RFC 7285
Application-Layer Traffic Optimization (ALTO) Protocol
12. Use Cases
The sections below depict typical use cases. While these use cases focus on peer-to-peer applications, ALTO can be applied to other environments such as Content Distribution Networks (CDNs) [ALTO-USE-CASES].
12.1. ALTO Client Embedded in P2P Tracker
Many deployed P2P systems use a tracker to manage swarms and perform peer selection. Such a P2P tracker can already use a variety of information to perform peer selection to meet application-specific goals. By acting as an ALTO client, the P2P tracker can use ALTO information as an additional information source to enable more network-efficient traffic patterns and improve application performance. A particular requirement of many P2P trackers is that they must handle a large number of P2P clients. A P2P tracker can obtain and locally store ALTO information (e.g., ALTO network maps and cost maps) from the ISPs containing the P2P clients, and benefit from the same aggregation of network locations done by ALTO servers. .---------. (1) Get Network Map .---------------. | | <----------------------> | | | ALTO | | P2P Tracker | | Server | (2) Get Cost Map | (ALTO client) | | | <----------------------> | | `---------' `---------------' ^ | (3) Get Peers | | (4) Selected Peer | v List .---------. .-----------. | Peer 1 | <-------------- | P2P | `---------' | Client | . (5) Connect to `-----------' . Selected Peers / .---------. / | Peer 50 | <------------------ `---------' Figure 4: ALTO Client Embedded in P2P Tracker Figure 4 shows an example use case where a P2P tracker is an ALTO client and applies ALTO information when selecting peers for its P2P clients. The example proceeds as follows: 1. The P2P tracker requests from the ALTO server a network map, so that it locally map P2P clients into PIDs. 2. The P2P tracker requests from the ALTO server the cost map amongst all PIDs identified in the preceding step. 3. A P2P client joins the swarm, and requests a peer list from the P2P tracker.
4. The P2P tracker returns a peer list to the P2P client. The
returned peer list is computed based on the network map and the
cost map returned by the ALTO server, and possibly other
information sources. Note that it is possible that a tracker may
use only the network map to implement hierarchical peer selection
by preferring peers within the same PID and ISP.
5. The P2P client connects to the selected peers.
Note that the P2P tracker may provide peer lists to P2P clients
distributed across multiple ISPs. In such a case, the P2P tracker
may communicate with multiple ALTO servers.
12.2. ALTO Client Embedded in P2P Client: Numerical Costs
P2P clients may also utilize ALTO information themselves when
selecting from available peers. It is important to note that not all
P2P systems use a P2P tracker for peer discovery and selection.
Furthermore, even when a P2P tracker is used, the P2P clients may
rely on other sources, such as peer exchange and DHTs, to discover
peers.
When a P2P client uses ALTO information, it typically queries only
the ALTO server servicing its own ISP. The "my-Internet view"
provided by its ISP's ALTO server can include preferences to all
potential peers.
.---------. (1) Get Network Map .---------------.
| | <----------------------> | |
| ALTO | | P2P Client |
| Server | (2) Get Cost Map | (ALTO client) |
| | <----------------------> | | .---------.
`---------' `---------------' <- | P2P |
.---------. / | ^ ^ | Tracker |
| Peer 1 | <-------------- | | \ `---------'
`---------' | (3) Gather Peers
. (4) Select Peers | | \
. and Connect / .--------. .--------.
.---------. / | P2P | | DHT |
| Peer 50 | <---------------- | Client | `--------'
`---------' | (PEX) |
`--------'
Figure 5: ALTO Client Embedded in P2P Client
Figure 5 shows an example use case where a P2P client locally applies
ALTO information to select peers. The use case proceeds as follows:
1. The P2P client requests the network map covering all PIDs from
the ALTO server servicing its own ISP.
2. The P2P client requests the cost map providing path costs amongst
all PIDs from the ALTO server. The cost map by default specifies
numerical costs.
3. The P2P client discovers peers from sources such as peer exchange
(PEX) from other P2P clients, distributed hash tables (DHT), and
P2P trackers.
4. The P2P client uses ALTO information as part of the algorithm for
selecting new peers and connects to the selected peers.
12.3. ALTO Client Embedded in P2P Client: Ranking
It is also possible for a P2P client to offload the selection and
ranking process to an ALTO server. In this use case, the ALTO client
embedded in the P2P client gathers a list of known peers in the
swarm, and asks the ALTO server to rank them. This document limits
the use case to when the P2P client and the ALTO server are deployed
by the same entity; hence, the P2P client uses the ranking provided
by the ALTO server directly.
As in the use case using numerical costs, the P2P client typically
only queries the ALTO server servicing its own ISP.
.---------. .---------------.
| | | |
| ALTO | (2) Get Endpoint Ranking | P2P Client |
| Server | <----------------------> | (ALTO client) |
| | | | .---------.
`---------' `---------------' <- | P2P |
.---------. / | ^ ^ | Tracker |
| Peer 1 | <-------------- | | \ `---------'
`---------' | (1) Gather Peers
. (3) Connect to | | \
. Selected Peers / .--------. .--------.
.---------. / | P2P | | DHT |
| Peer 50 | <---------------- | Client | `--------'
`---------' | (PEX) |
`--------'
Figure 6: ALTO Client Embedded in P2P Client: Ranking
Figure 6 shows an example of this scenario. The use case proceeds as follows: 1. The P2P client discovers peers from sources such as Peer Exchange (PEX) from other P2P clients, Distributed Hash Tables (DHT), and P2P trackers. 2. The P2P client queries the ALTO server's ranking service (i.e., the ECS Service), by including the discovered peers as the set of destination endpoints, and indicating the "ordinal" cost mode. The response indicates the ranking of the candidate peers. 3. The P2P client connects to the peers in the order specified in the ranking.13. Discussions
13.1. Discovery
The discovery mechanism by which an ALTO client locates an appropriate ALTO server is out of scope for this document. This document assumes that an ALTO client can discover an appropriate ALTO server. Once it has done so, the ALTO client may use the information resource directory (see Section 9.2) to locate an information resource with the desired ALTO information.13.2. Hosts with Multiple Endpoint Addresses
In practical deployments, a particular host can be reachable using multiple addresses (e.g., a wireless IPv4 connection, a wireline IPv4 connection, and a wireline IPv6 connection). In general, the particular network path followed when sending packets to the host will depend on the address that is used. Network providers may prefer one path over another. An additional consideration may be how to handle private address spaces (e.g., behind carrier-grade NATs). To support such behavior, this document allows multiple endpoint addresses and address types. With this support, the ALTO Protocol allows an ALTO service provider the flexibility to indicate preferences for paths from an endpoint address of one type to an endpoint address of a different type.
13.3. Network Address Translation Considerations
In this day and age of NAT v4<->v4, v4<->v6 [RFC6144], and possibly v6<->v6 [RFC6296], a protocol should strive to be NAT friendly and minimize carrying IP addresses in the payload or provide a mode of operation where the source IP address provides the information necessary to the server. The protocol specified in this document provides a mode of operation where the source network location is computed by the ALTO server (i.e., the Endpoint Cost Service) from the source IP address found in the ALTO client query packets. This is similar to how some P2P trackers (e.g., BitTorrent trackers -- see "Tracker HTTP/HTTPS Protocol" in [BitTorrent]) operate. There may be cases in which an ALTO client needs to determine its own IP address, such as when specifying a source endpoint address in the Endpoint Cost Service. It is possible that an ALTO client has multiple network interface addresses, and that some or all of them may require NAT for connectivity to the public Internet. If a public IP address is required for a network interface, the ALTO client SHOULD use the Session Traversal Utilities for NAT (STUN) [RFC5389]. If using this method, the host MUST use the "Binding Request" message and the resulting "XOR-MAPPED-ADDRESS" parameter that is returned in the response. Using STUN requires cooperation from a publicly accessible STUN server. Thus, the ALTO client also requires configuration information that identifies the STUN server, or a domain name that can be used for STUN server discovery. To be selected for this purpose, the STUN server needs to provide the public reflexive transport address of the host. ALTO clients should be cognizant that the network path between endpoints can depend on multiple factors, e.g., source address and destination address used for communication. An ALTO server provides information based on endpoint addresses (more generally, network locations), but the mechanisms used for determining existence of connectivity or usage of NAT between endpoints are out of scope of this document.13.4. Endpoint and Path Properties
An ALTO server could make available many properties about endpoints beyond their network location or grouping. For example, connection type, geographical location, and others may be useful to applications. This specification focuses on network location and grouping, but the protocol may be extended to handle other endpoint properties.
14. IANA Considerations
This document defines registries for application/alto-* media types, ALTO cost metrics, ALTO endpoint property types, ALTO address types, and ALTO error codes. Initial values for the registries and the process of future assignments are given below.14.1. application/alto-* Media Types
This document registers multiple media types, listed in Table 2. +-------------+------------------------------+-------------------+ | Type | Subtype | Specification | +-------------+------------------------------+-------------------+ | application | alto-directory+json | Section 9.2.1 | | application | alto-networkmap+json | Section 11.2.1.1 | | application | alto-networkmapfilter+json | Section 11.3.1.1 | | application | alto-costmap+json | Section 11.2.3.1 | | application | alto-costmapfilter+json | Section 11.3.2.1 | | application | alto-endpointprop+json | Section 11.4.1.1 | | application | alto-endpointpropparams+json | Section 11.4.1.1 | | application | alto-endpointcost+json | Section 11.5.1.1 | | application | alto-endpointcostparams+json | Section 11.5.1.1 | | application | alto-error+json | Section 8.5.1 | +-------------+------------------------------+-------------------+ Table 2: ALTO Protocol Media Types Type name: application Subtype name: This documents registers multiple subtypes, as listed in Table 2. Required parameters: n/a Optional parameters: n/a Encoding considerations: Encoding considerations are identical to those specified for the "application/json" media type. See [RFC7159]. Security considerations: Security considerations relating to the generation and consumption of ALTO Protocol messages are discussed in Section 15. Interoperability considerations: This document specifies format of conforming messages and the interpretation thereof.
Published specification: This document is the specification for
these media types; see Table 2 for the section documenting each
media type.
Applications that use this media type: ALTO servers and ALTO clients
either stand alone or are embedded within other applications.
Additional information:
Magic number(s): n/a
File extension(s): This document uses the mime type to refer to
protocol messages and thus does not require a file extension.
Macintosh file type code(s): n/a
Person & email address to contact for further information: See
Authors' Addresses section.
Intended usage: COMMON
Restrictions on usage: n/a
Author: See Authors' Addresses section.
Change controller: Internet Engineering Task Force
(mailto:iesg@ietf.org).
14.2. ALTO Cost Metric Registry
IANA has created and now maintains the "ALTO Cost Metric Registry",
listed in Table 3.
+-------------+---------------------+
| Identifier | Intended Semantics |
+-------------+---------------------+
| routingcost | See Section 6.1.1.1 |
| priv: | Private use |
+-------------+---------------------+
Table 3: ALTO Cost Metrics
This registry serves two purposes. First, it ensures uniqueness of
identifiers referring to ALTO cost metrics. Second, it provides
references to particular semantics of allocated cost metrics to be
applied by both ALTO servers and applications utilizing ALTO clients.
New ALTO cost metrics are assigned after IETF Review [RFC5226] to ensure that proper documentation regarding ALTO cost metric semantics and security considerations has been provided. The RFCs documenting the new metrics should be detailed enough to provide guidance to both ALTO service providers and applications utilizing ALTO clients as to how values of the registered ALTO cost metric should be interpreted. Updates and deletions of ALTO cost metrics follow the same procedure. Registered ALTO cost metric identifiers MUST conform to the syntactical requirements specified in Section 10.6. Identifiers are to be recorded and displayed as strings. As specified in Section 10.6, identifiers prefixed with "priv:" are reserved for Private Use. Requests to add a new value to the registry MUST include the following information: o Identifier: The name of the desired ALTO cost metric. o Intended Semantics: ALTO costs carry with them semantics to guide their usage by ALTO clients. For example, if a value refers to a measurement, the measurement units must be documented. For proper implementation of the ordinal cost mode (e.g., by a third-party service), it should be documented whether higher or lower values of the cost are more preferred. o Security Considerations: ALTO costs expose information to ALTO clients. As such, proper usage of a particular cost metric may require certain information to be exposed by an ALTO service provider. Since network information is frequently regarded as proprietary or confidential, ALTO service providers should be made aware of the security ramifications related to usage of a cost metric. This specification requests registration of the identifier "routingcost". Semantics for the this cost metric are documented in Section 6.1.1.1, and security considerations are documented in Section 15.3.
14.3. ALTO Endpoint Property Type Registry
IANA has created and now maintains the "ALTO Endpoint Property Type Registry", listed in Table 4. +------------+--------------------+ | Identifier | Intended Semantics | +------------+--------------------+ | pid | See Section 7.1.1 | | priv: | Private use | +------------+--------------------+ Table 4: ALTO Endpoint Property Types The maintenance of this registry is similar to that of the preceding ALTO cost metrics. That is, the registry is maintained by IANA, subject to the description in Section 10.8.2. New endpoint property types are assigned after IETF Review [RFC5226] to ensure that proper documentation regarding ALTO endpoint property type semantics and security considerations has been provided. Updates and deletions of ALTO endpoint property types follow the same procedure. Registered ALTO endpoint property type identifiers MUST conform to the syntactical requirements specified in Section 10.8.1. Identifiers are to be recorded and displayed as strings. As specified in Section 10.8.1, identifiers prefixed with "priv:" are reserved for Private Use. Requests to add a new value to the registry MUST include the following information: o Identifier: The name of the desired ALTO endpoint property type. o Intended Semantics: ALTO endpoint properties carry with them semantics to guide their usage by ALTO clients. Hence, a document defining a new type should provide guidance to both ALTO service providers and applications utilizing ALTO clients as to how values of the registered ALTO endpoint property should be interpreted. For example, if a value refers to a measurement, the measurement units must be documented. o Security Considerations: ALTO endpoint properties expose information to ALTO clients. ALTO service providers should be made aware of the security ramifications related to the exposure of an endpoint property.
In particular, the request should discuss the sensitivity of the
information, and why such sensitive information is required for ALTO-
based operations. It may recommend that ISP provide mechanisms for
users to grant or deny consent to such information sharing.
Limitation to a trust domain being a type of consent bounding.
A request defining new endpoint properties should focus on exposing
attributes of endpoints that are related to the goals of ALTO --
optimization of application-layer traffic -- as opposed to more
general properties of endpoints. Maintaining this focus on
technical, network-layer data will also help extension developers
avoid the privacy concerns associated with publishing information
about endpoints. For example:
o An extension to indicate the capacity of a server would likely be
appropriate, since server capacities can be used by a client to
choose between multiple equivalent servers. In addition, these
properties are unlikely to be viewed as private information.
o An extension to indicate the geolocation of endpoints might be
appropriate. In some cases, a certain level of geolocation (e.g.,
to the country level) can be useful for selecting content sources.
More precise geolocation, however, is not relevant to content
delivery, and is typically considered private.
o An extension indicating demographic attributes of the owner of an
endpoint (e.g., age, sex, income) would not be appropriate,
because these attributes are not related to delivery optimization,
and because they are clearly private data.
This specification requests registration of the identifier "pid".
Semantics for this property are documented in Section 7.1.1, and
security considerations are documented in Section 15.4.
14.4. ALTO Address Type Registry
IANA has created and now maintains the "ALTO Address Type Registry", listed in Table 5. +------------+-----------------+-----------------+------------------+ | Identifier | Address | Prefix Encoding | Mapping to/from | | | Encoding | | IPv4/v6 | +------------+-----------------+-----------------+------------------+ | ipv4 | See Section | See Section | Direct mapping | | | 10.4.3 | 10.4.4 | to IPv4 | | ipv6 | See Section | See Section | Direct mapping | | | 10.4.3 | 10.4.4 | to IPv6 | +------------+-----------------+-----------------+------------------+ Table 5: ALTO Address Types This registry serves two purposes. First, it ensures uniqueness of identifiers referring to ALTO address types. Second, it states the requirements for allocated address type identifiers. New ALTO address types are assigned after IETF Review [RFC5226] to ensure that proper documentation regarding the new ALTO address types and their security considerations has been provided. RFCs defining new address types should indicate how an address of a registered type is encoded as an EndpointAddr and, if possible, a compact method (e.g., IPv4 and IPv6 prefixes) for encoding a set of addresses as an EndpointPrefix. Updates and deletions of ALTO address types follow the same procedure. Registered ALTO address type identifiers MUST conform to the syntactical requirements specified in Section 10.4.2. Identifiers are to be recorded and displayed as strings. Requests to add a new value to the registry MUST include the following information: o Identifier: The name of the desired ALTO address type. o Endpoint Address Encoding: The procedure for encoding an address of the registered type as an EndpointAddr (see Section 10.4.3). o Endpoint Prefix Encoding: The procedure for encoding a set of addresses of the registered type as an EndpointPrefix (see Section 10.4.4). If no such compact encoding is available, the same encoding used for a singular address may be used. In such a case, it must be documented that sets of addresses of this type always have exactly one element.
o Mapping to/from IPv4/IPv6 Addresses: If possible, a mechanism to
map addresses of the registered type to and from IPv4 or IPv6
addresses should be specified.
o Security Considerations: In some usage scenarios, endpoint
addresses carried in ALTO Protocol messages may reveal information
about an ALTO client or an ALTO service provider. Applications
and ALTO service providers using addresses of the registered type
should be made aware of how (or if) the addressing scheme relates
to private information and network proximity.
This specification requests registration of the identifiers "ipv4"
and "ipv6", as shown in Table 5.
14.5. ALTO Error Code Registry
IANA has created and now maintains the "ALTO Error Code Registry".
Initial values are listed in Table 1, and recommended usage of the
error codes is specified in Section 8.5.2.
Although the error codes defined in Table 1 are already quite
complete, future extensions may define new error codes. The "ALTO
Error Code Registry" ensures the uniqueness of error codes when new
error codes are added.
New ALTO error codes are assigned after IETF Review [RFC5226] to
ensure that proper documentation regarding the new ALTO error codes
and their usage has been provided.
A request to add a new ALTO error code to the registry MUST include
the following information:
o Error Code: A string starting with E_ to indicate the error.
o Intended Usage: ALTO error codes carry with them semantics to
guide their usage by ALTO servers and clients. In particular, if
a new error code indicates conditions that overlap with those of
an existing ALTO error code, recommended usage of the new error
code should be specified.
15. Security Considerations
Some environments and use cases of ALTO require consideration of
security attacks on ALTO servers and clients. In order to support
those environments interoperably, the ALTO requirements document
[RFC6708] outlines minimum-to-implement authentication and other
security requirements. This document considers the following threats
and protection strategies.
15.1. Authenticity and Integrity of ALTO Information
15.1.1. Risk Scenarios
An attacker may want to provide false or modified ALTO information resources or an information resource directory to ALTO clients to achieve certain malicious goals. As an example, an attacker may provide false endpoint properties. For example, suppose that a network supports an endpoint property named "hasQuota", which reports whether an endpoint has usage quota. An attacker may want to generate a false reply to lead to unexpected charges to the endpoint. An attack may also want to provide a false cost map. For example, by faking a cost map that highly prefers a small address range or a single address, the attacker may be able to turn a distributed application into a Distributed-Denial-of-Service (DDoS) tool. Depending on the network scenario, an attacker can attack authenticity and integrity of ALTO information resources using various techniques, including, but not limited to, sending forged DHCP replies in an Ethernet, DNS poisoning, and installing a transparent HTTP proxy that does some modifications.15.1.2. Protection Strategies
ALTO protects the authenticity and integrity of ALTO information (both information directory and individual information resources) by leveraging the authenticity and integrity mechanisms in TLS (see Section 8.3.5). ALTO service providers who request server certificates and certification authorities who issue ALTO-specific certificates SHOULD consider the recommendations and guidelines defined in [RFC6125]. Software engineers developing and service providers deploying ALTO should make themselves familiar with possibly updated standards documents as well as up-to-date Best Current Practices on configuring HTTP over TLS.15.1.3. Limitations
The protection of HTTP over TLS for ALTO depends on that the domain name in the URI for the information resources is not comprised. This will depend on the protection implemented by service discovery. A deployment scenario may require redistribution of ALTO information to improve scalability. When authenticity and integrity of ALTO information are still required, then ALTO clients obtaining ALTO information through redistribution must be able to validate the
received ALTO information. Support for this validation is not provided in this document, but it may be provided by extension documents.15.2. Potential Undesirable Guidance from Authenticated ALTO Information
15.2.1. Risk Scenarios
The ALTO services make it possible for an ALTO service provider to influence the behavior of network applications. An ALTO service provider may be hostile to some applications and, hence, try to use ALTO information resources to achieve certain goals [RFC5693]: ...redirecting applications to corrupted mediators providing malicious content, or applying policies in computing cost maps based on criteria other than network efficiency. See [ALTO-DEPLOYMENT] for additional discussions on faked ALTO guidance. A related scenario is that an ALTO server could unintentionally give "bad" guidance. For example, if many ALTO clients follow the cost map or the Endpoint Cost Service guidance without doing additional sanity checks or adaptation, more preferable hosts and/or links could get overloaded while less preferable ones remain idle; see AR-14 of [RFC6708] for related application considerations.15.2.2. Protection Strategies
To protect applications from undesirable ALTO information resources, it is important to note that there is no protocol mechanism to require conforming behaviors on how applications use ALTO information resources. An application using ALTO may consider including a mechanism to detect misleading or undesirable results from using ALTO information resources. For example, if throughput measurements do not show "better-than-random" results when using an ALTO cost map to select resource providers, the application may want to disable ALTO usage or switch to an external ALTO server provided by an "independent organization" (see AR-20 and AR-21 in [RFC6708]). If the first ALTO server is provided by the access network service provider and the access network service provider tries to redirect access to the external ALTO server back to the provider's ALTO server or try to tamper with the responses, the preceding authentication and integrity protection can detect such a behavior.
15.3. Confidentiality of ALTO Information
15.3.1. Risk Scenarios
In many cases, although ALTO information resources may be regarded as non-confidential information, there are deployment cases in which ALTO information resources can be sensitive information that can pose risks if exposed to unauthorized parties. This document discusses the risks and protection strategies for such deployment scenarios. For example, an attacker may infer details regarding the topology, status, and operational policies of a network through its ALTO network and cost maps. As a result, a sophisticated attacker may be able to infer more fine-grained topology information than an ISP hosting an ALTO server intends to disclose. The attacker can leverage the information to mount effective attacks such as focusing on high-cost links. Revealing some endpoint properties may also reveal additional information than the provider intended. For example, when adding the line bitrate as one endpoint property, such information may be potentially linked to the income of the habitants at the network location of an endpoint. In Section 5.2.1 of [RFC6708], three types of risks associated with the confidentiality of ALTO information resources are identified: risk type (1) Excess disclosure of the ALTO service provider's data to an authorized ALTO client; risk type (2) Disclosure of the ALTO service provider's data (e.g., network topology information or endpoint addresses) to an unauthorized third party; and risk type (3) Excess retrieval of the ALTO service provider's data by collaborating ALTO clients. [ALTO-DEPLOYMENT] also discusses information leakage from ALTO.15.3.2. Protection Strategies
To address risk types (1) and (3), the provider of an ALTO server must be cognizant that the network topology and provisioning information provided through ALTO may lead to attacks. ALTO does not require any particular level of details of information disclosure; hence, the provider should evaluate how much information is revealed and the associated risks. To address risk type (2), the ALTO Protocol needs confidentiality. Since ALTO requires that HTTP over TLS must be supported, the confidentiality mechanism is provided by HTTP over TLS.
For deployment scenarios where client authentication is desired to address risk type (2), ALTO requires that HTTP Digestion Authentication is supported to achieve ALTO client authentication to limit the number of parties with whom ALTO information is directly shared. TLS client authentication may also be supported. Depending on the use case and scenario, an ALTO server may apply other access control techniques to restrict access to its services. Access control can also help to prevent Denial-of-Service attacks by arbitrary hosts from the Internet. See [ALTO-DEPLOYMENT] for a more detailed discussion on this issue. See Section 14.3 on guidelines when registering endpoint properties to protect endpoint privacy.15.3.3. Limitations
ALTO information providers should be cognizant that encryption only protects ALTO information until it is decrypted by the intended ALTO client. Digital Rights Management (DRM) techniques and legal agreements protecting ALTO information are outside of the scope of this document.15.4. Privacy for ALTO Users
15.4.1. Risk Scenarios
The ALTO Protocol provides mechanisms in which the ALTO client serving a user can send messages containing network location identifiers (IP addresses or fine-grained PIDs) to the ALTO server. This is particularly true for the Endpoint Property, the Endpoint Cost, and the fine-grained Filtered Map services. The ALTO server or a third party who is able to intercept such messages can store and process obtained information in order to analyze user behaviors and communication patterns. The analysis may correlate information collected from multiple clients to deduce additional application/ content information. Such analysis can lead to privacy risks. For a more comprehensive classification of related risk scenarios, see cases 4, 5, and 6 in [RFC6708], Section 5.2.15.4.2. Protection Strategies
To protect user privacy, an ALTO client should be cognizant about potential ALTO server tracking through client queries, e.g., by using HTTP cookies. The ALTO Protocol as defined by this document does not rely on HTTP cookies. ALTO clients MAY decide not to return cookies received from the server, in order to make tracking more difficult. However, this might break protocol extensions that are beyond the scope of this document.
An ALTO client may consider the possibility of relying only on ALTO network maps for PIDs and cost maps amongst PIDs to avoid passing IP addresses of other endpoints (e.g., peers) to the ALTO server. When specific IP addresses are needed (e.g., when using the Endpoint Cost Service), an ALTO client SHOULD minimize the amount of information sent in IP addresses. For example, the ALTO client may consider obfuscation techniques such as specifying a broader address range (i.e., a shorter prefix length) or by zeroing out or randomizing the last few bits of IP addresses. Note that obfuscation may yield less accurate results.15.5. Availability of ALTO Services
15.5.1. Risk Scenarios
An attacker may want to disable the ALTO services of a network as a way to disable network guidance to large scale applications. In particular, queries that can be generated with low effort but result in expensive workloads at the ALTO server could be exploited for Denial-of-Service attacks. For instance, a simple ALTO query with n source network locations and m destination network locations can be generated fairly easily but results in the computation of n*m path costs between pairs by the ALTO server (see Section 5.2).15.5.2. Protection Strategies
The ALTO service provider should be cognizant of the workload at the ALTO server generated by certain ALTO Queries, such as certain queries to the Map Service, the Map-Filtering Service and the Endpoint Cost (Ranking) Service. One way to limit Denial-of-Service attacks is to employ access control to the ALTO server. The ALTO server can also indicate overload and reject repeated requests that can cause availability problems. More advanced protection schemes such as computational puzzles [SIP] may be considered in an extension document. An ALTO service provider should also leverage the fact that the Map Service allows ALTO servers to pre-generate maps that can be distributed to many ALTO clients.16. Manageability Considerations
This section details operations and management considerations based on existing deployments and discussions during protocol development. It also indicates where extension documents are expected to provide appropriate functionality discussed in [RFC5706] as additional deployment experience becomes available.
16.1. Operations
16.1.1. Installation and Initial Setup
The ALTO Protocol is based on HTTP. Thus, configuring an ALTO server may require configuring the underlying HTTP server implementation to define appropriate security policies, caching policies, performance settings, etc. Additionally, an ALTO service provider will need to configure the ALTO information to be provided by the ALTO server. The granularity of the topological map and the cost maps is left to the specific policies of the ALTO service provider. However, a reasonable default may include two PIDs, one to hold the endpoints in the provider's network and the second PID to represent full IPv4 and IPv6 reachability (see Section 11.2.2), with the cost between each source/ destination PID set to 1. Another operational issue that the ALTO service provider needs to consider is that the filtering service can degenerate into a full map service when the filtering input is empty. Although this choice as the degeneration behavior provides continuity, the computational and network load of serving full maps to a large number of ALTO clients should be considered. Implementers employing an ALTO client should attempt to automatically discover an appropriate ALTO server. Manual configuration of the ALTO server location may be used where automatic discovery is not appropriate. Methods for automatic discovery and manual configuration are discussed in [ALTO-SERVER-DISC]. Specifications for underlying protocols (e.g., TCP, HTTP, TLS) should be consulted for their available settings and proposed default configurations.16.1.2. Migration Path
This document does not detail a migration path for ALTO servers since there is no previous standard protocol providing the similar functionality. There are existing applications making use of network information discovered from other entities such as whois, geo-location databases, or round-trip time measurements, etc. Such applications should consider using ALTO as an additional source of information; ALTO need not be the sole source of network information.
16.1.3. Dependencies on Other Protocols and Functional Components
The ALTO Protocol assumes that HTTP client and server implementations exist. It also assumes that JSON encoder and decoder implementations exist. An ALTO server assumes that it can gather sufficient information to populate Network and Cost maps. "Sufficient information" is dependent on the information being exposed, but likely includes information gathered from protocols such as IGP and EGP Routing Information Bases (see Figure 1). Specific mechanisms have been proposed (e.g., [ALTO-SVR-APIS]) and are expected to be provided in extension documents.16.1.4. Impact and Observation on Network Operation
ALTO presents a new opportunity for managing network traffic by providing additional information to clients. In particular, the deployment of an ALTO server may shift network traffic patterns, and the potential impact to network operation can be large. An ALTO service provider should ensure that appropriate information is being exposed. Privacy implications for ISPs are discussed in Section 15.3. An ALTO service provider should consider how to measure impacts on (or integration with) traffic engineering, in addition to monitoring correctness and responsiveness of ALTO servers. The measurement of impacts can be challenging because ALTO-enabled applications may not provide related information back to the ALTO service provider. Furthermore, the measurement of an ALTO service provider may show that ALTO clients are not bound to ALTO server guidance as ALTO is only one source of information. While it can be challenging to measure the impact of ALTO guidance, there exist some possible techniques. In certain trusted deployment environments, it may be possible to collect information directly from ALTO clients. It may also be possible to vary or selectively disable ALTO guidance for a portion of ALTO clients either by time, geographical region, or some other criteria to compare the network traffic characteristics with and without ALTO. Both ALTO service providers and those using ALTO clients should be aware of the impact of incorrect or faked guidance (see [ALTO-DEPLOYMENT]).
16.2. Management
16.2.1. Management Interoperability
A common management API would be desirable given that ALTO servers may typically be configured with dynamic data from various sources, and ALTO servers are intended to scale horizontally for fault- tolerance and reliability. A specific API or protocol is outside the scope of this document, but may be provided by an extension document. Logging is an important functionality for ALTO servers and, depending on the deployment, ALTO clients. Logging should be done via syslog [RFC5424].16.2.2. Management Information
A Management Information Model (see Section 3.2 of [RFC5706]) is not provided by this document, but should be included or referenced by any extension documenting an ALTO-related management API or protocol.16.2.3. Fault Management
An ALTO service provider should monitor whether any ALTO servers have failed. See Section 16.2.5 for related metrics that may indicate server failures.16.2.4. Configuration Management
Standardized approaches and protocols to configuration management for ALTO are outside the scope of this document, but this document does outline high-level principles suggested for future standardization efforts. An ALTO server requires at least the following logical inputs: o Data sources from which ALTO information resources is derived. This can be either raw network information (e.g., from routing elements) or pre-processed ALTO-level information in the forms of network maps, cost maps, etc. o Algorithms for computing the ALTO information returned to clients. These could return either information from a database or information customized for each client. o Security policies mapping potential clients to the information that they have privilege to access.
Multiple ALTO servers can be deployed for scalability. A centralized configuration database may be used to ensure they are providing the desired ALTO information with appropriate security controls. The ALTO information (e.g., network maps and cost maps) being served by each ALTO server, as well as security policies (HTTP authentication, TLS client and server authentication, TLS encryption parameters) intended to serve the same information should be monitored for consistency.16.2.5. Performance Management
An exhaustive list of desirable performance information from ALTO servers and ALTO clients are outside of the scope of this document. The following is a list of suggested ALTO-specific metrics to be monitored based on the existing deployment and protocol development experience: o Requests and responses for each service listed in an information directory (total counts and size in bytes); o CPU and memory utilization; o ALTO map updates; o Number of PIDs; o ALTO map sizes (in-memory size, encoded size, number of entries).16.2.6. Security Management
Section 15 documents ALTO-specific security considerations. Operators should configure security policies with those in mind. Readers should refer to HTTP [RFC7230] and TLS [RFC5246] and related documents for mechanisms available for configuring security policies. Other appropriate security mechanisms (e.g., physical security, firewalls, etc.) should also be considered.17. References
17.1. Normative References
[RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995. [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, November 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan", BCP 122, RFC 4632, August 2006. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, "Session Traversal Utilities for NAT (STUN)", RFC 5389, October 2008. [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009. [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, August 2010. [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, March 2011. [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 2014.17.2. Informative References
[ALTO-DEPLOYMENT] Stiemerling, M., Ed., Kiesel, S., Ed., Previdi, S., and M. Scharf, "ALTO Deployment Considerations", Work in Progress, February 2014. [ALTO-INFOEXPORT] Shalunov, S., Penno, R., and R. Woundy, "ALTO Information Export Service", Work in Progress, October 2008.
[ALTO-MULTI-PS] Das, S., Narayanan, V., and L. Dondeti, "ALTO: A Multi Dimensional Peer Selection Problem", Work in Progress, October 2008. [ALTO-QUERYRESPONSE] Das, S. and V. Narayanan, "A Client to Service Query Response Protocol for ALTO", Work in Progress, March 2009. [ALTO-SERVER-DISC] Kiesel, S., Stiemerling, M., Schwan, N., Scharf, M., and H. Song, "ALTO Server Discovery", Work in Progress, September 2013. [ALTO-SVR-APIS] Medved, J., Ward, D., Peterson, J., Woundy, R., and D. McDysan, "ALTO Network-Server and Server-Server APIs", Work in Progress, March 2011. [ALTO-USE-CASES] Niven-Jenkins, B., Watson, G., Bitar, N., Medved, J., and S. Previdi, "Use Cases for ALTO within CDNs", Work in Progress, June 2012. [BitTorrent] "Bittorrent Protocol Specification v1.0", <http://wiki.theory.org/BitTorrentSpecification>. [Fielding-Thesis] Fielding, R., "Architectural Styles and the Design of Network-based Software Architectures", University of California, Irvine, Dissertation 2000, 2000. [IEEE.754.2008] Institute of Electrical and Electronics Engineers, "Standard for Binary Floating-Point Arithmetic", IEEE Standard 754, August 2008. [P4P-FRAMEWORK] Alimi, R., Pasko, D., Popkin, L., Wang, Y., and Y. Yang, "P4P: Provider Portal for P2P Applications", Work in Progress, November 2008. [P4P-SIGCOMM08] Xie, H., Yang, Y., Krishnamurthy, A., Liu, Y., and A. Silberschatz, "P4P: Provider Portal for (P2P) Applications", SIGCOMM 2008, August 2008.
[P4P-SPEC] Wang, Y., Alimi, R., Pasko, D., Popkin, L., and Y. Yang, "P4P Protocol Specification", Work in Progress, March 2009. [PROXIDOR] Akonjang, O., Feldmann, A., Previdi, S., Davie, B., and D. Saucez, "The PROXIDOR Service", Work in Progress, March 2009. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC5693] Seedorf, J. and E. Burger, "Application-Layer Traffic Optimization (ALTO) Problem Statement", RFC 5693, October 2009. [RFC5706] Harrington, D., "Guidelines for Considering Operations and Management of New Protocols and Protocol Extensions", RFC 5706, November 2009. [RFC6144] Baker, F., Li, X., Bao, C., and K. Yin, "Framework for IPv4/IPv6 Translation", RFC 6144, April 2011. [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix Translation", RFC 6296, June 2011. [RFC6708] Kiesel, S., Previdi, S., Stiemerling, M., Woundy, R., and Y. Yang, "Application-Layer Traffic Optimization (ALTO) Requirements", RFC 6708, September 2012. [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, March 2014. [RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, June 2014. [SIP] Jennings, C., "Computational Puzzles for SPAM Reduction in SIP", Work in Progress, July 2007.
Appendix A. Acknowledgments
Thank you to Jan Seedorf (NEC) for substantial contributions to the Security Considerations section. Ben Niven-Jenkins (Velocix), Michael Scharf, and Sabine Randriamasy (Alcatel-Lucent) gave substantial feedback and suggestions on the protocol design. We would like to thank the following people whose input and involvement was indispensable in achieving this merged proposal: Obi Akonjang (DT Labs/TU Berlin), Saumitra M. Das (Qualcomm Inc.), Syon Ding (China Telecom), Doug Pasko (Verizon), Laird Popkin (Pando Networks), Satish Raghunath (Juniper Networks), Albert Tian (Ericsson/Redback), Yu-Shun Wang (Microsoft), David Zhang (PPLive), Yunfei Zhang (China Mobile). We would also like to thank the following additional people who were involved in the projects that contributed to this merged document: Alex Gerber (ATT), Chris Griffiths (Comcast), Ramit Hora (Pando Networks), Arvind Krishnamurthy (University of Washington), Marty Lafferty (DCIA), Erran Li (Bell Labs), Jin Li (Microsoft), Y. Grace Liu (IBM Watson), Jason Livingood (Comcast), Michael Merritt (ATT), Ingmar Poese (DT Labs/TU Berlin), James Royalty (Pando Networks), Damien Saucez (UCL), Thomas Scholl (ATT), Emilio Sepulveda (Telefonica), Avi Silberschatz (Yale University), Hassan Sipra (Bell Canada), Georgios Smaragdakis (DT Labs/TU Berlin), Haibin Song (Huawei), Oliver Spatscheck (ATT), See-Mong Tang (Microsoft), Jia Wang (ATT), Hao Wang (Yale University), Ye Wang (Yale University), Haiyong Xie (Yale University). Stanislav Shalunov would like to thank BitTorrent, where he worked while contributing to ALTO development.
Appendix B. Design History and Merged Proposals
The ALTO Protocol specified in this document consists of contributions from o P4P [P4P-FRAMEWORK], [P4P-SIGCOMM08], [P4P-SPEC]; o ALTO Info-Export [ALTO-INFOEXPORT]; o Query/Response [ALTO-QUERYRESPONSE], [ALTO-MULTI-PS]; and o Proxidor [PROXIDOR].Authors' Addresses
Richard Alimi (editor) Google 1600 Amphitheatre Parkway Mountain View, CA 94043 USA EMail: ralimi@google.com Reinaldo Penno (editor) Cisco Systems, Inc. 170 West Tasman Dr San Jose, CA 95134 USA EMail: repenno@cisco.com Y. Richard Yang (editor) Yale University 51 Prospect St New Haven, CT 06511 USA EMail: yry@cs.yale.edu
Sebastian Kiesel University of Stuttgart Information Center Networks and Communication Systems Department Allmandring 30 Stuttgart 70550 Germany EMail: ietf-alto@skiesel.de Stefano Previdi Cisco Systems, Inc. Via Del Serafico, 200 Rome 00142 Italy EMail: sprevidi@cisco.com Wendy Roome Alcatel-Lucent 600 Mountain Ave. Murray Hill, NJ 07974 USA EMail: w.roome@alcatel-lucent.com Stanislav Shalunov Open Garden 751 13th St San Francisco, CA 94130 USA EMail: shalunov@shlang.com Richard Woundy Comcast Cable Communications One Comcast Center 1701 John F. Kennedy Boulevard Philadelphia, PA 19103 USA EMail: Richard_Woundy@cable.comcast.com