idnits 2.17.1 draft-ietf-nfsv4-federated-fs-reqts-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 20. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 1046. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1057. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1064. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1070. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 26, 2008) is 5662 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3530 (Obsoleted by RFC 7530) ** Obsolete normative reference: RFC 4346 (Obsoleted by RFC 5246) Summary: 4 errors (**), 0 flaws (~~), 1 warning (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Ellard 3 Internet-Draft BBN Technologies 4 Intended status: Standards Track C. Everhart 5 Expires: March 30, 2009 J. Lentini 6 NetApp 7 R. Tewari 8 M. Naik 9 IBM Almaden 10 September 26, 2008 12 Requirements for Federated File Systems 13 draft-ietf-nfsv4-federated-fs-reqts-00.txt 15 Status of this Memo 17 By submitting this Internet-Draft, each author represents that any 18 applicable patent or other IPR claims of which he or she is aware 19 have been or will be disclosed, and any of which he or she becomes 20 aware will be disclosed, in accordance with Section 6 of BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF), its areas, and its working groups. Note that 24 other groups may also distribute working documents as Internet- 25 Drafts. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 The list of current Internet-Drafts can be accessed at 33 http://www.ietf.org/ietf/1id-abstracts.txt. 35 The list of Internet-Draft Shadow Directories can be accessed at 36 http://www.ietf.org/shadow.html. 38 This Internet-Draft will expire on March 30, 2009. 40 Copyright Notice 42 Copyright (C) The IETF Trust (2008). 44 Abstract 46 This draft describes and lists the functional requirements of a 47 federated file system and defines related terms. Our intent is to 48 use this draft as a starting point and refine it, with input and 49 feedback from the file system community and other interested parties, 50 until we reach general agreement. We will then begin, again with the 51 help of any interested parties, to define standard, open federated 52 file system protocols that satisfy these requirements and are 53 suitable for implementation and deployment. 55 Table of Contents 57 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3 58 2. Draft Goals . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 60 4. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 61 5. Examples and Discussion . . . . . . . . . . . . . . . . . . . 8 62 5.1. Create a Fileset and its FSL(s) . . . . . . . . . . . . . 8 63 5.1.1. Creating a Fileset and a FSN . . . . . . . . . . . . . 8 64 5.1.2. Adding a Replica of a Fileset . . . . . . . . . . . . 9 65 5.2. Junction Resolution . . . . . . . . . . . . . . . . . . . 9 66 5.3. Junction Creation . . . . . . . . . . . . . . . . . . . . 11 67 6. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 68 7. Proposed Requirements . . . . . . . . . . . . . . . . . . . . 15 69 7.1. Basic Assumptions . . . . . . . . . . . . . . . . . . . . 15 70 7.2. Requirements . . . . . . . . . . . . . . . . . . . . . . . 18 71 8. Non-Requirements . . . . . . . . . . . . . . . . . . . . . . . 24 72 9. IANA Requirements . . . . . . . . . . . . . . . . . . . . . . 25 73 10. Security Considerations . . . . . . . . . . . . . . . . . . . 26 74 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 75 11.1. Normative References . . . . . . . . . . . . . . . . . . . 27 76 11.2. Informational References . . . . . . . . . . . . . . . . . 27 77 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 78 Intellectual Property and Copyright Statements . . . . . . . . . . 30 80 1. Requirements notation 82 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 83 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 84 document are to be interpreted as described in [RFC2119]. 86 Note, that this is a requirements document, and in many instances 87 where these words are used in this document they refer to qualities 88 of a specification for a system that satisfies the document, or 89 requirements of a system that matches that specification. These 90 cases are distinguished when there is potential for ambiguity. 92 2. Draft Goals 94 This draft describes and lists the functional requirements of a 95 federated file system and defines related terms. Our intent is to 96 use this draft as a starting point and refine it, with input and 97 feedback from the file system community and other interested parties, 98 until we reach general agreement. We will then begin, again with the 99 help of any interested parties, to define standard, open federated 100 file system protocols that satisfy these requirements and are 101 suitable for implementation and deployment. 103 We do not describe the mechanisms that might be used to implement 104 this functionality except in cases where specific mechanisms, in our 105 opinion, follow inevitably from the requirements. Our focus is on 106 the interfaces between the entities of the system, not on the 107 protocols or their implementations. 109 For the first version of this document, we are focused on the 110 following questions: 112 o Are any "MUST" requirements missing? 114 o Are there any "MUST" requirements that should be "SHOULD" or 115 "MAY"? 117 o Are there any "SHOULD" requirements that should be "MAY"? 119 o Are there better ways to articulate the requirements? 121 3. Overview 123 Today, there are collections of fileservers that inter-operate to 124 provide a single namespace comprised of filesystem resources provided 125 by different members of the collection, joined together with inter- 126 filesystem junctions. The namespace can either be assembled at the 127 fileservers, the clients, or by an external namespace service -- the 128 mechanisms used to assemble the namespace may vary depending on the 129 filesystem access protocol used by the client. 131 These fileserver collections are, in general, administered by a 132 single administrative entity. This administrator builds the 133 namespace out of the filesystem resources and junctions. There are 134 also singleton servers that export some or all of their filesystem 135 resources, but which do not contain junctions to other filesystems. 137 Current server collections that provide a shared namespace usually do 138 so by means of a service that maps filesystem names to filesystem 139 locations. We refer to this as a namespace database service (NSDB). 140 In some distributed file systems, this service is embodied as a 141 volume location database (VLDB), and may be implemented by LDAP, NIS, 142 or any number of other mechanisms. 144 We use the term "fileset" to represent the abstraction of a 145 filesystem. The fileset abstraction implies very little about how 146 the fileset is implemented, although in the simplest case a fileset 147 can be implemented by an exported filesystem. A fileset is a 148 directory tree that may contain files and references, called 149 "junction", to other filesets. Each fileset has a fileset globally 150 unique name (FSN) that is used as an identifier for the fileset. 151 Each implementation of a given fileset is specified by its fileset 152 location (FSL). 154 The primary purpose of the NSDB service is to provide a level of 155 indirection between the FSN the FSLs. If the NSDB service permits 156 updates to the set of mappings, then the FSLs may be changed (e.g., 157 moved or replicated) in a manner that is transparent to the referring 158 fileset and its server(s). 160 Current approaches are unsuitable to build common namespaces across 161 systems with multiple administrative domains and multiple NSDB nodes. 162 An approach which requires changing existing NSDB nodes to 163 collaborate or replacing them with a single NSDB node, while 164 possible, is not desirable. 166 Figure Figure 1 shows an example of a federation. This federation 167 has two members, named ALPHA and BETA. Federation members may 168 contain an arbitrary number of file servers and NSDB nodes; in this 169 illustration ALPHA and BETA each have three servers and one NSDB 170 node. 172 A federation with two members, ALPHA and BETA. ALPHA and BETA each 173 have their own NSDB node and several file servers, but are 174 administered separately. 176 Figure 1 178 4. Purpose 180 Our objective is to specify a set of interfaces (and corresponding 181 protocols) by which such fileservers and collections of fileservers, 182 with different administrators, can form a federation of fileservers 183 and NSDB nodes that provides a namespace composed of the filesets 184 hosted on the different fileservers and fileserver collections. 186 It should be possible, using a system that implements the interfaces, 187 to share a common namespace across all the fileservers in the 188 federation. It should also be possible for different fileservers in 189 the federation to project different namespaces and enable clients to 190 traverse them. 192 Such a federation may contain an arbitrary number of NSDB nodes, each 193 belonging to a different administrative entity, and each providing 194 the mappings that define a part of a namespace. Such a federation 195 may also have an arbitrary number of administrative entities, each 196 responsible for administering a subset of the servers and NSDB nodes. 197 Acting in concert, the administrators should be able to build and 198 administer this multi-fileserver, multi-collection namespace. 200 Each singleton server can be presumed to provide its own NSDB node, 201 for example with a trivial mapping to local FSLs. 203 It is not the intent of the federation to guarantee namespace 204 consistency across all client views. Since different parts of the 205 namespace may be administered by different entities, it is possible 206 that a client could be accessing a stale area of the namespace 207 managed by one entity because a part of the namespace above it, 208 managed by another entity, has changed. 210 5. Examples and Discussion 212 In this section we provide examples and discussion of the basic 213 operations facilitated by the federated file system protocol: 214 creating a fileset, adding a replica of a fileset, resolving a 215 junction, and creating a junction. 217 5.1. Create a Fileset and its FSL(s) 219 A fileset is the abstraction of a set of files and their containing 220 directory tree. The fileset abstraction is the fundamental unit of 221 data management in the federation. This abstraction is implemented 222 by an actual directory tree whose root location is specified by a 223 fileset location (FSL). 225 In this section, we describe the basic requirements for starting with 226 a directory tree and creating a fileset that can be used in the 227 federation protocols. Note that we do not assume that the process of 228 creating a fileset requires any transformation of the files or the 229 directory hierarchy. The only thing that is required by this process 230 is assigning the fileset a fileset name (FSN) and expressing the 231 location(s) of the implementation of the fileset as FSL(s). 233 There are many possible variations to this procedure, depending on 234 how the FSN that binds the FSL is created, and whether other replicas 235 of the fileset exist, are known to the federation, and need to be 236 bound to the same FSN. 238 It is easiest to describe this in terms of how to create the initial 239 implementation of the fileset, and then describe how to add replicas. 241 5.1.1. Creating a Fileset and a FSN 243 1. Choose the NSDB node that will keep track of the FSL(s) and 244 related information for the fileset. 246 2. Request that the NSDB node register a new FSN for the fileset. 248 The FSN may either be chosen by the NSDB node or by the server. 249 The latter case is used if the fileset is being restored, perhaps 250 as part of disaster recovery, and the server wishes to specify 251 the FSN in order to permit existing junctions that reference that 252 FSN to work again. 254 At this point, the FSN exists, but its location is unspecified. 256 3. Send the FSN, the local volume path, the export path, and the 257 export options for the local implementation of the fileset to the 258 NSDB node. Annotations about the FSN or the location may also be 259 sent. 261 The NSDB node records this info and creates the initial FSL for 262 the fileset. 264 5.1.2. Adding a Replica of a Fileset 266 Adding a replica is straightforward: the NSDB node and the FSN are 267 already known. The only remaining step is to add another FSL. 269 Note that the federation interfaces do not include methods for 270 creating or managing replicas: this is assumed to be a platform- 271 dependent operation (at least at this time). The only interface 272 required is the ability to register or remove the registration of 273 replicas for a fileset. 275 5.2. Junction Resolution 277 A fileset may contain references to other filesets. These references 278 are represented by junctions. If a client requests access to a 279 fileset object that is a junction, the server resolves the junction 280 to discover the FSL(s) that implements the referenced fileset. 282 There are many possible variations to this procedure, depending on 283 how the junctions are represented and how the information necessary 284 to perform resolution is represented by the server. In this example, 285 we assume that the only thing directly expressed by the junction is 286 the junction key; its mapping to FSN can be kept local to the server 287 hosting the junction. 289 Step 5 is the only step that interacts directly with the federation 290 interfaces. The rest of the steps may use platform-specific 291 interfaces. 293 1. The server determines that the object being accessed is a 294 junction. 296 2. The server determines the junction key for the junction. 298 3. Using the junction key, the server does a local lookup to find 299 the FSN of the target fileset. 301 4. Using the FSN, the server finds the NSDB node responsible for the 302 target object. 304 5. The server contacts that NSDB node and asks for the set of FSLs 305 that implement the target FSN. The NSDB node responds with a set 306 of FSLs. 308 6. The server converts the FSL to the location type used by the 309 client (e.g., fs_location for NFSv4, as described in [RFC3530]). 311 7. The server redirects (in whatever manner is appropriate for the 312 client) the client to the location(s). 314 These steps are illustrated in Figure 2. The client sends request 1 315 to server X, in federation member ALPHA, in an attempt to reference 316 an object (which appears to the client as a directory). Server X 317 recognizes that the referenced object is actually a junction that 318 refers to a directory in a different fileset. Server X finds, from 319 the FSN in the junction, that the NSDB responsible for knowing the 320 location of the target of the junction is the NSDB of federation 321 member BETA. Server X sends request 2 to the NSDB of BETA, asking 322 for the current location of the directory. The NSDB sends response 3 323 to server X, telling the server that the directory is located on 324 server Y. Server X sends response 4 to the client, indicating that 325 the directory is in a "new" location on server Y. The client then 326 sends request 5 to server Y, repeating the initial request. 328 Given the current requirements and definitions, this resolution 329 method MUST work. However, there is no requirement that this is the 330 only resolution method that can be used. This method may be used as 331 the fallback when all else fails (or, for a simple implementation, it 332 could be the only method). This is a degenerate implementation of 333 the NSDB service as a simple composition of NSDB nodes; we expect 334 that large federations will use more sophisticated methods to share 335 the FSN and FSL information among multiple NSDB nodes. 337 Figure 2 339 5.3. Junction Creation 341 Given a local path, a remote export and a path relative to that 342 export, create a junction from the local path to the path within the 343 remote export. 345 There are many possible variations to this procedure, depending on 346 how the junctions are represented and how the information necessary 347 to perform resolution is represented by the server. In this example, 348 we assume that the only thing directly expressed by the junction is 349 the junction key; its mapping to FSN can be kept local to the server 350 hosting the junction. 352 Step 1 is the only step that uses the federation interfaces. The 353 rest of the steps may use platform-specific interfaces. 355 1. Contact the server named by the export and ask for the FSN for 356 the fileset, given its path relative to that export. 358 2. Create a new local junction key. 360 3. Insert, in the local junction info table, a mapping from the 361 local junction key to the FSN. 363 4. Insert the junction, at the given path, into the local 364 filesystem. 366 6. Glossary 368 The phrase "USING THE FEDERATION INTERFACES" implies that the 369 subsequent requirement must be satisfied, in its entirety, via the 370 federation interfaces. 372 Administrator: user with the necessary authority to initiate 373 administrative tasks on one or more servers. 375 Admin entity: A server or agent that administers a collection of 376 fileservers and persistently stores the namespace information. 378 Client: Any client that accesses the fileserver data using a 379 supported filesystem access protocol. 381 Federation: A set of server collections and singleton servers that 382 use a common set of interfaces and protocols in order to provide 383 to their clients a federated namespace accessible through a 384 filesystem access protocol. 386 Fileserver: A server exporting a filesystem via a network filesystem 387 access protocol. 389 Fileset: The abstraction of a set of files and their containing 390 directory tree. A fileset is the fundamental unit of data 391 management in the federation. 393 Note that all files within a fileset are descendants of one 394 directory, and that filesets do not span filesystems. 396 Filesystem: A self-contained unit of export for a fileserver, and 397 the mechanism used to implement filesets. The fileset does not 398 need to be rooted at the root of the filesystem, nor at the export 399 point for the filesystem. 401 A single filesystem MAY implement more than one fileset, if the 402 client protocol and the fileserver permit this. 404 Filesystem access protocol: A network filesystem access protocol 405 such as NFSv2 [RFC1094], NFSv3 [RFC1813], NFSv4 [RFC3530], or 406 CIFS. 408 FSL (Fileset location): The location of the implementation of a 409 fileset at a particular moment in time. A FSL MUST be something 410 that can be translated into a protocol-specific description of a 411 resource that a client can access directly, such as a fs_location 412 (for NFSv4), or share name (for CIFS). Note that not all FSLs 413 need to be explicitly exported as long as they are contained 414 within an exported path on the fileserver. 416 FSN (Fileset name): A platform-independent and globally unique name 417 for a fileset. Two FSLs that implement replicas of the same 418 fileset MUST have the same FSN, and if a fileset is migrated from 419 one location to another, the FSN of that fileset MUST remain the 420 same. 422 Junction: A filesystem object used to link a directory name in the 423 current fileset with an object within another fileset. The 424 server-side "link" from a leaf node in one fileset to the root of 425 another fileset. 427 Junction key: The UUID of a fileset, used as a key to lookup an FSN 428 within an NSDB node or a local table of information about 429 junctions. 431 Namespace: A filename/directory tree that a sufficiently-authorized 432 client can observe. 434 NSDB (Namespace Database Service): A service that maps FSNs to FSLs. 435 The NSDB may also be used to store other information, such as 436 annotations for these mappings and their components. 438 NSDB Node: The name or location of a server that implements part of 439 the NSDB service and is responsible for keeping track of the FSLs 440 (and related info) that implement a given partition of the FSNs. 442 Referral: A server response to a client access that directs the 443 client to evaluate the current object as a reference to an object 444 at a different location (specified by an FSL) in another fileset, 445 and possibly hosted on another fileserver. The client re-attempts 446 the access to the object at the new location. 448 Replica: A replica is a redundant implementation of a fileset. Each 449 replica shares the same FSN, but has a different FSL. 451 Replicas may be used to increase availability or performance. 452 Updates to replicas of the same fileset MUST appear to occur in 453 the same order, and therefore each replica is self-consistent at 454 any moment. 456 We do not assume that updates to each replica occur simultaneously 457 If a replica is offline or unreachable, the other replicas may be 458 updated. 460 Server Collection: A set of fileservers administered as a unit. A 461 server collection may be administered with vendor-specific 462 software. 464 The namespace provided by a server collection could be part of the 465 federated namespace. 467 Singleton Server: A server collection containing only one server; a 468 stand-alone fileserver. 470 7. Proposed Requirements 472 Note that the requirements are described in terms of correct behavior 473 by all entities. We do not address the requirements of the system in 474 the presence of faults. 476 7.1. Basic Assumptions 478 Several of the requirements are so fundamental that we treat them as 479 basic assumptions; if any of these assumptions are violated, the rest 480 of the requirements must be reviewed in their entirety. 482 A1: The federation protocols do not require any changes to existing 483 client-facing protocols, and MAY be extended to incorporate new 484 client-facing protocols. 486 A2: A client SHOULD NOT require any a priori knowledge of the 487 general structure or composition of the federation. 489 The client may require some specific knowledge in order to find 490 and access an instance of the fileset that defines the root of 491 its view of the namespace. As the client traverses the 492 namespace, the client discovers the information it needs in 493 order to locate the filesets it accesses. 495 A3: All requirements MUST be satisfiable via the federation 496 protocols and the standard protocols used by the fileservers 497 (i.e., NFS, CIFS, DNS, etc). 499 USING THE FEDERATION INTERFACES, a federation operation that 500 requires an interaction between two (or more) entities that are 501 members of the federation MUST be possible without requiring any 502 proprietary protocols. 504 A4: All the entities participating in a federation operation MUST be 505 able to authenticate each other. 507 All principals (clients, users, administrator of a singleton or 508 server collection, hosts, NSDB nodes, etc) that can assume a 509 role defined by the federation protocol can identify themselves 510 to each other via an authentication mechanism. This mechanism 511 is not defined or further described in this document. 513 The authority of a principal to request that a second principal 514 perform a specific operation is ultimately determined by the 515 second. Authorization may be partitioned by server collection 516 or set of servers as well as by operation. For example, if a 517 user has administrative privileges on one server in the 518 federation, this does not imply that they have administrative 519 privileges (or, for that matter, any privileges whatsoever) on 520 any other server in the federation. 522 In order to access the functionality provided by the federation 523 interfaces, it may be necessary to have elevated privileges or 524 authorization. The authority required by different operations 525 may be different. For example, the authority required to query 526 the NSDB about the FSLs bound to an FSN may be different than 527 the authority required to change the bindings of that FSN. 529 An operation attempted by an unauthorized entity MUST fail in a 530 manner that indicates that the failure was due to insufficient 531 authorization. 533 This document does not enumerate the authorization necessary for 534 any operation. 536 A5: The federation protocols MUST NOT require changes to existing 537 authentication/authorization mechanisms in use at the 538 fileservers for client-facing protocols. 540 A user's view of the namespace may be limited by the 541 authentication and authorization privileges it has on the 542 different fileservers in the federation. As such, users may 543 only be able to traverse the parts of the namespace that they 544 have access to. 546 The federation protocols do not impose any restrictions on how 547 users are represented within the federation. For example, a 548 single enterprise could employ a common identity for users 549 across the federation. A grid environment could utilize user 550 mapping or translations across different administrative domains. 552 A6: In a federated system, we assume that a FSN MUST express, or can 553 be used to discover, the following two pieces of information: 555 1. The location of the NSDB node that is responsible for 556 knowing the filesystem location(s) (FSLs) of the named 557 fileset. 559 The NSDB node must be specified because there may be many 560 NSDB nodes in a federation. We do not assume that any 561 single entity knows the location of all of the NSDB nodes, 562 and therefore exhaustive search is not an option. 564 There are several ways in which a fileserver can locate the 565 NSDB node responsible for a given fileset. One approach, 566 given a DNS infrastructure, is to specify the location of 567 the NSDB node by the FQDN of the server hosting the NSDB 568 node. Another approach is to use a separate DNS-style 569 hierarchy to resolve the location of the NSDB node. 571 2. The junction key. 573 The junction key is the index used by the NSDB node to 574 identify the FSN of the target fileset. 576 There are several ways to represent junction keys. One 577 approach could use 128-bit UUIDs as described described in 578 [RFC4122]. 580 As an example, an FSN could be represented by a URL of the form 581 nsdb.example.com/UUID where nsdb.example.com is the FQDN of the 582 server hosting the NSDB node and UUID is the string 583 representation of the junction key. 585 Note that it is not assumed that it is always required for a 586 server to contact the NSDB node specified by the FSN in order to 587 find the FSLs. The relevant information stored in that NSDB 588 node may also be cached local to the server or on a proxy NSDB 589 node "near" the server. 591 A7: All federation servers and NSDB nodes are assumed to execute the 592 federation protocols correctly. The behavior of the federation 593 is undefined in the case of Byzantine behavior by any federation 594 server or NSDB node. 596 A8: The locations of federation services (such as NSDBs and FSLs) 597 can be specified in a manner such that they can be correctly 598 interpreted by all members of the federation that will access 599 them. 601 For example, if an NSDB node is specified by a FQDN, then this 602 implies that every member of the federation that needs to access 603 this NSDB node can resolve this FQDN to an IP address for that 604 NSDB node. (It is not necessary that the FQDN always resolve to 605 the same address; the same service may appear at different 606 addresses on different networks.) 608 It is the responsibility of each federation member to ensure 609 that the resources it wishes to expose have accessible network 610 locations and that the necessary resolution mechanisms (i.e., 611 DNS) are given the necessary data to perform the resolution 612 correctly. 614 7.2. Requirements 616 R1: Requirements of each FSN: 618 a. Each FSN MUST be globally unique. 620 b. The FSN MUST be sufficiently descriptive to locate an 621 instance of the fileset it names within the federation at 622 any time. 624 c. An FSN is a name of a fileset. (An FSL is not the name of 625 a fileset, but only a locator of an instance of a fileset 626 at some point in time. For example, the same FSL may 627 implement different filesets at different times.) 629 + If a fileset instance is moved to a new location, it 630 will have a new FSL, but its FSN is unchanged. 632 + An instance of a different fileset may be placed at a 633 FSL previously occupied by an instance of a different 634 fileset. 636 d. If a fileset instance is migrated to another location, the 637 FSN remains the same in the new location. 639 e. If the fileset is replicated using the federation 640 interfaces, then all of the replicas have the same FSN. 642 Not all filesets in the federation are required to have a FSN 643 or be reachable by a FSL. Only those filesets that are the 644 target of a junction (as described in R3) are required to have 645 an FSN. 647 NOTE: this requirement has been called into question. 649 R2: USING THE FEDERATION INTERFACES, it MUST be possible to create 650 an FSN for a fileset, and it must be possible to bind an FSL to 651 that FSN. These operations are NSDB operations and do not 652 require any action on the part of an NFS server. 654 It is possible to create an FSN for a fileset that has not 655 actually been created. It is also possible to bind a 656 nonexistant FSL to an FSN. It is also possible to create a 657 fileset without assigning it an FSN. The binding between an 658 FSN and an FSL is defined entirely within the context of the 659 NSDB; the servers do not "know" whether the filesets they host 660 have been assigned FSNs (or, if so, what those FSNs are). 662 The requirement that filesets can exist prior to being assigned 663 an FSN, and the requirement that FSNs can exist independent of 664 filesets are intended to simplify the construction of the 665 namespace in a convenient manner. For example, they permit an 666 admin to assign FSNs to existing filesets and thereby 667 incorporate existing filesets into the namespace. They also 668 permit the structure of the namespace to be defined prior to 669 creation of the component filesets. In either case, it is the 670 responsibility of the entity updating the NSDB with FSNs and 671 FSN-to-FSL mappings to ensure that the namespace is constructed 672 in a consistent manner. (The simplest way to accomplish this 673 is to ensure that the FSN and FSN-to-FSL mappings are always 674 recorded in the NSDB prior to the creation of any junctions 675 that refer to that FSN.) 677 a. An administrator MAY specify the entire FSN (including both 678 the NSDB node location and the junction key) of the newly- 679 created FSL, or the administrator MAY specify only the NSDB 680 node and have the system choose the junction key. 682 The admin can choose to specify the FSN explicitly in order 683 to recreate a lost fileset with a given FSN (for example, 684 as part of disaster recovery). It is an error to assign an 685 FSN that is already in use by an active fileset. 687 Note that creating a replica of an existing filesystem is 688 NOT accomplished by assigning the FSN of the filesystem you 689 wish to replicate to a new filesystem. 691 b. USING THE FEDERATION INTERFACES, it MUST be possible to 692 create a federation FSL by specifying a specific local 693 volume, path, export path, and export options. 695 R3: USING THE FEDERATION INTERFACES, and given the FSN of a target 696 fileset, it MUST be possible to create a junction to that 697 fileset at a named place in another fileset. 699 After a junction has been created, clients that access the 700 junction transparently interpret it as a reference to the 701 FSL(s) that implement the FSN associated with the junction. 703 a. It SHOULD be possible to have more than one junction whose 704 target is a given fileset. In other words, it SHOULD be 705 possible to mount a fileset at multiple named places. 707 b. If the fileset in which the junction is created is 708 replicated, then the junction MUST eventually appear in all 709 of its replicas. 711 The operation of creating a junction within a fileset is 712 treated as an update to the fileset, and therefore obey the 713 general rules about updates to replicated filesets. 715 R4: USING THE FEDERATION INTERFACES, it MUST be possible to delete 716 a specific junction from a fileset. 718 If a junction is deleted, clients who are already viewing the 719 fileset referred to by the junction after traversing the 720 junction MAY continue to view the old namespace. They might 721 not discover that the junction no longer exists (or has been 722 deleted and replaced with a new junction, possibly referring to 723 a different FSN). 725 After a junction is deleted, another object with the same name 726 (another junction, or an ordinary filesystem object) may be 727 created. 729 The operation of deleting a junction within a fileset is 730 treated as an update to the fileset, and therefore obey the 731 general rules about updates to replicated filesets. 733 R5: USING THE FEDERATION INTERFACES, it MUST be possible to 734 invalidate an FSN. 736 a. If a junction refers to an FSN that is invalid, attempting 737 to traverse the junction MUST fail. 739 An FSN that has been invalidated MAY become valid again if the 740 FSN is recreated (i.e., as part of a disaster recovery 741 process). 743 If an FSN is invalidated, clients who are already viewing the 744 fileset named by the FSN MAY continue to view the old 745 namespace. They might not discover that the FSN is no longer 746 valid until they try to traverse a junction that refers to it. 748 R6: USING THE FEDERATION INTERFACES, it MUST be possible to 749 invalidate a FSL. 751 a. An invalid FSL MUST NOT be returned as the result of 752 resolving a junction. 754 An FSL that has been invalidated MAY become valid again if the 755 FSL is recreated (i.e., as part of a disaster recovery 756 process). 758 If an FSL is invalidated, clients who are already viewing the 759 fileset implemented by the FSL MAY continue to use that FSL. 760 They might not discover that the FSL is no longer valid until 761 they try to traverse a junction that refers to the fileset 762 implemented by the FSL. 764 Note that invalidating an FSL does not imply that the 765 underlying export or share (depending on the file access 766 protocol in use) is changed in any way -- it only changes the 767 mappings from FSNs to FSLs on the NSDB. 769 R7: It MUST be possible for the federation of servers to provide 770 multiple namespaces. 772 R8: USING THE FEDERATION INTERFACES, it MUST be possible to perform 773 queries about the state of objects relevant to the 774 implementation of the federation namespace. 776 It MUST be possible to query the fileserver named in an FSL to 777 discover whether a junction exists at a given path within that 778 FSL. 780 R9: The projected namespace (and the objects named by the 781 namespace) MUST be accessible to clients via at least one 782 standard filesystem access protocol. 784 a. The namespace SHOULD be accessible to clients via the CIFS 785 protocol. 787 b. The namespace SHOULD be accessible to clients via the NFSv4 788 protocol as described in [RFC3530]. 790 c. The namespace SHOULD be accessible to clients via the NFSv3 791 protocol as described in [RFC1813]. 793 d. The namespace SHOULD be accessible to clients via the NFSv2 794 protocol as described in [RFC1094]. 796 It must be understood that some of these protocols, such as 797 NFSv3 and NFSv2, have no innate ability to access a namespace 798 of this kind. Where such protocols have been augmented with 799 other protocols and mechanisms (such as autofs or amd for 800 NFSv3) to provide an extended namespace, we propose that these 801 protocols and mechanisms may be used, or extended, in order to 802 satisfy the requirements given in this draft, and different 803 clients may use different mechanisms. 805 R10: USING THE FEDERATION INTERFACES, it MUST be possible to modify 806 the NSDB mapping from an FSN to a set of FSLs to reflect the 807 migration from one FSL to another. 809 R11: FSL migration SHOULD have little or no impact on the clients, 810 but this is not guaranteed across all federation members. 812 Whether FSL migration is performed transparently depends on 813 whether the source and destination servers are able to do so. 814 It is the responsibility of the administrator to recognize 815 whether or not the migration will be transparent, and advise 816 the system accordingly. The federation, in turn, MUST advise 817 the servers to notify their clients, if necessary. 819 For example, on some systems, it may be possible to migrate a 820 fileset from one system to another with minimal client impact 821 because all client-visible metadata (inode numbers, etc) are 822 preserved during migration. On other systems, migration might 823 be quite disruptive. 825 R12: USING THE FEDERATION INTERFACES, it MUST be possible to modify 826 the NSDB mapping from an FSN to a set of FSLs to reflect the 827 addition/removal of a replica at a given FSL. 829 R13: Replication SHOULD have little or no negative impact on the 830 clients. 832 Whether FSL replication is performed transparently depends on 833 whether the source and destination servers are able to do so. 834 It is the responsibility of the administrator initiating the 835 replication to recognize whether or not the replication will be 836 transparent, and advise the federation accordingly. The 837 federation MUST advise the servers to notify their clients, if 838 necessary. 840 For example, on some systems, it may be possible to mount any 841 FSL of an FSN read/write, while on other systems, there may be 842 any number of read-only replicas but only one FSL that can be 843 mounted read-write. 845 R14: USING THE FEDERATION INTERFACES, it SHOULD be possible to 846 annotate the objects and relations managed by the federation 847 protocol with arbitrary name/value pairs. 849 These annotations are not used by the federation protocols -- 850 they are intended for use by higher-level protocols. For 851 example, an annotation that might be useful for a system 852 administrator browsing the federation would be the "owner" of 853 each FSN (i.e., "this FSN is for the home directory of Joe 854 Smith."). As another example, the annotations may express 855 hints used by the clients (such as priority information for 856 NFSv4.1). 858 Both FSNs and FSLs may be annotated. For example, an FSN 859 property might be "This is Joe Smith's home directory", and an 860 FSL property might be "This instance of the FSN is at the 861 remote backup site." 863 a. USING THE FEDERATION INTERFACES, it MUST be possible to 864 query the system to find the annotations for a junction. 866 b. USING THE FEDERATION INTERFACES, it MUST be possible to 867 query the system to find the annotations for a FSN. 869 c. USING THE FEDERATION INTERFACES, it MUST be possible to 870 query the system to find the annotations for a FSL. 872 8. Non-Requirements 874 N1: It is not necessary for the namespace to be known by any 875 specific fileserver. 877 In the same manner that clients do not need to have a priori 878 knowledge of the structure of the namespace or its mapping onto 879 federation members, the projected namespace can exist without 880 individual fileservers knowing the entire organizational 881 structure, or, indeed, without knowing exactly where in the 882 projected namespace the filesets they host exist. 884 Fileservers do need to be able to handle referrals from other 885 fileservers, but they do not need to know what path the client 886 was accessing when the referral was generated. 888 N2: It is not necessary for updates and accesses to the federation 889 data to occur in transaction or transaction-like contexts. 891 One possible requirement that is omitted from our current list 892 is that updates and accesses to the data stored in the NSDB (or 893 individual NSDB nodes) occur within a transaction context. We 894 were not able to agree whether the benefits of transactions are 895 worth the complexity they add (both to the specification and its 896 eventual implementation) but this topic is open for discussion. 898 Below is the the draft of a proposed requirement that provides 899 transactional semantics: 901 "There MUST be a way to ensure that sequences of operations, 902 including observations of the namespace (including finding 903 the locations corresponding to a set of FSNs) and changes to 904 the namespace or related data stored in the system (including 905 the creation, renaming, or deletion of junctions, and the 906 creation, altering, or deletion of mappings between FSN and 907 filesystem locations), can be performed in a manner that 908 provides predictable semantics for the relationship between 909 the observed values and the effect of the changes." 911 "It MUST be possible to protect sequences of operations by 912 transactions with NSDB-wide or server-wide ACID semantics." 914 9. IANA Requirements 916 This document has no actions for IANA. 918 10. Security Considerations 920 Assuming the Internet threat model, the federated resolution 921 mechanism described in this document MUST be implemented in such a 922 way to prevent loss of CONFIDENTIALITY, DATA INTEGRITY and PEER 923 ENTITY AUTHENTICATION, as described in [RFC3552]. 925 CONFIDENTIALITY may be violated if an unauthorized party is able to 926 eavesdrop on the communication between authorized servers and NSDB 927 nodes and thereby learn the locations or other information about FSNs 928 that they would not be authorized to discover via direct queries. 929 DATA INTEGRITY may be compromised if a third party is able to 930 undetectably alter the contents of the communication between servers 931 and NSDB nodes. PEER ENTITY AUTHENTICATION is defeated if one server 932 can masquerade as another server without proper authority, or if an 933 arbitrary host can masquerade as a NSDB node. 935 Well-established techniques for providing authenticated channels may 936 be used to defeat these attacks, and the protocol MUST support at 937 least one of them. 939 For example, if LDAP is used to implement the query mechanism 940 [RFC4511], then TLS may be used to provide both authentication and 941 integrity [RFC4346] [RFC4513]. If the query protocol is implemented 942 on top of ONC/RPC, then RPCSEC_GSS may be used to fill the same role 943 [RFC2203] [RFC2743]. 945 11. References 947 11.1. Normative References 949 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 950 Requirement Levels", BCP 14, RFC 2119, March 1997. 952 [RFC2203] Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS Protocol 953 Specification", RFC 2203, September 1997. 955 [RFC2743] Linn, J., "Generic Security Service Application Program 956 Interface Version 2, Update 1", RFC 2743, January 2000. 958 [RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., 959 Beame, C., Eisler, M., and D. Noveck, "Network File System 960 (NFS) version 4 Protocol", RFC 3530, April 2003. 962 [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC 963 Text on Security Considerations", BCP 72, RFC 3552, 964 July 2003. 966 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 967 Unique IDentifier (UUID) URN Namespace", RFC 4122, 968 July 2005. 970 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security 971 (TLS) Protocol Version 1.1", RFC 4346, April 2006. 973 [RFC4511] Sermersheim, J., "Lightweight Directory Access Protocol 974 (LDAP): The Protocol", RFC 4511, June 2006. 976 [RFC4513] Harrison, R., "Lightweight Directory Access Protocol 977 (LDAP): Authentication Methods and Security Mechanisms", 978 RFC 4513, June 2006. 980 11.2. Informational References 982 [RFC1094] Nowicki, B., "NFS: Network File System Protocol 983 specification", RFC 1094, March 1989. 985 [RFC1813] Callaghan, B., Pawlowski, B., and P. Staubach, "NFS 986 Version 3 Protocol Specification", RFC 1813, June 1995. 988 Authors' Addresses 990 Daniel Ellard 991 BBN Technologies 992 10 Moulton Street 993 Cambridge, MA 02138 994 US 996 Phone: +1 617-873-8000 997 Email: ellard@gmail.com 999 Craig Everhart 1000 NetApp 1001 7301 Kit Creek Rd 1002 Research Triangle Park, NC 27709 1003 US 1005 Phone: +1 919-476-5320 1006 Email: everhart@netapp.com 1008 James Lentini 1009 NetApp 1010 1601 Trapelo Rd, Suite 16 1011 Waltham, MA 02451 1012 US 1014 Phone: +1 781-768-5359 1015 Email: jlentini@netapp.com 1017 Renu Tewari 1018 IBM Almaden 1019 650 Harry Rd 1020 San Jose, CA 95120 1021 US 1023 Email: tewarir@us.ibm.com 1024 Manoj Naik 1025 IBM Almaden 1026 650 Harry Rd 1027 San Jose, CA 95120 1028 US 1030 Email: manoj@almaden.ibm.com 1032 Full Copyright Statement 1034 Copyright (C) The IETF Trust (2008). 1036 This document is subject to the rights, licenses and restrictions 1037 contained in BCP 78, and except as set forth therein, the authors 1038 retain all their rights. 1040 This document and the information contained herein are provided on an 1041 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1042 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 1043 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 1044 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 1045 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1046 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1048 Intellectual Property 1050 The IETF takes no position regarding the validity or scope of any 1051 Intellectual Property Rights or other rights that might be claimed to 1052 pertain to the implementation or use of the technology described in 1053 this document or the extent to which any license under such rights 1054 might or might not be available; nor does it represent that it has 1055 made any independent effort to identify any such rights. Information 1056 on the procedures with respect to rights in RFC documents can be 1057 found in BCP 78 and BCP 79. 1059 Copies of IPR disclosures made to the IETF Secretariat and any 1060 assurances of licenses to be made available, or the result of an 1061 attempt made to obtain a general license or permission for the use of 1062 such proprietary rights by implementers or users of this 1063 specification can be obtained from the IETF on-line IPR repository at 1064 http://www.ietf.org/ipr. 1066 The IETF invites any interested party to bring to its attention any 1067 copyrights, patents or patent applications, or other proprietary 1068 rights that may cover technology that may be required to implement 1069 this standard. Please address the information to the IETF at 1070 ietf-ipr@ietf.org. 1072 Acknowledgment 1074 Funding for the RFC Editor function is provided by the IETF 1075 Administrative Support Activity (IASA).