
the correct uCDN from which to obtain the HostIndex. Note that the
HostIndexes served by each uCDN can be unique.In the case of DNS redirection there is not always sufficient
information carried in the DNS request from User Agents to determine
the uCDN that redirected a particular request (e.g., when content from
a given host is redirected to a given dCDN by more than one uCDN) and
therefore dCDNs will have to apply local policy when deciding which
uCDN's metadata to apply.The URI for the HostIndex object of a given uCDN needs to be either
configured in, or discovered by, the dCDN. All other objects/resources
are then discoverable from the HostIndex object by following any links
in the HostIndex object and through the referenced HostMetadata and
PathMetadata objects and their GenericMetadata sub-objects.If the URI for the HostIndex object is not manually configured in
the dCDN then the HostIndex URI could be discovered. A mechanism
allowing the dCDN to discover the URI of the HostIndex is outside the
scope of this document.CDNI metadata objects MUST be encoded as I-JSON objects containing a dictionary of (key,value) pairs where
the keys are the property names and the values are the associated
property values.The keys of the dictionary are the names of the properties
associated with the object and are therefore dependent on the specific
object being encoded (i.e., dependent on the CDNI Payload Type of the
returned resource). Likewise, the values associated with each property
(dictionary key) are dependent on the specific object being encoded
(i.e., dependent on the CDNI Payload Type of the returned resource).Dictionary keys (properties) in I-JSON are case sensitive. By
convention, any dictionary key (property) defined by this document (for
example, the names of CDNI metadata object properties) MUST be
lowercase.The set of GenericMetadata objects can be extended with additional
(standards based or vendor specific) metadata objects through the
specification of new GenericMetadata objects. The GenericMetadata
object defined in specifies a type
field and a type-specific value field that allows any metadata to be
included in either the HostMetadata or PathMetadata lists.As with the initial GenericMetadata types defined in , future GenericMetadata types MUST specify
the information necessary for constructing and decoding the
GenericMetadata object.Any document which defines a new GenericMetadata type MUST:Specify and register the CDNI Payload Type
used to identify the new GenericMetadata
type being specified.Define the set of properties associated with the new
GenericMetadata object. GenericMetadata
MUST NOT contain a property named "href" because doing so would
conflict with the ability to detect Link objects
(see ).Define a name, description, type, and
whether or not the property is mandatory-to-specify.Describe the semantics of the new type including its purpose
and example of a use case to which it applies including an example
encoded in I-JSON.Note: In the case of vendor specific extensions,
vendor-identifying CDNI Payload Type names will decrease the
possibility of GenericMetadata type collisions.At any given time, the set of GenericMetadata types supported by
the uCDN might not match the set of GenericMetadata types supported by
the dCDN.In cases where a uCDN sends metadata containing a
GenericMetadata type that a dCDN does not support, the dCDN MUST
enforce the semantics of the "mandatory-to-enforce" property. If
a dCDN does not understand or is unable to perform the functions
associated with any "mandatory-to-enforce" metadata, the dCDN
MUST NOT service any requests for the corresponding content.Note: Ideally, uCDNs would not delegate content requests to a dCDN
that does not support the "mandatory-to-enforce" metadata associated
with the content being requested. However, even if the uCDN has a
priori knowledge of the metadata supported by the dCDN (e.g., via the
FCI or through out-of-band negotiation between
CDN operators), metadata support can fluctuate or be inconsistent
(e.g., due to mis-communication, mis-configuration, or temporary
outage). Thus, the dCDN MUST always evaluate all metadata associated
with redirection and content requests and reject any requests
where "mandatory-to-enforce" metadata associated with the content
cannot be enforced.It is possible that new metadata definitions will obsolete or
conflict with existing GenericMetadata (e.g., a future revision of the
CDNI metadata interface could redefine the Auth GenericMetadata object
or a custom vendor extension could implement an alternate Auth metadata
option). If multiple metadata (e.g., MI.Auth.v2, vendor1.Auth, and
vendor2.Auth) all conflict with an existing GenericMetadata object
(i.e., MI.Auth) and all are marked as "mandatory-to-enforce", it could
be ambiguous which metadata should be applied, especially if the
functionality of the metadata overlap.As described in , metadata
override only applies to metadata objects of the same exact type
found in HostMetadata and nested PathMetadata structures. The CDNI
metadata interface does not support enforcement of dependencies
between different metadata types. It is the responsibility of the CSP
and the CDN operators to ensure that metadata assigned to a given
piece of content do not conflict.Note: Because metadata is inherently ordered in
HostMetadata and PathMetadata
lists, as well as in the PathMatch hierarchy,
multiple conflicting metadata types MAY be used, however, metadata
hierarchies SHOULD ensure that independent PathMatch root objects are
used to prevent ambiguous or conflicting metadata definitions.The version of CDNI metadata objects is conveyed inside the
CDNI Payload Type that is included in the HTTP Content-Type
header, for example: "Content-Type: application/cdni;
ptype=MI.HostIndex". We intentionally omit the ".v1" on the
initial versions of metadata, for simplicity. Subsequent
versions of those metadata MUST postpend a version string
(e.g., ".v2"). Upon responding
to a request for an object, a CDNI metadata server MUST include a
Content-Type header with the CDNI Payload Type containing the
version number (or implicitly, version 1)
of the object. HTTP requests sent to a metadata server SHOULD include
an Accept header with the CDNI Payload Type (which includes the version) of
the expected object. Metadata clients can specify multiple CDNI Payload Types
in the Accept header, for example if a metadata client is capable of
processing two different versions of the same type of object (defined
by different CDNI Payload Types) it might decide to include both in the Accept
header.All CDNI metadata objects use the Media Type
"application/cdni". The CDNI Payload Type for each object then contains the
object name of that object as defined by this document,
prefixed with "MI.". lists the CDNI
Paylod Type for the metadata objects (resources) specified in this
document.Data ObjectCDNI Payload TypeHostIndexMI.HostIndexHostMatchMI.HostMatchHostMetadataMI.HostMetadataPathMatchMI.PathMatchPatternMatchMI.PatternMatchPathMetadataMI.PathMetadataSourceMetadataMI.SourceMetadataSourceMI.SourceLocationACLMI.LocationACLLocationRuleMI.LocationRuleFootprintMI.FootprintTimeWindowACLMI.TimeWindowACLTimeWindowRuleMI.TimeWindowRuleTimeWindowMI.TineWindowProtocolACLMI.ProtocolACLProtocolRuleMI.ProtocolRuleDeliveryAuthorizationMI.DeliveryAuthorizationCacheMI.CacheAuthMI.AuthGroupingMI.GroupingA dCDN requests the HostIndex and receive the following object
with a CDNI payload type of "MI.HostIndex":If the incoming request has a Host header with "video.example.com"
then the dCDN would fetch the HostMetadata object from
"http://metadata.ucdn.example/host1234" expecting a CDNI payload type of
"MI.HostMetadata":Suppose the path of the requested resource matches the
"/video/movies/*" pattern, the next metadata requested would be for
"http://metadata.ucdn.example/host1234/pathDCE" with an
expected CDNI payload type
of "MI.PathMetadata":Finally, if the path of the requested resource also matches the
"/videos/movies/hd/*" pattern, the dCDN would also fetch the following
object from "http://metadata.ucdn.example/host1234/pathDEF/path123" with
CDNI payload type "MI.PathMetadata":The final set of metadata which applies to the requested
resource includes a SourceMetadata, a LocationACL, a ProtocolACL,
and a TimeWindowACL.This document requests the registration of the following CDNI
Payload Types under the IANA CDNI Payload Type registry:Payload TypeSpecificationMI.HostIndexRFCthisMI.HostMatchRFCthisMI.HostMetadataRFCthisMI.PathMatchRFCthisMI.PatternMatchRFCthisMI.PathMetadataRFCthisMI.SourceMetadataRFCthisMI.SourceRFCthisMI.LocationACLRFCthisMI.LocationRuleRFCthisMI.FootprintRFCthisMI.TimeWindowACLRFCthisMI.TimeWindowRuleRFCthisMI.TimeWindowRFCthisMI.ProtocolACLRFCthisMI.ProtocolRuleRFCthisMI.DeliveryAuthorizationRFCthisMI.CacheRFCthisMI.AuthRFCthisMI.GroupingRFCthis[RFC Editor: Please replace RFCthis with the published RFC
number for this document.]Purpose: The purpose of this payload type is to
distinguish HostIndex MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish HostMatch MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish HostMetadata MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish PathMatch MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish PatternMatch MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish PathMetadata MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish SourceMetadata MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish Source MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish LocationACL MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish LocationRule MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish Footprint MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish TimeWindowACL MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish TimeWindowRule MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish TimeWindow MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish ProtocolACL MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish ProtocolRule MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish DeliveryAuthorization MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish Cache MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish Auth MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see Purpose: The purpose of this payload type is to
distinguish Grouping MI objects (and any associated capabilitiy
advertisement)Interface: MI/FCIEncoding: see The IANA is requested to create a new "CDNI Metadata Footprint
Types" subregistry in the "Content Delivery Networks
Interconnection (CDNI) Parameters" registry. The "CDNI
Metadata Footprint Types" namespace defines the valid
Footprint object type values used by the Footprint object in
. Additions to the Footprint type namespace
conform to the "Specification Required" policy as defined in . The designated expert will verify that new type
definitions do not duplicate existing type definitions and prevent
gratuitous additions to the namespace. New registrations are
required to provide a clear description of how to interpret
new footprint types.The following table defines the initial Footprint Registry
values:Footprint TypeDescriptionSpecificationipv4cidrIPv4 CIDR address blockRFCthisipv6cidrIPv6 CIDR address blockRFCthisasnAutonomous System (AS) NumberRFCthiscountrycodeISO 3166-1 alpha-2 codeRFCthis[RFC Editor: Please replace RFCthis with the published RFC
number for this document.]The IANA is requested to create a new "CDNI Metadata Protocol
Types" subregistry in the "Content Delivery Networks
Interconnection (CDNI) Parameters" registry. The "CDNI
Metadata Protocol Types" namespace defines the valid Protocol
object values in , used by the
SourceMetadata and ProtocolACL objects. Additions to the Protocol
namespace conform to the "Specification Required" policy as
defined in , where the specification
defines the Protocol Type and the protocol to which it is
associated. The designated expert will
verify that new protocol definitions do not duplicate
existing protocol definitions and prevent gratuitous additions
to the namespace.The following table defines the initial Protocol values
corresponding to the HTTP and HTTPS protocols:Protocol TypeDescriptionType SpecificationProtocol Specificationhttp/1.1Hypertext Transfer Protocol -- HTTP/1.1RFCthisRFC7230https/1.1HTTP/1.1 Over TLSRFCthisRFC2818[RFC Editor: Please replace RFCthis with the published RFC
number for this document.]The IANA is requested to create a new "CDNI Metadata Auth Types"
subregistry in the "Content Delivery Networks Interconnection
(CDNI) Parameters" registry. The "CDNI Metadata Auth Type"
namespace defines the valid Auth object types used by the Auth
object in . Additions to the Auth Type
namespace conform to the "Specification Required" policy as
defined in . The designated expert
will verify that new type definitions do not duplicate existing type
definitions and prevent gratuitous additions to the
namespace. New registrations are
required to provide a clear description of what information
the uCDN is required to provide to the dCDN, as well as the
procedures the dCDN is required to perform to authorize and/or
authenticate content requests.The registry will initially be unpopulated:Auth TypeDescriptionSpecificationUnauthorized access to metadata could result in denial of service.
A malicious metadata server, proxy server, or an attacker performing a
"man in the middle" attack could provide malicious metadata to a dCDN
that either:Denies service for one or more pieces of content to one or more
User Agents; orDirects dCDNs to contact malicious origin servers instead of
the actual origin servers.Unauthorized access to metadata could also enable a malicious
metadata client to continuously issue metadata requests in order
to overload a uCDN's metadata server(s).Unauthorized access to metadata could result in leakage of private
information. A malicious metadata client could request metadata in
order to gain access to origin servers, as well as information
pertaining to content restrictions.An implementation of the CDNI metadata interface SHOULD use mutual
authentication to prevent unauthorized access to metadata.Unauthorized viewing of metadata could result in leakage of private
information. A third party could intercept metadata transactions in
order to gain access to origin servers, as well as information
pertaining to content restrictions.An implementation of the CDNI metadata interface SHOULD use strong
encryption to prevent unauthorized interception of metadata.Unauthorized modification of metadata could result in denial of
service. A malicious metadata server, proxy server, or an attacker
performing a "man in the middle" attack could modify metadata
destined to a dCDN in order to deny service for one or more pieces of
content to one or more user agents. A malicious metadata server, proxy
server, or an attacker performing a "Man in the middle" attack could
also modify metadata so that dCDNs are directed to contact to malicious
origin servers instead of the actual origin servers.An implementation of the CDNI metadata interface SHOULD use strong
encryption and mutual authentication to prevent unauthorized
modification of metadata.Content provider origin and policy information is conveyed through
the CDNI metadata interface. The distribution of this information to
another CDN could introduce potential privacy concerns for some content
providers, for example, dCDNs accepting content requests for a
content provider's content might be able to obtain additional
information and usage patterns relating to the users of a content
provider's services. Content providers with such concerns can instruct
their CDN partners not to use CDN interconnects when delivering that
content provider's content.An attacker performing a "man in the middle" attack could
monitor metadata in order to obtain
usage patterns relating to the users of a content
provider's services.An implementation of the CDNI metadata interface SHOULD use strong
encryption and mutual authentication to prevent unauthorized
monitoring of metadata.An implementation of the CDNI metadata interface MUST support TLS
transport as per and . The use of TLS for transport of the CDNI metadata
interface messages allows:The dCDN and uCDN to authenticate each other.and, once they have mutually authenticated each other, it
allows:The dCDN and uCDN to authorize each other (to ensure they are
transmitting/receiving CDNI metadata requests and responses from
an authorized CDN);CDNI metadata interface requests and responses to be
transmitted with confidentiality; andThe integrity of the CDNI metadata interface requests and
responses to be protected during the exchange.In an environment where any such protection is required, TLS MUST
be used (including authentication of the remote end) by the
server-side (uCDN) and the client-side (dCDN) of the CDNI metadata
interface unless alternate methods are used for ensuring the
confidentiality of the information in the CDNI metadata interface
requests and responses (such as setting up an IPsec tunnel between the
two CDNs or using a physically secured internal network between two
CDNs that are owned by the same corporate entity).When TLS is used, the general TLS usage guidance in MUST be followed.The authors would like to thank David Ferguson, Francois Le Faucheur,
Jan Seedorf and Matt Miller for their valuable comments and input to
this document.[RFC Editor Note: Please move the contents of this section to the
Authors' Addresses section prior to publication as an RFC.]https://www.iso.org/obp/ui/#search