RMT | V. Roca |
Internet-Draft | INRIA |
Intended status: Experimental | B. Adamson |
Expires: October 13, 2013 | Naval Research Laboratory |
April 11, 2013 |
FCAST: Object Delivery for the ALC and NORM Protocols
draft-ietf-rmt-fcast-08
This document introduces the FCAST reliable object (e.g., file) delivery application. It is designed to operate either on top of the underlying Asynchronous Layer Coding (ALC)/Layered Coding Transport (LCT) or the NACK-Oriented Reliable Multicast (NORM) reliable multicast transport protocols.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 13, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document introduces the FCAST reliable and scalable object (e.g., file) delivery application. Two variants of FCAST exist:
Hereafter, the term FCAST denotes either FCAST/ALC or FCAST/NORM. FCAST is not a new protocol specification per se. Instead it is a set of data format specifications and instructions on how to use ALC and NORM to implement a file-casting service.
FCAST is expected to work in many different environments and is designed to be flexible. The service provided by FCAST can differ according to the exact conditions FCAST is used. For instance the delivery service provided by FCAST might be fully reliable, or only partially reliable depending upon the exact way FCAST is used. Indeed, if FCAST/ALC is used for a finite duration over purely unidirectional networks (where no feedback is possible), a fully reliable service may not be possible in practice. This is different with NORM that can collect reception and loss feedbacks from receivers. This is discussed in Section 6.
The delivery service provided by FCAST might also differ in terms of scalability with respect to the number of receivers. The FCAST/ALC service is naturally massively scalable since neither FCAST nor ALC limit the number of receivers (there is no feedback message at all). On the opposite FCAST/NORM scalability is typically limited by NORM itself as NORM relies on feedback messages from the receivers. However NORM is designed in such a way to offer a reasonably scalable service (e.g. through the use of proactive Forward Erasure Corrections (FEC) codes), and so does the service provided by FCAST/NORM. This aspect is also discussed in Section 6.
A design goal behind FCAST is to define a streamlined solution, in order to enable lightweight implementations of the protocol stack, and limit the operational processing and storage requirements. A consequence of this choice is that FCAST cannot be considered as a versatile application, capable of addressing all the possible use-cases. On the contrary, FCAST has some intrinsic limitations. From this point of view it differs from FLUTE [RFC6726] which favors flexibility at the expense of some additional complexity.
A good example of the design choices meant to favor simplicity is the way FCAST manages the object meta-data: by default, the meta-data and the object content are sent together, in a compound object. This solution has many advantages in terms of simplicity as will be described later on. However this solution has an intrinsic limitation since it does not enable a receiver to decide in advance, before beginning the reception of the compound object, whether the object is of interest or not, based on the information that may be provided in the meta-data. Therefore this document discusses additional techniques that may be used to mitigate this limitation. When use-cases require that each receiver download the whole set of objects sent in the session (e.g., with mirroring tools), this limitation is not considered a problem.
Finally, Section 4 provides guidance for compliant implementation of the specification and identifies those features that are optional.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This document uses the following definitions:
This section details the various data formats used by FCAST.
In an FCAST session, Compound Objects are constructed by prepending the FCAST Header (which usually contains the meta-data of the object) to the Object Data (see Section 3.2). Figure 1 illustrates the associated format. All multi-byte fields MUST be in network (Big Endian) byte order.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ | Ver |Resvd|G|C| MDFmt | MDEnc | Checksum | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | FCAST Header Length | h +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| d | Object Meta-Data (variable length) | r | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Padding (optional) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v | | . Object Data (optional, variable length) . . . . .
Figure 1: Compound Object Format.
The FCAST Header fields are:
Field | Description |
---|---|
Version | 3-bit field that MUST be set to 0 in this specification and indicates the FCAST protocol version number. |
Reserved | 3-bit field that MUST be set to 0 in this specification and is reserved for future use. Receivers MUST ignore this field. |
G | 1-bit field that, when set to 1, indicates that the checksum encompasses the whole Compound Object (Global checksum). When set to 0, this field indicates that the checksum encompasses only the FCAST header. |
C | 1-bit field that, when set to 1, indicates the object is a Carousel Instance Descriptor (CID). When set to 0, this field indicates that the transported object is a standard object. |
Meta-Data Format (MDFmt) | 4-bit field that defines the format of the Object Meta-Data field (see Section 7). An HTTP/1.1 meta information format [RFC2616] MUST be supported and is associated to value 0. Other formats (e.g., XML) may be defined in the future. |
Meta-Data Encoding (MDEnc) | 4-bit field that defines the optional encoding of the Object Meta-Data field (see Section 7). Two values are currently defined. A value of 0 indicates that the field contains UTF-8 [RFC2279] encoded text. A value of 1 indicates that the field contains GZIP[RFC1952] compressed UTF-8 encoded text. |
Checksum | 16-bit field that contains the checksum computed over either the whole Compound Object (when G is set to 1), or over the FCAST Header (when G is set to 0), using the Internet checksum algorithm specified in [RFC1071]. More precisely, the checksum field is the 16-bit one's complement of the one's complement sum of all 16-bit words to be considered. If a segment contains an odd number of octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes (this pad is not transmitted). While computing the checksum, the checksum field itself MUST be set to zero. |
FCAST Header Length | 32-bit field indicating total length (in bytes) of all fields of the FCAST Header, except the optional padding. A header length field set to value 8 means that there is no meta-data included. When this size is not multiple to 32-bits words and when the FCAST Header is followed by a non null Object Data, padding MUST be added. It should be noted that the meta-data field maximum size is equal to (2^32 - 8) bytes. |
Object Meta-Data | Variable length field that contains the meta-data associated to the object. The format and encoding of this field are defined respectively by the MDFmt and MDEnc fields. With the default format and encoding, the Object Meta-Data field, if not empty, MUST contain a UTF-8 encoded text that follows the "TYPE" ":" "VALUE" "<CR-LF>" format used in HTTP/1.1 for meta information [RFC2616]. The various meta-data items can appear in any order. The receiver MUST NOT assume this string is NULL-terminated. When no meta-data is communicated, this field MUST be empty and the FCAST Header Length MUST be equal to 8. |
Padding | Optional, variable length field of zero-value bytes to align the start of the Object Data to a 32-bit boundary. Padding is only used when the FCAST Header Length value, in bytes, is not multiple of 4 and when the FCAST Header is followed by non null Object Data. |
The FCAST Header is then followed by the Object Data, i.e., either an original object (possibly encoded by FCAST) or a CID. Note that the length of the Object Data content is the ALC or NORM transported object length (e.g., as specified by the FEC OTI) minus the FCAST Header Length and optional padding if any.
In an FCAST session, a Carousel Instance Descriptor (CID) MAY be sent in order to carry the list of Compound Objects that are part of a given Carousel Instance (see Section 3.5). The format of the CID, that is sent as a special Compound Object, is given in Figure 2. Being a special case of Compound Object, this format is in line with the format described in Section 2.1.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ | Ver |Resvd|G|C| MDFmt | MDEnc | Checksum | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | FCAST Header Length | h +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| d | Object Meta-Data (variable length) | r | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Padding (optional) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v . . ^ . Object List (variable length) . | . . o . +-+-+-+-+-+-+-+-+ b . | j +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v
Figure 2: Carousel Instance Descriptor Format.
Because the CID is transmitted as a special Compound Object, the following CID-specific meta-data entries are defined and MUST be supported:
The following standard meta-data entry types are also used (Section 3.3):
Content-Length: 0
An empty Object List is valid and indicates that the current carousel instance does not include any objects (Section 3.5). This can be specified by using the following meta-data entry:
The Object List, when non empty and with MDEnc=0, is a UTF-8 encoded text that is not necessarily NULL-terminated. It can contain two things:
A list of TOIs included in the current carousel instance is specified as an ASCII string containing comma-delimited individual TOI values and/or TOI intervals. Individual TOIs consist of a single integer value while TOI intervals are a hyphen-delimited pair of TOI values to indicate a inclusive range of TOI values (e.g., "1,2,4-6" would indicate the list of TOI values of 1,2,4,5, and 6). For a TOI Interval indicated by ""TOI_a-TOI_b", the 'TOI_a' value MUST be strictly inferior to the 'TOI_b' value. If a TOI wrapping to 0 occurs in an interval, then two TOI intervals MUST be specified, TOI_a-MAX_TOI and 0-TOI_b.
This string can also contain the TOI equivalences, if any. The format is a comma-separated list of equivalence TOI value pairs with a delimiting equals sign '=' to indicate the equivalence assignment (e.g., " newTOI "=" 1stTOI "/" 1stCIID "). Each equivalence indicates that the new TOI, for the current Carousel Instance, is equivalent to (i.e., refers to the same object as) the provided identifier, 1stTOI, for the Carousel Instance of ID 1stCIID. In the case of the NORM protocol where NormTransportId values need to monotonically increase for NACK-based protocol operation, this allows an object from a prior Carousel Instance to be relisted in a subsequent Carousel Instance with the receiver set informed of the equivalence so that unnecessary retransmission requests can be avoided.
The ABNF [RFC5234] specification is the following:
cid-list = *(list-elem *( "," list-elem)) list-elem = toi-elem / toieq-elem toi-elem = toi-value / toi-interval toi-value = 1*DIGIT toi-interval = toi-value "-" toi-value ; additionally, the first toi-value MUST be ; strictly inferior to the second toi-value toieq-elem = "(" toi-value "=" toi-value "/" ciid-value ")" ciid-value = 1*DIGIT DIGIT = %x30-39 ; a digit between 0 and 9, inclusive
For readability purposes and to simplify processing, the TOI values in the list MUST be given in increasing order handling wrap of the TOI space appropriately. TOI equivalence elements MUST be grouped together at the end of the list in increasing newTOI order. Specifying a TOI equivalence for a given newTOI relieves the sender from specifying newTOI explicitly in the TOI list. A receiver MUST be able to handle situations where the same TOI appears both in the TOI value and TOI equivalence lists. Finally, a given TOI value or TOI equivalence item MUST NOT be included multiple times in either list.
For instance, the following object list specifies that the current Carousel Instance is composed of 8 objects, and that TOIs 100 to 104 are equivalent to the TOIs 10 to 14 of Carousel Instance ID 2 and refer to the same objects:
97,98,99,(100=10/2),(101=11/2),(102=12/2),(103=13/2),(104=14/2)
or equivalently:
97-104,(100=10/2),(101=11/2),(102=12/2),(103=13/2),(104=14/2)
This section details the principles of FCAST.
The basic goal of FCAST is to transmit objects to a group of receivers in a reliable way, where the receiver set may be restricted to a single receiver or may include possibly a very large number of receivers. FCAST supports two forms of operation:
This specification is designed such that both forms of operation share as much commonality as possible. Section 6 discusses some operational aspects and the content delivery service that is provided by FCAST for a given use-case.
FCAST carries meta-data elements by prepending them to the object they refer to. As a result, a Compound Object is created that is composed of an FCAST Header followed by the Object Data (Figure 3). This header is itself composed of the object meta-data (if any) as well as several fields (e.g., to indicate format, encoding or boundaries Section 2.1).
<------------------------ Compound Object -----------------------> +-------------------------+--------------------------------------+ | FCAST Header | Object Data | | (can include meta-data) | (can be encoded by FCAST) | +-------------------------+--------------------------------------+
Figure 3: Compound Object composition.
Attaching the meta-data to the object is an efficient solution, since it guaranties that meta-data are received along with the associated object, and it allows the transport of the meta-data to benefit from any transport-layer erasure protection of the Compound Object (e.g., using FEC encoding and/or NACK-based repair). However a limit of this scheme is that a client does not know the meta-data of an object before beginning its reception, and in case of erasures affecting the meta-data, not until the object decoding is completed. The details of course depend upon the transport protocol and the FEC code used.
Appendix B describes extensions that provide additional means to carry meta-data, e.g., to communicate meta-data ahead of time.
Content-Encoding: gzip
The following meta-data types are defined in [RFC2616]:
The following additional meta-data type is defined to check object integrity:
The following additional meta-data types are used for dealing with very large objects (e.g., that largely exceed the working memory of a receiver). When this happens, the meta-data associated to each sub-object MUST include the following entries:
Future standards actions can extend the set of meta-data types supported by FCAST.
A set of FCAST Compound Objects scheduled for transmission are considered a logical "Carousel". A given "Carousel Instance" is comprised of a fixed set of Compound Objects. Whenever the FCAST application needs to add new Compound Objects to or remove old Compound Objects from the transmission set, a new Carousel Instance is defined since the set of Compound Objects changes. Because of the native object multiplexing capability of both ALC and NORM, sender and receiver(s) are both capable to multiplex and demultiplex FCAST Compound Objects.
For a given Carousel Instance, one or more transmission cycles are possible. During each cycle, all of the Compound Objects comprising the Carousel are sent. By default, each object is transmitted once per cycle. However, in order to allow different levels of priority, some objects MAY be transmitted more often that others during a cycle, and/or benefit from higher FEC protection than others. For example, this can be the case for the CID objects (Section 3.5) where extra protection can benefit overall carousel integrity. For some FCAST usage (e.g., a unidirectional "push" mode), a Carousel Instance may be sent in a single transmission cycle. In other cases it may be conveyed in a large number of transmission cycles (e.g., in "on-demand" mode, where objects are made available for download during a long period of time).
The FCAST sender can transmit an OPTIONAL Carousel Instance Descriptor (CID). The CID carries the list of the Compound Objects that are part of a given Carousel Instance, by specifying their respective Transmission Object Identifiers (TOI). However the CID does not describe the objects themselves (i.e., there is no meta-data). Additionally, the CID MAY include an "Fcast-CID-Complete: 1" meta-data entry to indicate that no further modification to the enclosed list will be done in the future. Finally, the CID MAY include a Carousel Instance ID (CIID) that identifies the Carousel Instance it pertains to. These aspects are discussed in Section 2.2.
There is no reserved TOI value for the CID Compound Object itself, since this special object is regarded by ALC/LCT or NORM as a standard object. On the contrary, the nature of this object (CID) is indicated by means of a specific FCAST Header field (the "C" flag from Figure 1) so that it can be recognized and processed by the FCAST application as needed. A direct consequence is the following: since a receiver does not know in advance which TOI will be used for the following CID (in case of a dynamic session), it MUST NOT filter out packets that are not in the current CID's TOI list. Said differently, the goal of CID is not to setup ALC or NORM packet filters (this mechanism would not be secure in any case).
The use of a CID remains OPTIONAL. If it is not used, then the clients progressively learn what files are part of the carousel instance by receiving ALC or NORM packets with new TOIs. However using a CID has several benefits:
During idle periods, when the carousel instance does not contain any object, a CID with an empty TOI list MAY be transmitted. In that case, a new carousel instance ID MUST be used to differentiate this (empty) carousel instance from the other ones. This mechanism can be useful to inform the receivers that:
The FCAST Compound Objects are directly associated with the object-based transport service that the ALC and NORM protocols provide. In each protocol, the packets containing transport object content are labeled with a numeric transport object identifier: the TOI with ALC, and the NormTransportId with NORM. For the purposes of this document, this identifier in either case (ALC or NORM) is referred to as the TOI.
There are several differences between ALC and NORM:
In both NORM and ALC, it is possible that the transport identification space eventually wraps for long-lived sessions (especially with NORM where this phenomenon is expected to happen more frequently). This can possibly introduce some ambiguity in FCAST object identification if a sender retains some older objects in newer Carousel Instances with updated object sets. To avoid ambiguity the active TOIs (i.e., the TOIs corresponding to objects being transmitted) can only occupy half of the TOI sequence space. If an old object, whose TOI has fallen outside the current window, needs to be transmitted again, a new TOI must be used for it. In case of NORM, this constraint limits to 32768 the maximum number of objects that can be part of any carousel instance.
In order to allow receivers to properly combine the transport packets with a newly-assigned TOI to those associated to the previously-assigned TOI, a mechanism is required to equate the objects with the new and the old TOIs. This mechanism consists in signaling, within the CID, that the newly assigned TOI, for the current Carousel Instance, is equivalent to the TOI used within a previous Carousel Instance. By convention, the reference tuple for any object is the {TOI; CIID} tuple used for its first transmission within a Carousel Instance. This tuple MUST be used whenever a TOI equivalence is provided. Section 2.2 details how to describe these TOI equivalences.
This section provides an informative description of expected FCAST sender behavior. The following operations can take place at a sender:
This section provides an informative description of expected FCAST receiver behavior. The following operations can take place at a receiver:
This section lists the features that any compliant FCAST/ALC or FCAST/NORM implementation MUST support, and those that remain OPTIONAL, e.g., in order to enable some optimizations for a given use-case, at a receiver.
Meta-data transmission mechanisms:
Feature | Status |
---|---|
meta-data transmission using FCAST's in-band mechanism | An FCAST sender MUST send meta-data with the in-band mechanism provided by FCAST, i.e., within the FCAST Header. All the FCAST receivers MUST be able to process meta-data sent with this FCAST in-band mechanism. |
meta-data transmission using other mechanisms | In addition to the FCAST in-band transmission of meta-data, an FCAST sender MAY send a subset or all of the meta-data using another mechanism. Supporting this mechanism in a compliant FCAST receiver is OPTIONAL, and its use is OPTIONAL too. An FCAST receiver MAY support this mechanism and take advantage of the meta-data sent in this way. If it is not the case, the FCAST receiver will anyway receive and process meta-data sent in-band. See Appendix B. |
Meta-data format and encoding:
Feature | Status |
---|---|
Meta-Data Format (MDFmt field) | All FCAST implementations MUST support an HTTP/1.1 meta information format [RFC2616]. |
Meta-Data Encoding (MDEnc field) | All FCAST implementations MUST support both UTF-8 encoded text and a GZIP compressed [RFC1952] of UTF-8 encoded text, for the Object Meta-Data field. |
Meta-data items (Section 3.3):
Feature | Status |
---|---|
Content-Location | MUST be supported |
Content-Type | MUST be supported |
Content-Length | MUST be supported |
Content-Encoding | MUST be supported. All FCAST implementations MUST support GZIP encoding [RFC1952] |
Fcast-Obj-Digest-SHA1 | MUST be supported |
Fcast-Obj-Digest-SHA256 | MUST be supported |
Fcast-Obj-Slice-Nb | MUST be supported |
Fcast-Obj-Slice-Idx | MUST be supported |
Fcast-Obj-Slice-Offset | MUST be supported |
Any compliant FCAST implementation MUST support the CID mechanism, in order to list the Compound Objects that are part of a given Carousel Instance. However its use is OPTIONAL.
CID-specific Meta-data items (Section 2.2):
Feature | Status |
---|---|
Fcast-CID-Complete | MUST be supported |
Fcast-CID-ID | MUST be supported |
A content delivery system may be subject to attacks that target:
These attacks can be launched against all or any subset of the following:
More details on these possible attacks are provided in the following sections along with possible counter-measures. Recommendations are made in Section 5.5.
The following types of attacks exist against the data flow:
Modern cryptographic mechanisms can provide access control to transmitted objects. One way to do this is by encrypting the entire object prior to transmission, knowing that authenticated receivers have the cryptographic mechanisms to decrypt the content. Another way is to encrypt individual packets using IPsec/ESP [RFC4303] (Section 5.5). These two techniques can also provide confidentiality to the objects being transferred.
If access control and/or confidentiality services are desired, one of these mechanisms is RECOMMENDED and SHOULD be deployed.
Protection against attacks on the data integrity of the object may be achieved by a mechanism agreed upon between the sender and receiver, that features sender authentication and a method to verify that the object integrity has remained intact during transmission. This service can be provided at the object level, but in that case a receiver has no way to identify what symbols are corrupted if the object is detected as corrupted. This service can also be provided at the packet level. In some cases, after removing all corrupted packets, the object may be recovered. Several techniques can provide the data integrity and sender authentication services:
Techniques relying on public key cryptography (digital signatures and TESLA during the bootstrap process, when used) require that public keys be securely associated to the entities. This can be achieved by a Public Key Infrastructure (PKI), or by a PGP Web of Trust, or by securely preplacing the public keys of each group member.
Techniques relying on symmetric key cryptography (Group MAC) require that a secret key be shared by all group members. This can be achieved by means of a group key management protocol, or simply by securely preplacing the secret key (but this manual solution has many limitations).
It is up to the developer and deployer, who know the security requirements and features of the target application area, to define which solution is the most appropriate. In any case, whenever there is a threat of object corruption, it is RECOMMENDED that at least one of these techniques be used. Section 5.5 defines minimum security recommendations that can be used to provide such services.
Let us now consider attacks against the session control parameters and the associated building blocks. The attacker has at least the following opportunities to launch an attack:
The consequences of these attacks are potentially serious, since they can compromise the behavior of the content delivery system or even compromise the network itself.
An FCAST receiver may potentially obtain an incorrect Session Description for the session. The consequence of this is that legitimate receivers with the wrong Session Description will be unable to correctly receive the session content, or that receivers will inadvertently try to receive at a much higher rate than they are capable of, thereby possibly disrupting other traffic in the network.
To avoid these problems, it is RECOMMENDED that measures be taken to prevent receivers from accepting incorrect Session Descriptions. One such measure is sender authentication to ensure that receivers only accept legitimate Session Descriptions from authorized senders. How these measures are achieved is outside the scope of this document since this session description is usually carried out-of-band.
Corrupting the FCAST CID is one way to create a Denial of Service attack. For example, the attacker can insert an "Fcast-CID-Complete: 1" meta-data entry to make the receivers believe that no further modification will be done.
It is therefore RECOMMENDED that measures be taken to guarantee the integrity and to check the sender's identity of the CID. To that purpose, one of the counter-measures mentioned above (Section 5.2.2) SHOULD be used. These measures will either be applied on a packet level, or globally over the whole CID object. When there is no packet level integrity verification scheme, it is RECOMMENDED to digitally sign the CID.
Modifying the object meta-data is another way to launch an attack. For example, the attacker may change the message digest associated to an object, leading a receiver to reject an object, even if it has been correctly received. More generally, a receiver SHOULD be very careful during meta-data processing. For instance a receiver SHOULD NOT try to follow links (e.g., the URI contained in th Content-Location meta-data). As another example, malformed HTTP contents can be used as an attack vector and a receiver should take great care.
It is therefore RECOMMENDED that measures be taken to guarantee the integrity and to check the sender's identity of the Compound Object. To that purpose, one of the counter-measures mentioned above (Section 5.2.2) SHOULD be used. These measures will either be applied on a packet level, or globally over the whole Compound Object. When there is no packet level integrity verification scheme, it is RECOMMENDED to digitally sign the Compound Object.
By corrupting the ALC/LCT header (or header extensions) one can execute attacks on the underlying ALC/LCT implementation. For example, sending forged ALC packets with the Close Session flag (A) set to one can lead the receiver to prematurely close the session. Similarly, sending forged ALC packets with the Close Object flag (B) set to one can lead the receiver to prematurely give up the reception of an object. The same comments can be made for NORM.
It is therefore RECOMMENDED that measures be taken to guarantee the integrity and to check the sender's identity of each ALC or NORM packet received. To that purpose, one of the counter-measures mentioned above (Section 5.2.2) SHOULD be used.
Let us first focus on the congestion control building block that may be used in an ALC or NORM session. A receiver with an incorrect or corrupted implementation of the multiple rate congestion control building block may affect the health of the network in the path between the sender and the receiver. That may also affect the reception rates of other receivers who joined the session.
When congestion control is applied with FCAST, it is therefore RECOMMENDED that receivers be authenticated as legitimate receivers before they can join the session. If authenticating a receiver does not prevent this latter to launch an attack, it will enable the network operator to easily identify him and to take counter-measures. The details of how this is done are outside the scope of this document.
When congestion control is applied with FCAST, it is also RECOMMENDED that a packet level authentication scheme be used, as explained in Section 5.2.2. Some of them, like TESLA, only provide a delayed authentication service, whereas congestion control requires a rapid reaction. It is therefore RECOMMENDED [RFC5775] that a receiver using TESLA quickly reduces its subscription level when the receiver believes that a congestion did occur, even if the packet has not yet been authenticated. Therefore TESLA will not prevent DoS attacks where an attacker makes the receiver believe that a congestion occurred. This is an issue for the receiver, but this will not compromise the network. Other authentication methods that do not feature this delayed authentication could be preferred, or a group MAC scheme could be used in parallel to TESLA to prevent attacks launched from outside of the group.
Lastly, we note that the security considerations that apply to, and are described in, ALC [RFC5775], LCT [RFC5651], NORM [RFC5740] and FEC [RFC5052] also apply to FCAST as FCAST builds on those specifications. In addition, any security considerations that apply to any congestion control building block used in conjunction with FCAST also applies to FCAST. Finally, the security discussion of [I-D.ietf-rmt-sec-discussion] also applies here.
We now introduce a mandatory to implement but not necessarily to use security configuration, in the sense of [RFC3365]. Since FCAST/ALC relies on ALC/LCT, it inherits the "baseline secure ALC operation" of [RFC5775]. Similarly, since FCAST/NORM relies on NORM, it inherits the "baseline secure NORM operation" of [RFC5740]. Therefore, IPsec/ESP in transport mode MUST be implemented, but not necessarily used, in accordance to [RFC5775] and [RFC5740]. [RFC4303] explains that ESP can be used to potentially provide confidentiality, data origin authentication, content integrity, anti-replay and (limited) traffic flow confidentiality. [RFC5775] specifies that the data origin authentication, content integrity and anti-replay services SHALL be used, and that the confidentiality service is RECOMMENDED. If a short lived session MAY rely on manual keying, it is also RECOMMENDED that an automated key management scheme be used, especially in case of long lived sessions.
Therefore, the RECOMMENDED solution for FCAST provides per-packet security, with data origin authentication, integrity verification and anti-replay. This is sufficient to prevent most of the in-band attacks listed above. If confidentiality is required, a per-packet encryption SHOULD also be used.
FCAST is compatible with any congestion control protocol designed for ALC/LCT or NORM. However, depending on the use-case, the data flow generated by the FCAST application might not be constant, but instead be bursty in nature. Similarly, depending on the use-case, an FCAST session might be very short. Whether and how this will impact the congestion control protocol is out of the scope of the present document.
FCAST is compatible with any security mechanism designed for ALC/LCT or NORM. The use of a security scheme is strongly RECOMMENDED (see Section 5).
FCAST is compatible with any FEC scheme designed for ALC/LCT or NORM. Whether FEC is used or not, and the kind of FEC scheme used, is to some extent transparent to FCAST.
FCAST is compatible with both IPv4 and IPv6. Nothing in the FCAST specification has any implication on the source or destination IP address type.
The delivery service provided by FCAST might be fully reliable, or only partially reliable depending upon:
The receiver set can be restricted to a single receiver or possibly a very large number of receivers. While the choice of the underlying transport protocol (i.e., ALC or NORM) and its parameters may limit the practical receiver group size, nothing in FCAST itself limits it. For instance, if FCAST/ALC is used on top of purely unidirectional transport channels, with no feedback information at all, which is the default mode of operation, then the scalability is maximum since neither FCAST, nor ALC, UDP or IP generates any feedback message. On the contrary, the FCAST/NORM scalability is typically limited by NORM scalability itself. For example, NORM can be configured to operate using proactive FEC without feedback similar to ALC, with receivers configured to provide NACK and optionally ACK feedback, or a hybrid combination of these. Similarly, if FCAST is used along with a session control application that collects reception information from the receivers, then this session control application may limit the scalability of the global object delivery system. This situation can of course be mitigated by using a hierarchy of servers or feedback message aggregation. The details of this are out of the scope of the present document.
The content of a carousel instance MAY be described by means of an OPTIONAL Carousel Instance Descriptor (CID) (Section 3.5). The decisions of whether a CID should be used or not, how often and when a CID should be sent, are left to the sender and depend on many parameters, including the target use case and the session dynamics. For instance it may be appropriate to send a CID at the beginning of each new carousel instance, and then periodically. These operational aspects are out of the scope of the present document.
This specification requires IANA to create three new registries.
This document requires IANA to create a new registry, "FCAST Object Meta-Data Format" (MDFmt), with a reference to this document. The registry entries consist of a numeric value from 0 to 15, inclusive (i.e., they are 4-bit positive integers) that define the format of the object meta-data (see Section 2.1).
The initial value for this registry is defined below. Future assignments are to be made through Expert Review with Specification Required [RFC5226].
Value | Format Name | Format Reference | Reference |
---|---|---|---|
0 (default) | HTTP/1.1 meta information format | [RFC2616], Section 7.1 | This specification |
This document requires IANA to create a new registry, "FCAST Object Meta-Data Encoding" (MDEnc), with a reference to this document. The registry entries consist of a numeric value from 0 to 15, inclusive (i.e., they are 4-bit positive integers) that defines the encoding of the Object Meta-Data field (see Section 2.1).
The initial values for this registry are defined below. Future assignments are to be made through Expert Review [RFC5226].
Value | Encoding Name | Encoding Reference | Reference |
---|---|---|---|
0 | UTF-8 encoded text | [RFC2279] | This specification |
1 | GZIP'ed UTF-8 encoded text | [RFC1952] [RFC2279] | This specification |
This document requires IANA to create a new registry, "FCAST Object Meta-Data Types" (MDType), with a reference to this document. The registry entries consist of additional text meta-data type identifiers and descriptions for meta-data item types that are specific to FCAST operation and not previously defined in [RFC1952]. The initial values are those described in Section 3.3 of this specification. This table summarizes those initial registry entries. Future assignments are to be made through Expert Review [RFC5226].
Meta-Data Type | Description | Reference |
---|---|---|
Fcast-Obj-Digest-SHA1 | a string that contains the "base64" encoding of the SHA-1 message digest of the object before any content encoding is applied (if any) and without considering the FCAST Header | This specification |
Fcast-Obj-Digest-SHA256 | a string that contains the "base64" encoding of the SHA-256 message digest of the object before any content encoding is applied (if any) and without considering the FCAST Header | This specification |
Fcast-Obj-Slice-Nb | Unsigned 32-bit integer that contains the total number of slices. A value greater than 1 indicates that this object is the result of a split of the original object | This specification |
Fcast-Obj-Slice-Idx | Unsigned 32-bit integer that contains the slice index (in the {0 .. SliceNb - 1} interval) | This specification |
Fcast-Obj-Slice-Offset | Unsigned 64-bit integer that contains the byte offset at which this slice starts within the original object | This specification |
The authors are grateful to the authors of [ALC-00] for specifying the first version of FCAST/ALC. The authors are also grateful to David Harrington, Gorry Fairhurst and Lorenzo Vicisano for their valuable comments. The authors are also grateful to Jari Arkko, Ralph Droms, Wesley Eddy, Roni Even, Stephen Farrell, Russ Housley, Chris Lonvick, Pete Resnick, Joseph Yee, and Martin Stiemerling.
This appendix provides informative examples of FCAST Compound Objects and Carousel Instance Descriptor formats.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver=0| 0 |1|0|MDFmt=0|MDEnc=0| Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Header Length=41 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| . . . "Content-Location: example_1.txt<CR-LF>" meta-data (33 bytes) . . . + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . . . Object data . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Simple Compound Object Example.
Figure 4 shows a simple Compound Object where the meta-data string, in HTTP/1.1 meta-information format (MDFmt=0) contains:
Content-Location: example_1.txt<CR-LF>
This UTF-8 encoded text (since MDEnc=0) is 33 bytes long (there is no final '\0' character). Therefore 3 padding bytes are added. There is no Content-Length meta-data entry for the object transported (without FCAST additional encoding) in the Object Data field, since this length can easily be calculated by the receiver as the FEC OTI transfer length minus the header length. Finally, the checksum encompasses the whole Compound Object (G=1).
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver=0| 0 |1|1|MDFmt=0|MDEnc=0| Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Header Length=31 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| . . . "Fcast-CID-Complete: 1<CR-LF>" meta-data string (23 bytes) . . . + +-+-+-+-+-+-+-+-+ | | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| . . . Object List string . . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | +-+-+-+-+-+-+-+-+
Figure 5: Example of CID, in case of a static session.
Figure 5 shows an example CID object, in the case of a static FCAST session, i.e., a session where the set of objects is set once and for all. The meta-data UTF-8 encoded text only contains the following entry since Fcast-CID-ID is implicit:
Fcast-CID-Complete: 1<CR-LF>
This UTF-8 encoded text (since MDEnc=0) is 23 bytes long (there no final '\0' character). Therefore 1 padding byte is added.
The object list contains the following 25 byte long string, (there is no final '\0' character):
1,2,3,100-104,200-203,299
There are therefore a total of 3+5+4+1 = 13 objects in the carousel instance, and therefore in the FCAST session. There is no meta-data associated to this CID. The session being static and composed of a single Carousel Instance, the sender did not feel the necessity to carry a Carousel Instance ID meta-data.
In certain use-cases, FCAST can take advantage of another in-band (e.g., via NORM_INFO messages Appendix B.2) or out-of-band signaling mechanism. This section provides an overview of how other signaling mechanism could be employed and a normative specification for how FCAST information is embedded when NORM_INFO messages are used for carrying FCAST Headers. Such additional signaling schemes can be used to carry the whole meta-data, or a subset of it, ahead of time, before the associated compound object. Therefore a receiver could be able to decide in advance, before beginning the reception of the compound object, whether the object is of interest or not, based on the information retrieved by this way, which mitigates FCAST limitations. While out-of-band techniques are out of the scope of this document, we explain below how this can be achieved in case of FCAST/NORM.
Supporting additional mechanisms is OPTIONAL in FCAST implementations. In any case, an FCAST sender MUST continue to send all the required meta-data in the compound object, even if the whole meta-data, or a subset of it, is sent by another mechanism (Section 4). Additionally, when meta-data is sent several times, there MUST NOT be any contradiction in the information provided by the different mechanisms. In case a mismatch is detected, the meta-data contained in the Compound Object MUST be used as the definitive source.
When meta-data elements are communicated out-of-band, in advance of data transmission, the following piece of information can be useful:
The NORM_INFO message of NORM can convey "out-of-band" content with respect to a given transport object. With FCAST, this message MAY be used as an additional mechanism to transmit meta-data. In that case, the NORM_INFO message carries a new Compound Object that contains all the meta-data of the original object, or a subset of it. The NORM_INFO Compound Object MUST NOT contain any Object Data field (i.e., it is only composed of the header), it MUST feature a non global checksum, and it MUST NOT include any padding field. Finally, note that the availability of NORM_INFO for a given object is signaled through the use of a dedicated flag in the NORM_DATA message header. Along with NORM's NACK-based repair request signaling, it allows a receiver to quickly (and independently) request an object's NORM_INFO content. However, a limitation here is that the FCAST Header MUST fit within the byte size limit defined by the NORM sender's configured "segment size" (typically a little less than the network MTU);
In case of FCAST/NORM, the object meta-data (or a subset of it) can be carried as part of a NORM_INFO message, as a new Compound Object that does not contain any Object Data. In the following informative example we assume that the whole meta-data is carried in such a message. Figure 6 shows an example NORM_INFO message that contains the FCAST Header, including meta-data. In this example, the first 16 bytes are the NORM_INFO base header, the next 12 bytes are a NORM EXT_FTI header extension containing the FEC Object Transport Information for the associated object, and the remaining bytes are the FCAST Header, including meta-data. Note that "padding" MUST NOT be used and that the FCAST checksum only encompasses the Compound Object Header (G=0).
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- |version| type=1| hdr_len = 7 | sequence | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | source_id | n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o | instance_id | grtt |backoff| gsize | r +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ m | flags | fec_id = 5 | object_transport_id | v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- | HET = 64 | HEL = 3 | | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + f | Transfer Length = 41 | t +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ i | Encoding Symbol Length (E) | MaxBlkLen (B) | max_n | v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- | 0 | 0 |0|0| 0 | 0 | Checksum | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 41 | f +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| c . . a . meta-data UTF-8 encoded text (32 bytes) . s . . t + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | v +-+-+-+-+-+-+-+-+ --
Figure 6: NORM_INFO containing an EXT_FTI header extension and an FCAST Header
The NORM_INFO message shown in Figure 6 contains the EXT_FTI header extension to carry the FEC OTI. In this example, the FEC OTI format is that of the Reed-Solomon FEC coding scheme for fec_id = 5 as described in [RFC5510]. Other alternatives for providing the FEC OTI would have been to either include it directly in the meta-data of the FCAST Header, or to include an EXT_FTI header extension to all NORM_DATA packets (or a subset of them). Note that the NORM "Transfer_Length" is the total length of the associated Compound Object, i.e., 41 bytes.
The Compound Object in this example does contain the same meta-data and is formatted as in the example of Figure 4. With the combination of the FEC_OTI and the FCAST meta-data, the NORM protocol and FCAST application have all of the information needed to reliably receive and process the associated object. Indeed, the NORM protocol provides rapid (NORM_INFO has precedence over the associated object content), reliable delivery of the NORM_INFO message and its payload, the FCAST Compound Object.