Tech-invite3GPPspaceIETF RFCsSIP
929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7285

Application-Layer Traffic Optimization (ALTO) Protocol

Pages: 91
Proposed Standard
Errata
Updated by:  9274
Part 4 of 4 – Pages 64 to 91
First   Prev   None

Top   ToC   RFC7285 - Page 64   prevText

12. Use Cases

The sections below depict typical use cases. While these use cases focus on peer-to-peer applications, ALTO can be applied to other environments such as Content Distribution Networks (CDNs) [ALTO-USE-CASES].
Top   ToC   RFC7285 - Page 65

12.1. ALTO Client Embedded in P2P Tracker

Many deployed P2P systems use a tracker to manage swarms and perform peer selection. Such a P2P tracker can already use a variety of information to perform peer selection to meet application-specific goals. By acting as an ALTO client, the P2P tracker can use ALTO information as an additional information source to enable more network-efficient traffic patterns and improve application performance. A particular requirement of many P2P trackers is that they must handle a large number of P2P clients. A P2P tracker can obtain and locally store ALTO information (e.g., ALTO network maps and cost maps) from the ISPs containing the P2P clients, and benefit from the same aggregation of network locations done by ALTO servers. .---------. (1) Get Network Map .---------------. | | <----------------------> | | | ALTO | | P2P Tracker | | Server | (2) Get Cost Map | (ALTO client) | | | <----------------------> | | `---------' `---------------' ^ | (3) Get Peers | | (4) Selected Peer | v List .---------. .-----------. | Peer 1 | <-------------- | P2P | `---------' | Client | . (5) Connect to `-----------' . Selected Peers / .---------. / | Peer 50 | <------------------ `---------' Figure 4: ALTO Client Embedded in P2P Tracker Figure 4 shows an example use case where a P2P tracker is an ALTO client and applies ALTO information when selecting peers for its P2P clients. The example proceeds as follows: 1. The P2P tracker requests from the ALTO server a network map, so that it locally map P2P clients into PIDs. 2. The P2P tracker requests from the ALTO server the cost map amongst all PIDs identified in the preceding step. 3. A P2P client joins the swarm, and requests a peer list from the P2P tracker.
Top   ToC   RFC7285 - Page 66
   4.  The P2P tracker returns a peer list to the P2P client.  The
       returned peer list is computed based on the network map and the
       cost map returned by the ALTO server, and possibly other
       information sources.  Note that it is possible that a tracker may
       use only the network map to implement hierarchical peer selection
       by preferring peers within the same PID and ISP.

   5.  The P2P client connects to the selected peers.

   Note that the P2P tracker may provide peer lists to P2P clients
   distributed across multiple ISPs.  In such a case, the P2P tracker
   may communicate with multiple ALTO servers.

12.2. ALTO Client Embedded in P2P Client: Numerical Costs

P2P clients may also utilize ALTO information themselves when selecting from available peers. It is important to note that not all P2P systems use a P2P tracker for peer discovery and selection. Furthermore, even when a P2P tracker is used, the P2P clients may rely on other sources, such as peer exchange and DHTs, to discover peers. When a P2P client uses ALTO information, it typically queries only the ALTO server servicing its own ISP. The "my-Internet view" provided by its ISP's ALTO server can include preferences to all potential peers. .---------. (1) Get Network Map .---------------. | | <----------------------> | | | ALTO | | P2P Client | | Server | (2) Get Cost Map | (ALTO client) | | | <----------------------> | | .---------. `---------' `---------------' <- | P2P | .---------. / | ^ ^ | Tracker | | Peer 1 | <-------------- | | \ `---------' `---------' | (3) Gather Peers . (4) Select Peers | | \ . and Connect / .--------. .--------. .---------. / | P2P | | DHT | | Peer 50 | <---------------- | Client | `--------' `---------' | (PEX) | `--------' Figure 5: ALTO Client Embedded in P2P Client Figure 5 shows an example use case where a P2P client locally applies ALTO information to select peers. The use case proceeds as follows:
Top   ToC   RFC7285 - Page 67
   1.  The P2P client requests the network map covering all PIDs from
       the ALTO server servicing its own ISP.

   2.  The P2P client requests the cost map providing path costs amongst
       all PIDs from the ALTO server.  The cost map by default specifies
       numerical costs.

   3.  The P2P client discovers peers from sources such as peer exchange
       (PEX) from other P2P clients, distributed hash tables (DHT), and
       P2P trackers.

   4.  The P2P client uses ALTO information as part of the algorithm for
       selecting new peers and connects to the selected peers.

12.3. ALTO Client Embedded in P2P Client: Ranking

It is also possible for a P2P client to offload the selection and ranking process to an ALTO server. In this use case, the ALTO client embedded in the P2P client gathers a list of known peers in the swarm, and asks the ALTO server to rank them. This document limits the use case to when the P2P client and the ALTO server are deployed by the same entity; hence, the P2P client uses the ranking provided by the ALTO server directly. As in the use case using numerical costs, the P2P client typically only queries the ALTO server servicing its own ISP. .---------. .---------------. | | | | | ALTO | (2) Get Endpoint Ranking | P2P Client | | Server | <----------------------> | (ALTO client) | | | | | .---------. `---------' `---------------' <- | P2P | .---------. / | ^ ^ | Tracker | | Peer 1 | <-------------- | | \ `---------' `---------' | (1) Gather Peers . (3) Connect to | | \ . Selected Peers / .--------. .--------. .---------. / | P2P | | DHT | | Peer 50 | <---------------- | Client | `--------' `---------' | (PEX) | `--------' Figure 6: ALTO Client Embedded in P2P Client: Ranking
Top   ToC   RFC7285 - Page 68
   Figure 6 shows an example of this scenario.  The use case proceeds as
   follows:

   1.  The P2P client discovers peers from sources such as Peer Exchange
       (PEX) from other P2P clients, Distributed Hash Tables (DHT), and
       P2P trackers.

   2.  The P2P client queries the ALTO server's ranking service (i.e.,
       the ECS Service), by including the discovered peers as the set of
       destination endpoints, and indicating the "ordinal" cost mode.
       The response indicates the ranking of the candidate peers.

   3.  The P2P client connects to the peers in the order specified in
       the ranking.

13. Discussions

13.1. Discovery

The discovery mechanism by which an ALTO client locates an appropriate ALTO server is out of scope for this document. This document assumes that an ALTO client can discover an appropriate ALTO server. Once it has done so, the ALTO client may use the information resource directory (see Section 9.2) to locate an information resource with the desired ALTO information.

13.2. Hosts with Multiple Endpoint Addresses

In practical deployments, a particular host can be reachable using multiple addresses (e.g., a wireless IPv4 connection, a wireline IPv4 connection, and a wireline IPv6 connection). In general, the particular network path followed when sending packets to the host will depend on the address that is used. Network providers may prefer one path over another. An additional consideration may be how to handle private address spaces (e.g., behind carrier-grade NATs). To support such behavior, this document allows multiple endpoint addresses and address types. With this support, the ALTO Protocol allows an ALTO service provider the flexibility to indicate preferences for paths from an endpoint address of one type to an endpoint address of a different type.
Top   ToC   RFC7285 - Page 69

13.3. Network Address Translation Considerations

In this day and age of NAT v4<->v4, v4<->v6 [RFC6144], and possibly v6<->v6 [RFC6296], a protocol should strive to be NAT friendly and minimize carrying IP addresses in the payload or provide a mode of operation where the source IP address provides the information necessary to the server. The protocol specified in this document provides a mode of operation where the source network location is computed by the ALTO server (i.e., the Endpoint Cost Service) from the source IP address found in the ALTO client query packets. This is similar to how some P2P trackers (e.g., BitTorrent trackers -- see "Tracker HTTP/HTTPS Protocol" in [BitTorrent]) operate. There may be cases in which an ALTO client needs to determine its own IP address, such as when specifying a source endpoint address in the Endpoint Cost Service. It is possible that an ALTO client has multiple network interface addresses, and that some or all of them may require NAT for connectivity to the public Internet. If a public IP address is required for a network interface, the ALTO client SHOULD use the Session Traversal Utilities for NAT (STUN) [RFC5389]. If using this method, the host MUST use the "Binding Request" message and the resulting "XOR-MAPPED-ADDRESS" parameter that is returned in the response. Using STUN requires cooperation from a publicly accessible STUN server. Thus, the ALTO client also requires configuration information that identifies the STUN server, or a domain name that can be used for STUN server discovery. To be selected for this purpose, the STUN server needs to provide the public reflexive transport address of the host. ALTO clients should be cognizant that the network path between endpoints can depend on multiple factors, e.g., source address and destination address used for communication. An ALTO server provides information based on endpoint addresses (more generally, network locations), but the mechanisms used for determining existence of connectivity or usage of NAT between endpoints are out of scope of this document.

13.4. Endpoint and Path Properties

An ALTO server could make available many properties about endpoints beyond their network location or grouping. For example, connection type, geographical location, and others may be useful to applications. This specification focuses on network location and grouping, but the protocol may be extended to handle other endpoint properties.
Top   ToC   RFC7285 - Page 70

14. IANA Considerations

This document defines registries for application/alto-* media types, ALTO cost metrics, ALTO endpoint property types, ALTO address types, and ALTO error codes. Initial values for the registries and the process of future assignments are given below.

14.1. application/alto-* Media Types

This document registers multiple media types, listed in Table 2. +-------------+------------------------------+-------------------+ | Type | Subtype | Specification | +-------------+------------------------------+-------------------+ | application | alto-directory+json | Section 9.2.1 | | application | alto-networkmap+json | Section 11.2.1.1 | | application | alto-networkmapfilter+json | Section 11.3.1.1 | | application | alto-costmap+json | Section 11.2.3.1 | | application | alto-costmapfilter+json | Section 11.3.2.1 | | application | alto-endpointprop+json | Section 11.4.1.1 | | application | alto-endpointpropparams+json | Section 11.4.1.1 | | application | alto-endpointcost+json | Section 11.5.1.1 | | application | alto-endpointcostparams+json | Section 11.5.1.1 | | application | alto-error+json | Section 8.5.1 | +-------------+------------------------------+-------------------+ Table 2: ALTO Protocol Media Types Type name: application Subtype name: This documents registers multiple subtypes, as listed in Table 2. Required parameters: n/a Optional parameters: n/a Encoding considerations: Encoding considerations are identical to those specified for the "application/json" media type. See [RFC7159]. Security considerations: Security considerations relating to the generation and consumption of ALTO Protocol messages are discussed in Section 15. Interoperability considerations: This document specifies format of conforming messages and the interpretation thereof.
Top   ToC   RFC7285 - Page 71
   Published specification:  This document is the specification for
      these media types; see Table 2 for the section documenting each
      media type.

   Applications that use this media type:  ALTO servers and ALTO clients
      either stand alone or are embedded within other applications.

   Additional information:

      Magic number(s):  n/a

      File extension(s):  This document uses the mime type to refer to
         protocol messages and thus does not require a file extension.

      Macintosh file type code(s):  n/a

   Person & email address to contact for further information:  See
      Authors' Addresses section.

   Intended usage:  COMMON

   Restrictions on usage:  n/a

   Author:  See Authors' Addresses section.

   Change controller:  Internet Engineering Task Force
      (mailto:iesg@ietf.org).

14.2. ALTO Cost Metric Registry

IANA has created and now maintains the "ALTO Cost Metric Registry", listed in Table 3. +-------------+---------------------+ | Identifier | Intended Semantics | +-------------+---------------------+ | routingcost | See Section 6.1.1.1 | | priv: | Private use | +-------------+---------------------+ Table 3: ALTO Cost Metrics This registry serves two purposes. First, it ensures uniqueness of identifiers referring to ALTO cost metrics. Second, it provides references to particular semantics of allocated cost metrics to be applied by both ALTO servers and applications utilizing ALTO clients.
Top   ToC   RFC7285 - Page 72
   New ALTO cost metrics are assigned after IETF Review [RFC5226] to
   ensure that proper documentation regarding ALTO cost metric semantics
   and security considerations has been provided.  The RFCs documenting
   the new metrics should be detailed enough to provide guidance to both
   ALTO service providers and applications utilizing ALTO clients as to
   how values of the registered ALTO cost metric should be interpreted.
   Updates and deletions of ALTO cost metrics follow the same procedure.

   Registered ALTO cost metric identifiers MUST conform to the
   syntactical requirements specified in Section 10.6.  Identifiers are
   to be recorded and displayed as strings.

   As specified in Section 10.6, identifiers prefixed with "priv:" are
   reserved for Private Use.

   Requests to add a new value to the registry MUST include the
   following information:

   o  Identifier: The name of the desired ALTO cost metric.

   o  Intended Semantics: ALTO costs carry with them semantics to guide
      their usage by ALTO clients.  For example, if a value refers to a
      measurement, the measurement units must be documented.  For proper
      implementation of the ordinal cost mode (e.g., by a third-party
      service), it should be documented whether higher or lower values
      of the cost are more preferred.

   o  Security Considerations: ALTO costs expose information to ALTO
      clients.  As such, proper usage of a particular cost metric may
      require certain information to be exposed by an ALTO service
      provider.  Since network information is frequently regarded as
      proprietary or confidential, ALTO service providers should be made
      aware of the security ramifications related to usage of a cost
      metric.

   This specification requests registration of the identifier
   "routingcost".  Semantics for the this cost metric are documented in
   Section 6.1.1.1, and security considerations are documented in
   Section 15.3.
Top   ToC   RFC7285 - Page 73

14.3. ALTO Endpoint Property Type Registry

IANA has created and now maintains the "ALTO Endpoint Property Type Registry", listed in Table 4. +------------+--------------------+ | Identifier | Intended Semantics | +------------+--------------------+ | pid | See Section 7.1.1 | | priv: | Private use | +------------+--------------------+ Table 4: ALTO Endpoint Property Types The maintenance of this registry is similar to that of the preceding ALTO cost metrics. That is, the registry is maintained by IANA, subject to the description in Section 10.8.2. New endpoint property types are assigned after IETF Review [RFC5226] to ensure that proper documentation regarding ALTO endpoint property type semantics and security considerations has been provided. Updates and deletions of ALTO endpoint property types follow the same procedure. Registered ALTO endpoint property type identifiers MUST conform to the syntactical requirements specified in Section 10.8.1. Identifiers are to be recorded and displayed as strings. As specified in Section 10.8.1, identifiers prefixed with "priv:" are reserved for Private Use. Requests to add a new value to the registry MUST include the following information: o Identifier: The name of the desired ALTO endpoint property type. o Intended Semantics: ALTO endpoint properties carry with them semantics to guide their usage by ALTO clients. Hence, a document defining a new type should provide guidance to both ALTO service providers and applications utilizing ALTO clients as to how values of the registered ALTO endpoint property should be interpreted. For example, if a value refers to a measurement, the measurement units must be documented. o Security Considerations: ALTO endpoint properties expose information to ALTO clients. ALTO service providers should be made aware of the security ramifications related to the exposure of an endpoint property.
Top   ToC   RFC7285 - Page 74
   In particular, the request should discuss the sensitivity of the
   information, and why such sensitive information is required for ALTO-
   based operations.  It may recommend that ISP provide mechanisms for
   users to grant or deny consent to such information sharing.
   Limitation to a trust domain being a type of consent bounding.

   A request defining new endpoint properties should focus on exposing
   attributes of endpoints that are related to the goals of ALTO --
   optimization of application-layer traffic -- as opposed to more
   general properties of endpoints.  Maintaining this focus on
   technical, network-layer data will also help extension developers
   avoid the privacy concerns associated with publishing information
   about endpoints.  For example:

   o  An extension to indicate the capacity of a server would likely be
      appropriate, since server capacities can be used by a client to
      choose between multiple equivalent servers.  In addition, these
      properties are unlikely to be viewed as private information.

   o  An extension to indicate the geolocation of endpoints might be
      appropriate.  In some cases, a certain level of geolocation (e.g.,
      to the country level) can be useful for selecting content sources.
      More precise geolocation, however, is not relevant to content
      delivery, and is typically considered private.

   o  An extension indicating demographic attributes of the owner of an
      endpoint (e.g., age, sex, income) would not be appropriate,
      because these attributes are not related to delivery optimization,
      and because they are clearly private data.

   This specification requests registration of the identifier "pid".
   Semantics for this property are documented in Section 7.1.1, and
   security considerations are documented in Section 15.4.
Top   ToC   RFC7285 - Page 75

14.4. ALTO Address Type Registry

IANA has created and now maintains the "ALTO Address Type Registry", listed in Table 5. +------------+-----------------+-----------------+------------------+ | Identifier | Address | Prefix Encoding | Mapping to/from | | | Encoding | | IPv4/v6 | +------------+-----------------+-----------------+------------------+ | ipv4 | See Section | See Section | Direct mapping | | | 10.4.3 | 10.4.4 | to IPv4 | | ipv6 | See Section | See Section | Direct mapping | | | 10.4.3 | 10.4.4 | to IPv6 | +------------+-----------------+-----------------+------------------+ Table 5: ALTO Address Types This registry serves two purposes. First, it ensures uniqueness of identifiers referring to ALTO address types. Second, it states the requirements for allocated address type identifiers. New ALTO address types are assigned after IETF Review [RFC5226] to ensure that proper documentation regarding the new ALTO address types and their security considerations has been provided. RFCs defining new address types should indicate how an address of a registered type is encoded as an EndpointAddr and, if possible, a compact method (e.g., IPv4 and IPv6 prefixes) for encoding a set of addresses as an EndpointPrefix. Updates and deletions of ALTO address types follow the same procedure. Registered ALTO address type identifiers MUST conform to the syntactical requirements specified in Section 10.4.2. Identifiers are to be recorded and displayed as strings. Requests to add a new value to the registry MUST include the following information: o Identifier: The name of the desired ALTO address type. o Endpoint Address Encoding: The procedure for encoding an address of the registered type as an EndpointAddr (see Section 10.4.3). o Endpoint Prefix Encoding: The procedure for encoding a set of addresses of the registered type as an EndpointPrefix (see Section 10.4.4). If no such compact encoding is available, the same encoding used for a singular address may be used. In such a case, it must be documented that sets of addresses of this type always have exactly one element.
Top   ToC   RFC7285 - Page 76
   o  Mapping to/from IPv4/IPv6 Addresses: If possible, a mechanism to
      map addresses of the registered type to and from IPv4 or IPv6
      addresses should be specified.

   o  Security Considerations: In some usage scenarios, endpoint
      addresses carried in ALTO Protocol messages may reveal information
      about an ALTO client or an ALTO service provider.  Applications
      and ALTO service providers using addresses of the registered type
      should be made aware of how (or if) the addressing scheme relates
      to private information and network proximity.

   This specification requests registration of the identifiers "ipv4"
   and "ipv6", as shown in Table 5.

14.5. ALTO Error Code Registry

IANA has created and now maintains the "ALTO Error Code Registry". Initial values are listed in Table 1, and recommended usage of the error codes is specified in Section 8.5.2. Although the error codes defined in Table 1 are already quite complete, future extensions may define new error codes. The "ALTO Error Code Registry" ensures the uniqueness of error codes when new error codes are added. New ALTO error codes are assigned after IETF Review [RFC5226] to ensure that proper documentation regarding the new ALTO error codes and their usage has been provided. A request to add a new ALTO error code to the registry MUST include the following information: o Error Code: A string starting with E_ to indicate the error. o Intended Usage: ALTO error codes carry with them semantics to guide their usage by ALTO servers and clients. In particular, if a new error code indicates conditions that overlap with those of an existing ALTO error code, recommended usage of the new error code should be specified.

15. Security Considerations

Some environments and use cases of ALTO require consideration of security attacks on ALTO servers and clients. In order to support those environments interoperably, the ALTO requirements document [RFC6708] outlines minimum-to-implement authentication and other security requirements. This document considers the following threats and protection strategies.
Top   ToC   RFC7285 - Page 77

15.1. Authenticity and Integrity of ALTO Information

15.1.1. Risk Scenarios

An attacker may want to provide false or modified ALTO information resources or an information resource directory to ALTO clients to achieve certain malicious goals. As an example, an attacker may provide false endpoint properties. For example, suppose that a network supports an endpoint property named "hasQuota", which reports whether an endpoint has usage quota. An attacker may want to generate a false reply to lead to unexpected charges to the endpoint. An attack may also want to provide a false cost map. For example, by faking a cost map that highly prefers a small address range or a single address, the attacker may be able to turn a distributed application into a Distributed-Denial-of-Service (DDoS) tool. Depending on the network scenario, an attacker can attack authenticity and integrity of ALTO information resources using various techniques, including, but not limited to, sending forged DHCP replies in an Ethernet, DNS poisoning, and installing a transparent HTTP proxy that does some modifications.

15.1.2. Protection Strategies

ALTO protects the authenticity and integrity of ALTO information (both information directory and individual information resources) by leveraging the authenticity and integrity mechanisms in TLS (see Section 8.3.5). ALTO service providers who request server certificates and certification authorities who issue ALTO-specific certificates SHOULD consider the recommendations and guidelines defined in [RFC6125]. Software engineers developing and service providers deploying ALTO should make themselves familiar with possibly updated standards documents as well as up-to-date Best Current Practices on configuring HTTP over TLS.

15.1.3. Limitations

The protection of HTTP over TLS for ALTO depends on that the domain name in the URI for the information resources is not comprised. This will depend on the protection implemented by service discovery. A deployment scenario may require redistribution of ALTO information to improve scalability. When authenticity and integrity of ALTO information are still required, then ALTO clients obtaining ALTO information through redistribution must be able to validate the
Top   ToC   RFC7285 - Page 78
   received ALTO information.  Support for this validation is not
   provided in this document, but it may be provided by extension
   documents.

15.2. Potential Undesirable Guidance from Authenticated ALTO Information

15.2.1. Risk Scenarios

The ALTO services make it possible for an ALTO service provider to influence the behavior of network applications. An ALTO service provider may be hostile to some applications and, hence, try to use ALTO information resources to achieve certain goals [RFC5693]: ...redirecting applications to corrupted mediators providing malicious content, or applying policies in computing cost maps based on criteria other than network efficiency. See [ALTO-DEPLOYMENT] for additional discussions on faked ALTO guidance. A related scenario is that an ALTO server could unintentionally give "bad" guidance. For example, if many ALTO clients follow the cost map or the Endpoint Cost Service guidance without doing additional sanity checks or adaptation, more preferable hosts and/or links could get overloaded while less preferable ones remain idle; see AR-14 of [RFC6708] for related application considerations.

15.2.2. Protection Strategies

To protect applications from undesirable ALTO information resources, it is important to note that there is no protocol mechanism to require conforming behaviors on how applications use ALTO information resources. An application using ALTO may consider including a mechanism to detect misleading or undesirable results from using ALTO information resources. For example, if throughput measurements do not show "better-than-random" results when using an ALTO cost map to select resource providers, the application may want to disable ALTO usage or switch to an external ALTO server provided by an "independent organization" (see AR-20 and AR-21 in [RFC6708]). If the first ALTO server is provided by the access network service provider and the access network service provider tries to redirect access to the external ALTO server back to the provider's ALTO server or try to tamper with the responses, the preceding authentication and integrity protection can detect such a behavior.
Top   ToC   RFC7285 - Page 79

15.3. Confidentiality of ALTO Information

15.3.1. Risk Scenarios

In many cases, although ALTO information resources may be regarded as non-confidential information, there are deployment cases in which ALTO information resources can be sensitive information that can pose risks if exposed to unauthorized parties. This document discusses the risks and protection strategies for such deployment scenarios. For example, an attacker may infer details regarding the topology, status, and operational policies of a network through its ALTO network and cost maps. As a result, a sophisticated attacker may be able to infer more fine-grained topology information than an ISP hosting an ALTO server intends to disclose. The attacker can leverage the information to mount effective attacks such as focusing on high-cost links. Revealing some endpoint properties may also reveal additional information than the provider intended. For example, when adding the line bitrate as one endpoint property, such information may be potentially linked to the income of the habitants at the network location of an endpoint. In Section 5.2.1 of [RFC6708], three types of risks associated with the confidentiality of ALTO information resources are identified: risk type (1) Excess disclosure of the ALTO service provider's data to an authorized ALTO client; risk type (2) Disclosure of the ALTO service provider's data (e.g., network topology information or endpoint addresses) to an unauthorized third party; and risk type (3) Excess retrieval of the ALTO service provider's data by collaborating ALTO clients. [ALTO-DEPLOYMENT] also discusses information leakage from ALTO.

15.3.2. Protection Strategies

To address risk types (1) and (3), the provider of an ALTO server must be cognizant that the network topology and provisioning information provided through ALTO may lead to attacks. ALTO does not require any particular level of details of information disclosure; hence, the provider should evaluate how much information is revealed and the associated risks. To address risk type (2), the ALTO Protocol needs confidentiality. Since ALTO requires that HTTP over TLS must be supported, the confidentiality mechanism is provided by HTTP over TLS.
Top   ToC   RFC7285 - Page 80
   For deployment scenarios where client authentication is desired to
   address risk type (2), ALTO requires that HTTP Digestion
   Authentication is supported to achieve ALTO client authentication to
   limit the number of parties with whom ALTO information is directly
   shared.  TLS client authentication may also be supported.  Depending
   on the use case and scenario, an ALTO server may apply other access
   control techniques to restrict access to its services.  Access
   control can also help to prevent Denial-of-Service attacks by
   arbitrary hosts from the Internet.  See [ALTO-DEPLOYMENT] for a more
   detailed discussion on this issue.

   See Section 14.3 on guidelines when registering endpoint properties
   to protect endpoint privacy.

15.3.3. Limitations

ALTO information providers should be cognizant that encryption only protects ALTO information until it is decrypted by the intended ALTO client. Digital Rights Management (DRM) techniques and legal agreements protecting ALTO information are outside of the scope of this document.

15.4. Privacy for ALTO Users

15.4.1. Risk Scenarios

The ALTO Protocol provides mechanisms in which the ALTO client serving a user can send messages containing network location identifiers (IP addresses or fine-grained PIDs) to the ALTO server. This is particularly true for the Endpoint Property, the Endpoint Cost, and the fine-grained Filtered Map services. The ALTO server or a third party who is able to intercept such messages can store and process obtained information in order to analyze user behaviors and communication patterns. The analysis may correlate information collected from multiple clients to deduce additional application/ content information. Such analysis can lead to privacy risks. For a more comprehensive classification of related risk scenarios, see cases 4, 5, and 6 in [RFC6708], Section 5.2.

15.4.2. Protection Strategies

To protect user privacy, an ALTO client should be cognizant about potential ALTO server tracking through client queries, e.g., by using HTTP cookies. The ALTO Protocol as defined by this document does not rely on HTTP cookies. ALTO clients MAY decide not to return cookies received from the server, in order to make tracking more difficult. However, this might break protocol extensions that are beyond the scope of this document.
Top   ToC   RFC7285 - Page 81
   An ALTO client may consider the possibility of relying only on ALTO
   network maps for PIDs and cost maps amongst PIDs to avoid passing IP
   addresses of other endpoints (e.g., peers) to the ALTO server.  When
   specific IP addresses are needed (e.g., when using the Endpoint Cost
   Service), an ALTO client SHOULD minimize the amount of information
   sent in IP addresses.  For example, the ALTO client may consider
   obfuscation techniques such as specifying a broader address range
   (i.e., a shorter prefix length) or by zeroing out or randomizing the
   last few bits of IP addresses.  Note that obfuscation may yield less
   accurate results.

15.5. Availability of ALTO Services

15.5.1. Risk Scenarios

An attacker may want to disable the ALTO services of a network as a way to disable network guidance to large scale applications. In particular, queries that can be generated with low effort but result in expensive workloads at the ALTO server could be exploited for Denial-of-Service attacks. For instance, a simple ALTO query with n source network locations and m destination network locations can be generated fairly easily but results in the computation of n*m path costs between pairs by the ALTO server (see Section 5.2).

15.5.2. Protection Strategies

The ALTO service provider should be cognizant of the workload at the ALTO server generated by certain ALTO Queries, such as certain queries to the Map Service, the Map-Filtering Service and the Endpoint Cost (Ranking) Service. One way to limit Denial-of-Service attacks is to employ access control to the ALTO server. The ALTO server can also indicate overload and reject repeated requests that can cause availability problems. More advanced protection schemes such as computational puzzles [SIP] may be considered in an extension document. An ALTO service provider should also leverage the fact that the Map Service allows ALTO servers to pre-generate maps that can be distributed to many ALTO clients.

16. Manageability Considerations

This section details operations and management considerations based on existing deployments and discussions during protocol development. It also indicates where extension documents are expected to provide appropriate functionality discussed in [RFC5706] as additional deployment experience becomes available.
Top   ToC   RFC7285 - Page 82

16.1. Operations

16.1.1. Installation and Initial Setup

The ALTO Protocol is based on HTTP. Thus, configuring an ALTO server may require configuring the underlying HTTP server implementation to define appropriate security policies, caching policies, performance settings, etc. Additionally, an ALTO service provider will need to configure the ALTO information to be provided by the ALTO server. The granularity of the topological map and the cost maps is left to the specific policies of the ALTO service provider. However, a reasonable default may include two PIDs, one to hold the endpoints in the provider's network and the second PID to represent full IPv4 and IPv6 reachability (see Section 11.2.2), with the cost between each source/ destination PID set to 1. Another operational issue that the ALTO service provider needs to consider is that the filtering service can degenerate into a full map service when the filtering input is empty. Although this choice as the degeneration behavior provides continuity, the computational and network load of serving full maps to a large number of ALTO clients should be considered. Implementers employing an ALTO client should attempt to automatically discover an appropriate ALTO server. Manual configuration of the ALTO server location may be used where automatic discovery is not appropriate. Methods for automatic discovery and manual configuration are discussed in [ALTO-SERVER-DISC]. Specifications for underlying protocols (e.g., TCP, HTTP, TLS) should be consulted for their available settings and proposed default configurations.

16.1.2. Migration Path

This document does not detail a migration path for ALTO servers since there is no previous standard protocol providing the similar functionality. There are existing applications making use of network information discovered from other entities such as whois, geo-location databases, or round-trip time measurements, etc. Such applications should consider using ALTO as an additional source of information; ALTO need not be the sole source of network information.
Top   ToC   RFC7285 - Page 83

16.1.3. Dependencies on Other Protocols and Functional Components

The ALTO Protocol assumes that HTTP client and server implementations exist. It also assumes that JSON encoder and decoder implementations exist. An ALTO server assumes that it can gather sufficient information to populate Network and Cost maps. "Sufficient information" is dependent on the information being exposed, but likely includes information gathered from protocols such as IGP and EGP Routing Information Bases (see Figure 1). Specific mechanisms have been proposed (e.g., [ALTO-SVR-APIS]) and are expected to be provided in extension documents.

16.1.4. Impact and Observation on Network Operation

ALTO presents a new opportunity for managing network traffic by providing additional information to clients. In particular, the deployment of an ALTO server may shift network traffic patterns, and the potential impact to network operation can be large. An ALTO service provider should ensure that appropriate information is being exposed. Privacy implications for ISPs are discussed in Section 15.3. An ALTO service provider should consider how to measure impacts on (or integration with) traffic engineering, in addition to monitoring correctness and responsiveness of ALTO servers. The measurement of impacts can be challenging because ALTO-enabled applications may not provide related information back to the ALTO service provider. Furthermore, the measurement of an ALTO service provider may show that ALTO clients are not bound to ALTO server guidance as ALTO is only one source of information. While it can be challenging to measure the impact of ALTO guidance, there exist some possible techniques. In certain trusted deployment environments, it may be possible to collect information directly from ALTO clients. It may also be possible to vary or selectively disable ALTO guidance for a portion of ALTO clients either by time, geographical region, or some other criteria to compare the network traffic characteristics with and without ALTO. Both ALTO service providers and those using ALTO clients should be aware of the impact of incorrect or faked guidance (see [ALTO-DEPLOYMENT]).
Top   ToC   RFC7285 - Page 84

16.2. Management

16.2.1. Management Interoperability

A common management API would be desirable given that ALTO servers may typically be configured with dynamic data from various sources, and ALTO servers are intended to scale horizontally for fault- tolerance and reliability. A specific API or protocol is outside the scope of this document, but may be provided by an extension document. Logging is an important functionality for ALTO servers and, depending on the deployment, ALTO clients. Logging should be done via syslog [RFC5424].

16.2.2. Management Information

A Management Information Model (see Section 3.2 of [RFC5706]) is not provided by this document, but should be included or referenced by any extension documenting an ALTO-related management API or protocol.

16.2.3. Fault Management

An ALTO service provider should monitor whether any ALTO servers have failed. See Section 16.2.5 for related metrics that may indicate server failures.

16.2.4. Configuration Management

Standardized approaches and protocols to configuration management for ALTO are outside the scope of this document, but this document does outline high-level principles suggested for future standardization efforts. An ALTO server requires at least the following logical inputs: o Data sources from which ALTO information resources is derived. This can be either raw network information (e.g., from routing elements) or pre-processed ALTO-level information in the forms of network maps, cost maps, etc. o Algorithms for computing the ALTO information returned to clients. These could return either information from a database or information customized for each client. o Security policies mapping potential clients to the information that they have privilege to access.
Top   ToC   RFC7285 - Page 85
   Multiple ALTO servers can be deployed for scalability.  A centralized
   configuration database may be used to ensure they are providing the
   desired ALTO information with appropriate security controls.  The
   ALTO information (e.g., network maps and cost maps) being served by
   each ALTO server, as well as security policies (HTTP authentication,
   TLS client and server authentication, TLS encryption parameters)
   intended to serve the same information should be monitored for
   consistency.

16.2.5. Performance Management

An exhaustive list of desirable performance information from ALTO servers and ALTO clients are outside of the scope of this document. The following is a list of suggested ALTO-specific metrics to be monitored based on the existing deployment and protocol development experience: o Requests and responses for each service listed in an information directory (total counts and size in bytes); o CPU and memory utilization; o ALTO map updates; o Number of PIDs; o ALTO map sizes (in-memory size, encoded size, number of entries).

16.2.6. Security Management

Section 15 documents ALTO-specific security considerations. Operators should configure security policies with those in mind. Readers should refer to HTTP [RFC7230] and TLS [RFC5246] and related documents for mechanisms available for configuring security policies. Other appropriate security mechanisms (e.g., physical security, firewalls, etc.) should also be considered.

17. References

17.1. Normative References

[RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995. [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, November 1996.
Top   ToC   RFC7285 - Page 86
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, August 2006.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5389]  Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
              "Session Traversal Utilities for NAT (STUN)", RFC 5389,
              October 2008.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.

   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
              Address Text Representation", RFC 5952, August 2010.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Message Syntax and Routing", RFC 7230, June
              2014.

17.2. Informative References

[ALTO-DEPLOYMENT] Stiemerling, M., Ed., Kiesel, S., Ed., Previdi, S., and M. Scharf, "ALTO Deployment Considerations", Work in Progress, February 2014. [ALTO-INFOEXPORT] Shalunov, S., Penno, R., and R. Woundy, "ALTO Information Export Service", Work in Progress, October 2008.
Top   ToC   RFC7285 - Page 87
   [ALTO-MULTI-PS]
              Das, S., Narayanan, V., and L. Dondeti, "ALTO: A Multi
              Dimensional Peer Selection Problem", Work in Progress,
              October 2008.

   [ALTO-QUERYRESPONSE]
              Das, S. and V. Narayanan, "A Client to Service Query
              Response Protocol for ALTO", Work in Progress, March 2009.

   [ALTO-SERVER-DISC]
              Kiesel, S., Stiemerling, M., Schwan, N., Scharf, M., and
              H. Song, "ALTO Server Discovery", Work in Progress,
              September 2013.

   [ALTO-SVR-APIS]
              Medved, J., Ward, D., Peterson, J., Woundy, R., and D.
              McDysan, "ALTO Network-Server and Server-Server APIs",
              Work in Progress, March 2011.

   [ALTO-USE-CASES]
              Niven-Jenkins, B., Watson, G., Bitar, N., Medved, J., and
              S. Previdi, "Use Cases for ALTO within CDNs", Work in
              Progress, June 2012.

   [BitTorrent]
              "Bittorrent Protocol Specification v1.0",
              <http://wiki.theory.org/BitTorrentSpecification>.

   [Fielding-Thesis]
              Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", University of
              California, Irvine, Dissertation 2000, 2000.

   [IEEE.754.2008]
              Institute of Electrical and Electronics Engineers,
              "Standard for Binary Floating-Point Arithmetic", IEEE
              Standard 754, August 2008.

   [P4P-FRAMEWORK]
              Alimi, R., Pasko, D., Popkin, L., Wang, Y., and Y. Yang,
              "P4P: Provider Portal for P2P Applications", Work in
              Progress, November 2008.

   [P4P-SIGCOMM08]
              Xie, H., Yang, Y., Krishnamurthy, A., Liu, Y., and A.
              Silberschatz, "P4P: Provider Portal for (P2P)
              Applications", SIGCOMM 2008, August 2008.
Top   ToC   RFC7285 - Page 88
   [P4P-SPEC] Wang, Y., Alimi, R., Pasko, D., Popkin, L., and Y. Yang,
              "P4P Protocol Specification", Work in Progress, March
              2009.

   [PROXIDOR] Akonjang, O., Feldmann, A., Previdi, S., Davie, B., and D.
              Saucez, "The PROXIDOR Service", Work in Progress, March
              2009.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC5693]  Seedorf, J. and E. Burger, "Application-Layer Traffic
              Optimization (ALTO) Problem Statement", RFC 5693, October
              2009.

   [RFC5706]  Harrington, D., "Guidelines for Considering Operations and
              Management of New Protocols and Protocol Extensions", RFC
              5706, November 2009.

   [RFC6144]  Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
              IPv4/IPv6 Translation", RFC 6144, April 2011.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, June 2011.

   [RFC6708]  Kiesel, S., Previdi, S., Stiemerling, M., Woundy, R., and
              Y. Yang, "Application-Layer Traffic Optimization (ALTO)
              Requirements", RFC 6708, September 2012.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

   [SIP]      Jennings, C., "Computational Puzzles for SPAM Reduction in
              SIP", Work in Progress, July 2007.
Top   ToC   RFC7285 - Page 89

Appendix A. Acknowledgments

Thank you to Jan Seedorf (NEC) for substantial contributions to the Security Considerations section. Ben Niven-Jenkins (Velocix), Michael Scharf, and Sabine Randriamasy (Alcatel-Lucent) gave substantial feedback and suggestions on the protocol design. We would like to thank the following people whose input and involvement was indispensable in achieving this merged proposal: Obi Akonjang (DT Labs/TU Berlin), Saumitra M. Das (Qualcomm Inc.), Syon Ding (China Telecom), Doug Pasko (Verizon), Laird Popkin (Pando Networks), Satish Raghunath (Juniper Networks), Albert Tian (Ericsson/Redback), Yu-Shun Wang (Microsoft), David Zhang (PPLive), Yunfei Zhang (China Mobile). We would also like to thank the following additional people who were involved in the projects that contributed to this merged document: Alex Gerber (ATT), Chris Griffiths (Comcast), Ramit Hora (Pando Networks), Arvind Krishnamurthy (University of Washington), Marty Lafferty (DCIA), Erran Li (Bell Labs), Jin Li (Microsoft), Y. Grace Liu (IBM Watson), Jason Livingood (Comcast), Michael Merritt (ATT), Ingmar Poese (DT Labs/TU Berlin), James Royalty (Pando Networks), Damien Saucez (UCL), Thomas Scholl (ATT), Emilio Sepulveda (Telefonica), Avi Silberschatz (Yale University), Hassan Sipra (Bell Canada), Georgios Smaragdakis (DT Labs/TU Berlin), Haibin Song (Huawei), Oliver Spatscheck (ATT), See-Mong Tang (Microsoft), Jia Wang (ATT), Hao Wang (Yale University), Ye Wang (Yale University), Haiyong Xie (Yale University). Stanislav Shalunov would like to thank BitTorrent, where he worked while contributing to ALTO development.
Top   ToC   RFC7285 - Page 90

Appendix B. Design History and Merged Proposals

The ALTO Protocol specified in this document consists of contributions from o P4P [P4P-FRAMEWORK], [P4P-SIGCOMM08], [P4P-SPEC]; o ALTO Info-Export [ALTO-INFOEXPORT]; o Query/Response [ALTO-QUERYRESPONSE], [ALTO-MULTI-PS]; and o Proxidor [PROXIDOR].

Authors' Addresses

Richard Alimi (editor) Google 1600 Amphitheatre Parkway Mountain View, CA 94043 USA EMail: ralimi@google.com Reinaldo Penno (editor) Cisco Systems, Inc. 170 West Tasman Dr San Jose, CA 95134 USA EMail: repenno@cisco.com Y. Richard Yang (editor) Yale University 51 Prospect St New Haven, CT 06511 USA EMail: yry@cs.yale.edu
Top   ToC   RFC7285 - Page 91
   Sebastian Kiesel
   University of Stuttgart Information Center
   Networks and Communication Systems Department
   Allmandring 30
   Stuttgart  70550
   Germany

   EMail: ietf-alto@skiesel.de


   Stefano Previdi
   Cisco Systems, Inc.
   Via Del Serafico, 200
   Rome  00142
   Italy

   EMail: sprevidi@cisco.com


   Wendy Roome
   Alcatel-Lucent
   600 Mountain Ave.
   Murray Hill, NJ  07974
   USA

   EMail: w.roome@alcatel-lucent.com


   Stanislav Shalunov
   Open Garden
   751 13th St
   San Francisco, CA  94130
   USA

   EMail: shalunov@shlang.com


   Richard Woundy
   Comcast Cable Communications
   One Comcast Center
   1701 John F. Kennedy Boulevard
   Philadelphia, PA  19103
   USA

   EMail: Richard_Woundy@cable.comcast.com