ALTO M. Stiemerling Internet-Draft NEC Europe Ltd. Intended status: Informational S. Kiesel Expires: September 15, 2011 University of Stuttgart March 14, 2011 ALTO Deployment Considerations draft-ietf-alto-deployments-01 Abstract Many Internet applications are used to access resources, such as pieces of information or server processes, which are available in several equivalent replicas on different hosts. This includes, but is not limited to, peer-to-peer file sharing applications. The goal of Application-Layer Traffic Optimization (ALTO) is to provide guidance to these applications, which have to select one or several hosts from a set of candidates, that are able to provide a desired resource. The protocol is under specification in the ALTO working group. This memo discusses deployment related issues of ALTO for peer-to-peer and CDNs, some preliminary security considerations, and also initial guidance for application designers using ALTO. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 15, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Stiemerling & Kiesel Expires September 15, 2011 [Page 1] Internet-Draft Deployment Considerations March 2011 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Stiemerling & Kiesel Expires September 15, 2011 [Page 2] Internet-Draft Deployment Considerations March 2011 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. General Considerations . . . . . . . . . . . . . . . . . . . . 5 2.1. General Placement of ALTO . . . . . . . . . . . . . . . . 5 2.2. Relationship between ALTO and Applications . . . . . . . . 7 2.3. Provided Guidance . . . . . . . . . . . . . . . . . . . . 7 2.3.1. Keeping Traffic Local in Network . . . . . . . . . . . 8 2.3.2. Off-Loading Traffic from Network . . . . . . . . . . . 8 2.3.3. Intra-Network Localization/Bottleneck Off-Loading . . 9 2.4. Provisiong ALTO Maps . . . . . . . . . . . . . . . . . . . 11 3. Using ALTO for P2P . . . . . . . . . . . . . . . . . . . . . . 12 3.1. Using ALTO for Tracker-based Peer-to-Peer Applications . . 14 3.2. Expectations of ALTO . . . . . . . . . . . . . . . . . . . 16 4. Using ALTO for CDNs . . . . . . . . . . . . . . . . . . . . . 17 5. Advanced Features . . . . . . . . . . . . . . . . . . . . . . 18 5.1. Cascading ALTO Servers . . . . . . . . . . . . . . . . . . 18 5.2. ALTO for IPv4 and IPv6 . . . . . . . . . . . . . . . . . . 19 5.3. Monitoring ALTO . . . . . . . . . . . . . . . . . . . . . 19 6. Known Limitations of ALTO . . . . . . . . . . . . . . . . . . 20 6.1. Limitations of Map-based Approaches . . . . . . . . . . . 20 6.2. Limitiations of Non-Map-based Approaches . . . . . . . . . 21 6.3. General Challenges . . . . . . . . . . . . . . . . . . . . 21 7. Extensions to the ALTO Protocol . . . . . . . . . . . . . . . 23 7.1. Host Group Descriptors . . . . . . . . . . . . . . . . . . 23 7.2. Rating Criteria . . . . . . . . . . . . . . . . . . . . . 23 7.2.1. Distance-related Rating Criteria . . . . . . . . . . . 23 7.2.2. Charging-related Rating Criteria . . . . . . . . . . . 24 7.2.3. Performance-related Rating Criteria . . . . . . . . . 24 7.2.4. Inappropriate Rating Criteria . . . . . . . . . . . . 25 8. API between ALTO Client and Application . . . . . . . . . . . 26 9. Security Considerations . . . . . . . . . . . . . . . . . . . 27 9.1. Information Leakage from the ALTO Server . . . . . . . . . 27 9.2. ALTO Server Access . . . . . . . . . . . . . . . . . . . . 27 9.3. Faking ALTO Guidance . . . . . . . . . . . . . . . . . . . 28 10. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 29 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30 11.1. Normative References . . . . . . . . . . . . . . . . . . . 30 11.2. Informative References . . . . . . . . . . . . . . . . . . 30 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 32 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33 Stiemerling & Kiesel Expires September 15, 2011 [Page 3] Internet-Draft Deployment Considerations March 2011 1. Introduction Many Internet applications are used to access resources, such as pieces of information or server processes, which are available in several equivalent replicas on different hosts. This includes, but is not limited to, peer-to-peer file sharing applications and Content Delivery Networks (CDNs). The goal of Application-Layer Traffic Optimization (ALTO) is to provide guidance to applications, which have to select one or several hosts from a set of candidates, that are able to provide a desired resource. The basic ideas of ALTO are described in the problem space of ALTO is described in [RFC5693] and the set of requirements is discussed in [I-D.ietf-alto-reqs]. However, there are no considerations about what operational issues are to be expected once ALTO will be deployed. This includes, but is not limited to, location of the ALTO server, imposed load to the ALTO server, or from whom the queries are performed. Comments and discussions about this memo should be directed to the ALTO working group: alto@ietf.org. Stiemerling & Kiesel Expires September 15, 2011 [Page 4] Internet-Draft Deployment Considerations March 2011 2. General Considerations The ALTO protocol is a client/server protocol, operating between a number of ALTO clients and an ALTO server, as sketched in Figure 1. The ALTO working groups defines the ALTO protocol [I-D.ietf-alto-protocol]. +----------+ | ALTO | | Server | +----------+ ^ _.-----|------. ,-'' | `--. ,' | `. ( Network | ) `. | ,' `--. | _.-' `------|-----'' v +----------+ +----------+ +----------+ | ALTO | | ALTO |...| ALTO | | Client | | Client | | Client | +----------+ +----------+ +----------+ Figure 1: Network Overview of ALTO Protocol 2.1. General Placement of ALTO The ALTO server and ALTO clients can be situated at various entities in a network deployment. The first differentiation is whether the ALTO client is located on the actual host that runs the application, as shown in Figure 2, (e.g., peer-to-peer filesharing application) or if the ALTO client is located on resource directory, as shown in Figure 3 (e.g., a tracker in peer-to-peer filesharing). Stiemerling & Kiesel Expires September 15, 2011 [Page 5] Internet-Draft Deployment Considerations March 2011 +-----+ =====| |** ==== +-----+ * ==== * * ==== * * +-----+ +------+===== +-----+ * | |.....| |======================| | * +-----+ +------+===== +-----+ * Source of ALTO ==== * * topological service ==== * * information ==== +-----+ * =====| |** +-----+ Legend: === ALTO client protocol *** Application protocol ... Provisioning protocol Figure 2: Overview of protocol interaction between ALTO elements,scenario without tracker Figure 2 shows the operational model for applications that do not use a tracker, such as, edonky, or in if the tracker should be the querying party. This use case also holds true for CDNs. The ALTO server can also be queried by CDNs to get a guidance about where the a particular client accessing data in the CDN is exactly located in the ISP's network. Stiemerling & Kiesel Expires September 15, 2011 [Page 6] Internet-Draft Deployment Considerations March 2011 +-----+ **| |** ** +-----+ * ** * * ** * * +-----+ +------+ +-----+** +-----+ * | |.....| |=====| |**********| | * +-----+ +------+ +-----+** +-----+ * Source of ALTO Resource ** * * topological service directory ** * * information ("tracker") ** +-----+ * **| |** +-----+ Peers Legend: === ALTO client protocol *** Application protocol ... Provisioning protocol Figure 3: Overview of protocol interaction between ALTO elements, scenario with tracker However, Figure 3 does not denote where the ALTO elements are actually located, i.e., if the tracker and the ALTO server are in the same ISP's domain, or if the tracker and the ALTO server are managed/ owned/located in different domains. The latter is the typical use case, e.g., taking Pirate Bay as example that serves Bittorrent peers world-wide. 2.2. Relationship between ALTO and Applications ALTO is intended to be used by a wide-range of applications. However, any application using ALTO must also work if no ALTO servers can be found or if no responses to ALTO queries are received, e.g., due to connectivity problems or overload situation (see also [I-D.ietf-alto-reqs]). (Editor's note: better text needed here!) 2.3. Provided Guidance ALTO gives guidance to applications on what IP addresses or IP prefixes, and such which hosts are to be preferred according to the operator of the ALTO server. The general assumption of the ALTO WG is that a network operator would always express to prefer hosts in its own network while hosts located outside its own network are to be avoided (are undesired to be considered by the applications). This might be applicable in some cases but may not be applicable in the general case. The ALTO protocol gives only the means to let the ALTO server operator to express is preference, whatever this preference Stiemerling & Kiesel Expires September 15, 2011 [Page 7] Internet-Draft Deployment Considerations March 2011 is. This section explores this space. 2.3.1. Keeping Traffic Local in Network ALTO guidance can be used to let applications prefer other peers within the same network operator's network instead of randomly connecting to other peers which are located in another operator's network. Figure 4 shows such a scenario where peers prefer peers in the same network (e.g., Peer 1 and Peer 2 in ISP1 and Peer 3 and Peer 4 in ISP2). ,-------. +-----------+ ,---. ,-' `-. | Peer 1 | ,-' `-. / ISP 1 ########|ALTO Client| / \ / # \ +-----------+ / ISP X \ | # | +-----------+ / \ \ ########| Peer 2 | ; +----------------------------|ALTO Client| | | | `-. ,-' +-----------+ | | | `-------' | | | ,-------. +-----------+ : | ; ,-' `########| Peer 3 | \ | / / ISP 2 # \ |ALTO Client| \ | / / # \ +-----------+ \ +---------+ # | +-----------+ `-. ,-' \ | ########| Peer 4 | `---' \ +------------------|ALTO Client| `-. ,-' +-----------+ `-------' Legend: ### preferred "connections" --- non-preferred "connections" Figure 4: ALTO Traffic Network Localization TBD: Describes limits of this approach (e.g., traffic localization guidance is of less use if the peers cannot upload); describe how maps would look like. 2.3.2. Off-Loading Traffic from Network Another scenario where the use of ALTO can be beneficial is in mobile broadband networks, e.g., CDMA200 or UMTS, but where the network operator may have the desire to guide peers in its own network to use peers in remote networks. One reason can be that the wireless network is not made for the load cause by, e.g., peer-to-peer Stiemerling & Kiesel Expires September 15, 2011 [Page 8] Internet-Draft Deployment Considerations March 2011 applications, and the operator has the need that peers fetch their data from remote peers in other parts of the Internet. ,-------. +-----------+ ,---. ,-' `-. | Peer 1 | ,-' `-. / ISP 1 +-------|ALTO Client| / \ / | \ +-----------+ / ISP X \ | | | +-----------+ / \ \ +-------| Peer 2 | ; #-###########################|ALTO Client| | # | `-. ,-' +-----------+ | # | `-------' | # | ,-------. +-----------+ : # ; ,-' `+-------| Peer 3 | \ # / / ISP 2 | \ |ALTO Client| \ # / / | \ +-----------+ \ ########### | | +-----------+ `-. ,-' \ # +-------| Peer 4 | `---' \ ###################|ALTO Client| `-. ,-' +-----------+ `-------' Legend: === preferred "connections" --- non-preferred "connections" Figure 5: ALTO Traffic Network De-Localization Figure 5 shows the result of such a guidance process where Peer 2 prefers a connection with Peer4 instead of Peer 1, as shown in Figure 4. TBD: Limits of this approach in general and with respect to p2p. describe how maps would look like. 2.3.3. Intra-Network Localization/Bottleneck Off-Loading The above sections described the results of the ALTO guidance on an inter-network level. However, ALTO can also be used to guide peers on which internal peers are to be preferred. For instance, to guide Peers on a remote network side to prefer to connect to each other, instead of crossing a bottleneck link, a backhaul link to connect the side to the network core. Figure 6 shows such a scenario where Peer 1 and Peer 2 are located in Net 2 of ISP1 and connect via a low capacity link to the core (Net 1) of the same ISP1. Peer1 and Peer 2 would both exchange their data with remote peers, probably clogging the bottleneck link. Stiemerling & Kiesel Expires September 15, 2011 [Page 9] Internet-Draft Deployment Considerations March 2011 ,-------. +-----------+ ,---. ,-' `-. | Peer 1 | ,-' `-. / ISP 1 #########|ALTO Client| / \ / Net 2 # \ +-----------+ / ISP 1 \ | ######### | +-----------+ / Net 1 \ \ # / | Peer 2 | ; ###; \ # ##########|ALTO Client| | X~~~~~~~~~~~~X#######,-' +-----------+ | ### | ^ `-------' | | | : ; | \ / Bottleneck \ / \ / `-. ,-' `---' Legend: ### peer "connections" ~~~ bottleneck link Figure 6: Without Intra-Network ALTO Traffic Localization The operator can guide the peers in such a situation to try first local peers in the same network islands, avoiding or at least lowering the effect on the bottleneck link, as shown in Figure 7. ,-------. +-----------+ ,---. ,-' `-. | Peer 1 | ,-' `-. / ISP 1 #########|ALTO Client| / \ / Net 2 # \ +-----------+ / ISP 1 \ | # | +-----------+ / Net 1 \ \ #########| Peer 2 | ; ; \ ##########|ALTO Client| | #~~~~~~~~~~~########,-' +-----------+ | ### | ^ `-------' | | | : ; | \ / Bottleneck \ / \ / `-. ,-' `---' Legend: ### peer "connections" ~~~ bottleneck link Figure 7: With Intra-Network ALTO Traffic Localization Stiemerling & Kiesel Expires September 15, 2011 [Page 10] Internet-Draft Deployment Considerations March 2011 TBD: describe how maps would look like. 2.4. Provisiong ALTO Maps This section will describe how ALTO maps in the protocol can be populated before using them. Stiemerling & Kiesel Expires September 15, 2011 [Page 11] Internet-Draft Deployment Considerations March 2011 3. Using ALTO for P2P ,-------. ,---. ,-' `-. +-----------+ ,-' `-. / ISP 1 \ | Peer 1 |***** / \ / +-------------+ \ | | * / ISP X \ +=====>+ ALTO Server | )+-----------+ * / \ = \ +-------------+ / +-----------+ * ; +-----------+ : = \ / | Peer 2 | * | | Tracker |<====+ `-. ,-' | |***** | |ALTO Client|<====+ `-------' +-----------+ ** | +-----------+ | = ,-------. ** : * ; = ,-' `-. +-----------+ ** \ * / = / ISP 2 \ | Peer 3 | ** \ * / = / +-------------+ \ | |***** \ * / +=====>| ALTO Server | )+-----------+ *** `-. * ,-' \ +-------------+ / +-----------+ *** `-*-' \ / | Peer 4 |***** * `-. ,-' | | **** * `-------' +-----------+ **** * **** * **** ***********************************************<****** Legend: === ALTO client protocol *** Application protocol Figure 8: Global tracker accessing ALTO server at various ISPs Figure 8 depicts a tracker-based system, where the tracker embeds the ALTO client. The tracker itself is hosted and operated by an entity different than the ISP hosting and operating the ALTO server. Initially, the tracker has to look-up the ALTO server in charge for each peer where it receives a ALTO query for. Therefore, the ALTO server has to discover the handling ALTO server, as described in [I-D.kiesel-alto-3pdisc]. However, the peers do not have any way to query the server themselves. This setting allows to give the peers a better selection of candidate peers for their operation at an initial time, but does not consider peers learned through direct peer-to-peer knowledge exchange, AKA peer exchange in various peer-to-peer protocols. Stiemerling & Kiesel Expires September 15, 2011 [Page 12] Internet-Draft Deployment Considerations March 2011 ,-------. +-----------+ ,---. ,-' `-. +==>| Peer 1 |***** ,-' `-. / ISP 1 \ = |ALTO Client| * / \ / +-------------+<=+ +-----------+ * / ISP X \ | + ALTO Server |<=+ +-----------+ * / \ \ +-------------+ /= | Peer 2 | * ; +---------+ : \ / +==>|ALTO Client|***** | | Global | | `-. ,-' +-----------+ ** | | Tracker | | `-------' ** | +---------+ | ,-------. +-----------+ ** : * ; ,-' `-. +==>| Peer 3 | ** \ * / / ISP 2 \ = |ALTO Client|***** \ * / / +-------------+<=+ +-----------+ *** \ * / | | ALTO Server |<=+ +-----------+ *** `-. * ,-' \ +-------------+ /= | Peer 4 |***** `-*-' \ / +==>|ALTO Client| **** * `-. ,-' +-----------+ **** * `-------' **** * **** ***********************************************<**** Legend: === ALTO client protocol *** Application protocol Figure 9: Global Tracker - Local ALTO Servers The scenario in Figure 9 lets the peers directly communicate with their ISP's ALTO server (i.e., ALTO client embedded in the peers), giving thus the peers the most control on which information they query for, as they can integrate information received from trackers and through direct peer-to-peer knowledge exchange. Stiemerling & Kiesel Expires September 15, 2011 [Page 13] Internet-Draft Deployment Considerations March 2011 ,-------. +-----------+ ,---. ,-' ISP 1 `-. ***>| Peer 1 | ,-' `-. /+-------------+\ * | | / \ / + Tracker |<** +-----------+ / ISP X \ | +-----===-----+<** +-----------+ / \ \ +-----===-----+ /* | Peer 2 | ; +---------+ : \+ ALTO Server |/ ***>| | | | Global | | +-------------+ +-----------+ | | Tracker | | `-------' | +---------+ | +-----------+ : ^ ; ,-------. | Peer 3 | \ * / ,-' ISP 2 `-. ***>| | \ * / /+-------------+\ * +-----------+ \ * / / + Tracker |<** +-----------+ `-. *,-' | +-----===-----+ | | Peer 4 |<* `---* \ +-----===-----+ / | | * * \+ ALTO Server |/ +-----------+ * * +-------------+ * * `-------' * *********************************************** Legend: === ALTO client protocol *** Application protocol Figure 10: P4P approach with local tracker and local ALTO server There are some attempts to let ISP's to deploy their own trackers, as shown in Figure 10. In this case, the client has no chance to get guidance from the ALTO server, other than talking to the ISP's tracker. However, the peers would have still chance the contact other trackers, deployed by entities other than the peer's ISP. Figure 10 and Figure 8 ostensibly take peers the possibility to directly query the ALTO server, if the communication with the ALTO server is not permitted for any reason. However, considering the plethora of different applications of ALTO, e.g., multiple tracker and non-tracker based P2P systems and or applications searching for relays, it seems to be beneficial for all participants to let the peers directly query the ALTO server. The peers are also the single point having all operational knowledge to decide whether to use the ALTO guidance and how to use the ALTO guidance. This is a preference for the scenario depicted in Figure Figure 9. 3.1. Using ALTO for Tracker-based Peer-to-Peer Applications Stiemerling & Kiesel Expires September 15, 2011 [Page 14] Internet-Draft Deployment Considerations March 2011 ............................. ............................. : Tracker : : Peer : : ______ : : : : +-______-+ : : k good : : | | +--------+ : P2P App. : +--------+ peers +------+ : : | N | | random | : Protocol : | ALTO- |------>| data | : : | known |====>| pre- |*************>| biased | | ex- | : : | peers, | | selec- | : transmit : | peer |------>| cha- | : : | M good | | tion | : n peer : | select | n-k | nge | : : +-______-+ +--------+ : IDs : +--------+ bad p.+------+ : :...........................: :.....^.....................: | | ALTO | client protocol __|___ +-______-+ | | | ALTO | | server | +-______-+ Figure 11: Tracker-based P2P Application with random peer preselection ............................. ............................. : Tracker : : Peer : : ______ : : : : +-______-+ : : : : | | +--------+ : P2P App. : k good peers & +------+ : : | N | | ALTO- | : Protocol : n-k bad peers | data | : : | known |====>| biased |******************************>| ex- | : : | peers, | | peer | : transmit : | cha- | : : | M good | | select | : n peer : | nge | : : +-______-+ +--------+ : IDs : +------+ : :.....................^.....: :...........................: | | ALTO | client protocol __|___ +-______-+ | | | ALTO | | server | +-______-+ Figure 12: Tracker-based P2P Application with ALTO client in tracker Stiemerling & Kiesel Expires September 15, 2011 [Page 15] Internet-Draft Deployment Considerations March 2011 TBD: explain why Figure 12 usually will yield better results wrt. peer selection than Figure 11. 3.2. Expectations of ALTO This section hints to some recent experiments conducted with ALTO- like deployments in Internet Service Provider (ISP) network's. NTT performed tests with their HINT server implementation and dummy nodes to gain insight on how an ALTO-like service influence a peer-to-peer systems [I-D.kamei-p2p-experiments-japan]. The results of an early experiment conducted in the Comcast network are documented here[RFC5632] Stiemerling & Kiesel Expires September 15, 2011 [Page 16] Internet-Draft Deployment Considerations March 2011 4. Using ALTO for CDNs Section 2 discussed the placement and usage of ALTO for P2P systems, but not beyond. This section discuss the usage of ALTO for Content Delivery Networks (CDNs). CDNs are used to bring a service (e.g., a web page, videos, etc) closer to the location of the user - where close refers to shorten the distance between the client and the server in the IP topology. CDNs use several techniques to decide which server is closest to a client requesting a service. One common way to do so, is relying on the DNS system, but there are many other ways, see [RFC3568]. The general issue for CDNs, independent of DNS or HTTP Redirect based approaches (see, for instance, [I-D.penno-alto-cdn]), is that the CDN logic has to match the client's IP address with the closest CDN cache. This matching is not trivial, for instance, in DNS based approaches, where the IP address of the DNS original requester is unknown (see [I-D.vandergaast-edns-client-ip] for a discussion of this and a solution approach). Stiemerling & Kiesel Expires September 15, 2011 [Page 17] Internet-Draft Deployment Considerations March 2011 5. Advanced Features 5.1. Cascading ALTO Servers The main assumptions of ALTO seems to be each ISP operates its own ALTO server independently, irrespectively of the ISP's situation. This may true for most envisioned deployments of ALTO but there are certain deployments that may have different settings. Figure 13 shows such setting, were for example, a university network is connected to two upstream providers. ISP2 if the national research network and ISP1 is a commercial upstream provider to this university network. The university, as well as ISP1, are operating their own ALTO server. The ALTO clients, located on the peers will contact the ALTO server located at the university. +-----------+ | ISP1 | | ALTO | | Server | +----------=+ ,-------= ,------. ,-' =`-. ,-' `-. / Upstream= \ / Upstream \ ( ISP1 = ) ( ISP2 ) \ = / \ / `-. =,-' `-. ,-' `---+---= `+------' | = | | ======================= |,-------------. | = ,-+ `-+ +-----------+ ,' University `. |University | ( Network ) | ALTO | `. =======================| Server | `-= +-' +-----------+ =`+------------'| = | | +--------+-+ +-+--------+ | Peer1 | | PeerN | +----------+ +----------+ Figure 13: Cascaded ALTO Server In this setting all "destinations" useful for the peers within ISP2 are free-of-charge for the peers located in the university network (i.e., they are preferred in the rating of the ALTO server). However, all traffic that is not towards ISP2 will be handled by the Stiemerling & Kiesel Expires September 15, 2011 [Page 18] Internet-Draft Deployment Considerations March 2011 ISP1 upstream provider. Therefore, the ALTO server at the university has also to include the guidance given by the ISP1 ALTO server in its replies to the ALTO clients. This can be called cascaded ALTO servers. 5.2. ALTO for IPv4 and IPv6 TBD 5.3. Monitoring ALTO TBD Stiemerling & Kiesel Expires September 15, 2011 [Page 19] Internet-Draft Deployment Considerations March 2011 6. Known Limitations of ALTO This section describes some known limitations of ALTO in general or specific mechanisms in ALTO. 6.1. Limitations of Map-based Approaches The specification of the ALTO protocol [I-D.ietf-alto-protocol] uses, amongst others mechanism, so-called network maps. The network map approach uses Host Group Descriptors that group one or multiple subnetworks (i.e., IP prefixes) to a single Host Group Descriptor. A set of IP prefixes is called partition and the associated Host Group Descriptor is called partition ID. The "costs" between the various partition IDs is stored in a second map, the cost map. Map-based approaches are chosen as they lower the signaling load on the server, as the maps have only to be retrieved if they are changed. The main assumption for map-based approaches is that the information provided in these maps is static for a longer period of time, where this period of time refers to days, but not hours or even minutes. This assumption is fine, as long as the network operator does not change any parameter, e.g., routing within the network and to the upstream peers, IP address assignment stays stable (and thus the mapping to the partitions). However, there are several cases where this assumption is not valid, as: 1. ISPs reallocate IPv4 subnets from time to time; 2. ISPs reallocate IPv4 subnets on short notice; 3. IP prefix blocks may be assigned to a single DSLAM which serves a variety of access networks. For 1): ISPs reallocate IPv4 subnets within their infrastructure from time to time, partly to ensure the efficient usage of IPv4 addresses (a scarce resource), and partly to enable efficient route tables within their network routers. The frequency of these "renumbering events" depend on the growth in number of subscribers and the availability of address space within the ISP. As a result, a subscriber's household device could retain an IPv4 address for as short as a few minutes, or for months at a time or even longer. Some folks have suggested that ISPs providing ALTO services could sub-divide their subscribers' devices into different IPv4 subnets (or certain IPv4 address ranges) based on the purchased service tier, as well as based on the location in the network topology. The problem is that this sub-allocation of IPv4 subnets tends to decrease the efficiency of IPv4 address allocation. A growing ISP Stiemerling & Kiesel Expires September 15, 2011 [Page 20] Internet-Draft Deployment Considerations March 2011 that needs to maintain high efficiency of IPv4 address utilization may be reluctant to jeopardize their future acquisition of IPv4 address space. However, this is not an issue for map-based approaches if changes are applied in the order of days. For 2): ISPs can use techniques, such as ODAP (XXX) that allow the reallocation of IP prefixes on very short notice, i.e., within minutes. An IP prefix that has no IP address assignment to a host anymore can be reallocate to areas where there is currently a high demand for IP addresses. For 3): In DSL-based access networks, IP prefixes are assigned to DSLAMs which are the first IP-hop in the access-network between the CPE and the Internet. The access-network between CPE and DSLAM (called aggregation network) can have varying characteristics (and thus associated costs), but still using the same IP prefix. For instance one IP addresses IP11 out of a IP prefix IP1 can be assigned to a VDSL (e.g., 2 MBit/s uplink) access-line while the subsequent IP address IP12 is assigned to a slow ADSL line (e.g., 128 kbit/s uplink). These IP addresses are assigned on a first come first served basis, i.e., the a single IP address out of the same IP prefix can change its associated costs quite fast. This may not be an issue with respect to the used upstream provider (thus the cross ISP traffic) but depending on the capacity of the aggregation-network this may raise to an issue. 6.2. Limitiations of Non-Map-based Approaches The specification of the ALTO protocol [I-D.ietf-alto-protocol] uses, amongst others mechanism, a mechanism called Endpoint Cost Service. ALTO clients can ask guidance for specific IP addresses to the ALTO server. However, asking for IP addresses, asking with long lists of IP addresses, and asking quite frequent may overload the ALTO server. The server has to rank each received IP address which causes load at the server. This may be amplified by the fact that not only a single ALTO client is asking for guidance, but a larger number of them. Caching of IP addresses at the ALTO client or the usage of the H12 approach [I-D.kiesel-alto-h12] in conjunction with caching may lower the query load on the ALTO server. 6.3. General Challenges An ALTO server stores information about preferences (e.g., a list of preferred autonomous systems, IP ranges, etc) and ALTO clients can retrieve these preferences. However, there are basically two Stiemerling & Kiesel Expires September 15, 2011 [Page 21] Internet-Draft Deployment Considerations March 2011 different approaches on where the preferences are actually processed: 1. The ALTO server has a list of preferences and clients can retrieve this list via the ALTO protocol. This preference list can be partially updated by the server. The actual processing of the data is done on the client and thus there is no data of the client's operation revealed to the ALTO server . 2. The ALTO server has a list of preferences or preferences calculated during runtime and the ALTO client is sending information of its operation (e.g., a list of IP addresses) to the server. The server is using this operational information to determine its preferences and returns these preferences (e.g., a sorted list of the IP addresses) back to the ALTO client. Approach 1 (we call it H1) has the advantage (seen from the client) that all operational information stays within the client and is not revealed to the provider of the server. On the other hand, does approach 1 require that the provider of the ALTO server, i.e., the network operator, reveals information about its network structure (e.g., AS numbers, IP ranges, topology information in general) to the ALTO client. Approach 2 (we call it H2) has the advantage (seen from the operator) that all operational information stays with the ALTO server and is not revealed to the ALTO client. On the other hand, does approach 2 require that the clients send their operational information to the server. Both approaches have their pros and cons and are extensively discussed on the ALTO mailing list. But there is basically a dilemma: Approach 1 is seen as the only working solution by peer-to- peer software vendors and approach 2 is seen as the only working by the network operators. But neither the software vendors nor the operators seem to willing to change their position. However, there is the need to get both sides on board, to come to a solution. Stiemerling & Kiesel Expires September 15, 2011 [Page 22] Internet-Draft Deployment Considerations March 2011 7. Extensions to the ALTO Protocol 7.1. Host Group Descriptors Host group descriptors are used in the ALTO client protocol to describe the location of a host in the network topology. The ALTO client protocol specification defines a basic set of host group descriptor types, which have to be supported by all implementations, and an extension procedure for adding new descriptor types . The following list gives an overview on further host group descriptor types that have been proposed in the past, or which are in use by ALTO-related prototype implementations. This list is not intended as normative text. Instead, the only purpose of the following list is to document the descriptor types that have been proposed so far, and to solicit further feedback and discussion: o Autonomous System (AS) number o Protocol-specific group identifiers, which expand to a set of IP address ranges (CIDR) and/or AS numbers. In one specific solution proposal, these are called Partition ID (PID). 7.2. Rating Criteria Rating criteria are used in the ALTO client protocol to express topology- or connectivity-related properties, which are evaluated in order to generate the ALTO guidance. The ALTO client protocol specification defines a basic set of rating criteria, which have to be supported by all implementations, and an extension procedure for adding new criteria . The following list gives an overview on further rating criteria that have been proposed in the past, or which are in use by ALTO-related prototype implementations. This list is not intended as normative text. Instead, the only purpose of the following list is to document the rating criteria that have been proposed so far, and to solicit further feedback and discussion: 7.2.1. Distance-related Rating Criteria o Relative topological distance: relative means that a larger numerical value means greater distance, but it is up to the ALTO service how to compute the values, and the ALTO client will not be informed about the nature of the information. One way of generating this kind of information MAY be counting AS hops, but when querying this parameter, the ALTO client MUST NOT assume that the numbers actually are AS hops. o Absolute topological distance, expressed in the number of traversed autonomous systems (AS). Stiemerling & Kiesel Expires September 15, 2011 [Page 23] Internet-Draft Deployment Considerations March 2011 o Absolute topological distance, expressed in the number of router hops (i.e., how much the TTL value of an IP packet will be decreased during transit). o Absolute physical distance, based on knowledge of the approximate geolocation (continent, country) of an IP address. 7.2.2. Charging-related Rating Criteria o Traffic volume caps, in case the Internet access of the resource consumer is not charged by "flat rate". For each candidate resource provider, the ALTO service could indicate the amount of data that may be transferred from/to this resource provider until a given point in time, and how much of this amount has already been consumed. Furthermore, it would have to be indicated how excess traffic would be handled (e.g., blocked, throttled, or charged separately at an indicated price). The interaction of several applications running on a host, out of which some use this criterion while others don't, as well as the evaluation of this criterion in resource directories, which issue ALTO queries on behalf of other peers, are for further study. 7.2.3. Performance-related Rating Criteria The following rating criteria are subject to the remarks below. o The minimum achievable throughput between the resource consumer and the candidate resource provider, which is considered useful by the application (only in ALTO queries), or o An arbitrary upper bound for the throughput from/to the candidate resource provider (only in ALTO responses). This may be, but is not necessarily the provisioned access bandwidth of the candidate resource provider. o The maximum round-trip time (RTT) between resource consumer and the candidate resource provider, which is acceptable for the application for useful communication with the candidate resource provider (only in ALTO queries), or o An arbitrary lower bound for the RTT between resource consumer and the candidate resource provider (only in ALTO responses). This may be, for example, based on measurements of the propagation delay in a completely unloaded network. The ALTO client MUST be aware, that with high probability, the actual performance values differ significantly from these upper and lower bounds. In particular, an ALTO client MUST NOT consider the "upper Stiemerling & Kiesel Expires September 15, 2011 [Page 24] Internet-Draft Deployment Considerations March 2011 bound for throughput" parameter as a permission to send data at the indicated rate without using congestion control mechanisms. The discrepancies are due to various reasons, including, but not limited to the facts that o the ALTO service is not an admission control system o the ALTO service may not know the instantaneous congestion status of the network o the ALTO service may not know all link bandwidths, i.e., where the bottleneck really is, and there may be shared bottlenecks o the ALTO service may not know whether the candidate peer itself is overloaded o the ALTO service may not know whether the candidate peer throttles the bandwidth it devotes for the considered application o the ALTO service may not know whether the candidate peer will throttle the data it sends to us (e.g., because of some fairness algorithm, such as tit-for-tat) Because of these inaccuracies and the lack of complete, instantaneous state information, which are inherent to the ALTO service, the application must use other mechanisms (such as passive measurements on actual data transmissions) to assess the currently achievable throughput, and it MUST use appropriate congestion control mechanisms in order to avoid a congestion collapse. Nevertheless, these rating criteria may provide a useful shortcut for quickly excluding candidate resource providers from such probing, if it is known in advance that connectivity is in any case worse than what is considered the minimum useful value by the respective application. 7.2.4. Inappropriate Rating Criteria Rating criteria that SHOULD NOT be defined for and used by the ALTO service include: o Performance metrics that are closely related to the instantaneous congestion status. The definition of alternate approaches for congestion control is explicitly out of the scope of ALTO. Instead, other appropriate means, such as using TCP based transport, have to be used to avoid congestion. Stiemerling & Kiesel Expires September 15, 2011 [Page 25] Internet-Draft Deployment Considerations March 2011 8. API between ALTO Client and Application This sections gives some informational guidance on how the interface between the actual application using the ALTO guidance and the ALTO client can look like. This is still TBD. Stiemerling & Kiesel Expires September 15, 2011 [Page 26] Internet-Draft Deployment Considerations March 2011 9. Security Considerations The ALTO protocol itself, as well as, the ALTO client and server raise new security issues beyond the one mentioned in [I-D.ietf-alto-protocol] and issues related to message transport over the Internet. For instance, Denial of Service (DoS) is of interest for the ALTO server and also for the ALTO client. A server can get overloaded if too many TCP requests hit the server, or if the query load of the server surpasses the maximum computing capacity. An ALTO client can get overloaded if the responses from the sever are, either intentionally or due to an implementation mistake, too large to be handled by that particular client. 9.1. Information Leakage from the ALTO Server The ALTO server will be provisioned with information about the owning ISP's network and very likely also with information about neighboring ISPs. This information (e.g., network topology, business relations, etc) is consider to be confidential to the ISP and must not be revealed. The ALTO server will naturally reveal parts of that information in small doses to peers, as the guidance given will depend on the above mentioned information. This is seen beneficial for both parties, i.e., the ISP's and the peer's. However, there is the chance that one or multiple peers are querying an ALTO server with the goal to gather information about network topology or any other data considered confidential or at least sensitive. It is unclear whether this is a real technical security risk or whether this is more a perceived security risk. 9.2. ALTO Server Access Depending on the use case of ALTO, several access restrictions to an ALTO server may or may not apply. For an ALTO server that is solely accessible by peers from the ISP network (as shown in Figure 9), for instance, the source IP address can be used to grant only access from that ISP network to the server. This will "limit" the number of peers able to attack the server to the user's of the ISP (however, including botnet computers). On the other hand, if the ALTO server has to be accessible by parties not located in the ISP's network (see Figure Figure 8), e.g., by a third-party tracker or by a CDN system outside the ISP's network, the access restrictions have to be more loose. In the extreme case, i.e., no access restrictions, each and every host in the Internet can access the ALTO server. This might no the intention of the ISP, as the server is not only subject to more possible attacks, but also on Stiemerling & Kiesel Expires September 15, 2011 [Page 27] Internet-Draft Deployment Considerations March 2011 the load imposed to the server, i.e., possibly more ALTO clients to serve and thus more work load. 9.3. Faking ALTO Guidance It has not yet been investigated how a faked or wrong ALTO guidance by an ALTO server can impact the operation of the network and also the peers. Here is a list of examples how the ALTO guidance could be faked and what possible consequences may arise: Sorting An attacker could change to sorting order of the ALTO guidance (given that the order is of importance, otherwise the ranking mechanism is of interest), i.e., declaring peers located outside the ISP as peers to be preferred. This will not pose a big risk to the network or peers, as it would mimic the "regular" peer operation without traffic localization, apart from the communication/processing overhead for ALTO. However, it could mean that ALTO is reaching the opposite goal of shuffling more data across ISP boundaries, incurring more costs for the ISP. Preference of a single peer A single IP address (thus a peer) could be marked as to be preferred all over other peers. This peer can be located within the local ISP or also in other parts of the Internet (e.g., a web server). This could lead to the case that quite a number of peers to trying to contact this IP address, possibly causing a Denial of Service (DoS) attack. This section is solely giving a first shot on security issues related to ALTO deployments. Stiemerling & Kiesel Expires September 15, 2011 [Page 28] Internet-Draft Deployment Considerations March 2011 10. Conclusion This is the first version of the deployment considerations and for sure the considerations are yet incomplete and imprecise. Stiemerling & Kiesel Expires September 15, 2011 [Page 29] Internet-Draft Deployment Considerations March 2011 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3568] Barbir, A., Cain, B., Nair, R., and O. Spatscheck, "Known Content Network (CN) Request-Routing Mechanisms", RFC 3568, July 2003. 11.2. Informative References [I-D.ietf-alto-protocol] Alimi, R., Penno, R., and Y. Yang, "ALTO Protocol", draft-ietf-alto-protocol-06 (work in progress), October 2010. [I-D.ietf-alto-reqs] Previdi, S., Stiemerling, M., Woundy, R., and Y. Yang, "Application-Layer Traffic Optimization (ALTO) Requirements", draft-ietf-alto-reqs-08 (work in progress), March 2011. [I-D.kamei-p2p-experiments-japan] Kamei, S., Momose, T., and T. Inoue, "ALTO-Like Activities and Experiments in P2P Network Experiment Council", draft-kamei-p2p-experiments-japan-05 (work in progress), March 2011. [I-D.kiesel-alto-3pdisc] Kiesel, S., Tomsu, M., Schwan, N., Scharf, M., and M. Stiemerling, "ALTO Server Discovery Protocol", draft-kiesel-alto-3pdisc-04 (work in progress), October 2010. [I-D.kiesel-alto-h12] Kiesel, S. and M. Stiemerling, "ALTO H12", draft-kiesel-alto-h12-02 (work in progress), March 2010. [I-D.penno-alto-cdn] Penno, R., Raghunath, S., Medved, J., Alimi, R., Yang, R., and S. Previdi, "ALTO and Content Delivery Networks", draft-penno-alto-cdn-02 (work in progress), October 2010. [I-D.vandergaast-edns-client-ip] Contavalli, C., Gaast, W., Leach, S., and D. Rodden, "Client IP information in DNS requests", Stiemerling & Kiesel Expires September 15, 2011 [Page 30] Internet-Draft Deployment Considerations March 2011 draft-vandergaast-edns-client-ip-01 (work in progress), May 2010. [RFC5632] Griffiths, C., Livingood, J., Popkin, L., Woundy, R., and Y. Yang, "Comcast's ISP Experiences in a Proactive Network Provider Participation for P2P (P4P) Technical Trial", RFC 5632, September 2009. [RFC5693] Seedorf, J. and E. Burger, "Application-Layer Traffic Optimization (ALTO) Problem Statement", RFC 5693, October 2009. Stiemerling & Kiesel Expires September 15, 2011 [Page 31] Internet-Draft Deployment Considerations March 2011 Appendix A. Acknowledgments Martin Stiemerling is partially supported by the NAPA-WINE project (Network-Aware P2P-TV Application over Wise Networks, http://www.napa-wine.org), a research project supported by the European Commission under its 7th Framework Program (contract no. 214412). The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NAPA-WINE project or the European Commission. Stiemerling & Kiesel Expires September 15, 2011 [Page 32] Internet-Draft Deployment Considerations March 2011 Authors' Addresses Martin Stiemerling NEC Laboratories Europe Kurfuerstenanlage 36 Heidelberg 69115 Germany Phone: +49 6221 4342 113 Fax: +49 6221 4342 155 Email: martin.stiemerling@neclab.eu URI: http://ietf.stiemerling.org Sebastian Kiesel University of Stuttgart, Computing Center Allmandring 30 Stuttgart 70550 Germany Email: ietf-alto@skiesel.de Stiemerling & Kiesel Expires September 15, 2011 [Page 33]