RFC 7285

 
 
 

Application-Layer Traffic Optimization (ALTO) Protocol

Part 4 of 4, p. 64 to 91

 


12.  Use Cases

   The sections below depict typical use cases.  While these use cases
   focus on peer-to-peer applications, ALTO can be applied to other
   environments such as Content Distribution Networks (CDNs)
   [ALTO-USE-CASES].

12.1.  ALTO Client Embedded in P2P Tracker

   Many deployed P2P systems use a tracker to manage swarms and perform
   peer selection.  Such a P2P tracker can already use a variety of
   information to perform peer selection to meet application-specific
   goals.  By acting as an ALTO client, the P2P tracker can use ALTO
   information as an additional information source to enable more
   network-efficient traffic patterns and improve application
   performance.

   A particular requirement of many P2P trackers is that they must
   handle a large number of P2P clients.  A P2P tracker can obtain and
   locally store ALTO information (e.g., ALTO network maps and cost
   maps) from the ISPs containing the P2P clients, and benefit from the
   same aggregation of network locations done by ALTO servers.

       .---------.   (1) Get Network Map    .---------------.
       |         | <----------------------> |               |
       |  ALTO   |                          |  P2P Tracker  |
       | Server  |   (2) Get Cost Map       | (ALTO client) |
       |         | <----------------------> |               |
       `---------'                          `---------------'
                                               ^     |
                                 (3) Get Peers |     | (4) Selected Peer
                                               |     v     List
                 .---------.                 .-----------.
                 | Peer 1  | <-------------- |   P2P     |
                 `---------'                 |  Client   |
                     .      (5) Connect to   `-----------'
                     .        Selected Peers     /
                 .---------.                    /
                 | Peer 50 | <------------------
                 `---------'

               Figure 4: ALTO Client Embedded in P2P Tracker

   Figure 4 shows an example use case where a P2P tracker is an ALTO
   client and applies ALTO information when selecting peers for its P2P
   clients.  The example proceeds as follows:

   1.  The P2P tracker requests from the ALTO server a network map, so
       that it can locally map P2P clients into PIDs.

   2.  The P2P tracker requests from the ALTO server the cost map
       amongst all PIDs identified in the preceding step.

   3.  A P2P client joins the swarm, and requests a peer list from the
       P2P tracker.

   4.  The P2P tracker returns a peer list to the P2P client.  The
       returned peer list is computed based on the network map and the
       cost map returned by the ALTO server, and possibly other
       information sources.  Note that it is possible that a tracker may
       use only the network map to implement hierarchical peer selection
       by preferring peers within the same PID and ISP.

   5.  The P2P client connects to the selected peers.

   Note that the P2P tracker may provide peer lists to P2P clients
   distributed across multiple ISPs.  In such a case, the P2P tracker
   may communicate with multiple ALTO servers.

12.2.  ALTO Client Embedded in P2P Client: Numerical Costs

   P2P clients may also utilize ALTO information themselves when
   selecting from available peers.  It is important to note that not all
   P2P systems use a P2P tracker for peer discovery and selection.
   Furthermore, even when a P2P tracker is used, the P2P clients may
   rely on other sources, such as peer exchange and DHTs, to discover
   peers.

   When a P2P client uses ALTO information, it typically queries only
   the ALTO server servicing its own ISP.  The "my-Internet view"
   provided by its ISP's ALTO server can include preferences to all
   potential peers.

   .---------.   (1) Get Network Map    .---------------.
   |         | <----------------------> |               |
   |  ALTO   |                          |  P2P Client   |
   | Server  |   (2) Get Cost Map       | (ALTO client) |
   |         | <----------------------> |               |    .---------.
   `---------'                          `---------------' <- |  P2P    |
             .---------.                 /  |      ^    ^    | Tracker |
             | Peer 1  | <--------------    |      |     \   `---------'
             `---------'                    |    (3) Gather Peers
                 .      (4) Select Peers    |      |       \
                 .        and Connect      /   .--------.  .--------.
             .---------.                  /    |  P2P   |  |  DHT   |
             | Peer 50 | <----------------     | Client |  `--------'
             `---------'                       | (PEX)  |
                                               `--------'

               Figure 5: ALTO Client Embedded in P2P Client

   Figure 5 shows an example use case where a P2P client locally applies
   ALTO information to select peers.  The use case proceeds as follows:

   1.  The P2P client requests the network map covering all PIDs from
       the ALTO server servicing its own ISP.

   2.  The P2P client requests the cost map providing path costs amongst
       all PIDs from the ALTO server.  The cost map by default specifies
       numerical costs.

   3.  The P2P client discovers peers from sources such as peer exchange
       (PEX) from other P2P clients, distributed hash tables (DHT), and
       P2P trackers.

   4.  The P2P client uses ALTO information as part of the algorithm for
       selecting new peers and connects to the selected peers.
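
   The peer selection described in Sections 12.1 and 12.2, as an added
   example that is not part of RFC 7285: map addresses to PIDs by
   longest-prefix match over a network map, then order candidates by
   numerical cost.  The sample maps, the function names and the per-PID
   cap are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample data in the RFC 7285 network map and cost map JSON layout
# (already parsed); the PIDs, prefixes and costs are illustrative, not real.
NETWORK_MAP = {"network-map": {
    "PID1": {"ipv4": ["192.0.2.0/24", "198.51.100.0/25"]},
    "PID2": {"ipv4": ["198.51.100.128/25"]},
    "PID3": {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]},
}}
COST_MAP = {
    "meta": {"cost-type": {"cost-mode": "numerical",
                           "cost-metric": "routingcost"}},
    "cost-map": {
        "PID1": {"PID1": 1, "PID2": 5, "PID3": 10},
        "PID2": {"PID1": 5, "PID2": 1, "PID3": 15},
        "PID3": {"PID1": 20, "PID2": 15},   # PID3 -> PID3 deliberately absent
    },
}


def build_prefix_table(network_map):
    """Flatten the network map into (network, pid) pairs."""
    table = []
    for pid, by_type in network_map["network-map"].items():
        for addr_type, prefixes in by_type.items():
            if addr_type not in ("ipv4", "ipv6"):
                continue  # address type this example does not understand
            for prefix in prefixes:
                net = ipaddress.ip_network(prefix)  # raises on malformed input
                if addr_type != f"ipv{net.version}":
                    raise ValueError(f"{prefix!r} listed under {addr_type}")
                table.append((net, pid))
    return table


def pid_of(table, address):
    """Map an endpoint address to its PID by longest-prefix match."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, pid in table:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, pid)
    return best[1] if best else None


def select_peers(table, cost_map, client, candidates, want, max_per_pid):
    """Return up to `want` candidates, lowest path cost first."""
    if cost_map["meta"]["cost-type"]["cost-mode"] != "numerical":
        raise ValueError("this selector expects numerical costs")
    row = cost_map["cost-map"].get(pid_of(table, client), {})
    scored = []
    for peer in candidates:
        pid = pid_of(table, peer)
        cost = row.get(pid)
        usable = (isinstance(cost, (int, float))
                  and not isinstance(cost, bool) and cost >= 0)
        # Missing or malformed costs sort last instead of counting as "free".
        scored.append((not usable, cost if usable else 0, peer, pid))
    scored.sort(key=lambda s: s[:2])  # stable: ties keep discovery order
    chosen, per_pid = [], {}
    for _, _, peer, pid in scored:
        if per_pid.get(pid, 0) >= max_per_pid:
            continue  # local cap (assumption): no single PID fills the list
        per_pid[pid] = per_pid.get(pid, 0) + 1
        chosen.append(peer)
        if len(chosen) == want:
            break
    return chosen


if __name__ == "__main__":
    table = build_prefix_table(NETWORK_MAP)
    peers = ["203.0.113.9", "192.0.2.20", "198.51.100.200",
             "198.51.100.5", "192.0.2.30", "2001:db8::1"]
    print(select_peers(table, COST_MAP, "192.0.2.10", peers, 4, 2))
```

   The per-PID cap keeps a cost map that strongly prefers one small
   prefix from steering the whole peer list to it, which is the
   overload concern raised in Section 15.2.1.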

12.3.  ALTO Client Embedded in P2P Client: Ranking

   It is also possible for a P2P client to offload the selection and
   ranking process to an ALTO server.  In this use case, the ALTO client
   embedded in the P2P client gathers a list of known peers in the
   swarm, and asks the ALTO server to rank them.  This document limits
   the use case to when the P2P client and the ALTO server are deployed
   by the same entity; hence, the P2P client uses the ranking provided
   by the ALTO server directly.

   As in the use case using numerical costs, the P2P client typically
   only queries the ALTO server servicing its own ISP.

   .---------.                          .---------------.
   |         |                          |               |
   |  ALTO   | (2) Get Endpoint Ranking |  P2P Client   |
   | Server  | <----------------------> | (ALTO client) |
   |         |                          |               |    .---------.
   `---------'                          `---------------' <- |  P2P    |
             .---------.                 /  |      ^    ^    | Tracker |
             | Peer 1  | <--------------    |      |     \   `---------'
             `---------'                    |    (1) Gather Peers
                 .      (3) Connect to      |      |       \
                 .        Selected Peers   /   .--------.  .--------.
             .---------.                  /    |  P2P   |  |  DHT   |
             | Peer 50 | <----------------     | Client |  `--------'
             `---------'                       | (PEX)  |
                                               `--------'

           Figure 6: ALTO Client Embedded in P2P Client: Ranking

   Figure 6 shows an example of this scenario.  The use case proceeds as
   follows:

   1.  The P2P client discovers peers from sources such as Peer Exchange
       (PEX) from other P2P clients, Distributed Hash Tables (DHT), and
       P2P trackers.

   2.  The P2P client queries the ALTO server's ranking service (i.e.,
       the ECS Service), by including the discovered peers as the set of
       destination endpoints, and indicating the "ordinal" cost mode.
       The response indicates the ranking of the candidate peers.

   3.  The P2P client connects to the peers in the order specified in
       the ranking.
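
   The ranking exchange in step 2, as an added example that is not part
   of RFC 7285: it builds the Endpoint Cost Service request in "ordinal"
   mode and validates the response before ordering peers.  The JSON
   member names follow the Endpoint Cost Service definition in RFC 7285;
   the function names and the sample response are assumptions
   constructed for this illustration.

```python
import ipaddress
import json

REQUEST_TYPE = "application/alto-endpointcostparams+json"   # Table 2
RESPONSE_TYPE = "application/alto-endpointcost+json"        # Table 2


def typed(addr):
    """Encode an address as a typed endpoint address ('ipv4:192.0.2.1')."""
    ip = ipaddress.ip_address(addr)
    return f"ipv{ip.version}:{ip.compressed}"


def untyped(text):
    """Parse 'ipv4:...' or 'ipv6:...' back into an ipaddress object."""
    kind, _, addr = text.partition(":")
    ip = ipaddress.ip_address(addr)
    if kind != f"ipv{ip.version}":
        raise ValueError(f"address type does not match address: {text!r}")
    return ip


def build_ranking_request(peers, src=None):
    """JSON body to POST with Content-Type REQUEST_TYPE.

    With no source given, the server derives it from the source IP address
    of the query (the NAT-friendly mode described in Section 13.3).
    """
    endpoints = {"dsts": [typed(p) for p in peers]}
    if src is not None:
        endpoints["srcs"] = [typed(src)]
    return json.dumps({
        "cost-type": {"cost-mode": "ordinal", "cost-metric": "routingcost"},
        "endpoints": endpoints,
    })


def ranked_peers(content_type, body, requested):
    """Return the requested peers in rank order (lowest rank first)."""
    if content_type.split(";")[0].strip().lower() != RESPONSE_TYPE:
        raise ValueError(f"unexpected media type {content_type!r}")
    doc = json.loads(body)
    if doc["meta"]["cost-type"].get("cost-mode") != "ordinal":
        raise ValueError("response is not in ordinal cost mode")
    rows = doc["endpoint-cost-map"]
    if len(rows) != 1:
        raise ValueError("expected costs from exactly one source endpoint")
    wanted = {ipaddress.ip_address(p): p for p in requested}
    ranks = {}
    for dst, rank in next(iter(rows.values())).items():
        try:
            ip = untyped(dst)
        except ValueError:
            continue  # malformed destination: ignore
        if ip not in wanted:
            continue  # never adopt an endpoint that was not in the request
        if isinstance(rank, bool) or not isinstance(rank, int) or rank < 0:
            continue  # ranks are treated here as non-negative integers
        ranks[wanted[ip]] = rank
    return sorted(ranks, key=ranks.get)


# Constructed sample response; 203.0.113.99 was never requested.
SAMPLE_RESPONSE = json.dumps({
    "meta": {"cost-type": {"cost-mode": "ordinal",
                           "cost-metric": "routingcost"}},
    "endpoint-cost-map": {"ipv4:192.0.2.2": {
        "ipv4:192.0.2.89": 2,
        "ipv4:198.51.100.34": 1,
        "ipv4:203.0.113.45": 3,
        "ipv4:203.0.113.99": 0,
    }},
})

if __name__ == "__main__":
    peers = ["192.0.2.89", "198.51.100.34", "203.0.113.45"]
    print(build_ranking_request(peers))
    print(ranked_peers(RESPONSE_TYPE, SAMPLE_RESPONSE, peers))
```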

13.  Discussions

13.1.  Discovery

   The discovery mechanism by which an ALTO client locates an
   appropriate ALTO server is out of scope for this document.  This
   document assumes that an ALTO client can discover an appropriate ALTO
   server.  Once it has done so, the ALTO client may use the information
   resource directory (see Section 9.2) to locate an information
   resource with the desired ALTO information.

13.2.  Hosts with Multiple Endpoint Addresses

   In practical deployments, a particular host can be reachable using
   multiple addresses (e.g., a wireless IPv4 connection, a wireline IPv4
   connection, and a wireline IPv6 connection).  In general, the
   particular network path followed when sending packets to the host
   will depend on the address that is used.  Network providers may
   prefer one path over another.  An additional consideration may be how
   to handle private address spaces (e.g., behind carrier-grade NATs).

   To support such behavior, this document allows multiple endpoint
   addresses and address types.  With this support, the ALTO Protocol
   allows an ALTO service provider the flexibility to indicate
   preferences for paths from an endpoint address of one type to an
   endpoint address of a different type.

13.3.  Network Address Translation Considerations

   In this day and age of NAT v4<->v4, v4<->v6 [RFC6144], and possibly
   v6<->v6 [RFC6296], a protocol should strive to be NAT friendly and
   minimize carrying IP addresses in the payload or provide a mode of
   operation where the source IP address provides the information
   necessary to the server.

   The protocol specified in this document provides a mode of operation
   where the source network location is computed by the ALTO server
   (i.e., the Endpoint Cost Service) from the source IP address found in
   the ALTO client query packets.  This is similar to how some P2P
   trackers (e.g., BitTorrent trackers -- see "Tracker HTTP/HTTPS
   Protocol" in [BitTorrent]) operate.

   There may be cases in which an ALTO client needs to determine its own
   IP address, such as when specifying a source endpoint address in the
   Endpoint Cost Service.  It is possible that an ALTO client has
   multiple network interface addresses, and that some or all of them
   may require NAT for connectivity to the public Internet.

   If a public IP address is required for a network interface, the ALTO
   client SHOULD use the Session Traversal Utilities for NAT (STUN)
   [RFC5389].  If using this method, the host MUST use the "Binding
   Request" message and the resulting "XOR-MAPPED-ADDRESS" parameter
   that is returned in the response.  Using STUN requires cooperation
   from a publicly accessible STUN server.  Thus, the ALTO client also
   requires configuration information that identifies the STUN server,
   or a domain name that can be used for STUN server discovery.  To be
   selected for this purpose, the STUN server needs to provide the
   public reflexive transport address of the host.
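
   The STUN step above, as an added example that is not part of RFC
   7285: it builds a Binding Request and decodes XOR-MAPPED-ADDRESS from
   a Binding success response.  The message constants are those of
   [RFC5389]; the function names and the sample response bytes are
   constructed for this illustration.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442        # fixed value in every STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def binding_request(txid=None):
    """Return (message, transaction_id) for an attribute-less Binding Request."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def decode_xor_mapped(value, txid):
    """Undo the XOR obfuscation and return (address, port)."""
    if len(value) < 4:
        raise ValueError("XOR-MAPPED-ADDRESS too short")
    _, family, xport = struct.unpack("!BBH", value[:4])
    port = xport ^ (MAGIC_COOKIE >> 16)
    # IPv4 is XORed with the cookie; IPv6 with cookie + transaction ID.
    key = struct.pack("!I", MAGIC_COOKIE) + txid
    if family == 0x01 and len(value) == 8:
        size = 4
    elif family == 0x02 and len(value) == 20:
        size = 16
    else:
        raise ValueError("unknown family or wrong attribute length")
    raw = bytes(a ^ b for a, b in zip(value[4:4 + size], key))
    return str(ipaddress.ip_address(raw)), port


def parse_binding_response(data, txid):
    """Validate a Binding success response and return (address, port)."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, rtxid = struct.unpack("!HHI12s", data[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a Binding success response")
    if rtxid != txid:
        # A reply that does not echo our transaction ID is not an answer
        # to our request and must not be used as the public address.
        raise ValueError("transaction ID mismatch")
    if length % 4 or len(data) != 20 + length:
        raise ValueError("bad message length")
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS:
            return decode_xor_mapped(value, txid)
        pos += 4 + alen + (-alen % 4)   # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


# Constructed sample: success response for transaction ID 00 01 .. 0b
# carrying the reflexive address 192.0.2.1, port 32853.
SAMPLE_TXID = bytes(range(12))
SAMPLE_RESPONSE = bytes.fromhex(
    "0101000c2112a442000102030405060708090a0b"
    "002000080001a147e112a643")

if __name__ == "__main__":
    print(parse_binding_response(SAMPLE_RESPONSE, SAMPLE_TXID))
```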

   ALTO clients should be cognizant that the network path between
   endpoints can depend on multiple factors, e.g., source address and
   destination address used for communication.  An ALTO server provides
   information based on endpoint addresses (more generally, network
   locations), but the mechanisms used for determining existence of
   connectivity or usage of NAT between endpoints are out of scope of
   this document.

13.4.  Endpoint and Path Properties

   An ALTO server could make available many properties about endpoints
   beyond their network location or grouping.  For example, connection
   type, geographical location, and others may be useful to
   applications.  This specification focuses on network location and
   grouping, but the protocol may be extended to handle other endpoint
   properties.

14.  IANA Considerations

   This document defines registries for application/alto-* media types,
   ALTO cost metrics, ALTO endpoint property types, ALTO address types,
   and ALTO error codes.  Initial values for the registries and the
   process of future assignments are given below.

14.1.  application/alto-* Media Types

   This document registers multiple media types, listed in Table 2.

    +-------------+------------------------------+-------------------+
    | Type        | Subtype                      | Specification     |
    +-------------+------------------------------+-------------------+
    | application | alto-directory+json          | Section 9.2.1     |
    | application | alto-networkmap+json         | Section 11.2.1.1  |
    | application | alto-networkmapfilter+json   | Section 11.3.1.1  |
    | application | alto-costmap+json            | Section 11.2.3.1  |
    | application | alto-costmapfilter+json      | Section 11.3.2.1  |
    | application | alto-endpointprop+json       | Section 11.4.1.1  |
    | application | alto-endpointpropparams+json | Section 11.4.1.1  |
    | application | alto-endpointcost+json       | Section 11.5.1.1  |
    | application | alto-endpointcostparams+json | Section 11.5.1.1  |
    | application | alto-error+json              | Section 8.5.1     |
    +-------------+------------------------------+-------------------+

                    Table 2: ALTO Protocol Media Types

   Type name:  application

   Subtype name:  This document registers multiple subtypes, as listed
      in Table 2.

   Required parameters:  n/a

   Optional parameters:  n/a

   Encoding considerations:  Encoding considerations are identical to
      those specified for the "application/json" media type.  See
      [RFC7159].

   Security considerations:  Security considerations relating to the
      generation and consumption of ALTO Protocol messages are discussed
      in Section 15.

   Interoperability considerations:  This document specifies the format
      of conforming messages and the interpretation thereof.

   Published specification:  This document is the specification for
      these media types; see Table 2 for the section documenting each
      media type.

   Applications that use this media type:  ALTO servers and ALTO clients
      either stand alone or are embedded within other applications.

   Additional information:

      Magic number(s):  n/a

      File extension(s):  This document uses the MIME type to refer to
         protocol messages and thus does not require a file extension.

      Macintosh file type code(s):  n/a

   Person & email address to contact for further information:  See
      Authors' Addresses section.

   Intended usage:  COMMON

   Restrictions on usage:  n/a

   Author:  See Authors' Addresses section.

   Change controller:  Internet Engineering Task Force
      (mailto:iesg@ietf.org).

14.2.  ALTO Cost Metric Registry

   IANA has created and now maintains the "ALTO Cost Metric Registry",
   listed in Table 3.

                   +-------------+---------------------+
                   | Identifier  | Intended Semantics  |
                   +-------------+---------------------+
                   | routingcost | See Section 6.1.1.1 |
                   | priv:       | Private use         |
                   +-------------+---------------------+

                        Table 3: ALTO Cost Metrics

   This registry serves two purposes.  First, it ensures uniqueness of
   identifiers referring to ALTO cost metrics.  Second, it provides
   references to particular semantics of allocated cost metrics to be
   applied by both ALTO servers and applications utilizing ALTO clients.

   New ALTO cost metrics are assigned after IETF Review [RFC5226] to
   ensure that proper documentation regarding ALTO cost metric semantics
   and security considerations has been provided.  The RFCs documenting
   the new metrics should be detailed enough to provide guidance to both
   ALTO service providers and applications utilizing ALTO clients as to
   how values of the registered ALTO cost metric should be interpreted.
   Updates and deletions of ALTO cost metrics follow the same procedure.

   Registered ALTO cost metric identifiers MUST conform to the
   syntactical requirements specified in Section 10.6.  Identifiers are
   to be recorded and displayed as strings.

   As specified in Section 10.6, identifiers prefixed with "priv:" are
   reserved for Private Use.

   Requests to add a new value to the registry MUST include the
   following information:

   o  Identifier: The name of the desired ALTO cost metric.

   o  Intended Semantics: ALTO costs carry with them semantics to guide
      their usage by ALTO clients.  For example, if a value refers to a
      measurement, the measurement units must be documented.  For proper
      implementation of the ordinal cost mode (e.g., by a third-party
      service), it should be documented whether higher or lower values
      of the cost are more preferred.

   o  Security Considerations: ALTO costs expose information to ALTO
      clients.  As such, proper usage of a particular cost metric may
      require certain information to be exposed by an ALTO service
      provider.  Since network information is frequently regarded as
      proprietary or confidential, ALTO service providers should be made
      aware of the security ramifications related to usage of a cost
      metric.

   This specification requests registration of the identifier
   "routingcost".  Semantics for this cost metric are documented in
   Section 6.1.1.1, and security considerations are documented in
   Section 15.3.

14.3.  ALTO Endpoint Property Type Registry

   IANA has created and now maintains the "ALTO Endpoint Property Type
   Registry", listed in Table 4.

                    +------------+--------------------+
                    | Identifier | Intended Semantics |
                    +------------+--------------------+
                    | pid        | See Section 7.1.1  |
                    | priv:      | Private use        |
                    +------------+--------------------+

                   Table 4: ALTO Endpoint Property Types

   The maintenance of this registry is similar to that of the preceding
   ALTO cost metrics.  That is, the registry is maintained by IANA,
   subject to the description in Section 10.8.2.

   New endpoint property types are assigned after IETF Review [RFC5226]
   to ensure that proper documentation regarding ALTO endpoint property
   type semantics and security considerations has been provided.
   Updates and deletions of ALTO endpoint property types follow the same
   procedure.

   Registered ALTO endpoint property type identifiers MUST conform to
   the syntactical requirements specified in Section 10.8.1.
   Identifiers are to be recorded and displayed as strings.

   As specified in Section 10.8.1, identifiers prefixed with "priv:" are
   reserved for Private Use.

   Requests to add a new value to the registry MUST include the
   following information:

   o  Identifier: The name of the desired ALTO endpoint property type.

   o  Intended Semantics: ALTO endpoint properties carry with them
      semantics to guide their usage by ALTO clients.  Hence, a document
      defining a new type should provide guidance to both ALTO service
      providers and applications utilizing ALTO clients as to how values
      of the registered ALTO endpoint property should be interpreted.
      For example, if a value refers to a measurement, the measurement
      units must be documented.

   o  Security Considerations: ALTO endpoint properties expose
      information to ALTO clients.  ALTO service providers should be
      made aware of the security ramifications related to the exposure
      of an endpoint property.

   In particular, the request should discuss the sensitivity of the
   information, and why such sensitive information is required for
   ALTO-based operations.  It may recommend that ISPs provide mechanisms
   for users to grant or deny consent to such information sharing.
   Limitation to a trust domain is one type of consent bounding.

   A request defining new endpoint properties should focus on exposing
   attributes of endpoints that are related to the goals of ALTO --
   optimization of application-layer traffic -- as opposed to more
   general properties of endpoints.  Maintaining this focus on
   technical, network-layer data will also help extension developers
   avoid the privacy concerns associated with publishing information
   about endpoints.  For example:

   o  An extension to indicate the capacity of a server would likely be
      appropriate, since server capacities can be used by a client to
      choose between multiple equivalent servers.  In addition, these
      properties are unlikely to be viewed as private information.

   o  An extension to indicate the geolocation of endpoints might be
      appropriate.  In some cases, a certain level of geolocation (e.g.,
      to the country level) can be useful for selecting content sources.
      More precise geolocation, however, is not relevant to content
      delivery, and is typically considered private.

   o  An extension indicating demographic attributes of the owner of an
      endpoint (e.g., age, sex, income) would not be appropriate,
      because these attributes are not related to delivery optimization,
      and because they are clearly private data.

   This specification requests registration of the identifier "pid".
   Semantics for this property are documented in Section 7.1.1, and
   security considerations are documented in Section 15.4.

14.4.  ALTO Address Type Registry

   IANA has created and now maintains the "ALTO Address Type Registry",
   listed in Table 5.

   +------------+-----------------+-----------------+------------------+
   | Identifier | Address         | Prefix Encoding | Mapping to/from  |
   |            | Encoding        |                 | IPv4/v6          |
   +------------+-----------------+-----------------+------------------+
   | ipv4       | See Section     | See Section     | Direct mapping   |
   |            | 10.4.3          | 10.4.4          | to IPv4          |
   | ipv6       | See Section     | See Section     | Direct mapping   |
   |            | 10.4.3          | 10.4.4          | to IPv6          |
   +------------+-----------------+-----------------+------------------+

                        Table 5: ALTO Address Types

   This registry serves two purposes.  First, it ensures uniqueness of
   identifiers referring to ALTO address types.  Second, it states the
   requirements for allocated address type identifiers.

   New ALTO address types are assigned after IETF Review [RFC5226] to
   ensure that proper documentation regarding the new ALTO address types
   and their security considerations has been provided.  RFCs defining
   new address types should indicate how an address of a registered type
   is encoded as an EndpointAddr and, if possible, a compact method
   (e.g., IPv4 and IPv6 prefixes) for encoding a set of addresses as an
   EndpointPrefix.  Updates and deletions of ALTO address types follow
   the same procedure.

   Registered ALTO address type identifiers MUST conform to the
   syntactical requirements specified in Section 10.4.2.  Identifiers
   are to be recorded and displayed as strings.

   Requests to add a new value to the registry MUST include the
   following information:

   o  Identifier: The name of the desired ALTO address type.

   o  Endpoint Address Encoding: The procedure for encoding an address
      of the registered type as an EndpointAddr (see Section 10.4.3).

   o  Endpoint Prefix Encoding: The procedure for encoding a set of
      addresses of the registered type as an EndpointPrefix (see
      Section 10.4.4).  If no such compact encoding is available, the
      same encoding used for a singular address may be used.  In such a
      case, it must be documented that sets of addresses of this type
      always have exactly one element.

   o  Mapping to/from IPv4/IPv6 Addresses: If possible, a mechanism to
      map addresses of the registered type to and from IPv4 or IPv6
      addresses should be specified.

   o  Security Considerations: In some usage scenarios, endpoint
      addresses carried in ALTO Protocol messages may reveal information
      about an ALTO client or an ALTO service provider.  Applications
      and ALTO service providers using addresses of the registered type
      should be made aware of how (or if) the addressing scheme relates
      to private information and network proximity.

   This specification requests registration of the identifiers "ipv4"
   and "ipv6", as shown in Table 5.

14.5.  ALTO Error Code Registry

   IANA has created and now maintains the "ALTO Error Code Registry".
   Initial values are listed in Table 1, and recommended usage of the
   error codes is specified in Section 8.5.2.

   Although the error codes defined in Table 1 are already quite
   complete, future extensions may define new error codes.  The "ALTO
   Error Code Registry" ensures the uniqueness of error codes when new
   error codes are added.

   New ALTO error codes are assigned after IETF Review [RFC5226] to
   ensure that proper documentation regarding the new ALTO error codes
   and their usage has been provided.

   A request to add a new ALTO error code to the registry MUST include
   the following information:

   o  Error Code: A string starting with E_ to indicate the error.

   o  Intended Usage: ALTO error codes carry with them semantics to
      guide their usage by ALTO servers and clients.  In particular, if
      a new error code indicates conditions that overlap with those of
      an existing ALTO error code, recommended usage of the new error
      code should be specified.

15.  Security Considerations

   Some environments and use cases of ALTO require consideration of
   security attacks on ALTO servers and clients.  In order to support
   those environments interoperably, the ALTO requirements document
   [RFC6708] outlines minimum-to-implement authentication and other
   security requirements.  This document considers the following threats
   and protection strategies.

15.1.  Authenticity and Integrity of ALTO Information

15.1.1.  Risk Scenarios

   An attacker may want to provide false or modified ALTO information
   resources or an information resource directory to ALTO clients to
   achieve certain malicious goals.  As an example, an attacker may
   provide false endpoint properties.  Suppose that a network supports
   an endpoint property named "hasQuota", which reports whether an
   endpoint has usage quota.  An attacker may want to generate a false
   reply to lead to unexpected charges to the endpoint.  An attacker
   may also want to provide a false cost map.  For example, by faking a
   cost map that highly prefers a small address range or a single
   address, the attacker may be able to turn a distributed application
   into a Distributed-Denial-of-Service (DDoS) tool.

   Depending on the network scenario, an attacker can attack
   authenticity and integrity of ALTO information resources using
   various techniques, including, but not limited to, sending forged
   DHCP replies in an Ethernet, DNS poisoning, and installing a
   transparent HTTP proxy that does some modifications.

15.1.2.  Protection Strategies

   ALTO protects the authenticity and integrity of ALTO information
   (both information directory and individual information resources) by
   leveraging the authenticity and integrity mechanisms in TLS (see
   Section 8.3.5).

   ALTO service providers who request server certificates and
   certification authorities who issue ALTO-specific certificates SHOULD
   consider the recommendations and guidelines defined in [RFC6125].

   Software engineers developing and service providers deploying ALTO
   should make themselves familiar with possibly updated standards
   documents as well as up-to-date Best Current Practices on configuring
   HTTP over TLS.

15.1.3.  Limitations

   The protection of HTTP over TLS for ALTO depends on the domain name
   in the URI for the information resources not being compromised.
   This will depend on the protection implemented by service discovery.

   A deployment scenario may require redistribution of ALTO information
   to improve scalability.  When authenticity and integrity of ALTO
   information are still required, then ALTO clients obtaining ALTO
   information through redistribution must be able to validate the
   received ALTO information.  Support for this validation is not
   provided in this document, but it may be provided by extension
   documents.

15.2.  Potential Undesirable Guidance from Authenticated ALTO
       Information

15.2.1.  Risk Scenarios

   The ALTO services make it possible for an ALTO service provider to
   influence the behavior of network applications.  An ALTO service
   provider may be hostile to some applications and, hence, try to use
   ALTO information resources to achieve certain goals [RFC5693]:

      ...redirecting applications to corrupted mediators providing
      malicious content, or applying policies in computing cost maps
      based on criteria other than network efficiency.

   See [ALTO-DEPLOYMENT] for additional discussions on faked ALTO
   guidance.

   A related scenario is that an ALTO server could unintentionally give
   "bad" guidance.  For example, if many ALTO clients follow the cost
   map or the Endpoint Cost Service guidance without doing additional
   sanity checks or adaptation, more preferable hosts and/or links could
   get overloaded while less preferable ones remain idle; see AR-14 of
   [RFC6708] for related application considerations.

15.2.2.  Protection Strategies

   To protect applications from undesirable ALTO information resources,
   it is important to note that there is no protocol mechanism to
   require conforming behaviors on how applications use ALTO information
   resources.  An application using ALTO may consider including a
   mechanism to detect misleading or undesirable results from using ALTO
   information resources.  For example, if throughput measurements do
   not show "better-than-random" results when using an ALTO cost map to
   select resource providers, the application may want to disable ALTO
   usage or switch to an external ALTO server provided by an
   "independent organization" (see AR-20 and AR-21 in [RFC6708]).  If
   the first ALTO server is provided by the access network service
   provider and the access network service provider tries to redirect
   access to the external ALTO server back to the provider's ALTO server
   or tries to tamper with the responses, the preceding authentication
   and integrity protection can detect such behavior.
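
   One way to implement the "better-than-random" check, as an added
   example that is not part of RFC 7285.  It assumes the application
   keeps a small randomly selected control group of peers; the class
   name, thresholds and sample throughputs are constructed for this
   illustration.

```python
import random
from collections import deque


class AltoGuidanceMonitor:
    """Compare throughput of ALTO-selected peers against a random control."""

    def __init__(self, control_fraction=0.2, window=50, min_samples=10,
                 margin=0.05, rng=None):
        if not 0 < control_fraction < 1:
            raise ValueError("control_fraction must be between 0 and 1")
        self.control_fraction = control_fraction
        self.min_samples = min_samples
        self.margin = margin
        self.rng = rng or random.Random()
        # Sliding windows, so that stale measurements age out.
        self.samples = {"alto": deque(maxlen=window),
                        "random": deque(maxlen=window)}

    def next_group(self):
        """Decide how the next peer slot is filled: 'alto' or 'random'.

        Without a random control group there is nothing to compare the
        ALTO-guided results against.
        """
        if self.rng.random() < self.control_fraction:
            return "random"
        return "alto"

    def record(self, group, throughput):
        """Store one throughput measurement (any consistent unit)."""
        if throughput < 0:
            raise ValueError("throughput cannot be negative")
        self.samples[group].append(throughput)

    def win_probability(self):
        """Estimate P(ALTO-selected peer outperforms a random peer).

        Every ALTO sample is compared with every control sample; ties
        count as half a win.  Returns None until both groups hold
        min_samples measurements.
        """
        alto, ctrl = self.samples["alto"], self.samples["random"]
        if len(alto) < self.min_samples or len(ctrl) < self.min_samples:
            return None
        wins = sum((a > c) + 0.5 * (a == c) for a in alto for c in ctrl)
        return wins / (len(alto) * len(ctrl))

    def verdict(self):
        p = self.win_probability()
        if p is None:
            return "insufficient-data"
        # 0.5 is what random selection would achieve against itself.
        return "keep-alto" if p > 0.5 + self.margin else "disable-alto"


def demo(alto_kbps, random_kbps):
    """Feed constructed measurements into a monitor and return its verdict."""
    monitor = AltoGuidanceMonitor(min_samples=3)
    for value in alto_kbps:
        monitor.record("alto", value)
    for value in random_kbps:
        monitor.record("random", value)
    return monitor.verdict()


if __name__ == "__main__":
    print(demo([900, 950, 870], [400, 500, 450]))   # guidance helps
    print(demo([400, 500, 450], [420, 480, 460]))   # no better than random
```

   On a "disable-alto" verdict the application can stop using ALTO
   guidance or switch to another ALTO server, as the text above
   describes.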

15.3.  Confidentiality of ALTO Information

15.3.1.  Risk Scenarios

   In many cases, although ALTO information resources may be regarded as
   non-confidential information, there are deployment cases in which
   ALTO information resources can be sensitive information that can pose
   risks if exposed to unauthorized parties.  This document discusses
   the risks and protection strategies for such deployment scenarios.

   For example, an attacker may infer details regarding the topology,
   status, and operational policies of a network through its ALTO
   network and cost maps.  As a result, a sophisticated attacker may be
   able to infer more fine-grained topology information than an ISP
   hosting an ALTO server intends to disclose.  The attacker can
   leverage the information to mount effective attacks such as focusing
   on high-cost links.

   Revealing some endpoint properties may also reveal more information
   than the provider intended.  For example, when adding the line
   bitrate as one endpoint property, such information may be
   potentially linked to the income of the inhabitants at the network
   location of an endpoint.

   In Section 5.2.1 of [RFC6708], three types of risks associated with
   the confidentiality of ALTO information resources are identified:
   risk type (1) Excess disclosure of the ALTO service provider's data
   to an authorized ALTO client; risk type (2) Disclosure of the ALTO
   service provider's data (e.g., network topology information or
   endpoint addresses) to an unauthorized third party; and risk type (3)
   Excess retrieval of the ALTO service provider's data by collaborating
   ALTO clients.  [ALTO-DEPLOYMENT] also discusses information leakage
   from ALTO.

15.3.2.  Protection Strategies

   To address risk types (1) and (3), the provider of an ALTO server
   must be cognizant that the network topology and provisioning
   information provided through ALTO may lead to attacks.  ALTO does not
   require any particular level of details of information disclosure;
   hence, the provider should evaluate how much information is revealed
   and the associated risks.

   To address risk type (2), the ALTO Protocol needs confidentiality.
   Since ALTO requires that HTTP over TLS must be supported, the
   confidentiality mechanism is provided by HTTP over TLS.

   For deployment scenarios where client authentication is desired to
   address risk type (2), ALTO requires that HTTP Digest Authentication
   is supported to achieve ALTO client authentication to
   limit the number of parties with whom ALTO information is directly
   shared.  TLS client authentication may also be supported.  Depending
   on the use case and scenario, an ALTO server may apply other access
   control techniques to restrict access to its services.  Access
   control can also help to prevent Denial-of-Service attacks by
   arbitrary hosts from the Internet.  See [ALTO-DEPLOYMENT] for a more
   detailed discussion on this issue.

   See Section 14.3 on guidelines when registering endpoint properties
   to protect endpoint privacy.

15.3.3.  Limitations

   ALTO information providers should be cognizant that encryption only
   protects ALTO information until it is decrypted by the intended ALTO
   client.  Digital Rights Management (DRM) techniques and legal
   agreements protecting ALTO information are outside of the scope of
   this document.

15.4.  Privacy for ALTO Users

15.4.1.  Risk Scenarios

   The ALTO Protocol provides mechanisms in which the ALTO client
   serving a user can send messages containing network location
   identifiers (IP addresses or fine-grained PIDs) to the ALTO server.
   This is particularly true for the Endpoint Property, the Endpoint
   Cost, and the fine-grained Filtered Map services.  The ALTO server or
   a third party who is able to intercept such messages can store and
   process obtained information in order to analyze user behaviors and
   communication patterns.  The analysis may correlate information
   collected from multiple clients to deduce additional application/
   content information.  Such analysis can lead to privacy risks.  For a
   more comprehensive classification of related risk scenarios, see
   cases 4, 5, and 6 in [RFC6708], Section 5.2.

15.4.2.  Protection Strategies

   To protect user privacy, an ALTO client should be cognizant of
   potential ALTO server tracking through client queries, e.g., by using
   HTTP cookies.  The ALTO Protocol as defined by this document does not
   rely on HTTP cookies.  ALTO clients MAY decide not to return cookies
   received from the server, in order to make tracking more difficult.
   However, this might break protocol extensions that are beyond the
   scope of this document.

   An ALTO client may consider the possibility of relying only on ALTO
   network maps for PIDs and cost maps amongst PIDs to avoid passing IP
   addresses of other endpoints (e.g., peers) to the ALTO server.  When
   specific IP addresses are needed (e.g., when using the Endpoint Cost
   Service), an ALTO client SHOULD minimize the amount of information
   sent in IP addresses.  For example, the ALTO client may consider
   obfuscation techniques such as specifying a broader address range
   (i.e., a shorter prefix length) or by zeroing out or randomizing the
   last few bits of IP addresses.  Note that obfuscation may yield less
   accurate results.
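
   The address minimization described above, as an added example that
   is not part of the RFC: the client zeroes the low-order bits of every
   address before building an Endpoint Cost Service query, then maps the
   coarse answers back to the real peers.  The number of bits kept, the
   helper names, and the sample addresses and response are assumptions;
   the JSON member names follow the Endpoint Cost Service format defined
   earlier in this RFC.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed client policy: leading bits of each address that may be revealed.
KEEP_BITS = {4: 24, 6: 48}


def coarsen(addr, keep_bits=KEEP_BITS):
    """Zero the host bits of addr and return it as an ALTO typed address."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{keep_bits[ip.version]}", strict=False)
    return f"ipv{ip.version}:{net.network_address}"


def build_ecs_query(own_addr, peers):
    """Return (request_body, groups).

    groups maps each coarse destination to the real peers hidden behind it,
    so several peers can share one entry in the query.
    """
    groups = defaultdict(list)
    for peer in peers:
        groups[coarsen(peer)].append(peer)
    body = {
        "cost-type": {"cost-mode": "numerical", "cost-metric": "routingcost"},
        "endpoints": {"srcs": [coarsen(own_addr)], "dsts": sorted(groups)},
    }
    return body, dict(groups)


def costs_per_peer(response, src, groups):
    """Expand the server's coarse answer to one cost per real peer.

    Peers whose coarse address is missing from the response are left out,
    so the caller can fall back to its default selection for them.
    """
    row = response["endpoint-cost-map"].get(src, {})
    return {
        peer: row[dst]
        for dst, members in groups.items()
        if dst in row
        for peer in members
    }


# Constructed sample input (documentation address ranges only).
OWN = "203.0.113.45"
PEERS = ["192.0.2.89", "192.0.2.34", "198.51.100.7", "2001:db8:1:2::5"]

# Constructed server response; the IPv6 destination is deliberately absent.
SAMPLE_RESPONSE = {
    "meta": {"cost-type": {"cost-mode": "numerical",
                           "cost-metric": "routingcost"}},
    "endpoint-cost-map": {
        "ipv4:203.0.113.0": {"ipv4:192.0.2.0": 1, "ipv4:198.51.100.0": 5},
    },
}

if __name__ == "__main__":
    body, groups = build_ecs_query(OWN, PEERS)
    print(json.dumps(body, indent=2))
    print(costs_per_peer(SAMPLE_RESPONSE, coarsen(OWN), groups))
```

   Two peers in the same /24 receive the same cost, which is the loss of
   accuracy the text warns about.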

15.5.  Availability of ALTO Services

15.5.1.  Risk Scenarios

   An attacker may want to disable the ALTO services of a network as a
   way to disable network guidance to large scale applications.  In
   particular, queries that can be generated with low effort but result
   in expensive workloads at the ALTO server could be exploited for
   Denial-of-Service attacks.  For instance, a simple ALTO query with n
   source network locations and m destination network locations can be
   generated fairly easily but results in the computation of n*m path
   costs between pairs by the ALTO server (see Section 5.2).

15.5.2.  Protection Strategies

   The ALTO service provider should be cognizant of the workload at the
   ALTO server generated by certain ALTO Queries, such as certain
   queries to the Map Service, the Map-Filtering Service and the
   Endpoint Cost (Ranking) Service.  One way to limit Denial-of-Service
   attacks is to employ access control to the ALTO server.  The ALTO
   server can also indicate overload and reject repeated requests that
   can cause availability problems.  More advanced protection schemes
   such as computational puzzles [SIP] may be considered in an extension
   document.

   An ALTO service provider should also leverage the fact that the Map
   Service allows ALTO servers to pre-generate maps that can be
   distributed to many ALTO clients.
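
   One way to bound the n*m workload described in Section 15.5.1,
   combining access control with overload rejection (an added example,
   not part of the RFC).  Each authenticated client gets a budget
   measured in source/destination pairs rather than in requests.  All
   limits, names, and the treatment of an absent source list are
   assumptions of this sketch.

```python
from dataclasses import dataclass

MAX_PAIRS_PER_QUERY = 10_000    # assumed hard cap on n*m for one query
BUCKET_CAPACITY = 20_000        # assumed pair budget per client
REFILL_PAIRS_PER_SEC = 1_000    # assumed refill rate of that budget


def pair_count(request):
    """Number of path costs the server would have to compute (n*m)."""
    endpoints = request.get("endpoints", {})
    # Assumption: an absent or empty source list means the client itself.
    n = len(set(endpoints.get("srcs") or [])) or 1
    m = len(set(endpoints.get("dsts") or []))
    return n * m


@dataclass
class Bucket:
    tokens: float   # pairs the client may still request
    stamp: float    # time of the last refill, in seconds


class PairBudget:
    """Token bucket per client identity, charged by computed pairs."""

    def __init__(self):
        self.buckets = {}

    def admit(self, client_id, request, now):
        """Return (decision, pairs) for one Endpoint Cost Service query.

        client_id is the identity established by client authentication;
        now is a monotonic clock reading supplied by the caller.
        """
        pairs = pair_count(request)
        if pairs == 0:
            return ("reject-malformed", 0)
        if pairs > MAX_PAIRS_PER_QUERY:
            # Oversized queries are refused before any cost is computed
            # and do not consume the client's budget.
            return ("reject-too-large", pairs)
        bucket = self.buckets.setdefault(
            client_id, Bucket(BUCKET_CAPACITY, now))
        elapsed = now - bucket.stamp
        bucket.tokens = min(BUCKET_CAPACITY,
                            bucket.tokens + elapsed * REFILL_PAIRS_PER_SEC)
        bucket.stamp = now
        if bucket.tokens < pairs:
            # The server would answer with an overload indication here.
            return ("reject-overload", pairs)
        bucket.tokens -= pairs
        return ("accept", pairs)


def make_query(n, m):
    """Constructed query with n sources and m destinations (test input)."""
    return {"endpoints": {
        "srcs": [f"ipv4:10.0.{i // 256}.{i % 256}" for i in range(n)],
        "dsts": [f"ipv4:10.1.{j // 256}.{j % 256}" for j in range(m)],
    }}


if __name__ == "__main__":
    budget = PairBudget()
    for t in (0.0, 0.0, 1.0, 11.0):
        print(t, budget.admit("client-a", make_query(100, 100), t))
    print(budget.admit("client-a", make_query(101, 100), 12.0))
```

   Charging by pairs means a client cannot stay under a request-rate
   limit while still submitting a few very expensive queries.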

16.  Manageability Considerations

   This section details operations and management considerations based
   on existing deployments and discussions during protocol development.
   It also indicates where extension documents are expected to provide
   appropriate functionality discussed in [RFC5706] as additional
   deployment experience becomes available.

16.1.  Operations

16.1.1.  Installation and Initial Setup

   The ALTO Protocol is based on HTTP.  Thus, configuring an ALTO server
   may require configuring the underlying HTTP server implementation to
   define appropriate security policies, caching policies, performance
   settings, etc.

   Additionally, an ALTO service provider will need to configure the
   ALTO information to be provided by the ALTO server.  The granularity
   of the topological map and the cost maps is left to the specific
   policies of the ALTO service provider.  However, a reasonable default
   may include two PIDs, one to hold the endpoints in the provider's
   network and the second PID to represent full IPv4 and IPv6
   reachability (see Section 11.2.2), with the cost between each source/
   destination PID set to 1.  Another operational issue that the ALTO
   service provider needs to consider is that the filtering service can
   degenerate into a full map service when the filtering input is empty.
   Although this choice as the degeneration behavior provides
   continuity, the computational and network load of serving full maps
   to a large number of ALTO clients should be considered.

   Implementers employing an ALTO client should attempt to automatically
   discover an appropriate ALTO server.  Manual configuration of the
   ALTO server location may be used where automatic discovery is not
   appropriate.  Methods for automatic discovery and manual
   configuration are discussed in [ALTO-SERVER-DISC].

   Specifications for underlying protocols (e.g., TCP, HTTP, TLS) should
   be consulted for their available settings and proposed default
   configurations.

16.1.2.  Migration Path

   This document does not detail a migration path for ALTO servers since
   there is no previous standard protocol providing similar
   functionality.

   There are existing applications making use of network information
   discovered from other entities such as whois, geo-location databases,
   or round-trip time measurements, etc.  Such applications should
   consider using ALTO as an additional source of information; ALTO need
   not be the sole source of network information.

16.1.3.  Dependencies on Other Protocols and Functional Components

   The ALTO Protocol assumes that HTTP client and server implementations
   exist.  It also assumes that JSON encoder and decoder implementations
   exist.

   An ALTO server assumes that it can gather sufficient information to
   populate Network and Cost maps.  "Sufficient information" is
   dependent on the information being exposed, but likely includes
   information gathered from protocols such as IGP and EGP Routing
   Information Bases (see Figure 1).  Specific mechanisms have been
   proposed (e.g., [ALTO-SVR-APIS]) and are expected to be provided in
   extension documents.

16.1.4.  Impact and Observation on Network Operation

   ALTO presents a new opportunity for managing network traffic by
   providing additional information to clients.  In particular, the
   deployment of an ALTO server may shift network traffic patterns, and
   the potential impact to network operation can be large.  An ALTO
   service provider should ensure that appropriate information is being
   exposed.  Privacy implications for ISPs are discussed in
   Section 15.3.

   An ALTO service provider should consider how to measure impacts on
   (or integration with) traffic engineering, in addition to monitoring
   correctness and responsiveness of ALTO servers.  The measurement of
   impacts can be challenging because ALTO-enabled applications may not
   provide related information back to the ALTO service provider.
   Furthermore, the measurement of an ALTO service provider may show
   that ALTO clients are not bound to ALTO server guidance as ALTO is
   only one source of information.

   While it can be challenging to measure the impact of ALTO guidance,
   there exist some possible techniques.  In certain trusted deployment
   environments, it may be possible to collect information directly from
   ALTO clients.  It may also be possible to vary or selectively disable
   ALTO guidance for a portion of ALTO clients either by time,
   geographical region, or some other criteria to compare the network
   traffic characteristics with and without ALTO.

   Both ALTO service providers and those using ALTO clients should be
   aware of the impact of incorrect or faked guidance (see
   [ALTO-DEPLOYMENT]).

16.2.  Management

16.2.1.  Management Interoperability

   A common management API would be desirable given that ALTO servers
   may typically be configured with dynamic data from various sources,
   and ALTO servers are intended to scale horizontally for fault-
   tolerance and reliability.  A specific API or protocol is outside the
   scope of this document, but may be provided by an extension document.

   Logging is an important functionality for ALTO servers and, depending
   on the deployment, ALTO clients.  Logging should be done via syslog
   [RFC5424].

16.2.2.  Management Information

   A Management Information Model (see Section 3.2 of [RFC5706]) is not
   provided by this document, but should be included or referenced by
   any extension documenting an ALTO-related management API or protocol.

16.2.3.  Fault Management

   An ALTO service provider should monitor whether any ALTO servers have
   failed.  See Section 16.2.5 for related metrics that may indicate
   server failures.

16.2.4.  Configuration Management

   Standardized approaches and protocols to configuration management for
   ALTO are outside the scope of this document, but this document does
   outline high-level principles suggested for future standardization
   efforts.

   An ALTO server requires at least the following logical inputs:

   o  Data sources from which ALTO information resources are derived.
      This can be either raw network information (e.g., from routing
      elements) or pre-processed ALTO-level information in the forms of
      network maps, cost maps, etc.

   o  Algorithms for computing the ALTO information returned to clients.
      These could return either information from a database or
      information customized for each client.

   o  Security policies mapping potential clients to the information
      that they have privilege to access.

   Multiple ALTO servers can be deployed for scalability.  A centralized
   configuration database may be used to ensure they are providing the
   desired ALTO information with appropriate security controls.  The
   ALTO information (e.g., network maps and cost maps) being served by
   each ALTO server, as well as security policies (HTTP authentication,
   TLS client and server authentication, TLS encryption parameters)
   intended to serve the same information should be monitored for
   consistency.

16.2.5.  Performance Management

   An exhaustive list of desirable performance information from ALTO
   servers and ALTO clients is outside of the scope of this document.
   The following is a list of suggested ALTO-specific metrics to be
   monitored based on the existing deployment and protocol development
   experience:

   o  Requests and responses for each service listed in an information
      directory (total counts and size in bytes);

   o  CPU and memory utilization;

   o  ALTO map updates;

   o  Number of PIDs;

   o  ALTO map sizes (in-memory size, encoded size, number of entries).

16.2.6.  Security Management

   Section 15 documents ALTO-specific security considerations.
   Operators should configure security policies with those in mind.
   Readers should refer to HTTP [RFC7230] and TLS [RFC5246] and related
   documents for mechanisms available for configuring security policies.
   Other appropriate security mechanisms (e.g., physical security,
   firewalls, etc.) should also be considered.

17.  References

17.1.  Normative References

   [RFC1812]  Baker, F., "Requirements for IP Version 4 Routers", RFC
              1812, June 1995.

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              November 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, August 2006.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5389]  Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
              "Session Traversal Utilities for NAT (STUN)", RFC 5389,
              October 2008.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.

   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
              Address Text Representation", RFC 5952, August 2010.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Message Syntax and Routing", RFC 7230, June
              2014.

17.2.  Informative References

   [ALTO-DEPLOYMENT]
              Stiemerling, M., Ed., Kiesel, S., Ed., Previdi, S., and M.
              Scharf, "ALTO Deployment Considerations", Work in
              Progress, February 2014.

   [ALTO-INFOEXPORT]
              Shalunov, S., Penno, R., and R. Woundy, "ALTO Information
              Export Service", Work in Progress, October 2008.

   [ALTO-MULTI-PS]
              Das, S., Narayanan, V., and L. Dondeti, "ALTO: A Multi
              Dimensional Peer Selection Problem", Work in Progress,
              October 2008.

   [ALTO-QUERYRESPONSE]
              Das, S. and V. Narayanan, "A Client to Service Query
              Response Protocol for ALTO", Work in Progress, March 2009.

   [ALTO-SERVER-DISC]
              Kiesel, S., Stiemerling, M., Schwan, N., Scharf, M., and
              H. Song, "ALTO Server Discovery", Work in Progress,
              September 2013.

   [ALTO-SVR-APIS]
              Medved, J., Ward, D., Peterson, J., Woundy, R., and D.
              McDysan, "ALTO Network-Server and Server-Server APIs",
              Work in Progress, March 2011.

   [ALTO-USE-CASES]
              Niven-Jenkins, B., Watson, G., Bitar, N., Medved, J., and
              S. Previdi, "Use Cases for ALTO within CDNs", Work in
              Progress, June 2012.

   [BitTorrent]
              "Bittorrent Protocol Specification v1.0",
              <http://wiki.theory.org/BitTorrentSpecification>.

   [Fielding-Thesis]
              Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", University of
              California, Irvine, Dissertation 2000, 2000.

   [IEEE.754.2008]
              Institute of Electrical and Electronics Engineers,
              "Standard for Binary Floating-Point Arithmetic", IEEE
              Standard 754, August 2008.

   [P4P-FRAMEWORK]
              Alimi, R., Pasko, D., Popkin, L., Wang, Y., and Y. Yang,
              "P4P: Provider Portal for P2P Applications", Work in
              Progress, November 2008.

   [P4P-SIGCOMM08]
              Xie, H., Yang, Y., Krishnamurthy, A., Liu, Y., and A.
              Silberschatz, "P4P: Provider Portal for (P2P)
              Applications", SIGCOMM 2008, August 2008.

   [P4P-SPEC] Wang, Y., Alimi, R., Pasko, D., Popkin, L., and Y. Yang,
              "P4P Protocol Specification", Work in Progress, March
              2009.

   [PROXIDOR] Akonjang, O., Feldmann, A., Previdi, S., Davie, B., and D.
              Saucez, "The PROXIDOR Service", Work in Progress, March
              2009.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC5693]  Seedorf, J. and E. Burger, "Application-Layer Traffic
              Optimization (ALTO) Problem Statement", RFC 5693, October
              2009.

   [RFC5706]  Harrington, D., "Guidelines for Considering Operations and
              Management of New Protocols and Protocol Extensions", RFC
              5706, November 2009.

   [RFC6144]  Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
              IPv4/IPv6 Translation", RFC 6144, April 2011.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, June 2011.

   [RFC6708]  Kiesel, S., Previdi, S., Stiemerling, M., Woundy, R., and
              Y. Yang, "Application-Layer Traffic Optimization (ALTO)
              Requirements", RFC 6708, September 2012.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

   [SIP]      Jennings, C., "Computational Puzzles for SPAM Reduction in
              SIP", Work in Progress, July 2007.

Appendix A.  Acknowledgments

   Thank you to Jan Seedorf (NEC) for substantial contributions to the
   Security Considerations section.  Ben Niven-Jenkins (Velocix),
   Michael Scharf, and Sabine Randriamasy (Alcatel-Lucent) gave
   substantial feedback and suggestions on the protocol design.

   We would like to thank the following people whose input and
   involvement were indispensable in achieving this merged proposal:

      Obi Akonjang (DT Labs/TU Berlin),

      Saumitra M. Das (Qualcomm Inc.),

      Syon Ding (China Telecom),

      Doug Pasko (Verizon),

      Laird Popkin (Pando Networks),

      Satish Raghunath (Juniper Networks),

      Albert Tian (Ericsson/Redback),

      Yu-Shun Wang (Microsoft),

      David Zhang (PPLive),

      Yunfei Zhang (China Mobile).

   We would also like to thank the following additional people who were
   involved in the projects that contributed to this merged document:
   Alex Gerber (ATT), Chris Griffiths (Comcast), Ramit Hora (Pando
   Networks), Arvind Krishnamurthy (University of Washington), Marty
   Lafferty (DCIA), Erran Li (Bell Labs), Jin Li (Microsoft), Y. Grace
   Liu (IBM Watson), Jason Livingood (Comcast), Michael Merritt (ATT),
   Ingmar Poese (DT Labs/TU Berlin), James Royalty (Pando Networks),
   Damien Saucez (UCL), Thomas Scholl (ATT), Emilio Sepulveda
   (Telefonica), Avi Silberschatz (Yale University), Hassan Sipra (Bell
   Canada), Georgios Smaragdakis (DT Labs/TU Berlin), Haibin Song
   (Huawei), Oliver Spatscheck (ATT), See-Mong Tang (Microsoft), Jia
   Wang (ATT), Hao Wang (Yale University), Ye Wang (Yale University),
   Haiyong Xie (Yale University).

   Stanislav Shalunov would like to thank BitTorrent, where he worked
   while contributing to ALTO development.

Appendix B.  Design History and Merged Proposals

   The ALTO Protocol specified in this document consists of
   contributions from

   o  P4P [P4P-FRAMEWORK], [P4P-SIGCOMM08], [P4P-SPEC];

   o  ALTO Info-Export [ALTO-INFOEXPORT];

   o  Query/Response [ALTO-QUERYRESPONSE], [ALTO-MULTI-PS]; and

   o  Proxidor [PROXIDOR].

Authors' Addresses

   Richard Alimi (editor)
   Google
   1600 Amphitheatre Parkway
   Mountain View, CA  94043
   USA

   EMail: ralimi@google.com


   Reinaldo Penno (editor)
   Cisco Systems, Inc.
   170 West Tasman Dr
   San Jose, CA  95134
   USA

   EMail: repenno@cisco.com


   Y. Richard Yang (editor)
   Yale University
   51 Prospect St
   New Haven, CT  06511
   USA

   EMail: yry@cs.yale.edu

   Sebastian Kiesel
   University of Stuttgart Information Center
   Networks and Communication Systems Department
   Allmandring 30
   Stuttgart  70550
   Germany

   EMail: ietf-alto@skiesel.de


   Stefano Previdi
   Cisco Systems, Inc.
   Via Del Serafico, 200
   Rome  00142
   Italy

   EMail: sprevidi@cisco.com


   Wendy Roome
   Alcatel-Lucent
   600 Mountain Ave.
   Murray Hill, NJ  07974
   USA

   EMail: w.roome@alcatel-lucent.com


   Stanislav Shalunov
   Open Garden
   751 13th St
   San Francisco, CA  94130
   USA

   EMail: shalunov@shlang.com


   Richard Woundy
   Comcast Cable Communications
   One Comcast Center
   1701 John F. Kennedy Boulevard
   Philadelphia, PA  19103
   USA

   EMail: Richard_Woundy@cable.comcast.com