Internet Engineering Task Force | C.M. Martinez, Ed. |
Internet-Draft | A. Servin, Ed. |
Intended status: Informational | L. Zhou, Ed. |
CNNIC | |
D. Gomez | |
LACNIC | |
G. Rada | |
LACNIC | |
Feb 2013 |
Redirection Service for Registration Data Access Protocol
draft-ietf-weirds-redirects-01
The traditional WHOIS protocol has several important shortcomings, and over the past few years several approaches to a better Registration Data Access Protocol (RDAP) have been discussed and proposed.
Among these shortcomings, different registries operate different WHOIS services. For users this implies that several WHOIS queries to different registries may be necessary in order to obtain data for a given resource.
This document describes a redirection service for RESTful WHOIS queries. This service allows users to query a single WHOIS service and be redirected to the authoritative registry.
The solution implemented proposed here applies to Regional Internet Registries(RIRs) and Domain Name Registries(DNRs).
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
A user interested in obtaining registration information for a given number or domain resource normally uses the WHOIS service provided by the RIRs and DNRs.
In order to avoid having to query several databases until obtaining an answer, some approaches have been discussed and implemented in the past, most notably the Joint WHOIS [lacnic-joint-whois] initiative. However, among other shortcomings, Joint WHOIS is implemented using proxies and server-side referrals.
The RESTful approach to WHOIS services (draft-ietf-weirds-using-http [I-D.ietf-weirds-using-http]) makes it comparatively easy to implement client-side redirects based on normal HTTP 1.1 semantics and behavior.
The goal of this I-D is to describe a RESTful WHOIS redirection service and to encourage discussion on the topic of redirects in this problem domain.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
While a full introduction to REST and RESTful http://www.rest.org interfaces is out of the scope of this document it is important to note that these interfaces employ the verbs defined in HTTP (GET, POST, HEAD, DELETE) and HTTP response codes to signal the semantics and outcomes of an operation.
As WHOIS is a read-only service only the GET verb is implemented.
HTTP status codes provide signaling for errors and other conditions, including the concept of "client-side redirection" as outlined below.
Each RESTful WHOIS server should answer directly only those queries for which it is authoritative. In this case, being authoritative equals "having direct access to a given registry database".
For all other queries, a RESTful WHOIS server could provide a 301 MOVED PERMANENTLY redirect answer pointing to an URL hosted on a different RESTful WHOIS server.
As all requests are to be performed employing HTTP GETs, a user agent can transparently follow the HTTP 30x redirection hints ([RFC2616]) until obtaining a non-error answer (HTTP 20x) or an unrecoverable error condition (HTTP 40x or 50x).
When a registry does not have the authoritative answers to the user agent's query, user agent's query will be redirected to a redirection-only RESTful WHOIS server which could provide the authoritative WHOIS server address.
The redirect server is responsible for tracking and returning the authoritative sources for IP, AS, domain name, name server or entity queries. All the query format are described in the draft-ietf-weirds-rdap-query [I-D.ietf-weirds-rdap-query] Until now, there are some alternative solutions for the bootstrapping problem of redirect server, such as using DNS SRV or NAPTR records. But this problem is out of scope of this document and will be discussed further in the following drafts in WEIRDS working group.
Figure 1 shows the general scheme of a single RESTWhois Redirection Service serving three different RIRs standalone RESTWhois while providing a seamless query interface to clients.
...................... | | | WHOIS REDIRECTOR | | | `....................' _, | ._ ,,' | `. ,-' | `-. ,-' | `._ _,-' | `. .' | `-. +-----------Y +-------------. ,------------b | LACNIC | | RIPE-NCC | | ARIN | | | | | | | '`''''''''''' '`'''''''''''' '`''''''''''''
RESTful Joint WHOIS Tree.
Figure 1
Figure 2 shows how HTTP 301 redirection hints guide a client looking for registration data for the IPv4 address 23.1.1.1 (administered by ARIN) from LACNIC's WHOIS, the redirector and finally ARIN's WHOIS.
LACNIC REDIRECTOR ARIN WHOIS WHOIS WHOIS . . . Q: 23.1.1.1? ----> | | | | | | <-- HTTP 301 --- | | | ('Try Redirector') | | | | | | | | | Q: 23.1.1.1? -----------------> | | | | <---------- HTTP 301 --------| | ('Try ARIN WHOIS') | | | | | Q: 23.1.1.1? -------------------------------> | | <---------- HTTP 200 --------------------- | (WHOIS response is returned) | | | .
Querying WHOIS data for 23.1.1.1
Figure 2
When redirection is used there is always the risk that bogus user- agents and applications or malicious user can create loops that in turn may become Denial of Service attacks.
To minimize the risk of loops created by bogus applications and user- agents operators MAY use the mechanism shown in Section 3.1. However, this mechanism could be forged and bypassed by malicious users possibly creating a Denial of Service attack against the operator. To avoid completely the risk of DoS operators should use other methods such as rate-limit and authentication that are outside the scope of this document.
One of the challenges by using redirection is loop avoidance. Even though recommendation from REFERENCE** indicates that user-agents should have a mechanism to break loops, due to sometimes not carefully coded user-agents and other applications or due to malicious users' activities loops that could end up in a Denial of Service for the RESTful WHOIS operator.
A simple scenario that creates a loop is shown in Figure 3. A user request (1) an object from Operator 1; Operator 1 do not have the object but it has a pointer that Operator 2 has it, so it redirects (2) the user to Operator 2; user request Object X to Operator 2 (3); Operator 2 does not have the object either object but it has a pointer that Operator 1 has it, so it redirects (4) the user to Operator 1; it creates a loop (5).
+--------------+ +--------------+ | | | | | Operator A | | Operator B | | | | | +---^-----+----+ +----^----.----+ 1) | | 2) 3) | | 4) Redirect Request | | Redirect Request | | to Object X | | to Object X | | Operator A | | Operator B | | | |____________ _______________| | |_______________ | | _________________| | | | | +--------------+ | | 5) Loop | User | | | +--------------+
A simple loop
Figure 3
The loop described could be avoided by simple forbidding redirecting a response when the query has been originated by a redirect. However this solution only allows one redirection. A less restrictive approach forbidding redirection to only when the destination is the same than the originator for the redirection does not work either as shown in Figure 4.
+--------------+ +--------------+ | | | | | Operator A | | Operator B | | | | | +---^-----+----+ +----^----+----+ 1) | | 2) 3) | | 4)Redirect Request | | Redirect Request | | to Object X | | to Object X | | Operator C | | Operator B | | | |____________ _____________| | |_______________ | | _______________| | | | | +---\/------\/-+ 7) Loop | | | User | | | +---^-----+----+ 6) Redirect | | 5) to Operator A | | Request | | Object X +--------\/----+ | | | Operator C | | | +--------------+
A more complex loop.
Figure 4
In the scenario depicted in Figure 4 the user request object X from Operator A which redirects him/her to Operator B which in turn redirects the user to Operator C. Operator C then redirects the user back to Operator A again creating a loop.
To avoid loops created by not well-programmed user-agents or applications when redirecting operators MAY append or modify a special URI indicating that a redirection and how many times it has been done. The format of the URI is described as follows.
When a RESTful WHOIS operator redirects a user to retrieve an object from another operator, the operator making the redirection operator MAY append or modify a special URI.
When using an URI to indicate redirection, the URI MUST have the following structure:
/redirect/[step]
Where [step] is a consecutive counter that MUST be increased by every operator when the URI is encountered in a query object.
When an operator is redirecting a query for the first time it MAY append the redirection URI to the original URL. If the redirection URI is used, it MUST use the format previously described and it MUST set "step" equal to 1. For example, the URL "http://whois.lacnic.net/restfulwhois/ip/200.7.84.0/24" would be replaced by
"http://whois.example.com/restfulwhois/ip/200.7.84.0/24/redirect/1"
If an operator receives a request with the redirect URI it first SHOULD check if "step" is shorter that the defined threshold. If it does the operator SHOULD strip it and process the query. If the query requires further redirection the operator MAY use the redirection URI and it MUST increase "step" in one.
Operators that support the redirect URI MUST never create a new redirect that contain a step value greater that their locally set threshold. However if the operator has an authoritative response to the agent it MUST respond regardless to the threshold value.
TBD
Firstly, redirect server settings cannot be modified by someone other than the user validated by the redirection server.
Secondly, insure the redirection URL data must not be able to modify URL in data transmission process. Such as http://www.labs.lacnic.net/restwhois/rwhois_redir/ip/23.1.1.1 cannot be modified to http://www.labs.somenic.net/restwhois/rwhois_redir/ip/23.1.1.1.
While security practices are outside the scope of this document, the authors believe it is important to identify such problematic use cases to any DNR or RIR that may implement the redirection WHOIS service.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC2616] | Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. |
[I-D.ietf-weirds-using-http] | Newton, A., Ellacott, B. and N. Kong, "Using the Registration Data Access Protocol (RDAP) with HTTP", Internet-Draft draft-ietf-weirds-using-http-01, December 2012. |
[I-D.ietf-weirds-rdap-query] | Newton, A. and S. Hollenbeck, "Registration Data Access Protocol Query Format", Internet-Draft draft-ietf-weirds-rdap-query-02, December 2012. |
[lacnic-joint-whois] | LACNIC, "Joint WHOIS", 2005. |