idnits 2.17.1 

draft-ietf-mmusic-sap-v2-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 17 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There are 46 instances of too long lines in the document, the longest
     one being 4 characters in excess of 72.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  == There are 4 instances of lines with multicast IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use the 233.252.0.x range defined in RFC 5771

  == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 116 has weird spacing: '...d on an  addre...'

  == Line 191 has weird spacing: '...(eg: if  a new...'

  == Line 551 has weird spacing: '... Format  speci...'

  == Line 616 has weird spacing: '...ability  and c...'

  == Line 778 has weird spacing: '...Deutsch  and J...'

  == (2 more instances...)

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (23 August 1999) is 9013 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 2440 (ref. '2') (Obsoleted by RFC 4880)

  ** Downref: Normative reference to an Informational RFC: RFC 1950 (ref. '3')

  ** Obsolete normative reference: RFC 2327 (ref. '4') (Obsoleted by RFC 4566)

  -- Possible downref: Non-RFC (?) normative reference: ref. '5'

  ** Obsolete normative reference: RFC 1305 (ref. '8') (Obsoleted by RFC 5905)


     Summary: 11 errors (**), 0 flaws (~~), 12 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET-DRAFT                              23 August 1999

3	                                              Mark Handley
4	                                                     ACIRI
5	                                             Colin Perkins
6	                                                       UCL
7	                                             Edmund Whelan
8	                                                       UCL

10	                Session Announcement Protocol
11	               draft-ietf-mmusic-sap-v2-02.txt

13	                    Status of this memo

15	This document is an Internet-Draft and is in full conformance with all
16	provisions of Section 10 of RFC2026.

18	Internet-Drafts are working documents of the Internet Engineering Task
19	Force (IETF), its areas, and its working groups.  Note that other groups
20	may also distribute working documents as Internet-Drafts.

22	Internet-Drafts are draft documents valid for a maximum of six months and
23	may be updated, replaced, or obsoleted by other documents at any time.  It
24	is inappropriate to use Internet-Drafts as reference material or to cite
25	them other than as "work in progress."

27	The list of current Internet-Drafts can be accessed at
28	http://www.ietf.org/ietf/1id-abstracts.txt

30	The list of Internet-Draft Shadow Directories can be accessed at
31	http://www.ietf.org/shadow.html.

33	This document is a product of the Multiparty Multimedia Session Control
34	working group of the Internet Engineering Task Force.  Comments are
35	solicited and should be addressed to the working group's mailing list at
36	confctrl@isi.edu and/or the authors.

38	                         Abstract

40	    This document describes version 2 of the multicast session directory
41	    announcement protocol, SAP, and the related issues affecting security
42	    and scalability that should be taken into account by the implementors
43	    of multicast session directory tools.

45	1  Introduction

47	In order to assist the advertisement of multicast multimedia conferences
48	and other multicast sessions, and to communicate the relevant session
49	setup information to prospective participants, a distributed session
50	directory may be used.  An instance of such a session directory periodically
51	multicasts packets containing a description of the session, and these
52	advertisements are received by potential participants who can use
53	the session description to start the tools required to participate
54	in the session.

56	This memo describes the issues involved in the multicast announcement
57	of session description information and defines an announcement protocol
58	to be used by session directory clients.  Sessions are described
59	using the session description protocol which is described in a companion
60	memo [4].

62	2  Terminology

64	A SAP announcer periodically multicasts an announcement packet to
65	a well known multicast address and port.  The announcement is multicast
66	with the same scope as the session it is announcing, ensuring that
67	the recipients of the announcement can also be potential recipients
68	of the session the announcement describes (bandwidth and other such
69	constraints permitting).  This is also important for the scalability
70	of the protocol, as it keeps local session announcements local.

72	A SAP listener learns of the multicast scopes it is within (for example,
73	using the Multicast-Scope Zone Announcement Protocol [5]) and listens
74	on the well known SAP address and port for those scopes.  In this
75	manner, it will eventually learn of all the sessions being announced,
76	allowing those sessions to be joined.

78	The key words `MUST', `MUST NOT', `REQUIRED', `SHALL', `SHALL NOT',
79	`SHOULD', `SHOULD NOT', `RECOMMENDED', `MAY', and `OPTIONAL' in this
80	document are to be interpreted as described in [1].

82	3  Session Announcement

84	As noted previously, a SAP announcer periodically sends an announcement
85	packet to a well known multicast address and port.  There is no rendezvous
86	mechanism - the SAP announcer is not aware of the presence or absence
87	of any SAP listeners - and no additional reliability is provided
88	over the standard best-effort UDP/IP semantics.

90	That announcement contains a session description and SHOULD contain
91	an authentication header.  The session description MAY be encrypted
92	although this is NOT RECOMMENDED (see section 8).

94	A SAP announcement is multicast with the same scope as the session
95	it is announcing, ensuring that the recipients of the announcement
96	can also be potential recipients of the session being advertised.
97	There are four possiblities:

99	IPv4 global scope sessions use multicast addresses in the range
100	    224.2.128.0 - 224.2.255.255 with SAP announcements being sent
101	    to 224.2.127.254 (note that 224.2.127.255 is used by the obsolete
102	    SAPv0 and MUST NOT be used).

104	IPv4 administrative scope sessions using administratively scoped
105	    IP multicast as defined in [7].  The multicast address to be
106	    used for announcements is the highest multicast address in the
107	    relevant administrative scope zone.  For example, if the scope
108	    range is 239.16.32.0 - 239.16.33.255, then 239.16.33.255 is used
109	    for SAP announcements.

111	IPv6 sessions are announced on the address FF0X:0:0:0:0:0:2:7FFE
112	    where X is the 4-bit scope value.  For example, an announcement
113	    for a link-local session assigned the address FF02:0:0:0:0:0:1234:5678,
114	    should be advertised on SAP address FF02:0:0:0:0:0:2:7FFE.

116	Directory sessions are announced on an  address which is itself announced
117	    by a SAP announcement.  See section 6 for details for directory
118	    sessions.

120	SAP announcements MUST be sent on port 9875 and SHOULD be sent with
121	an IP time-to-live of 255.

123	If a session uses addresses in multiple administrative scope ranges, it is
124	necessary for the announcer to send identical copies of the announcement to
125	each administrative scope range.  It is up to the listeners to parse such
126	multiple announcements as the same session (as identified by the SDP origin
127	field, for example).  The announcement rate for each administrative scope
128	range MUST be calculated separately, as if the multiple announcements were
129	separate.

131	Multiple announcers may announce a single session, as an aid to robustness
132	in the face of packet loss and failure of one or more announcers.  The rate
133	at which each announcer repeats its announcement MUST be scaled back such
134	that the total announcement rate is equal to that which a single server
135	would choose.  Announcements made in this manner MUST be identical.

137	If multiple announcements are being made for a session, then each
138	announcement MUST carry an authentication header signed by the same
139	key, or be treated as a completely separate announcement by listeners.

141	An IPv4 SAP listener SHOULD listen on the IPv4 global scope SAP address
142	and on the SAP addresses for each IPv4 administrative scope zone
143	it is within.  The discovery of administrative scope zones is outside
144	the scope of this memo, but it is assumed that each SAP listener
145	within a particular scope zone is aware of that scope zone.  A SAP
146	listener which supports IPv6 SHOULD also listen to the IPv6 SAP addresses.
147	Support for directory sessions is OPTIONAL.

149	3.1 Announcement Interval

151	The time period between repetitions of an announcement is chosen
152	such that the total bandwidth used by all announcements on a single
153	SAP group remains below a preconfigured limit.  If not otherwise
154	specified, the bandwidth limit SHOULD be assumed to be 4000 bits
155	per second.

157	Each announcer is expected to listen to other announcements in order
158	to determine the total number of sessions being announced on a particular
159	group.  Sessions are uniquely identified by the combination of the
160	message identifier hash and originating source fields of the SAP
161	header (note that SAP v0 clients always set the message identifier
162	hash to zero, and if such an announcement is received the entire
163	message MUST be compared to determine uniqueness).

165	Announcements are made by periodic multicast to the group.  The base
166	interval between announcements is derived from the number of announcements
167	being made in that group, the size of the announcement and the configured
168	bandwidth limit.  The actual transmission time is derived from this
169	base interval as follows:

171	  1.The announcer initialises the variable tp to be the last time
172	    a particular announcement was transmitted (or the current time
173	    if this is the first time this announcement is to be made).

175	  2.Given a configured bandwidth limit in bits/second and an announcement
176	    of ad_size bytes, the base announcement interval in seconds is

178	           interval = max(300; (8*no_of_ads*ad_size)/limit)

180	  3.An offset is calculated based on the base announcement interval

182	              offset = rand(interval* 2/3)-(interval/3)

184	  4.The next transmission time for an announcement derived as

186	                    tn = tp + interval + offset

188	The announcer then sets a timer to expire at tn and waits.  When
189	this timer expires, the announcement is transmitted.

191	If, at some time tc <tn, the no_of_ads changes (eg: if  a new announcer
192	starts up, or an existing announcement is deleted), the announcer
193	SHOULD recalculate the next transmission time.  If the new value
194	of tn is less than tc the announcement is sent immediately.  Otherwise
195	the transmission is rescheduled for the new tn.

197	4  Session Deletion

199	Sessions may be deleted in one of several ways:

201	Explicit Timeout The session description payload contains timestamp
202	    information which specifies a start and end time for the session.
203	    If the current time is later than the end-time for the session,
204	    then the session is deleted from the receiver's session cache.
205	    If an announcement packet arrives with an end-time before the
206	    current time, it is ignored.  If the payload is encrypted, and
207	    the receiver does not have the correct decryption key, the timeout
208	    field in the header should be used as an explicit timeout.

210	Implicit Timeout A session announcement message should be received
211	    periodically for each session description in a receiver's session
212	    cache.  The announcement period can be predicted by the receiver
213	    from the set of sessions currently being announced.  If a session
214	    announcement message has not been received for ten times the
215	    announcement period, or one hour, whichever is the greater, then
216	    the session is deleted from the receiver's session cache.  The
217	    one hour minimum is to allow for transient network partitionings.

219	Explicit Deletion A session deletion packet is received specifying
220	    the version of the session to be deleted.  The deletion packets
221	    should be ignored, unless they contain an authentication header
222	    which authenticates correctly and matches that used to authenticate
223	    the announcement which is being deleted.

225	5  Session Modification

227	A pre-announced session can be modified by simply announcing the
228	modified session description.  In this case, the version hash in
229	the SAP header MUST be changed to indicate to receivers that the
230	packet contents should be parsed (or decrypted and parsed if it is
231	encrypted).  The session itself, as distinct from the session announcement,
232	is uniquely identified by the payload and not by the message identifier
233	hash in the header.

235	The same rules apply for session modification as for session deletion:

237	  o Either the modified announcement must contain an authentication
238	    header signed by the same key as the cached session announcement
239	    it is modifying, or:

241	  o The cached session announcement must not contain an authentication
242	    header, and the session modification announcement must originate
243	    from the same host as the session it is modifying.

245	v=0
246	o=cperkins 2890844526 2890842807 IN IP4 126.16.64.4
247	s=Sample directory session
248	m=directory 9875 SAP application/sdp
249	c=IN IP4 224.2.127.12/255
250	t=2873397496 2873404696

252	        Figure 1:  Example SDP for a directory session

254	If an announcement is received containing an authentication header
255	and the cached announcement did not contain an authentication header,
256	or it contained a different authentication header, then the modified
257	announcement MUST be treated as a new and different announcement,
258	and displayed in addition to the un-authenticated announcement.  The
259	same should happen if a modified packet without an authentication
260	header is received from a different source than the original announcement.
261	These rules prevent an announcement having an authentication header
262	added by a malicious user and then being deleted using that header,
263	and it also prevents a denial-of-service attack by someone putting
264	out a spoof announcement which, due to packet loss, reaches some
265	participants before the original announcement.  Note that under such
266	circumstances, being able to authenticate the message originator is
267	the only way to discover which session is the correct session.

269	6  Directory Sessions

271	It is possible to announce sessions which describe other directories.
272	Such directory sessions should each announce a single directory.  Receivers
273	MUST ignore announcements which describe multiple directories.  Receivers
274	SHOULD ignore non-authenticated directory sessions.

276	Directory sessions may be described in SDP using the media type `directory'
277	with transport `SAP' (see figure 1 for example).  Directory sessions
278	SHOULD be announced with TTL 255 and SHOULD use port 9875.  Any SAP
279	announcer may announce sessions in an announced SAP group, there
280	is no explicit access control.

282	If the announcement of a directory is deleted, announcers of sessions
283	within that directory MUST stop announcing those sessions provided
284	the deletion packet authenticates with the same key as the original
285	announcement of the directory session.  If the deletion packet is
286	not authenticated, or is authenticated with a different key, then
287	it SHOULD be ignored.

289	If the announcement of a directory times out, announcers of sessions
290	within that directory SHOULD stop announcing those sessions.

292	If the announcement of the directory is modified to use a different
293	 0                   1                    2                   3
294	 0 1 2 3 4 5 6 7 8 9 0 1 2 3  4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
295	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
296	| V=1 |A|R|T|E|C|   auth len    |         msg id hash           |
297	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
298	|                                                               |
299	:                originating source (32 or 128 bits)            :
300	:                                                               :
301	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
302	|                    optional authentication data               |
303	:                              ....                             :
304	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
305	|                        optional timeout                       |
306	*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
307	|                      optional payload type                    |
308	+                                         +-+- - - - - - - - - -+
309	|                                         |0|                   |
310	+ - - - - - - - - - - - - - - - - - - - - +-+                   |
311	|                                                               |
312	:                            payload                            :
313	|                                                               |
314	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

316	                  Figure 2: Packet format

318	address announcers of sessions within that directory MUST move their
319	announcement to the new directory, provided the modification packet
320	authenticates with the same key as the original announcement of the
321	directory session.  If the modification packet is not authenticated,
322	or is authenticated with a different key, then it SHOULD be ignored.

324	7  Packet Format

326	SAP data packets have the format described in figure 2.

328	V: Version Number. The version number field MUST be set to 1 (SAPv2
329	   announcements which use only SAPv1 features are backwards compatible,
330	   those which use new features can be detected by other means,
331	   so the SAP version number doesn't need to change).

333	A: Address type. If the A bit is 0, the originating source field
334	   contains a 32-bit IPv4 address.  If the A bit is 1, the originating
335	   source contains a 128-bit IPv6 address.

337	R: Reserved. SAP announcers MUST set this to 0,  SAP listeners MUST
338	   ignore the contents of this field.

340	T: Message Type. If the T field is set to 0 this is a session announcement
341	   packet, if 1 this is a session deletion packet.

343	E: Encryption Bit. If the encryption bit is set to 1, the payload
344	   of the SAP packet is encrypted and the timeout field MUST be
345	   added to the packet header.  If this bit is 0 the packet is
346	   not encrypted and the timeout MUST NOT be present.  See section
347	   8 for details of the encryption process.

349	C: Compressed bit. If the compressed bit is set to 1, the payload
350	   is compressed using the zlib compression algorithm [3].  If the
351	   payload is to be compressed and encrypted, the compression MUST
352	   be performed first.

354	Authentication Length. An 8 bit unsigned quantity giving the number
355	   of 32 bit words following the main SAP header that contain authentication
356	   data.  If it is zero, no authentication header is present.

358	Authentication data containing a digital signature of the packet,
359	   with length as specified by the authentication length header
360	   field.  See section 9 for details of the authentication process.

362	Message Identifier Hash. A 16 bit quantity that, used in combination
363	   with the originating source, provides a globally unique identifier
364	   indicating the precise version of this announcement.  The choice
365	   of value for this field is not specified here, except that it
366	   MUST be unique for each session announced by a particular SAP
367	   announcer and it MUST be changed if the session description is
368	   modified.

370	   Earlier versions of SAP used a value of zero to mean that the
371	   hash should be ignored and the payload should always be parsed.
372	   This had the unfortunate side-effect that SAP announcers had
373	   to study the payload data to determine how many unique sessions
374	   were being advertised, making the calculation of the announcement
375	   interval more complex that necessary.  In order to decouple the
376	   session announcement process from the contents of those announcements,
377	   SAP announcers SHOULD NOT set the message identifier hash to
378	   zero.

380	   SAP listeners MAY silently discard messages if the message identifier
381	   hash is set to zero.

383	Originating Source. This gives the IP address of the original source
384	   of the message.  This is an IPv4 address if the A field is set
385	   to zero, else it is an IPv6 address.  The address is stored
386	   in network byte order.

388	   SAPv0 permitted the originating source to be zero if the message
389	   identifier hash was also zero.  This practise is no longer legal,
390	   and SAP announcers SHOULD NOT set the originating source to zero.
391	   SAP listeners MAY silently discard packets with the originating
392	   source set to zero.

394	Timeout. When the session payload is encrypted the detailed timing
395	   fields in the payload are not available to listeners which are
396	   not trusted with the decryption key.  Under such circumstances,
397	   the header includes an additional 32-bit timestamp field stating
398	   when the session should be timed out.

400	   Note that the timeout field in the header is intended for use
401	   only by those listeners which do not have the correct key to
402	   decrypt the announcement.  A SAP listener which is capable of
403	   decrypting the announcement MUST determine when to timeout the
404	   session based on the payload information.

406	   The value is an unsigned quantity giving the NTP time [8] in
407	   seconds at which time the session is timed out.  It is in network
408	   byte order.

410	The header is followed by an optional payload type field and the
411	payload data itself.  If the E or C bits are set in the header both
412	the payload type and payload are encrypted and/or compressed.
413	The payload type field is a MIME content type specifier, describing
414	the format of the payload.  This is a variable length ASCII text
415	string, followed by a single zero byte (ASCII NUL). The payload type
416	SHOULD be included in all packets.  If the payload type is `application/sdp'
417	both the payload type and its terminating zero byte MAY be omitted,
418	although this is intended for backwards compatibility with SAP v1
419	listeners only.

421	The absence of a payload type field may be noted since the payload
422	section of such a packet will start with an SDP `v=0' field, which
423	is not a legal MIME content type specifier.

425	All implementations MUST support payloads of type `application/sdp'
426	[4].  Other formats MAY be supported although since there is no negotiation
427	in SAP an announcer which chooses to use a session description format
428	other than SDP cannot know that the listeners are able to understand
429	the announcement.  A proliferation of payload types in announcements
430	has the potential to lead to severe interoperability problems, and
431	for this reason, the use of non-SDP payloads is NOT RECOMMENDED.

433	If the packet is an announcement packet, the payload contains a session
434	description.

436	If the packet is a session deletion packet, the payload contains
437	a session deletion message.  If the payload format is `application/sdp'
438	the deletion message is a single SDP line consisting of the origin
439	field of the announcement to be deleted.

441	It is desirable for the payload to be sufficiently small that SAP
442	packets do not get fragmented by the underlying network.  Fragmentation
443	has a loss multiplier effect, which is known to significantly affect
444	the reliability of announcements.  It is RECOMMENDED that SAP packets
445	are smaller than 1kByte in length, although if it is known that
446	announcements
447	will use a network with a smaller MTU than this, then that SHOULD
448	be used as the maximum recommended packet size.

450	8  Encrypted Announcements

452	An announcement is received by all listeners in the scope to which
453	it is sent.  If an announcement is encrypted, and many of the receivers
454	do not have the encryption key, there is a considerable waste of
455	bandwidth since those receivers cannot use the announcement they have
456	received.  For this reason, the use of encrypted SAP announcements
457	is NOT RECOMMENDED on the global scope SAP group or on administrative
458	scope groups which may have many receivers which cannot decrypt those
459	announcements.

461	The opinion of the authors is that encrypted SAP is useful in special
462	cases only, and that the vast majority of scenarios where encrypted
463	SAP has been proposed may be better served by distributing session
464	details using another mechanism.  There are, however, certain scenarios
465	where encrypted announcements may be useful.  For this reason, the
466	encryption bit is included in the SAP header to allow experimentation
467	with encrypted announcements.

469	This memo does not specify details of the encryption algorithm to
470	be used or the means by which keys are generated and distributed.
471	An additional specification should define these, if it is desired
472	to use encrypted SAP.

474	Note that if an encrypted announcement is being announced via a proxy,
475	then there may be no way for the proxy to discover that the announcement
476	has been superseded, and so it may continue to relay the old announcement
477	in addition to the new announcement.  SAP provides no mechanism to
478	chain modified encrypted announcements, so it is advisable to announce
479	the unmodified session as deleted for a short time after the modification
480	has occurred.  This does not guarantee that all proxies have deleted
481	the session, and so receivers of encrypted sessions should be prepared
482	to discard old versions of session announcements that they may receive.
483	In most cases however, the only stateful proxy will be local to (and
484	known to) the sender, and an additional (local-area) protocol involving
485	a handshake for such session modifications can be used to avoid this
486	problem.

488	Session announcements that are encrypted with a symmetric algorithm
489	may allow a degree of privacy in the announcement of a session, but
490	it should be recognised that a user in possession of such a key can
491	pass it on to other users who should not be in possession of such
492	a key.  Thus announcements to such a group of key holders cannot
493	be assumed to have come from an authorised key holder unless there
494	is an appropriate authentication header signed by an authorised key
495	holder.  In addition the recipients of such encrypted announcements
496	cannot be assumed to only be authorised key holders.  Such encrypted
497	announcements do not provide any real security unless all of the
498	authorised key holders are trusted to maintain security of such session
499	directory keys.  This property is shared by the multicast session
500	tools themselves, where it is possible for an un-trustworthy member
501	of the session to pass on encryption keys to un-authorised users.
502	However it is likely that keys used for the session tools will be
503	more short lived than those used for session directories.

505	Similar considerations should apply when session announcements are
506	encrypted with an assymetric algorithm, but then it is possible to
507	restrict the possessor(s) of the private key, so that announcements
508	to a key-holder group can not be made, even if one of the untrusted
509	members of the group proves to be un-trustworthy.

511	9  Authenticated Announcements

513	The authentication header can be used for two purposes:

515	  o Verification that changes to a session description or deletion
516	    of a session are permitted.

518	  o Authentication of the identity of the session creator.

520	In some circumstances only verification is possible because a certificate
521	signed by a mutually trusted person or authority is not available.
522	However, under such circumstances, the session originator may still
523	be authenticated to be the same as the session originator of previous
524	sessions claiming to be from the same person.  This may or may not
525	be sufficient depending on the purpose of the session and the people
526	involved.

528	Clearly the key used for the authentication should not be trusted
529	to belong to the session originator unless it has been separately
530	authenticated by some other means, such as being certified by a trusted
531	third party.  Such certificates are not normally included in an SAP
532	header because they take more space than can normally be afforded
533	in an SAP packet, and such verification must therefore take place
534	by some other mechanism.  However, as certified public keys are normally
535	locally cached, authentication of a particular key only has to take
536	place once, rather than every time the session directory retransmits
537	the announcement.

539	SAP is not tied to any single authentication mechanism.  Authentication
540	data in the header is self-describing, but the precise format depends
541	on the authentication mechanism in use.  The generic format of the
542	authentication data is given in figure 3.  The structure of the format
543	specific authentication subheader, using both the PGP and the CMS
544	formats, is discussed in sections 9.1 and 9.2 respectively.

546	                     1                    2                    3
547	 0 1 2 3 4 5 6 7 8 9 0 1 2 3  4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
548	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
549	| V=1 |P| Auth  |                                               |
550	+-+-+-+-+-+-+-+-+                                               |
551	|              Format  specific authentication subheader        |
552	:                        ..................                     :
553	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

555	 Figure 3:  Format of the authentication data in the SAP header

557	Version Number, V:  The version number of the authentication format
558	    specified by this memo is 1.

560	Padding Bit, P:  If necessary the authentication data is padded
561	    to be a multiple of 32 bits and the padding bit is set.  In
562	    this case the last byte of the authentication data contains the
563	    number of padding bytes (including the last byte) that must be
564	    discarded.

566	Authentication Type, Auth: The authentication type is a  4 bit encoded
567	    field that denotes the authentication infrastructure the sender
568	    expects the recipients to use to check the authenticity and integrity
569	    of the information.  This defines the format of the authentication
570	    subheader and can take the values:  0 = PGP format, 1 = CMS
571	    format.  All other values are undefined and SHOULD be ignored.

573	If a SAP packet is to be compressed or encrypted, this MUST be done
574	before the authentication is added.

576	The digital signature in the authentication data MUST be calculated
577	over the entire packet, including the header.  The authentication
578	length MUST be set to zero and the authentication data excluded when
579	calculating the digitial signature.

581	9.1 PGP Authentication

583	Implementations which support authentication MUST support this format.

585	A full description of the PGP protocol can be found in [2].  When
586	using PGP for SAP authentication the basic format specific authentication
587	subheader comprises a digital signature packet as described in [2].
588	The signature type MUST be 0x01 which means the signature is that
589	of a canonical text document.

591	9.2 CMS Authentication

593	Support for this format is OPTIONAL.

595	A full description of the Cryptographic Message Syntax can be found
596	in [6].  The format specific authentication subheader will, in the
597	CMS case, have an ASN.1 ContentInfo type with the ContentType being
598	signedData.

600	Use is made of the option available in PKCS#7 to leave the content
601	itself blank as the content which is signed is already present in
602	the packet.  Inclusion of it within the SignedData type would duplicate
603	this data and increase the packet length unnecessarily.  In addition
604	this allows recipients with either no interest in the authentication,
605	or with no mechanism for checking it, to more easily skip the authentication
606	information.

608	There SHOULD be only one signerInfo and related fields corresponding
609	to the originator of the SAP announcement.  The signingTime SHOUD
610	be present as a signedAttribute.  However, due to the strict size
611	limitations on the size of SAP packets, certificates and CRLs SHOULD
612	NOT be included in the signedData structure.  It is expected that
613	users of the protocol will have other methods for certificate and
614	CRL distribution.

616	10 Scalability  and caching

618	SAP is intended to announce the existence of long-lived wide-area
619	multicast sessions.  It is not an especially timely protocol:  sessions
620	are announced by periodic multicast with a repeat rate on the order
621	of tens of minutes, and no enhanced reliability over UDP. This leads
622	to a long startup delay before a complete set of announcements is
623	heard by a listener.  This delay is clearly undesirable for interactive
624	browsing of announced sessions.

626	In order to reduce the delays inherent in SAP, it is recommended
627	that proxy caches are deployed.  A SAP proxy cache is expected to
628	listen to all SAP groups in its scope, and to maintain an up-to-date
629	list of all announced sessions along with the time each announcement
630	was last received.  When a new SAP listeners starts, it should contact
631	its local proxy to download this information, which is then sufficient
632	for it to process future announcements directly, as if it has been
633	continually listening.

635	The protocol by which a SAP listener contacts its local proxy cache
636	is not specified here.

638	11 Security  Considerations

640	SAP contains mechanisms for ensuring integrity of session announcements,
641	for authenticating the origin of an announcement and for encrypting
642	such announcements (sections 8 and 9).  These mechanisms have not
643	yet been subject to suitable peer-review, and this memo should not
644	be considered authoritative in this area at this time.

646	As stated in section 5, if a session modification announcement is
647	received that contains a valid authentication header, but which is
648	not signed by the original creator of the session, then the session
649	must be treated as a new session in addition to the original session
650	with the same SDP origin information unless the originator of one
651	of the session descriptions can be authenticated using a certificate
652	signed by a trusted third party.  If this were not done, there would
653	be a possible denial of service attack whereby a party listens for
654	new announcements, strips off the original authentication header,
655	modifies the session description, adds a new authentication header
656	and re-announces the session.  If a rule was imposed that such spoof
657	announcements were ignored, then if packet loss or late starting
658	of a session directory instance caused the original announcement to
659	fail to arrive at a site, but the spoof announcement did so, this
660	would then prevent the original announcement from being accepted at
661	that site.

663	A similar denial-of-service attack is possible if a session announcement
664	receiver relies completely on the originating source and hash fields
665	to indicate change, and fails to parse the remainder of announcements
666	for which it has seen the origin/hash combination before.

668	A denial of service attack is possible from a malicious site close
669	to a legitimate site which is making a session announcement.  This
670	can happen if the malicious site floods the legitimate site with
671	huge numbers of (illegal) low TTL announcements describing high TTL
672	sessions.  This may reduce the session announcement rate of the legitimate
673	announcement to below a tenth of the rate expected at remote sites
674	and therefore cause the session to time out.  Such an attack is likely
675	to be easily detectable, and we do not provide any mechanism here
676	to prevent it.

678	A  Summary of differences between SAPv0 and SAPv1

680	For this purpose SAPv0 is defined as the protocol in use by version
681	2.2 of the session directory tool, sdr.  SAPv1 is the protocol described
682	in the 19 November 1996 version of this memo (draft-ietf-mmusic-sap-00.txt).
683	The packet headers of SAP messages are the same in V0 and V1 in
684	that a V1 tool can parse a V0 announcement header but not vice-versa.

686	In SAPv0, the fields have the following values:

688	  o Version Number:  0

690	  o Message Type:  0 (Announcement)

692	  o Authentication Type:  0 (No Authentication)
693	  o Encryption Bit:  0 (No Encryption)

695	  o Compression Bit:  0 (No compression)

697	  o Message Id Hash:  0 (No Hash Specified)

699	  o Originating Source:  0 (No source specified, announcement has
700	    not been relayed)

702	B  Summary of differences between SAPv1 and SAPv2

704	The packet headers of SAP messages are the same in V1 and V2 in
705	that a V2 tool can parse a V1 announcement header but not necessarily
706	vice-versa.

708	  o The A bit has been added to the SAP header, replacing one of
709	    the bits of the SAPv1 message type field.  If set to zero the
710	    announcement is of an IPv4 session, and the packet is backwards
711	    compatible with SAPv1.  If set to one the announcement is of
712	    an IPv6 session, and SAPv1 clients (which do not support IPv6)
713	    will see this as an illegal message type (MT) field.

715	  o The second bit of the message type field in SAPv1 has been replaced
716	    by a reserved, must-be-zero, bit.  This bit was unused in SAPv1,
717	    so this change just codifies existing usage.

719	  o SAPv1 specified encryption of the payload.  SAPv2 includes the
720	    E bit in the SAP header to indicate that the payload is encrypted,
721	    but does not specify any details of the encryption.

723	  o SAPv1 allowed the message identifier hash and originating source
724	    fields to be set to zero, for backwards compatibility.  This
725	    is no longer legal.

727	  o SAPv1 specified gzip compression.  SAPv2 uses zlib (the only
728	    known implementation of SAP compression used zlib, and gzip compression
729	    was a mistake).

731	  o SAPv2 provides a more complete specification for authentication.

733	  o SAPv2 allows for non-SDP payloads to be transported.  SAPv1 required
734	    that the payload was SDP.

736	  o SAPv2 makes the concept of directory session explicit.

738	C  Acknowledgments

740	SAP and SDP were originally based on the protocol used by the sd
741	session directory from Van Jacobson at LBNL. Version 1 of SAP was
742	designed by Mark Handley as part of the European Commission MICE
743	(Esprit 7602) and MERCI (Telematics 1007) projects.  Version 2 includes
744	authentication features developed by Edmund Whelan, Goli Montasser-Kohsari
745	and Peter Kirstein as part of the European Commission ICE-TEL project
746	(Telematics 1005), and support for IPv6 developed by Maryann P. Maher
747	and Colin Perkins.  The idea of using SAP to announce other SAP sessions
748	is due to Ross Finlayson.

750	D  Authors' Addresses

752	Mark Handley <mjh@aciri.org>
753	AT&T Center for Internet Research at ICSI,
754	International Computer Science Institute,
755	1947 Center Street, Suite 600,
756	Berkeley, CA 94704, USA

758	Colin Perkins <c.perkins@cs.ucl.ac.uk>
759	Department of Computer Science,
760	University College London,
761	Gower Street,
762	London, WC1E 6BT, UK

764	Edmund Whelan <e.whelan@cs.ucl.ac.uk>
765	Department of Computer Science,
766	University College London,
767	Gower Street,
768	London, WC1E 6BT, UK

770	References

772	[1] S. Bradner. Key words for use in RFCs to indicate requirement levels,
773	    March 1997. RFC2119.

775	[2] J. Callas,  L. Donnerhacke, H. Finney, and R. Thayer.  OpenPGP message
776	    format, November 1998. RFC2440.

778	[3] P. Deutsch  and J.-L. Gailly. Zlib compressed data format specification
779	    version  3.3, May 1996. RFC1950.

781	[4] M. Handley  and V. Jacobson. SDP: Session Description Protocol, April
782	    1998. RFC2327.

784	[5] M. Handley,  D. Thaler, and R. Kermode. Multicast-scope zone
785	    announcement  protocol (MZAP)(, February 1999.   Work in progress.

787	[6] R. Housley.  Cryptographic message syntax.  Work in progress,
788	    April 1999.  draft-ietf-smime-cms-13.txt.

790	[7] D. Mayer. Administratively scoped IP multicast, July 1998. RFC2365.

792	[8] D. Mills. Network time protocol version 3, March 1992.  RFC1305.