Internet Engineering Task Force (IETF)                  B. Niven-Jenkins
Request for Comments: 8006                                     R. Murray
Category: Standards Track                                          Nokia
ISSN: 2070-1721                                             M. Caulfield
                                                           Cisco Systems
                                                                   K. Ma
                                                                Ericsson
                                                           December 2016

Content Delivery Network Interconnection (CDNI) Metadata

Abstract
The Content Delivery Network Interconnection (CDNI) Metadata interface enables interconnected Content Delivery Networks (CDNs) to exchange content distribution metadata in order to enable content acquisition and delivery. The CDNI Metadata associated with a piece of content provides a downstream CDN with sufficient information for the downstream CDN to service content requests on behalf of an upstream CDN. This document describes both a base set of CDNI Metadata and the protocol for exchanging that metadata.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8006.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents
1. Introduction
   1.1. Terminology
   1.2. Supported Metadata Capabilities
2. Design Principles
3. CDNI Metadata Object Model
   3.1. HostIndex, HostMatch, HostMetadata, PathMatch, PatternMatch, and PathMetadata Objects
   3.2. Generic CDNI Metadata Objects
   3.3. Metadata Inheritance and Override
4. CDNI Metadata Objects
   4.1. Definitions of the CDNI Structural Metadata Objects
      4.1.1. HostIndex
      4.1.2. HostMatch
      4.1.3. HostMetadata
      4.1.4. PathMatch
      4.1.5. PatternMatch
      4.1.6. PathMetadata
      4.1.7. GenericMetadata
   4.2. Definitions of the Initial Set of CDNI GenericMetadata Objects
      4.2.1. SourceMetadata
         4.2.1.1. Source
      4.2.2. LocationACL Metadata
         4.2.2.1. LocationRule
         4.2.2.2. Footprint
      4.2.3. TimeWindowACL
         4.2.3.1. TimeWindowRule
         4.2.3.2. TimeWindow
      4.2.4. ProtocolACL Metadata
         4.2.4.1. ProtocolRule
      4.2.5. DeliveryAuthorization Metadata
      4.2.6. Cache
      4.2.7. Auth
      4.2.8. Grouping
   4.3. CDNI Metadata Simple Data Type Descriptions
      4.3.1. Link
         4.3.1.1. Link Loop Prevention
      4.3.2. Protocol
      4.3.3. Endpoint
      4.3.4. Time
      4.3.5. IPv4CIDR
      4.3.6. IPv6CIDR
      4.3.7. ASN
      4.3.8. Country Code
5. CDNI Metadata Capabilities
6. CDNI Metadata Interface
   6.1. Transport
   6.2. Retrieval of CDNI Metadata Resources
   6.3. Bootstrapping
   6.4. Encoding
   6.5. Extensibility
   6.6. Metadata Enforcement
   6.7. Metadata Conflicts
   6.8. Versioning
   6.9. Media Types
   6.10. Complete CDNI Metadata Example
7. IANA Considerations
   7.1. CDNI Payload Types
      7.1.1. CDNI MI HostIndex Payload Type
      7.1.2. CDNI MI HostMatch Payload Type
      7.1.3. CDNI MI HostMetadata Payload Type
      7.1.4. CDNI MI PathMatch Payload Type
      7.1.5. CDNI MI PatternMatch Payload Type
      7.1.6. CDNI MI PathMetadata Payload Type
      7.1.7. CDNI MI SourceMetadata Payload Type
      7.1.8. CDNI MI Source Payload Type
      7.1.9. CDNI MI LocationACL Payload Type
      7.1.10. CDNI MI LocationRule Payload Type
      7.1.11. CDNI MI Footprint Payload Type
      7.1.12. CDNI MI TimeWindowACL Payload Type
      7.1.13. CDNI MI TimeWindowRule Payload Type
      7.1.14. CDNI MI TimeWindow Payload Type
      7.1.15. CDNI MI ProtocolACL Payload Type
      7.1.16. CDNI MI ProtocolRule Payload Type
      7.1.17. CDNI MI DeliveryAuthorization Payload Type
      7.1.18. CDNI MI Cache Payload Type
      7.1.19. CDNI MI Auth Payload Type
      7.1.20. CDNI MI Grouping Payload Type
   7.2. "CDNI Metadata Footprint Types" Registry
   7.3. "CDNI Metadata Protocol Types" Registry
8. Security Considerations
   8.1. Authentication and Integrity
   8.2. Confidentiality and Privacy
   8.3. Securing the CDNI Metadata Interface
9. References
   9.1. Normative References
   9.2. Informative References
Acknowledgments
Contributors
Authors' Addresses

1. Introduction
Content Delivery Network Interconnection (CDNI) [RFC6707] enables a downstream Content Delivery Network (dCDN) to service content requests on behalf of an upstream CDN (uCDN).

The CDNI Metadata interface (MI) is discussed in [RFC7336] along with four other interfaces that can be used to compose a CDNI solution (the CDNI Control interface, the CDNI Request Routing Redirection interface, the CDNI Footprint & Capabilities Advertisement interface (FCI), and the CDNI Logging interface). [RFC7336] describes each interface and the relationships between them. The requirements for the CDNI Metadata interface are specified in [RFC7337].

The CDNI Metadata associated with a piece of content (or with a set of content) provides a dCDN with sufficient information for servicing content requests on behalf of a uCDN, in accordance with the policies defined by the uCDN.

This document defines a CDNI Metadata interface that enables a dCDN to obtain CDNI Metadata from a uCDN so that the dCDN can properly process and respond to:

o  Redirection requests received over the CDNI Request Routing Redirection interface [RFC7975].

o  Content requests received directly from User Agents.

Specifically, this document defines:

o  A data structure for mapping content requests and redirection requests to CDNI Metadata objects (Sections 3 and 4.1).

o  An initial set of CDNI GenericMetadata objects (Section 4.2).

o  An HTTP web service for the transfer of CDNI Metadata (Section 6).

1.1. Terminology
This document reuses the terminology defined in [RFC6707].

Additionally, the following terms are used throughout this document and are defined as follows:

o  Object - a collection of properties.

o  Property - a key and value pair where the key is a property name and the value is the property value or another object.

This document uses the phrase "[Object] A contains [Object] B" for simplicity when a strictly accurate phrase would be "[Object] A contains or references (via a Link object) [Object] B".

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

1.2. Supported Metadata Capabilities
Only the metadata for a small set of initial capabilities is specified in this document. This set provides the minimum amount of metadata for basic CDN interoperability while still meeting the requirements set forth by [RFC7337].

The following high-level functionality can be configured via the CDNI Metadata objects specified in Section 4:

o  Acquisition Source: Metadata for allowing a dCDN to fetch content from a uCDN.

o  Delivery Access Control: Metadata for restricting (or permitting) access to content based on any of the following factors:

   *  Location

   *  Time window

   *  Delivery protocol

o  Delivery Authorization: Metadata for authorizing dCDN User Agent requests.

o  Cache Control: Metadata for controlling cache behavior of the dCDN.

The metadata encoding described by this document is extensible in order to allow for future additions to this list.

The set of metadata specified in this document covers the initial capabilities above. It is only intended to support CDNI for the delivery of content by a dCDN using HTTP/1.1 [RFC7230] and for a dCDN to be able to acquire content from a uCDN using either HTTP/1.1 or HTTP/1.1 over Transport Layer Security (TLS) [RFC2818].

Supporting CDNI for the delivery of content using unencrypted HTTP/2 [RFC7540] (as well as for a dCDN to acquire content using unencrypted HTTP/2 or HTTP/2 over TLS) requires the registration of these protocol names in the "CDNI Metadata Protocol Types" registry (Section 7.3).

Delivery of content using HTTP/1.1 over TLS or HTTP/2 over TLS SHOULD follow the guidelines set forth in [RFC7525]. Offline configuration of TLS parameters between CDNs is beyond the scope of this document.

2. Design Principles
The CDNI Metadata interface was designed to achieve the following objectives:

1.  Cacheability of CDNI Metadata objects;

2.  Deterministic mapping from redirection requests and content requests to CDNI Metadata properties;

3.  Support for DNS redirection as well as application-specific redirection (for example, HTTP redirection);

4.  Minimal duplication of CDNI Metadata; and

5.  Leveraging of existing protocols.

Cacheability can decrease the latency of acquiring metadata while maintaining its freshness and can therefore decrease the latency of serving content requests and redirection requests, without sacrificing accuracy. The CDNI Metadata interface uses HTTP and its existing caching mechanisms to achieve CDNI Metadata cacheability.

Deterministic mapping from content to metadata properties eliminates ambiguity and ensures that policies are applied consistently by all dCDNs.

Support for both HTTP and DNS redirection ensures that the CDNI Metadata meets the same design principles for both HTTP-based and DNS-based redirection schemes.

Minimal duplication of CDNI Metadata improves storage efficiency in the CDNs.

Leveraging existing protocols avoids reinventing common mechanisms such as data structure encoding (by leveraging I-JSON (Internet JSON) [RFC7493]) and data transport (by leveraging HTTP [RFC7230]).

3. CDNI Metadata Object Model
The CDNI Metadata object model describes a data structure for mapping redirection requests and content requests to metadata properties. Metadata properties describe how to acquire content from a uCDN, authorize access to content, and deliver content from a dCDN. The object model relies on the assumption that these metadata properties can be grouped based on the hostname of the content and subsequently on the resource path (URI) of the content. The object model associates a set of CDNI Metadata properties with a hostname to form a default set of metadata properties for content delivered on behalf of that hostname. That default set of metadata properties can be overridden by properties that apply to specific paths within a URI.

Different hostnames and URI paths will be associated with different sets of CDNI Metadata properties in order to describe the required behavior when a dCDN Surrogate or request router is processing User Agent requests for content at that hostname and URI path. As a result of this structure, significant commonality could exist between the CDNI Metadata properties specified for different hostnames, different URI paths within a hostname, and different URI paths on different hostnames. For example, the definition of which User Agent IP addresses should be grouped together into a single network or geographic location is likely to be common for a number of different hostnames; although a uCDN is likely to have several different policies configured to express geo-blocking rules, it is likely that a single geo-blocking policy could be applied to multiple hostnames delivered through the CDN.

In order to enable the CDNI Metadata for a given hostname and URI path to be decomposed into reusable sets of CDNI Metadata properties, the CDNI Metadata interface splits the CDNI Metadata into separate objects. Efficiency is improved by enabling a single CDNI Metadata object (that is shared across hostnames and/or URI paths) to be retrieved and stored by a dCDN once, even if it is referenced by the CDNI Metadata for multiple hostnames and/or URI paths.

Important Note: Any CDNI Metadata object A that contains another CDNI Metadata object B can include a Link object specifying a URI that can be used to retrieve object B, instead of embedding object B within object A. The remainder of this document uses the phrase "[Object] A contains [Object] B" for simplicity when a strictly accurate phrase would be "[Object] A contains or references (via a Link object) [Object] B". It is generally a deployment choice for the uCDN implementation to decide when to embed CDNI Metadata objects and when to reference separate resources via Link objects.

Section 3.1 introduces a high-level description of the HostIndex, HostMatch, HostMetadata, PathMatch, PatternMatch, and PathMetadata objects, and describes the relationships between them.

Section 3.2 introduces a high-level description of the CDNI GenericMetadata object, which represents the level at which CDNI Metadata override occurs between HostMetadata and PathMetadata objects.

Section 4 describes in detail the specific CDNI Metadata objects and properties specified by this document that can be contained within a CDNI GenericMetadata object.

3.1. HostIndex, HostMatch, HostMetadata, PathMatch, PatternMatch, and PathMetadata Objects
The relationships between the HostIndex, HostMatch, HostMetadata, PathMatch, PatternMatch, and PathMetadata objects are described in Figure 1.

+---------+      +---------+      +------------+
|HostIndex+-(*)->|HostMatch+-(1)->|HostMetadata+-------(*)------+
+---------+      +---------+      +------+-----+                |
                                         |                      |
                                        (*)                     |
                                         |                      V
--> Contains or references               V         *****************
(1) One and only one                +---------+    *GenericMetadata*
(*) Zero or more               +--->|PathMatch|    *     Objects   *
                               |    +----+---++    *****************
                               |         |   |                  ^
                              (*)       (1) (1) +------------+  |
                               |         |   +->|PatternMatch|  |
                               |         V      +------------+  |
                               |  +------------+                |
                               +--+PathMetadata+-------(*)------+
                                  +------------+

Figure 1: Relationships between CDNI Metadata Objects (Diagram Representation)

A HostIndex object (see Section 4.1.1) contains an array of HostMatch objects (see Section 4.1.2) that contain hostnames (and/or IP addresses) for which content requests might be delegated to the dCDN. The HostIndex is the starting point for accessing the uCDN CDNI Metadata data store. It enables the dCDN to deterministically discover which CDNI Metadata objects it requires in order to deliver a given piece of content.

The HostIndex links hostnames (and/or IP addresses) to HostMetadata objects (see Section 4.1.3) via HostMatch objects. A HostMatch object defines a hostname (or IP address) to match against a requested host and contains a HostMetadata object.

HostMetadata objects contain the default GenericMetadata objects (see Section 4.1.7) required to serve content for that host. When looking up CDNI Metadata, the dCDN looks up the requested hostname (or IP address) against the HostMatch entries in the HostIndex; from there, it can find HostMetadata, which describes the default metadata properties for each host as well as PathMetadata objects (see Section 4.1.6), via PathMatch objects (see Section 4.1.4). PathMatch objects define patterns, contained inside PatternMatch objects (see Section 4.1.5), to match against the requested URI path. PatternMatch objects contain the pattern strings and flags that describe the URI path to which a PathMatch applies. PathMetadata objects contain the GenericMetadata objects that apply to content requests matching the defined URI path pattern. PathMetadata properties override properties previously defined in HostMetadata or less-specific PathMatch paths. PathMetadata objects can contain additional PathMatch objects to recursively define more-specific URI paths to which GenericMetadata properties might be applied.

A GenericMetadata object contains individual CDNI Metadata objects that define the specific policies and attributes needed to properly deliver the associated content. For example, a GenericMetadata object could describe the source from which a CDN can acquire a piece of content. The GenericMetadata object is an atomic unit that can be referenced by HostMetadata or PathMetadata objects.

For example, if "example.com" is a content provider, a HostMatch object could include an entry for "example.com" with the URI of the associated HostMetadata object. The HostMetadata object for "example.com" describes the metadata properties that apply to "example.com" and could contain PathMatches for "example.com/movies/*" and "example.com/music/*", which in turn reference corresponding PathMetadata objects that contain the properties for those more-specific URI paths. The PathMetadata object for "example.com/movies/*" describes the properties that apply to that URI path. It could also contain a PathMatch object for "example.com/movies/hd/*", which would reference the corresponding PathMetadata object for the "example.com/movies/hd/" path prefix.

The relationships in Figure 1 are also represented in tabular format in Table 1 below.

+--------------+----------------------------------------------------+
| Data Object  | Objects it contains or references                  |
+--------------+----------------------------------------------------+
| HostIndex    | 0 or more HostMatch objects.                       |
|              |                                                    |
| HostMatch    | 1 HostMetadata object.                             |
|              |                                                    |
| HostMetadata | 0 or more PathMatch objects. 0 or more             |
|              | GenericMetadata objects.                           |
|              |                                                    |
| PathMatch    | 1 PatternMatch object. 1 PathMetadata object.      |
|              |                                                    |
| PatternMatch | Does not contain or reference any other objects.   |
|              |                                                    |
| PathMetadata | 0 or more PathMatch objects. 0 or more             |
|              | GenericMetadata objects.                           |
+--------------+----------------------------------------------------+

Table 1: Relationships between CDNI Metadata Objects (Table Representation)

3.2. Generic CDNI Metadata Objects
The HostMetadata and PathMetadata objects contain other CDNI Metadata objects that contain properties that describe how User Agent requests for content should be processed -- for example, where to acquire the content from, authorization rules that should be applied, geo-blocking restrictions, and so on. Each such CDNI Metadata object is a specialization of a CDNI GenericMetadata object. The GenericMetadata object abstracts the basic information required for metadata override and metadata distribution, from the specifics of any given property (i.e., property semantics, enforcement options, etc.).

The GenericMetadata object defines the properties contained within it as well as whether or not the properties are "mandatory-to-enforce". If the dCDN does not understand or support a mandatory-to-enforce property, the dCDN MUST NOT serve the content. If the property is not mandatory-to-enforce, then that GenericMetadata object can be safely ignored and the content request can be processed in accordance with the rest of the CDNI Metadata.

Although a CDN MUST NOT serve content to a User Agent if a mandatory-to-enforce property cannot be enforced, it could still be safe to redistribute that metadata (the "safe-to-redistribute" property) to another CDN without modification. For example, in the cascaded CDN case, a transit CDN (tCDN) could convey mandatory-to-enforce metadata to a dCDN. For metadata that does not require customization or translation (i.e., metadata that is safe-to-redistribute), the data representation received off the wire MAY be stored and redistributed without being understood or supported by the tCDN. However, for metadata that requires translation, transparent redistribution of the uCDN metadata values might not be appropriate. Certain metadata can be safely, though perhaps not optimally, redistributed unmodified. For example, a source acquisition address might not be optimal if transparently redistributed, but it might still work.

Redistribution safety MUST be specified for each GenericMetadata property. If a CDN does not understand or support a given GenericMetadata property that is not safe-to-redistribute, the CDN MUST set the "incomprehensible" flag to true for that GenericMetadata object before redistributing the metadata. The "incomprehensible" flag signals to a dCDN that the metadata was not properly transformed by the tCDN. A CDN MUST NOT attempt to use metadata that has been marked as "incomprehensible" by a uCDN.

tCDNs MUST NOT change the value of mandatory-to-enforce or safe-to-redistribute when propagating metadata to a dCDN. Although a tCDN can set the value of "incomprehensible" to true, a tCDN MUST NOT change the value of "incomprehensible" from true to false.

Table 2 describes the action to be taken by a tCDN for the different combinations of mandatory-to-enforce ("MtE") and safe-to-redistribute ("StR") properties when the tCDN either does or does not understand the metadata in question:

+-------+-------+------------+--------------------------------------+
| MtE   | StR   | Metadata   | Action                               |
|       |       | Understood |                                      |
|       |       | by tCDN    |                                      |
+-------+-------+------------+--------------------------------------+
| False | True  | True       | Can serve and redistribute.          |
|       |       |            |                                      |
| False | True  | False      | Can serve and redistribute.          |
|       |       |            |                                      |
| False | False | False      | Can serve. MUST set                  |
|       |       |            | "incomprehensible" to true when      |
|       |       |            | redistributing.                      |
|       |       |            |                                      |
| False | False | True       | Can serve. Can redistribute after    |
|       |       |            | transforming the metadata (if the    |
|       |       |            | CDN knows how to do so safely);      |
|       |       |            | otherwise, MUST set                  |
|       |       |            | "incomprehensible" to true when      |
|       |       |            | redistributing.                      |
|       |       |            |                                      |
| True  | True  | True       | Can serve and redistribute.          |
|       |       |            |                                      |
| True  | True  | False      | MUST NOT serve but can redistribute. |
|       |       |            |                                      |
| True  | False | True       | Can serve. Can redistribute after    |
|       |       |            | transforming the metadata (if the    |
|       |       |            | CDN knows how to do so safely);      |
|       |       |            | otherwise, MUST set                  |
|       |       |            | "incomprehensible" to true when      |
|       |       |            | redistributing.                      |
|       |       |            |                                      |
| True  | False | False      | MUST NOT serve. MUST set             |
|       |       |            | "incomprehensible" to true when      |
|       |       |            | redistributing.                      |
+-------+-------+------------+--------------------------------------+

Table 2: Action to Be Taken by a tCDN for the Different Combinations of MtE and StR Properties

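
The tCDN rules of Table 2 written as one function. This is an added example, not code from the RFC or its authors. The JSON key names and their defaults follow the GenericMetadata definition in Section 4.1.7; the "transform" callable and the "X.Example.Policy" type are hypothetical, and applying the "MUST NOT attempt to use" rule to an object that arrives already marked "incomprehensible" is how this example reads the text.

```python
import copy


def tcdn_handle(gm, understood, transform=None):
    """Apply Table 2 to one GenericMetadata object received by a tCDN.

    gm         -- the object as received from the uCDN (a dict)
    understood -- True if this tCDN implements gm's type
    transform  -- hypothetical callable that rewrites the value for the
                  dCDN, or None if the tCDN cannot translate it safely
    Returns (can_serve, outgoing_object).
    """
    mte = gm.get("mandatory-to-enforce", True)      # default: enforce
    safe = gm.get("safe-to-redistribute", True)     # default: redistributable
    incomp_in = gm.get("incomprehensible", False)   # default: comprehensible

    # Serving fails closed: a mandatory object that is not understood, or
    # that an upstream CDN already marked incomprehensible, blocks delivery.
    can_serve = not (mte and (incomp_in or not understood))

    out = copy.deepcopy(gm)   # MtE and StR are carried over untouched
    if incomp_in:
        pass                  # never reset true -> false, never reinterpret
    elif safe:
        pass                  # the wire representation is passed on as received
    elif understood and transform is not None:
        out["generic-metadata-value"] = transform(gm["generic-metadata-value"])
    else:
        out["incomprehensible"] = True   # the dCDN must not apply this object
    return can_serve, out


if __name__ == "__main__":
    # Constructed object; the value is an opaque stand-in.
    sample = {
        "generic-metadata-type": "X.Example.Policy",
        "generic-metadata-value": {"note": "uCDN-specific value"},
        "mandatory-to-enforce": True,
        "safe-to-redistribute": False,
    }
    cases = [
        (True, lambda value: {"note": "rewritten by tCDN"}),
        (True, None),
        (False, None),
    ]
    for understood, transform in cases:
        serve, out = tcdn_handle(sample, understood, transform)
        print("understood=%s transform=%s -> serve=%s incomprehensible=%s" % (
            understood, transform is not None, serve,
            out.get("incomprehensible", False)))
```
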
Table 3 describes the action to be taken by a dCDN for the different combinations of mandatory-to-enforce and "incomprehensible" (Incomp) properties, when the dCDN either does or does not understand the metadata in question:

+-------+--------+--------------+-----------------------------------+
| MtE   | Incomp | Metadata     | Action                            |
|       |        | Understood   |                                   |
|       |        | by dCDN      |                                   |
+-------+--------+--------------+-----------------------------------+
| False | False  | True         | Can serve.                        |
|       |        |              |                                   |
| False | True   | True         | Can serve but MUST NOT            |
|       |        |              | interpret/apply any metadata      |
|       |        |              | marked as "incomprehensible".     |
|       |        |              |                                   |
| False | False  | False        | Can serve.                        |
|       |        |              |                                   |
| False | True   | False        | Can serve but MUST NOT            |
|       |        |              | interpret/apply any metadata      |
|       |        |              | marked as "incomprehensible".     |
|       |        |              |                                   |
| True  | False  | True         | Can serve.                        |
|       |        |              |                                   |
| True  | True   | True         | MUST NOT serve.                   |
|       |        |              |                                   |
| True  | False  | False        | MUST NOT serve.                   |
|       |        |              |                                   |
| True  | True   | False        | MUST NOT serve.                   |
+-------+--------+--------------+-----------------------------------+

Table 3: Action to Be Taken by a dCDN for the Different Combinations of MtE and Incomp Properties

3.3. Metadata Inheritance and Override
In the metadata object model, a HostMetadata object can contain multiple PathMetadata objects (via PathMatch objects). Each PathMetadata object can in turn contain other PathMetadata objects. HostMetadata and PathMetadata objects form an inheritance tree where each node in the tree inherits or overrides the property values set by its parent.

GenericMetadata objects of a given type override all GenericMetadata objects of the same type previously defined by any parent object in the tree. GenericMetadata objects of a given type previously defined by a parent object in the tree are inherited when no object of the same type is defined by the child object. For example, if HostMetadata for the host "example.com" contains GenericMetadata objects of types LocationACL and TimeWindowACL (where "ACL" means "Access Control List") while a PathMetadata object that applies to "example.com/movies/*" defines an alternate GenericMetadata object of type TimeWindowACL, then:

o  The TimeWindowACL defined in the PathMetadata would override the TimeWindowACL defined in the HostMetadata for all User Agent requests for content under "example.com/movies/", and

o  The LocationACL defined in the HostMetadata would be inherited for all User Agent requests for content under "example.com/movies/".

A single HostMetadata or PathMetadata object MUST NOT contain multiple GenericMetadata objects of the same type. If an array of GenericMetadata contains objects of duplicate types, the receiver MUST ignore all but the first object of each type.
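
The inheritance and override rule above, combined with the dCDN serve decision of Table 3, as an added example that is not code from the RFC. The JSON keys follow the object definitions in Section 4.1. The metadata values are constructed stand-ins, the "X.Example.*" types are hypothetical, and path matching is simplified to a "*" wildcard over the whole path with the first matching PathMatch used.

```python
import re


def gm(gm_type, label, mte=True):
    # Builds one GenericMetadata object with a stand-in value.
    return {"generic-metadata-type": gm_type,
            "generic-metadata-value": {"label": label},
            "mandatory-to-enforce": mte}


# Constructed HostMetadata for "example.com". The duplicate TimeWindowACL is
# deliberately malformed input, to exercise the "first of each type" rule.
HOST_METADATA = {
    "metadata": [gm("MI.LocationACL", "host-geo"),
                 gm("MI.TimeWindowACL", "host-window"),
                 gm("MI.TimeWindowACL", "duplicate-ignored")],
    "paths": [
        {"path-pattern": {"pattern": "/movies/*"},
         "path-metadata": {
             "metadata": [gm("MI.TimeWindowACL", "movies-window")],
             "paths": [{"path-pattern": {"pattern": "/movies/hd/*"},
                        "path-metadata": {"metadata": [
                            gm("X.Example.Watermark", "hd-mark")]}}]}},
        {"path-pattern": {"pattern": "/music/*"},
         "path-metadata": {"metadata": [
             gm("X.Example.Analytics", "music-stats", mte=False)]}},
    ],
}
SUPPORTED = {"MI.LocationACL", "MI.TimeWindowACL"}  # types this dCDN implements


def pattern_matches(pattern, path):
    # Simplified PatternMatch: "*" is the only wildcard, whole path must match.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def by_type(generic_list):
    # Receiver rule from Section 3.3: keep only the first object of each type.
    first = {}
    for obj in generic_list:
        first.setdefault(obj["generic-metadata-type"], obj)
    return first


def effective_metadata(host_metadata, path):
    """Resolve the GenericMetadata in force for path, one object per type."""
    node, effective = host_metadata, {}
    while node is not None:
        effective.update(by_type(node.get("metadata", [])))  # child overrides
        match = next((pm for pm in node.get("paths", [])
                      if pattern_matches(pm["path-pattern"]["pattern"], path)),
                     None)
        node = match["path-metadata"] if match else None
    return effective


def dcdn_decision(effective, supported):
    """Table 3: return (can_serve, {type: value} the dCDN may apply)."""
    usable = {}
    for gm_type, obj in effective.items():
        mte = obj.get("mandatory-to-enforce", True)
        incomp = obj.get("incomprehensible", False)
        understood = gm_type in supported
        if mte and (incomp or not understood):
            return False, {}            # MUST NOT serve
        if understood and not incomp:
            usable[gm_type] = obj["generic-metadata-value"]
    return True, usable


if __name__ == "__main__":
    for path in ("/index.html", "/movies/a.mp4", "/movies/hd/a.mp4",
                 "/music/a.mp3"):
        print(path, dcdn_decision(effective_metadata(HOST_METADATA, path),
                                  SUPPORTED))
```
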