One document matched: draft-ietf-cdni-metadata-08.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="4"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<rfc category="std" docName="draft-ietf-cdni-metadata-08" ipr="trust200902">
<front>
<title abbrev="CDN Interconnection Metadata">CDN Interconnection
Metadata</title>
<author fullname="Ben Niven-Jenkins" initials="B" surname="Niven-Jenkins">
<organization>Velocix (Alcatel-Lucent)</organization>
<address>
<postal>
<street>3 Ely Road</street>
<city>Milton</city>
<region>Cambridge</region>
<code>CB24 6AA</code>
<country>UK</country>
</postal>
<email>ben@velocix.com</email>
</address>
</author>
<author fullname="Rob Murray" initials="R" surname="Murray">
<organization>Velocix (Alcatel-Lucent)</organization>
<address>
<postal>
<street>3 Ely Road</street>
<city>Milton</city>
<region>Cambridge</region>
<code>CB24 6AA</code>
<country>UK</country>
</postal>
<email>rmurray@velocix.com</email>
</address>
</author>
<author fullname="Matt Caulfield" initials="M" surname="Caulfield">
<organization>Cisco Systems</organization>
<address>
<postal>
<street>1414 Massachusetts Avenue</street>
<city>Boxborough</city>
<region>MA</region>
<code>01719</code>
<country>USA</country>
</postal>
<phone>+1 978 936 9307</phone>
<email>mcaulfie@cisco.com</email>
</address>
</author>
<author fullname="Kevin J. Ma" initials="K.J." surname="Ma">
<organization>Ericsson</organization>
<address>
<postal>
<street>43 Nagog Park</street>
<city>Acton</city>
<region>MA</region>
<code>01720</code>
<country>USA</country>
</postal>
<phone>+1 978-844-5100</phone>
<email>kevin.j.ma@ericsson.com</email>
</address>
</author>
<date/>
<abstract>
<t>The CDNI Metadata interface enables interconnected CDNs to exchange
content distribution metadata in order to enable content acquisition and
delivery. The CDNI metadata associated with a piece of content provides
a downstream CDN with sufficient information for the downstream CDN to
service content requests on behalf of an upstream CDN. This document
describes both a base set of CDNI metadata and the protocol for
exchanging that metadata.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>Content Delivery Networks Interconnection (CDNI) (<xref
target="RFC6707"/>) enables a downstream CDN to service content requests
on behalf of an upstream CDN.</t>
<t>The CDNI Metadata interface is discussed in <xref
target="I-D.ietf-cdni-framework"/> along with four other interfaces that
may be used to compose a CDNI solution (CDNI Control interface, CDNI
Request Routing Redirection interface, CDNI Footprint & Capabilities
Advertisement interface and CDNI Logging interface). <xref
target="I-D.ietf-cdni-framework"/> describes each interface, and the
relationships between them. The requirements for the CDNI metadata
interface are specified in <xref
target="I-D.ietf-cdni-requirements"/>.</t>
<t>The CDNI metadata associated with a piece of content (or with a set
of content) provides a downstream CDN with sufficient information for
servicing content requests on behalf of an upstream CDN in accordance
with the policies defined by the upstream CDN.</t>
<t>This document focuses on the CDNI Metadata interface which enables a
downstream CDN to obtain CDNI Metadata from an upstream CDN so that the
downstream CDN can properly process and respond to:</t>
<t><list style="symbols">
<t>Redirection requests received over the CDNI Request Routing
Redirection interface.</t>
<t>Content requests received directly from User Agents.</t>
</list></t>
<t>Specifically, this document specifies:</t>
<t><list style="symbols">
<t>A data structure for mapping content requests and redirection
requests to CDNI Metadata objects (<xref target="data-model"/> and
<xref target="structural-objects"/>).</t>
<t>An initial set of CDNI Generic Metadata objects (<xref
target="property-objects"/>).</t>
<t>A RESTful web service for the transfer of CDNI Metadata (<xref
target="metadata-interface"/>).</t>
</list></t>
<section anchor="terminology" title="Terminology">
<t>This document reuses the terminology defined in <xref
target="RFC6707"/>.</t>
<t>Additionally, the following terms are used throughout this document
and are defined as follows:<list style="symbols">
<t>Object - a collection of properties</t>
<t>Property - a key and value pair where the key is a property
name and the value is the property value or an object.</t>
</list></t>
</section>
<section title="Supported Metadata Capabilities">
<t>Only the metadata for a small set of initial capabilities is
specified in this document. This set provides the minimum amount of
metadata for basic CDN interoperability while still meeting the
requirements set forth by <xref
target="I-D.ietf-cdni-requirements"/>.</t>
<t>The following high-level functionality is configured via the
metadata described in <xref
target="abstract-metadata-description"/>:</t>
<t><list style="symbols">
<t>Acquisition Source: Metadata for allowing a dCDN to fetch
content from a uCDN.</t>
<t>Delivery Access Control: Metadata for restricting (or
permitting) access to content based on any of the following
factors:<list style="symbols">
<t>Location</t>
<t>Time Window</t>
<t>Delivery Protocol</t>
</list></t>
</list><list style="symbols">
<t>Delivery Authorization: Metadata for authorizing dCDN user
agent requests.</t>
<t>Cache Control: Metadata for controlling cache behavior of the
dCDN.</t>
</list></t>
<t>The metadata encoding described by this document is extensible in
order to allow for future additions to this list.</t>
<t>This document supports HTTPv1.1 for delivery and both HTTPv1.1 and
HTTPv1.1. over TLS for acquisition. All metadata is described in a
protocol-agnostic manner.</t>
<t>Supporting unencrypted HTTPv2.0 for delivery (or unencrypted
HTTPv2.0 or HTTPv2.0 over TLS for acquisition) only requires the
registration of these protocol names in the CDNI Metadata Protocol
Sub-Registry.</t>
<t>Supporting HTTPv1.1 over TLS or HTTPv2.0 over TLS for delivery
requires specifying additional metadata objects to carry the
properties required to establish a TLS session, for example metadata
to describe the certificate to use as part of the TLS
handshake.</t>
</section>
</section>
<section title="Design Principles">
<t>The CDNI Metadata interface was designed to achieve the following
objectives:</t>
<t><list style="numbers">
<t>Cacheability of CDNI metadata objects.</t>
<t>Deterministic mapping from redirection requests and content
requests to CDNI metadata properties.</t>
<t>Support for DNS redirection as well as application-specific
redirection (for example HTTP redirection).</t>
<t>Minimal duplication of CDNI metadata.</t>
<t>Leveraging of existing protocols.</t>
</list></t>
<t>Cacheability improves the latency of acquiring metadata while
maintaining its freshness, and therefore improves the latency of serving
content requests and redirection requests, without sacrificing accuracy.
The CDNI Metadata interface uses HTTP and its existing caching
mechanisms to achieve CDNI metadata cacheability.</t>
<t>Deterministic mappings from content to metadata properties eliminates
ambiguity and ensures that policies are applied consistently by all
downstream CDNs.</t>
<t>Support for both HTTP and DNS redirection ensures that the CDNI
Metadata interface can be used for HTTP and DNS redirection and also
meets the same design principles for both HTTP and DNS based redirection
schemes.</t>
<t>Minimal duplication of CDNI metadata provides space efficiency on
storage in the CDNs, on caches in the network, and across the network
between CDNs.</t>
<t>Leveraging existing protocols avoids reinventing common mechanisms
such as data structure encoding (e.g., JSON) and data transport
(e.g., HTTP).</t>
</section>
<section anchor="data-model" title="CDNI Metadata Data Model">
<t>The CDNI Metadata Model describes a data structure for mapping
redirection requests and content requests to metadata properties.
Metadata properties describe how to acquire content from an upstream
CDN, authorize access to content, and deliver content from a downstream
CDN. The data model relies on the assumption that these metadata
properties may be aggregated based on the hostname of the content and
subsequently on the resource path of the content. The data model
associates a set of CDNI Metadata properties with a Hostname to form a
default set of metadata properties for content delivered on behalf of
that Hostname. That default set of metadata properties can be overridden
by properties that apply to specific paths within a URI.</t>
<t>Different Hostnames and URI paths will be associated with different
sets of CDNI Metadata properties in order to describe the required
behaviour when a dCDN surrogate is processing User Agent requests for
content at that Hostname or URI path. As a result of this structure,
significant commonality may exist between the CDNI Metadata properties
specified for different Hostnames, different URI paths within a Hostname
and different URI paths on different Hostnames. For example the
definition of which User Agent IP addresses should be treated as being
grouped together into a single network or geographic location is likely
to be common for a number of different Hostnames. Another example is
that although a uCDN is likely to have several different policies
configured to express geo-blocking rules, it is likely that a single
geo-blocking policy would be applied to multiple Hostnames delivered
through the CDN.</t>
<t>In order to enable the CDNI Metadata for a given Hostname or URI Path
to be decomposed into sets of CDNI Metadata properties that can be
reused by multiple Hostnames and URI Paths, the CDNI Metadata interface
specified in this document splits the CDNI Metadata into a number of
objects. Efficiency is improved by enabling a single CDNI Metadata
object (that is shared across Hostname and/or URI paths) to be retrieved
and stored by a dCDN once, even if it is referenced by the CDNI Metadata
of multiple Hostnames or of multiple URI paths.</t>
<t><xref target="hostindex-intro"/> introduces a high level description
of the HostIndex, HostMetadata and PathMetadata objects and describes
the relationships between those objects.</t>
<t><xref target="other-objects-intro"/> introduces a high level
description of the CDNI GenericMetadata object which represents the
level at which CDNI Metadata override occurs between HostMetadata and
PathMetadata objects.</t>
<t><xref target="abstract-metadata-description"/> describes in detail
the specific CDNI Metadata objects and properties which may be contained
within a CDNI GenericMetadata object.</t>
<section anchor="hostindex-intro"
title="HostIndex, HostMetadata and PathMetadata objects">
<t>A HostIndex object contains (or references) a list of Hostnames
(and/or IP addresses) for which content requests may be delegated to
the downstream CDN. The HostIndex is the starting point for accessing
the uCDN CDNI Metadata data store. It enables the dCDN to
deterministically discover, on receipt of a User Agent request for
content, which other CDNI Metadata objects it requires in order to
deliver the requested content.</t>
<t>The HostIndex links Hostnames (and/or IP addresses) to HostMetadata
objects via HostMatch objects. HostMetadata objects contain (or
reference) the default CDNI Metadata required to serve content for
that host. When looking up CDNI Metadata, the downstream CDN looks up
the requested Hostname (or IP address) against the HostMatch entries
in the HostIndex, from there it can find HostMetadata which describes
properties for a host and PathMetadata which may override those
properties for given URI paths within the host.</t>
<t>HostMetadata and PathMetadata objects may also contain PathMatch
objects which in turn contain PathMetadata objects. PathMetadata objects
override the CDNI Metadata in the HostMetadata object or one or more
preceding PathMetadata objects with more specific CDNI Metadata that
applies to content requests matching the pattern defined in that
PathMatch object.</t>
<t>For the purposes of retrieving CDNI Metadata, all other required
CDNI Metadata objects and their properties are discoverable from the
appropriate HostMetadata, PathMatch and PathMetadata objects for the
requested content.</t>
<t>The relationships between the HostIndex, HostMatch, HostMetadata,
PathMatch and PathMetadata objects are described in <xref
target="metadata-model-figure-top"/>.</t>
<t><figure anchor="metadata-model-figure-top"
title="Relationships between CDNI Metadata Objects (Diagram Representation)">
<artwork><![CDATA[
+---------+ +---------+ +------------+
|HostIndex+-(*)->|HostMatch+-(1)->|HostMetadata+-------(*)------+
+---------+ +---------+ +------+-----+ |
| |
(*) |
| V
--> Contains or References V ******************
(1) One and only one +---------+ *Generic Metadata*
(*) Zero or more +--->|PathMatch| * Objects *
| +----+---++ ******************
| | | ^
(*) (1) (1) +------------+ |
| | +->|PatternMatch| |
| V +------------+ |
| +------------+ |
+--+PathMetadata+-------(*)------+
+------------+
]]></artwork>
</figure></t>
<t>The relationships in <xref target="metadata-model-figure-top"/> are
also represented in tabular format in <xref
target="metadata-model-table"/> below.</t>
<texttable anchor="metadata-model-table"
title="Relationships between CDNI Metadata Objects (Table Representation)">
<ttcol>Data Object</ttcol>
<ttcol>Objects it contains or references</ttcol>
<c>HostIndex</c>
<c>0 or more HostMatch objects.</c>
<c>HostMatch</c>
<c>1 HostMetadata object.</c>
<c>HostMetadata</c>
<c>0 or more PathMatch objects. 0 or more GenericMetadata
objects.</c>
<c>PathMatch</c>
<c>1 PatternMatch object. 1 PathMetadata object.</c>
<c>PatternMatch</c>
<c>Does not contain or reference any other objects.</c>
<c>PathMetadata</c>
<c>0 or more PathMatch objects. 0 or more GenericMetadata
objects.</c>
</texttable>
<t>The table below describes the HostIndex, HostMetadata and
PathMetadata objects in more detail.</t>
<texttable anchor="hostindex-objects-table"
title="HostIndex, HostMetadata and PathMetadata CDNI Metadata Objects">
<ttcol>Data Object</ttcol>
<ttcol>Description</ttcol>
<c>HostIndex</c>
<c>A HostIndex object lists HostMatch objects</c>
<c>HostMatch</c>
<c>A HostMatch object defines a hostname (or IP address) to match
against a requested host, and contains (or references) a
HostMetadata object which contains (or references) CDNI Metadata
objects to be applied when a request matches against the hostname.
For example, if "example.com" is a content provider, a HostMatch
object may include an entry for "example.com" with the URI of the
associated HostMetadata object.</c>
<c>HostMetadata</c>
<c>A HostMetadata object contains (or references) the default CDNI
Metadata objects for content served from that host, i.e., the CDNI
Metadata objects for content requests that do not match any of the
PathMatch objects contained (or referenced) by that HostMetadata
object. For example, a HostMetadata object may describe the metadata
properties which apply to "example.com" and may contain PathMatches
for "example.com/movies/*" and "example.com/music/*" which reference
corresponding PathMetadata objects that contain the CDNI Metadata
objects for those more specific URI paths.</c>
<c>PathMatch</c>
<c>A PathMatch object defines a pattern (inside a PatternMatch
object which PathMatch object contains or references) to match
against the requested URI path, and contains (or references) a
PathMetadata object which contains (or references) the CDNI Metadata
objects to be applied when a content request matches against the
defined URI path pattern. For example, a PathMatch object may
include a PatternMatch object containing a pattern for the path
"/movies/*" and may reference a PathMetadata object which contains
(or references) the CDNI Metadata for content with that path.</c>
<c>PatternMatch</c>
<c>A PatternMatch object contains the pattern string and flags that
describe the URI path that a PathMatch applies to.</c>
<c>PathMetadata</c>
<c>A PathMetadata object contains (or references) the CDNI
GenericMetadata objects for content served with the associated URI
path (defined in a PathMatch object). A PathMetadata object may also
contain (or reference) PathMatch objects in order to recursively
define more specific URI paths that require different (e.g., more
specific) CDNI Metadata to this one. For example, the PathMetadata
object which applies to "example.com/movies/*" may describe CDNI
Metadata which apply to that resource path and may contain a
PathMatch object for "example.com/movies/hd/*" which would reference
the corresponding PathMetadata object for the
"example.com/movies/hd/" path prefix.</c>
<c>GenericMetadata</c>
<c>A GenericMetadata object contains (or references) individual CDNI
Metadata objects which define the specific policies and attributes
needed to properly deliver the associated content. For example, a
GenericMetadata object may describe the source from which a CDN may
acquire a piece of content. The GenericMetadata object is an atomic
unit that may be referenced by HostMetadata and/or PathMetadata
objects, but SHOULD NOT contain references to other CDNI Metadata
objects. The member objects of a specific CDNI Metadata object MAY
be referenced by the GenericMetadata object.</c>
</texttable>
<t/>
</section>
<section anchor="other-objects-intro"
title="Generic CDNI Metadata Object Properties">
<t>The HostMetadata and PathMetadata objects contain or can reference
other CDNI Metadata objects that contain properties which describe how
User Agent requests for content should be processed, for example where
to acquire the content, authorization rules that should be applied,
delivery location restrictions and so on. Each such CDNI Metadata
object is a specialization of a CDNI GenericMetadata object. The
GenericMetadata object abstracts the basic information required for
Metadata override and Metadata distribution, from the specifics of any
given property (e.g., property semantics, enforcement options,
etc.).</t>
<t>The GenericMetadata object defines the type of properties contained
within it as well as whether or not the properties are
"mandatory-to-enforce". If the dCDN does not understand or support the
property type and the property type is "mandatory-to-enforce", the
dCDN MUST NOT serve the content to the User Agent. If the dCDN does
not understand or support the property type and the property type is
not "mandatory-to-enforce", then that GenericMetadata object may be
safely ignored and the dCDN MUST process the content request in
accordance with the rest of the CDNI metadata.</t>
<t>Although a CDN MUST NOT serve content to a User Agent if a
"mandatory-to-enforce" property cannot be enforced, it may be
"safe-to-redistribute" that metadata to another CDN without
modification. For example, in the cascaded CDN case, a transit CDN may
pass through "mandatory-to-enforce" metadata to a downstream CDN. For
Metadata which does not require customization or translation (i.e.,
metadata that is "safe-to-redistribute"), the data representation
received off the wire MAY be stored and redistributed without being
natively understood or supported by the transit CDN. However, for
Metadata which requires translation, transparent redistribution of the
uCDN Metadata values may not be appropriate. Certain Metadata may be
safely, though possibly not optimally, redistributed unmodified. For
example, source acquisition address may not be optimal if
transparently redistributed, but may still work.</t>
<t>Redistribution safety MUST be specified for each GenericMetadata.
If a CDN does not understand or support a given GenericMetadata
property type and the property type is not "safe-to-redistribute",
before redistributing the metadata, the CDN MUST set the
"incomprehensible" flag for the GenericMetadata property that it did
not understand and was marked as not "safe-to-redistribute". The
"incomprehensible" flag signals to a dCDN that the metadata was not
properly transformed by the transit CDN. A CDN MUST NOT attempt to use
metadata that has been marked as "incomprehensible" by a uCDN.</t>
<t>Transit CDNs MUST NOT change the value of "mandatory-to-enforce" or
"safe-to-redistribute" when propagating metadata to a dCDN. Although a
transit CDN may set the value of "incomprehensible" to true, a transit
CDN MUST NOT change the value of "incomprehensible" from true to
false.</t>
<t>The following table describes the action to be taken by a transit
CDN (tCDN) for the different "mandatory-to-enforce" (MtE) and
"safe-to-redistribute" (StR) cases, when the tCDN either does or does
not understand the metadata in question:</t>
<texttable>
<ttcol>MtE</ttcol>
<ttcol>StR</ttcol>
<ttcol>Metadata Understood</ttcol>
<ttcol>Actions</ttcol>
<c>False</c>
<c>True</c>
<c>True</c>
<c>Can serve and redistribute.</c>
<c>False</c>
<c>True</c>
<c>False</c>
<c>Can serve and redistribute.</c>
<c>False</c>
<c>False</c>
<c>False</c>
<c>Can serve. MUST set "incomprehensible" to True when
redistributing.</c>
<c>False</c>
<c>False</c>
<c>True</c>
<c>Can serve. Can redistribute either by transforming not StR
metadata (if the CDN know how to do so safely), otherwise MUST set
"incomprehensible" to True when redistributing.</c>
<c>True</c>
<c>True</c>
<c>True</c>
<c>Can serve and redistribute.</c>
<c>True</c>
<c>True</c>
<c>False</c>
<c>MUST NOT serve but can redistribute.</c>
<c>True</c>
<c>False</c>
<c>True</c>
<c>Can serve and redistribute.</c>
<c>True</c>
<c>False</c>
<c>False</c>
<c>MUST NOT serve. MUST set "incomprehensible" to True when
redistributing.</c>
</texttable>
<t>The following table describes the action to be taken by a dCDN for
the different "mandatory-to-enforce" (MtE)
and "incomprehensible" (Incomp) cases, when the dCDN either does
or does not understand the metadata in question:</t>
<texttable>
<ttcol>MtE</ttcol>
<ttcol>Metadata Understood</ttcol>
<ttcol>Incomp</ttcol>
<ttcol>Actions</ttcol>
<c>False</c>
<c>True</c>
<c>False</c>
<c>Can serve.</c>
<c>False</c>
<c>True</c>
<c>True</c>
<c>Can serve but MUST NOT interpret/apply any metadata marked
incomprehensible.</c>
<c>False</c>
<c>False</c>
<c>False</c>
<c>Can serve.</c>
<c>False</c>
<c>False</c>
<c>True</c>
<c>Can serve but MUST NOT interpret/apply any metadata marked
incomprehensible.</c>
<c>True</c>
<c>True</c>
<c>False</c>
<c>Can serve.</c>
<c>True</c>
<c>True</c>
<c>True</c>
<c>Can serve but MUST NOT interpret/apply any metadata marked
incomprehensible.</c>
<c>True</c>
<c>False</c>
<c>False</c>
<c>MUST NOT serve.</c>
<c>True</c>
<c>False</c>
<c>True</c>
<c>MUST NOT serve.</c>
</texttable>
<t/>
</section>
<section anchor="metadata-inheritance"
title="Metadata Inheritance and Override">
<t>In the data model, a HostMetadata object may contain (or reference)
multiple PathMetadata objects (via PathMatch objects). Each
PathMetadata object may in turn contain (or reference) other
PathMetadata objects. HostMetadata and PathMetadata objects form an
inheritance tree where each node in the tree inherits or overrides the
property values set by its parent.</t>
<t>GenericMetadata objects of a given type override all
GenericMetadata objects of the same type previously defined by any
parent object in the tree. GenericMetadata objects of a given type
previously defined by a parent object in the tree are inherited when
no object of the same type is defined by the child object. For
example, if HostMetadata for the host "example.com" contains
GenericMetadata objects of type LocationACL and TimeWindowACL, while a
PathMetadata object which applies to "example.com/movies/*" defines an
alternate GenericMetadata object of type TimeWindowACL, then: <list
style="symbols">
<t>the TimeWindowACL defined in the PathMetadata would override
the TimeWindowACL defined in the HostMetadata for all User Agent
requests for content under "example.com/movies", and</t>
<t>the LocationACL defined in the HostMetadata would be inherited
for all User Agent requests for content under
"example.com/movies".</t>
<t>A single HostMetadata or PathMetadata object SHOULD NOT contain
multiple GenericMetadata objects of the same type. If a list of
GenericMetadata contains objects of duplicate types, the receiver
MUST ignore all but the first object of each type. </t>
</list></t>
<t></t>
</section>
</section>
<section anchor="abstract-metadata-description"
title="Encoding-Independent CDNI Metadata Object Descriptions">
<t><xref target="structural-objects"/> provides the definitions of each
object type declared in <xref target="data-model"/>. These objects are
described as structural objects as they provide the structure for the
inheritance tree and identify which specific properties apply to a
given User Agent content request.</t>
<t><xref target="property-objects"/> provides the definitions for a base
set of core metadata objects which may be contained within a
GenericMetadata object. These objects are described as property objects,
as they define the structure, semantics, and enforcement options for
specific properties of the metadata being described. Property objects
govern how User Agent requests for content are handled. Property objects
may be composed of, or contain references to, other property sub-objects
(i.e., property objects contained within or referenced by the property
object that refers to that property sub-object). In those cases the
value of the property sub-objects can be either a complete serialized
representation of the sub-object, or a Link object that contains a URI
and relationship that can be dereferenced to retrieve the complete
serialized representation of the property sub-object.</t>
<t><xref target="extensibility"/> discusses the ability to extend the
base set of metadata objects specified in this document with additional
standards based or vendor specific property objects that may be defined
in the future in separate documents.</t>
<t>Downstream CDNs MUST support parsing of all CDNI metadata objects
specified in this document. A dCDN does not have to implement the
underlying functionality represented by the metadata object,
though that may
restrict the content that a given dCDN can serve. uCDNs as generators of
CDNI Metadata only need to support generating the CDNI metadata that
they need in order to express the policies and treatment
required by the content they are describing.</t>
<t>Note: In the following sections, the term "mandatory-to-specify" is
used to convey which property sub-objects MUST be specified for a given
structural or property object. When mandatory-to-specify is set to true
on a sub-object, it implies that if the property object containing that
property sub-object is specified, then the mandatory-to-specify property
sub-object MUST also be specified, e.g., a HostMatch property object
without a host to match against does not make sense, therefore, the host
is mandatory-to-specify inside a HostMatch property object.</t>
<section anchor="structural-objects"
title="Descriptions of the CDNI Structural Metadata Objects">
<t>Each of the sub-sections below describe the structural objects
defined in <xref target="hostindex-objects-table"/>.</t>
<section anchor="HostIndex" title="HostIndex">
<t>The HostIndex object is the entry point into the CDNI Metadata
hierarchy. It contains (or references) a list of HostMatch objects.
An incoming content request is checked against the hostname (or
IP address) specified by
each of the listed HostMatch objects to find the HostMatch object
which applies to the request.</t>
<t><list style="empty">
<t>Property: hosts<list style="empty">
<t>Description: List of HostMatch objects, in priority
order.</t>
<t>Type: List of HostMatch objects</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
</section>
<section anchor="HostMatch" title="HostMatch">
<t>The HostMatch object contains a hostname or IP address to match
against content requests. The HostMatch object also contains or
references a HostMetadata object to apply if a match is found.</t>
<t><list style="empty">
<t>Property: host<list style="empty">
<t>Description: String (hostname or IP address) to match
against the requested host.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: host-metadata<list style="empty">
<t>Description: CDNI Metadata to apply when delivering
content that matches this host.</t>
<t>Type: HostMetadata</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
</section>
<section anchor="HostMetadata" title="HostMetadata">
<t>A HostMetadata object contains (or references) the CDNI Metadata
properties for content served for a particular host (defined
in the HostMatch object) and possibly child PathMatch objects.</t>
<t><list style="empty">
<t>Property: metadata<list style="empty">
<t>Description: List of host related metadata.</t>
<t>Type: List of GenericMetadata objects</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: paths<list style="empty">
<t>Description: Path specific rules. Path patterns
(PathMatch objects) MUST be evaluated in the order they
appear and the first PathMatch object that matches the
content request being process is applied.</t>
<t>Type: List of PathMatch objects</t>
<t>Mandatory-to-Specify: No.</t>
</list></t>
</list></t>
</section>
<section anchor="PathMatch" title="PathMatch">
<t>The PathMatch object contains (or references) an expression given
as a PatternMatch object to match against a resource URI path and
contains or references a PathMetadata object to apply if a
match is found.</t>
<t><list style="empty">
<t>Property: path-pattern<list style="empty">
<t>Description: Pattern to match against the requested path,
i.e., against the <xref target="RFC3986"/> path-absolute.</t>
<t>Type: PatternMatch</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: path-metadata<list style="empty">
<t>Description: CDNI Metadata to apply when delivering
content that matches this path.</t>
<t>Type: PathMetadata</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
</section>
<section anchor="PathMetadata" title="PathMetadata">
<t>A PathMetadata object contains (or references) the CDNI Metadata
properties for content served with the associated URI path (defined
in a PathMatch object) and possibly child PathMatch objects.</t>
<t>Note that if DNS-based redirection is employed, then any metadata
at the PathMetadata level or below will be inaccessible at request
routing time because only the content request hostname is available
at request routing time.</t>
<t><list style="empty">
<t>Property: metadata<list style="empty">
<t>Description: List of path related metadata.</t>
<t>Type: List of GenericMetadata objects</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: paths<list style="empty">
<t>Description: Path specific rules. First match
applies.</t>
<t>Type: List of PathMatch objects</t>
<t>Mandatory-to-Specify: No.</t>
</list></t>
</list></t>
</section>
<section title="PatternMatch">
<t>A PatternMatch object contains the pattern string and flags that
describe the PathMatch expression.</t>
<t><list style="empty">
<t>Property: pattern<list style="empty">
<t>Description: A pattern for string matching. The pattern
may contain the wildcards * and ?, where * matches any
sequence of characters (including the empty string) and ?
matches exactly one character. The three literals \ , * and
? should be escaped as \\, \* and \?. All other characters
are treated as literals.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: case-sensitive<list style="empty">
<t>Description: Flag indicating whether or not
case-sensitive matching should be used.</t>
<t>Type: Boolean</t>
<t>Mandatory-to-Specify: No. Default is case-insensitive
match.</t>
</list></t>
</list> <list style="empty">
<t>Property: ignore-query-string<list style="empty">
<t>Description: List of query parameters which should be
ignored when searching for a pattern match. If all query
parameters should be ignored then the list MUST be
empty.</t>
<t>Type: List of String</t>
<t>Mandatory-to-Specify: No. Default is to include query
strings when matching.</t>
</list></t>
</list></t>
</section>
<section anchor="generic-metadata" title="GenericMetadata">
<t>A GenericMetadata object is an abstraction for managing
individual CDNI Metadata properties in an opaque manner.</t>
<t><list style="empty">
<t>Property: generic-metadata-type<list style="empty">
<t>Description: CDNI Metadata property object type.</t>
<t>Type: MIME Type String (from <xref
target="metadata-registry"></xref>)</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: generic-metadata-value<list style="empty">
<t>Description: CDNI Metadata property object.</t>
<t>Type: Format/Type is defined by the value of
generic-metadata-type property above.</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: mandatory-to-enforce<list style="empty">
<t>Description: Flag identifying whether or not the
enforcement of the property Metadata is required.</t>
<t>Type: Boolean</t>
<t>Mandatory-to-Specify: No. Default is to treat metadata as
mandatory to enforce (i.e., true).</t>
</list></t>
</list> <list style="empty">
<t>Property: safe-to-redistribute<list style="empty">
<t>Description: Flag identifying whether or not the property
Metadata may be safely redistributed without
modification.</t>
<t>Type: Boolean</t>
<t>Mandatory-to-Specify: No. Default is allow transparent
redistribution (i.e., true).</t>
</list></t>
</list> <list style="empty">
<t>Property: incomprehensible<list style="empty">
<t>Description: Flag identifying whether or not any
CDN in the chain of delegation has failed to
understand and/or failed to properly transform the
Metadata.</t>
<t>Type: Boolean</t>
<t>Mandatory-to-Specify: No. Default is
comprehensible (i.e., false).</t>
</list></t>
</list></t>
</section>
</section>
<section anchor="property-objects"
title="Description of the CDNI Generic Metadata Objects">
<t>The property objects defined below are intended to be used in the
GenericMetadata object generic-metadata-value field as defined in
<xref target="generic-metadata"/> and their generic-metadata-type
property MUST be set to the appropriate Media Type as defined in
<xref target="metadata-registry"></xref>.</t>
<section anchor="SourceMetadata" title="Source Metadata">
<t>Source Metadata provides the dCDN information about content
acquisition, i.e., how to contact an uCDN Surrogate or an Origin
Server to obtain the content to be served. The sources are not
necessarily the actual Origin Servers operated by the CSP but might
be a set of Surrogates in the uCDN.</t>
<t/>
<t>Endpoints within a source should be treated as equivalent/equal
so one can specify a list of sources in preference order and for
each source/preference rank one can specify a list of endpoints that
are equivalent, e.g., a pool of servers that are not behind a load
balancer.</t>
<t><list style="empty">
<t>Property: sources<list style="empty">
<t>Description: Sources from which the dCDN can acquire
content, listed in order of preference.</t>
<t>Type: List of Source objects</t>
<t>Mandatory-to-Specify: No. Default is to use static
configuration, out-of-band from the metadata interface.</t>
</list></t>
</list></t>
<section anchor="Source" title="Source">
<t>A Source object describes the Source which should be used by
the dCDN for content acquisition, e.g., a Surrogate within the uCDN
or an alternate Origin Server, the protocol to be used and any
authentication method.</t>
<t><list style="empty">
<t>Property: acquisition-auth<list style="empty">
<t>Description: Authentication method to use when
requesting content from this source.</t>
<t>Type: Auth</t>
<t>Mandatory-to-Specify: No. Default is no authentication
required.</t>
</list></t>
</list> <list style="empty">
<t>Property: endpoints<list style="empty">
<t>Description: Origins from which the dCDN can acquire
content. If multiple endpoints are specified they are all
equal, i.e., the list is not in preference order, for
example a pool of servers behind a load balancer.</t>
<t>Type: List of EndPoint objects</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: protocol<list style="empty">
<t>Description: Network retrieval protocol to use when
requesting content from this source.</t>
<t>Type: Protocol</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
</section>
</section>
<section anchor="LocationACL" title="LocationACL Metadata">
<t>LocationACL Metadata defines location-based restrictions.</t>
<t>A LocationACL which does not include a locations property results
in an action of allow, meaning that delivery can be performed
regardless of the User Agent's location. The action from the first
footprint to match against the User Agent's location is the action a
CDN MUST take. If two or more footprints overlap, the first
footprint that matches against the User Agent's location determines
the action a CDN MUST take. If the locations property is included
but is empty, or if none of the listed footprints matches the User
Agent's location, then the result is an action of deny.</t>
<t>Although the LocationACL, TimeWindowACL, and ProtocolACL are
independent GenericMetadata objects, they may provide conflicting
information to a dCDN, e.g., a content request which is
simultaneously allowed based on the LocationACL and denied based on
the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs
(where 'allow' is true and 'deny' is false) to determine whether or
not a request should be allowed. Thus, in the example given, the
request should be denied.</t>
<t><list style="empty">
<t>Property: locations<list style="empty">
<t>Description: Access control list which
allows or blocks delivery based on client location.</t>
<t>Type: List of LocationRule objects</t>
<t>Mandatory-to-Specify: No. Default is allow all
locations.</t>
</list></t>
</list></t>
<section anchor="LocationRule" title="LocationRule">
<t>A LocationRule contains or references a list of Footprint
objects and the corresponding action.</t>
<t><list style="empty">
<t>Property: footprints<list style="empty">
<t>Description: List of footprints to which the rule
applies.</t>
<t>Type: List of Footprint objects</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: action<list style="empty">
<t>Description: Defines whether the rule specifies
locations to allow or deny.</t>
<t>Type: Enumeration [allow|deny]</t>
<t>Mandatory-to-Specify: No. Default is deny.</t>
</list></t>
</list></t>
</section>
<section anchor="Footprint" title="Footprint">
<t>A Footprint object describes the footprint to which a
LocationRule may be applied by, e.g., an IPv4 address range or a
geographic location.</t>
<t><list style="empty">
<t>Property: footprint-type<list style="empty">
<t>Description: Registered footprint type (see <xref
target="FootprintReg"/>).</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: footprint-value<list style="empty">
<t>Description: Footprint object conforming to the
specification associated with the registered footprint
type.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
</section>
</section>
<section anchor="TimeWindowACL" title="TimeWindowACL Metadata">
<t>TimeWindowACL Metadata defines time-based restrictions. </t>
<t>A TimeWindowACL which does not include a times property results
in an action of allow, meaning that delivery can be performed
regardless of the time of the User Agent's request. The
action from the first window to match against the current
time is the action a CDN MUST take. If two or more windows
overlap, the first window that matches against the current
time determines the action a CDN MUST take. If the times
property is included but is empty, or if none of the listed
windows matches the current time, then the result is an
action of deny.</t>
<t>Although the LocationACL, TimeWindowACL, and ProtocolACL are
independent GenericMetadata objects, they may provide conflicting
information to a dCDN, e.g., a content request which is
simultaneously allowed based on the LocationACL and denied based on
the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs
(where 'allow' is true and 'deny' is false) to determine whether or
not a request should be allowed. Thus, in the example given, the
request should be denied.</t>
<t><list style="empty">
<t>Property: times<list style="empty">
<t>Description: Description: Access control list which
allows or blocks delivery based on request time.</t>
<t>Type: List of TimeWindowRule objects</t>
<t>Mandatory-to-Specify: No. Default is allow all time
windows.</t>
</list></t>
</list></t>
<section anchor="TimeWindowRule" title="TimeWindowRule">
<t>A TimeWindowRule contains or references a list of TimeWindow
objects and the corresponding action.</t>
<t><list style="empty">
<t>Property: windows<list style="empty">
<t>Description: List of time windows to which the rule
applies.</t>
<t>Type: List of TimeWindow objects</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: action<list style="empty">
<t>Description: Defines whether the rule specifies time
windows to allow or deny.</t>
<t>Type: Enumeration [allow|deny]</t>
<t>Mandatory-to-Specify: No. Default is deny.</t>
</list></t>
</list></t>
</section>
<section anchor="TimeWindow" title="TimeWindow">
<t>A TimeWindow object describes a time range which may be applied
by an TimeWindowACL, e.g., start 946717200 (i.e., 09:00AM
01/01/2000 UTC), end: 946746000 (i.e., 17:00AM 01/01/2000
UTC).</t>
<t><list style="empty">
<t>Property: start<list style="empty">
<t>Description: The start time of the window.</t>
<t>Type: Time</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: end<list style="empty">
<t>Description: The end time of the window.</t>
<t>Type: Time</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
</section>
</section>
<section anchor="ProtocolACL" title="ProtocolACL Metadata">
<t>ProtocolACL Metadata defines delivery protocol restrictions.</t>
<t>A ProtocolACL which does not include a protocol-acl
property results in an action of allow, meaning that
delivery can be performed regardless of the protocol of the
User Agent's request. The action from the first protocol to
match against the request protocol is the action a CDN MUST
take. If two or more request protocols overlap, the first
protocol that matches thre request protocol determines the
action a CDN MUST take. If the protocol-acl property is
included but is empty, or if none of the listed protocol
matches the request protocol, then the result is an
action of deny.</t>
<t>Although the LocationACL, TimeWindowACL, and ProtocolACL are
independent GenericMetadata objects, they may provide conflicting
information to a dCDN, e.g., a content request which is
simultaneously allowed based on the LocationACL and denied based on
the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs
(where 'allow' is true and 'deny' is false) to determine whether or
not a request should be allowed. Thus, in the example given, the
request should be denied.</t>
<t><list style="empty">
<t>Property: protocol-acl<list style="empty">
<t>Description: Description: Access control list which
allows or blocks delivery based on delivery protocol.</t>
<t>Type: List of ProtocolRule objects</t>
<t>Mandatory-to-Specify: No. Default is allow all
protocols.</t>
</list></t>
</list></t>
<section anchor="ProtocolRule" title="ProtocolRule">
<t>A ProtocolRule contains or references a list of Protocol
objects. ProtocolRule objects are used to construct a ProtocolACL
to apply restrictions to content acquisition or delivery.</t>
<t><list style="empty">
<t>Property: protocols<list style="empty">
<t>Description: List of protocols to which the rule
applies.</t>
<t>Type: List of protocol objects</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: action<list style="empty">
<t>Description: Defines whether the rule specifies
protocols to allow or deny.</t>
<t>Type: Enumeration [allow|deny]</t>
<t>Mandatory-to-Specify: No. Default is deny.</t>
</list></t>
</list></t>
</section>
</section>
<section anchor="DeliveryAuthorization" title="DeliveryAuthorization Metadata">
<t>Delivery Authorization defines authorization
methods for the delivery of content to User Agents.</t>
<t><list style="empty">
<t>Property: delivery-auth-methods<list style="empty">
<t>Description: Options for authorizing content requests.
Delivery for a content request is authorized if any
of the authorization method in the list is satisfied
for that request.</t>
<t>Type: List of Auth objects</t>
<t>Mandatory-to-Specify: No. Default is no authorization
required.</t>
</list></t>
</list></t>
</section>
<section anchor="Cache" title="Cache">
<t>A Cache object describes the cache control parameters to be
applied to the content by intermediate caches.</t>
<t><list style="empty">
<t>Property: ignore-query-string<list style="empty">
<t>Description: Allows a cache to ignore URI query string
parameters while comparing URIs for equivalence. Each query
parameter to ignore is specified in the list. If all query
parameters should be ignored, then the list MUST be
specified and MUST be empty.</t>
<t>Type: List of String</t>
<t>Mandatory-to-Specify: No. Default is to consider query
string parameters when comparing URIs.</t>
</list></t>
</list></t>
</section>
<section anchor="Grouping" title="Grouping">
<t>A Grouping object identifies a large group of content to which
a given asset belongs.</t>
<t><list style="empty">
<t>Property: ccid<list style="empty">
<t>Description: Content Collection identifier for an
application-specific purpose such as logging.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: No. Default is an empty string.</t>
</list></t>
</list> <list style="empty">
<t>Property: sid<list style="empty">
<t>Description: Session identifier for an
application-specific purpose such as logging.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: No. Default is an empty string.</t>
</list></t>
</list></t>
</section>
</section>
<section anchor="simple-data-types"
title="CDNI Metadata Simple Data Type Descriptions">
<t>This section describes the simple data types that are used for
properties of CDNI Metadata objects.</t>
<section anchor="Link" title="Link">
<t>A link object may be used in place of any of the objects or
properties described above. Links can be used to avoid duplication
if the same metadata information is repeated within the metadata
tree. When a link replaces an object, its href property is set to
the URI of the resource and its type property is set to the type of
the object it is replacing.</t>
<t><list style="empty">
<t>Property: href<list style="empty">
<t>Description: The URI of the addressable object
being referenced.</t>
<t>Type: URI</t>
<t>Mandatory-to-Specify: Yes</t>
</list></t>
</list> <list style="empty">
<t>Property: type<list style="empty">
<t>Description: The type of the object being referenced.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: No</t>
</list></t>
</list></t>
</section>
<section anchor="Protocol" title="Protocol">
<t>Protocol objects are used to specify registered protocols for
content acquisition or delivery (see <xref
target="ProtocolReg"/>).</t>
<t>Type: String</t>
</section>
<section title="Endpoint">
<t>A hostname (with optional port) or an IP address (with optional
port).</t>
<t>Note: All implementations MUST support IPv4 addresses encoded as
specified by the 'IPv4address' rule in Section 3.2.2 of <xref
target="RFC3986"/> and MUST support all IPv6 address formats
specified in <xref target="RFC4291"/>. Server implementations SHOULD
use IPv6 address formats specified in <xref target="RFC5952"/>.</t>
<t>Type: String</t>
</section>
<section title="URI">
<t>A URI as specified in <xref target="RFC3986"/>.</t>
<t>Type: String</t>
</section>
<section title="Time">
<t>A time value expressed in seconds since Unix epoch in the UTC
timezone.</t>
<t>Type: Integer</t>
</section>
</section>
<section anchor="Auth" title="Auth">
<t>An Auth object defines authentication and authorization methods
to be used during content acquisition and content delivery,
respectively.</t>
<t><list style="empty">
<t>Property: auth-type<list style="empty">
<t>Description: Registered Auth type (see <xref
target="AuthReg"/>).</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list> <list style="empty">
<t>Property: auth-value<list style="empty">
<t>Description: An object conforming to the specification
associated with the Registered Auth type.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
<section anchor="CredentialAuth" title="CredentialAuth Type">
<t>CredentialAuth is a Registered Auth type defining an
object for encapsulating user credentials (i.e., username
and password) (see <xref target="AuthReg"/>). The
CredentialAuth object contains the following properties:</t>
<t><list style="empty">
<t>Property: username<list style="empty">
<t>Description: Identification of user.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
<t>Property: password<list style="empty">
<t>Description: Password for user identified by username
property.</t>
<t>Type: String</t>
<t>Mandatory-to-Specify: Yes.</t>
</list></t>
</list></t>
</section>
</section>
</section>
<section anchor="metadata-capabilities" title="CDNI Metadata Capabilities">
<t>CDNI Metadata is used to convey information pertaining to content
delivery from uCDN to dCDN. For optional metadata, it may be useful for
the uCDN to know if the dCDN supports the metadata, prior to delegating
any content requests to the dCDN. If optional-to-implement metadata is
"mandatory-to-enforce", and the dCDN does not support it, any delegated
requests for that content will fail. The uCDN will likely want to
avoid delegating those requests to that dCDN. Likewise, for any metadata
which may be assigned optional values, it may be useful for the uCDN to
know which values a dCDN supports, prior to delegating any content
requests to that dCDN. If the optional value assigned to a given piece of
content's metadata is not supported by the dCDN, any delegated requests
for that content may fail, so again the uCDN is likely to want to avoid
delegating those requests to that dCDN.</t>
<t>The CDNI Footprint and Capabilities Interface (FCI) <xref
target="I-D.ietf-cdni-framework"/> provides a means of advertising
capabilities from dCDN to uCDN. Support for optional metadata and
support for optional metadata values may be advertised using the
FCI.</t>
</section>
<section anchor="metadata-interface" title="CDNI Metadata interface">
<t>This section specifies an interface to enable a Downstream CDN to
retrieve CDNI Metadata objects from an Upstream CDN.</t>
<t>The interface can be used by a Downstream CDN to retrieve CDNI
Metadata objects either</t>
<t><list style="symbols">
<t>Dynamically as required by the Downstream CDN to process received
requests. For example in response to a query from an Upstream CDN
over the CDNI Request Routing Redirection interface (RI) <xref
target="I-D.ietf-cdni-redirection"/> or in response to receiving a
request for content from a User Agent. Or;</t>
<t>In advance of being required. For example in the case of
Pre-positioned CDNI Metadata acquisition.</t>
</list></t>
<t>The CDNI Metadata interface is built on the principles of RESTful web
services. In particular, this means that requests and responses over the
interface are built around the transfer of representations of
hyperlinked resources. A resource in the context of the CDNI Metadata
interface is any object in the Data Model (as described in <xref
target="data-model"/> through <xref
target="abstract-metadata-description"/>).</t>
<t>To retrieve CDNI metadata, a CDNI Metadata client (i.e., a client in
the dCDN) first makes a HTTP GET request for the URI of the HostIndex
which provides the CDNI Metadata client with a list of Hostnames for
which the upstream CDN may delegate content delivery to the downstream
CDN. The CDNI Metadata client can then obtain any other CDNI Metadata
objects by making a HTTP GET requests for any linked Metadata objects it
requires.</t>
<t>CDNI Metadata servers (i.e., servers in the uCDN) are free to assign
whatever structure they desire to the URIs for CDNI Metadata objects and
CDNI Metadata clients MUST NOT make any assumptions regarding the
structure of CDNI Metadata URIs or the mapping between CDNI Metadata
objects and their associated URIs. Therefore any URIs present in the
examples below are purely illustrative and are not intended to impose a
definitive structure on CDNI Metadata interface implementations.</t>
<section title="Transport">
<t>The CDNI Metadata interface uses HTTP as the underlying protocol
transport.</t>
<t>The HTTP Method in the request defines the operation the request
would like to perform. A server implementation of the CDNI Metadata
interface MUST support the HTTP GET and HEAD methods.</t>
<t>The corresponding HTTP Response returns the status of the operation
in the HTTP Status Code and returns the current representation of the
resource (if appropriate) in the Response Body. HTTP Responses from
servers implementing the CDNI Metadata interface that contain a
response body SHOULD include an ETag to enable validation of cached
versions of returned resources.</t>
<t>The CDNI Metadata interface specified in this document is a
read-only interface. Therefore support for other HTTP methods such as
PUT, POST and DELETE etc. is not specified. A server implementation
of the CDNI Metadata interface SHOULD reject all methods other than
GET and HEAD.</t>
<t>As the CDNI Metadata interface builds on top of HTTP, CDNI Metadata
server implementations MAY make use of any HTTP feature when
implementing the CDNI Metadata interface, for example a CDNI Metadata
server MAY make use of HTTP's caching mechanisms to indicate that the
returned response/representation can be reused without re-contacting
the CDNI Metadata server.</t>
</section>
<section title="Retrieval of CDNI Metadata resources">
<t>In the general case a CDNI Metadata server makes each instance of
an addressable CDNI Metadata object available via a unique URI and
therefore in order to retrieve CDNI Metadata, a CDNI Metadata client
first makes a HTTP GET request for the URI of the HostIndex which
provides the CDNI Metadata client with a list of Hostnames for which
the upstream CDN may delegate content delivery to the downstream
CDN.</t>
<t>In order to retrieve the CDNI Metadata for a particular request the
CDNI Metadata client processes the received HostIndex object and finds
the corresponding HostMetadata entry (by matching the hostname in the
request against the hostnames in the HostMatch). If the HostMetadata
is linked (rather than embedded), the CDNI metadata client then makes
a GET request for the URI specified in the href property of the Link
object which points to the HostMetadata object itself.</t>
<t>In order to retrieve the most specific metadata for a particular
request, the CDNI metadata client inspects the HostMetadata for
references to more specific PathMetadata objects. If any PathMetadata
match the request (and are linked rather than embedded), the CDNI
metadata client makes another GET request for the PathMetadata. Each
PathMetadata object may also include references to yet more specific
metadata. If this is the case, the CDNI metadata client continues
requesting PathMetadata recursively.</t>
<t>Where a downstream CDN is interconnected with multiple upstream
CDNs, the downstream CDN needs to determine which upstream CDN's CDNI
metadata should be used to handle a particular User Agent request.</t>
<t>When application level redirection (e.g., HTTP 302 redirects) is
being used between CDNs, it is expected that the downstream CDN will
be able to determine the upstream CDN that redirected a particular
request from information contained in the received request (e.g., via
the URI). With knowledge of which upstream CDN routed the request, the
downstream CDN can choose the correct metadata server from which to
obtain the HostIndex. Note that the HostIndex served by each uCDN may
be unique.</t>
<t>In the case of DNS redirection there is not always sufficient
information carried in the DNS request from User Agents to determine
the upstream CDN that redirected a particular request (e.g., when
content from a given host is redirected to a given downstream CDN by
more than one upstream CDN) and therefore downstream CDNs may have to
apply local policy when deciding which upstream CDN's metadata to
apply.</t>
</section>
<section title="Bootstrapping">
<t>The URI for the HostIndex object of a given upstream CDN needs to
be either configured in, or discovered by, the downstream CDN. All
other objects/resources are then discoverable from the HostIndex
object by following the links in the HostIndex object and the
referenced HostMetadata and PathMetadata objects.</t>
<t>If the URI for the HostIndex object is not manually configured in
the downstream CDN then the HostIndex URI could be discovered. A
mechanism allowing the downstream CDN to discover the URI of the
HostIndex is outside the scope of this document.</t>
</section>
<section title="Encoding">
<t>Objects are resources that may be:</t>
<t><list style="symbols">
<t>Addressable, where the object is a resource that may be
retrieved or referenced via its own URI.</t>
<t>Embedded, where the object is contained within a property of an
addressable object.</t>
</list></t>
<t>The descriptions of objects use the phrase "X contains Y" to
mean that Y is either directly embedded in X or is linked to by X. It
is generally a deployment choice for the uCDN implementation to decide
when and which CDNI Metadata objects to embed and which are made
separately addressable.</t>
<section anchor="media-types" title="MIME Media Types">
<t>All MIME types for CDNI Metadata objects are prefixed with
"application/cdni.". The MIME type for each object then contains the
object name of that object as defined by this document. The object
type name is followed by ".v" and the version number of the object
type (e.g., “.v1”). Finally, the encoding type "+json" is
appended. <xref target="metadata-media-types-table"/> 3 lists a few
examples of the MIME Media Type for some object (resource) that are
retrievable through the CDNI Metadata interface.</t>
<texttable anchor="metadata-media-types-table"
title="Example MIME Media Types for CDNI Metadata objects">
<ttcol>Data Object</ttcol>
<ttcol>MIME Media Type</ttcol>
<c>HostIndex</c>
<c>application/cdni.HostIndex.v1+json</c>
<c>HostMatch</c>
<c>application/cdni.HostMatch.v1+json</c>
<c>HostMetadata</c>
<c>application/cdni.HostMetadata.v1+json</c>
<c>PathMatch</c>
<c>application/cdni.PathMatch.v1+json</c>
<c>PathMetadata</c>
<c>application/cdni.PathMetadata.v1+json</c>
<c>Source</c>
<c>application/cdni.Source.v1+json</c>
<c>LocationACL</c>
<c>application/cdni.LocationACL.v1+json</c>
<c>LocationRule</c>
<c>application/cdni.LocationRule.v1+json</c>
</texttable>
<t/>
</section>
<section title="JSON Encoding of Objects">
<t>A CDNI Metadata object is encoded as a JSON object containing a
dictionary of (key,value) pairs where the keys are the property
names and the values are the associated property values.</t>
<t>The keys of the dictionary are the names of the properties
associated with the object and are therefore dependent on the
specific object being encoded (i.e., dependent on the MIME Media Type
of the returned resource). Likewise, the values associated with each
key are dependent on the specific object being encoded (i.e.,
dependent on the MIME Media Type of the returned resource).</t>
<t>Dictionary keys in JSON are case sensitive. By convention any
dictionary key defined by this document (for example the names of
CDNI Metadata object properties) MUST be represented in
lowercase.</t>
<t>In addition to the properties specified for each object type, the
keys defined below may be present in any object.</t>
<t><list style="empty">
<t>Key: base<list style="empty">
<t>Description: Provides a prefix for any relative URLs in
the object. This is similar to the XML base tag <xref
target="XML-BASE"/>. If absent, all URLs in the remainder of
the response MUST be absolute URLs.</t>
<t>Type: URI</t>
<t>Mandatory: No</t>
</list></t>
</list></t>
<t><list style="empty">
<t>Key: _links<list style="empty">
<t>Description: The links from this object to other
addressable objects. Any property whose value is an object
may be replaced by a link to an object with the same type as
the property it replaces. The keys of the _links dictionary
are the names of the properties being replaced. The values
of the dictionary are Link objects with href set to the URI
of the object and type set to the MIME type of the object
being replaced.</t>
<t>Type: Dictionary object of Link objects</t>
<t>Mandatory: Yes</t>
</list></t>
</list></t>
<section title="Encoded CDNI Metadata Example">
<t>A downstream CDN may request the HostIndex and receive the
following object of type "application/cdni.HostIndex.v1+json":</t>
<t><figure>
<artwork><![CDATA[{
"hosts": [
{
"host": "video.example.com",
"_links": {
"host-metadata" : {
"type": "application/cdni.HostMetadata.v1+json",
"href": "http://metadata.ucdn.example/host1234"
}
}
},
{
"host": "images.example.com",
"_links": {
"host-metadata" : {
"type": "application/cdni.HostMetadata.v1+json",
"href": "http://metadata.ucdn.example/host5678"
}
}
}
]
}]]></artwork>
</figure></t>
<t>If the incoming request has a Host header with
"video.example.com" then the downstream CDN would fetch the next
metadata object from "http://metadata.ucdn.example/host1234"
expecting a MIME type of
"application/cdni.HostMetadata.v1+json":</t>
<t><figure>
<artwork><![CDATA[{
"metadata": [
{
"generic-metadata-type": "application/cdni.SourceMetadata.v1+json",
"generic-metadata-value": {
"sources": [
{
"_links": {
"acquisition-auth": {
"auth-type": "application/cdni.Auth.v1+json",
"href": "http://metadata.ucdn.example/auth1234"
}
},
"endpoint": "acq1.ucdn.example",
"protocol": "ftp"
},
{
"_links": {
"acquisition-auth": {
"auth-type": "application/cdni.Auth.v1+json",
"href": "http://metadata.ucdn.example/auth1234"
}
},
"endpoint": "acq2.ucdn.example",
"protocol": "http"
}
]
}
},
{
"generic-metadata-type": "application/cdni.LocationACL.v1+json",
"generic-metadata-value": {
"locations": [
{
"footprints": [
{
"footprint-type": "IPv4CIDR",
"footprint-value": "192.168.0.0/16"
}
],
"action": "deny"
}
]
}
},
{
"generic-metadata-type": "application/cdni.ProtocolACL.v1+json",
"generic-metadata-value": {
"protocol-acl": [
{
"protocols": [
"ftp"
],
"action": "deny"
}
]
}
}
],
"paths": [
{
"path-pattern": {
"pattern": "/video/trailers/*"
},
"_links": {
"path-metadata": {
"type": "application/cdni.PathMetadata.v1+json",
"href": "http://metadata.ucdn.example/host1234/pathABC"
}
}
},
{
"path-pattern": {
"pattern": "/video/movies/*"
},
"_links": {
"path-metadata": {
"type": "application/cdni.PathMetadata.v1+json",
"href": "http://metadata.ucdn.example/host1234/pathDCE"
}
}
}
]
}]]></artwork>
</figure></t>
<t>Suppose the path of the requested resource matches the
"/video/movies/*" pattern, the next metadata requested would be
for "http://metadata.ucdn.example/host1234/pathDCE" with an
expected type of "application/cdni.PathMetadata.v1+json":</t>
<t><figure>
<artwork><![CDATA[{
"metadata": [],
"paths": [
{
"path-pattern": {
"pattern": "/videos/movies/hd/*"
},
"_links": {
"pathmetadata": {
"type": "application/cdni.PathMetadata.v1+json",
"href":
"http://metadata.ucdn.example/host1234/pathABC/path123"
}
}
}
]
}]]></artwork>
</figure></t>
<t>Finally, if the path of the requested resource also matches the
"/videos/movies/hd/*" pattern, the downstream CDN would also fetch
the following object from
"http://metadata.ucdn.example/host1234/movies/hd" with MIME type
"application/cdni.PathMetadata.v1+json":</t>
<t><figure>
<artwork><![CDATA[{
"metadata": [
{
"generic-metadata-type": "application/cdni.TimeWindowACL.v1+json",
"generic-metadata-value": {
"times": [
"windows": [
{
"start": "1213948800",
"end": "1327393200"
}
],
"action": "allow"
]
}
}
]
}]]></artwork>
</figure></t>
</section>
</section>
</section>
<section anchor="extensibility" title="Extensibility">
<t>The set of property Metadata may be extended with additional
(standards based or vendor specific) property Metadata. The
GenericMetadata object defined in <xref target="generic-metadata"/>
allows any Metadata property to be included in either the HostMetadata
or PathMetadata lists. It is expected that additional property
Metadata will be defined in the future and that the documents defining
those property Metadata will be registered in the CDNI GenericMetadata
Types registry <xref target="metadata-registry"/>.</t>
<t>Note: Identification, within the type name defined for a property
Metadata object, of the organization that defined the extension
property Metadata decreases the possibility of property Metadata type
collisions.</t>
<section title="Metadata Enforcement">
<t>At any given time, the set of GenericMetadata types supported by
the uCDN may not match the set of GenericMetadata types supported by
the dCDN.</t>
<t>In the cases where a uCDN sends Metadata containing a
GenericMetadata type that a dCDN does not support, the dCDN MUST
enforce the semantics of the "mandatory-to-enforce” property.
If a dCDN does not understand or is unable to perform the functions
associated with any "mandatory-to-enforce” Metadata, the dCDN
MUST NOT service any requests for the corresponding content.</t>
<t>Note: Ideally, uCDNs would not delegate content requests to a
dCDN which does not support the "mandatory-to-enforce" Metadata
associated with the content being requested. However, even if the
uCDN has a priori knowledge of the Metadata supported by the dCDN
(e.g., via the CDNI capabilities interface or through out-of-band
negotiation between CDN operators) Metadata support may fluctuate or
be inconsistent (e.g., due to mis-communication, mis-configuration,
or temporary outage). Thus, the dCDN MUST always evaluate all
Metadata associated with content requests and reject any requests
where "mandatory-to-enforce" Metadata associated with the content
cannot be enforced.</t>
</section>
<section title="Metadata Conflicts">
<t>It is possible that new Metadata definitions may obsolete or
conflict with existing property Metadata (e.g., a future revision of
the CDNI Metadata interface may redefine the Auth Metadata or a
custom vendor extension may implement an alternate Auth Metadata
option). If multiple Metadata (e.g., cdni.Auth.v2, vendor1.Auth,
and vendor2.Auth) all conflict with an existing Metadata (e.g.,
cdni.Auth) and all are marked as "mandatory-to-enforce", it may be
ambiguous which Metadata should be applied, especially if the
functionality of the Metadata overlap.</t>
<t>As described in <xref target="metadata-inheritance"/>, Metadata
override only applies to Metadata objects of the same exact type,
found in HostMetadata and nested PathMetadata structures. The CDNI
Metadata interface does not support enforcement of dependencies
between different Metadata types. It is the responsibility of the
CSP and the CDN operators to ensure that Metadata assigned to a
given content do not conflict.</t>
<t>Note: Because Metadata is inherently ordered in GenericMetadata
lists, as well as in the PathMetadata hierarchy and PathMatch lists,
multiple conflicting Metadata types MAY be used, however, Metadata
hierarchies MUST ensure that independent PathMatch root objects are
used to prevent ambiguous or conflicting Metadata definitions.</t>
</section>
</section>
<section title="Versioning">
<t>The version of CDNI Metadata Structural objects is conveyed inside
the MIME-Type that is included in the HTTP Content-Type header. Upon
responding to a request for an object, a metadata server MUST include
a Content-Type header with the MIME-type containing the version number
of the object. HTTP requests sent to a metadata server SHOULD include
an Accept header with the MIME-type (which includes the version) of
the expected object. Metadata clients can specify multiple MIME-types
in the Accept header, for example if a metadata client is capable of
processing two different versions of the same type of object (defined
by different MIME-types) it may decide to include both in the Accept
header. The version of each object defined by this document is version
1. For example: "Content-Type:
application/cdni.HostIndex.v1+json".</t>
<t>GenericMetadata objects include a "type" property which specifies
the MIME-type of the GenericMetadata value. This MIME-type should also
include a version. Any document which defines a new type of
GenericMetadata MUST specify the version number which it describes.
For example: "application/cdni.Location.v1+json".</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document requests the registration of the following MIME Media
Type under the IANA MIME Media Type registry
(http://www.iana.org/assignments/media-types/index.html).<list>
<t>application/cdni.HostIndex.v1</t>
<t>application/cdni.HostMetadata.v1</t>
<t>application/cdni.PathMatch.v1</t>
<t>application/cdni.PathMetadata.v1</t>
<t>application/cdni.PatternMatch.v1</t>
<t>application/cdni.GenericMetadata.v1</t>
<t>application/cdni.SourceMetadata.v1</t>
<t>application/cdni.Source.v1</t>
<t>application/cdni.LocationACL.v1</t>
<t>application/cdni.LocationRule.v1</t>
<t>application/cdni.Footprint.v1</t>
<t>application/cdni.TimeWindowACL.v1</t>
<t>application/cdni.TimeWindowRule.v1</t>
<t>application/cdni.TimeWindow.v1</t>
<t>application/cdni.ProtocolACL.v1</t>
<t>application/cdni.ProtocolRule.v1</t>
<t>application/cdni.Authorization.v1</t>
<t>application/cdni.Auth.v1</t>
<t>application/cdni.CredentialsAuth.v1</t>
<t>application/cdni.Cache.v1</t>
<t>application/cdni.Grouping.v1</t>
</list></t>
<section anchor="metadata-registry"
title="GenericMetadata Type Registry">
<t>CDNI Metadata is distributed as a list of GenericMetadata objects
which specify a type field and a type-specific value field, as
described in <xref target="generic-metadata"/>. In order to prevent
namespace collisions for GenericMetadata object types a new IANA
registry is requested for the "CDNI GenericMetadata Types" namespace.
The namespace shall be split into two partitions: standard and
optional.</t>
<t>The standard namespace partition is intended to contain
mandatory-to-implement capabilities and conforms to the "IETF
Review" policy as
defined in <xref target="RFC5226"/>. The registry contains the generic
metadata type name, the RFC number of the specification defining the
metadata type, the version number of the GenericMetadata set to which
the standard capability applies, and boolean values indicating whether
or not the new type is considered "mandatory-to-enforce" or
"safe-to-redistribute" (as defined in <xref
target="generic-metadata"/>).</t>
<t>The following table defines the initial values for the standard
partition:</t>
<texttable>
<ttcol align="left">Type name</ttcol>
<ttcol align="left">Specification</ttcol>
<ttcol align="left">Version</ttcol>
<ttcol align="left">MTE</ttcol>
<ttcol align="left">STR</ttcol>
<c>application/cdni.SourceMetadata.v1</c>
<c>RFCthis</c>
<c>1</c>
<c>true</c>
<c>true</c>
<c>application/cdni.LocationACL.v1</c>
<c>RFCthis</c>
<c>1</c>
<c>true</c>
<c>true</c>
<c>application/cdni.TimeWindowACL.v1</c>
<c>RFCthis</c>
<c>1</c>
<c>true</c>
<c>true</c>
<c>application/cdni.ProtocolACL.v1</c>
<c>RFCthis</c>
<c>1</c>
<c>true</c>
<c>true</c>
<c>application/cdni.Auth.v1</c>
<c>RFCthis</c>
<c>1</c>
<c>true</c>
<c>true</c>
<c>application/cdni.Cache.v1</c>
<c>RFCthis</c>
<c>1</c>
<c>true</c>
<c>true</c>
<c>application/cdni.Grouping.v1</c>
<c>RFCthis</c>
<c>1</c>
<c>true</c>
<c>true</c>
</texttable>
<t>The initial MI version number is set to 1. All of the initial
GenericMetadata types are considered mandatory-to-implement for
version 1. The version field should be incremented when new
GenericMetadata type sets are added to the registry.</t>
<t>The "optional" namespace partition conforms to the "Expert Review"
policy as defined in <xref target="RFC5226"/>. The expert review is
intended to prevent namespace hoarding and to prevent the definition
of redundant GenericMetadata types. Vendors defining new
GenericMetadata types which conflict with existing GenericMetadata
types follow the guidelines for the "Specification Required" policy as
defined in <xref target="RFC5226"/>. The Version field in the registry
is set to "-1" (negative one) for non-standard GenericMetadata
types.</t>
<t>As with the initial GenericMetadata types defined in <xref
target="property-objects"/>, future GenericMetadata type registrations
will specify the information necessary for constructing and decoding
the GenericMetadata object. This information includes the list of
properties contained within the GenericMetadata object, and for each
property, the specification should include a description, a type, and
whether or not the given property is mandatory-to-specify.</t>
<t>Any document which defines a new GenericMetadata has to:<list
style="numbers">
<t>Allocate a new type in the <xref target="IANA">GenericMetadata
Type Registry</xref>. Generic Metadata types should be descriptive
and may be hierarchnical to support aggregating groups of
properties for the purpose of readability and for avoiding
conflicts between vendor defined extensions. A dotted
alpha-numeric notation is suggested for human readability.</t>
<t>Define the set of properties associated with the new type.</t>
<t>For each property, define a name, description, type, and
whether or not the property is mandatory-to-specify.</t>
<t>Specify whether or not the new type is "mandatory-to-enforce"
(vs optional-to-enforce).</t>
<t>Describe the semantics of the new type including its purpose
and example of a use case to which it applies.</t>
</list></t>
<section title="GenericMetadata Sub-Registries">
<t>Some of the initial standard GenericMetadata objects contain
enumerated types which require registration (i.e., LocationACL
footprint types, ProtocolACL protocols, and Auth protocols). The
following sections define the initial values for these
GenericMetadata type sub-registries.</t>
<section anchor="FootprintReg" title="Footprint Sub-Registry">
<t>The IANA is requested to create a new "CDNI Metadata
Footprint Types" sub-registry under the "CDNI
GenericMetadata Types" registry.
The "CDNI Metadata Footprint Types" namespace defines the valid
Footprint object type values used by the Footprint object in <xref
target="Footprint"/>. Additions to the Footprint type namespace
conform to the "Expert Review" policy as defined in <xref
target="RFC5226"/>. The expert review should verify that new type
definitions do not duplicate existing type definitions and prevent
gratuitous additions to the namespace.</t>
<t>The following table defines the initial Footprint type
values:</t>
<texttable>
<ttcol align="left">Type name</ttcol>
<ttcol align="left">Description</ttcol>
<ttcol align="left">Specification</ttcol>
<c>IPv4CIDR</c>
<c>IPv4 address block using slash prefix length notation (e.g.,
192.168.0.16/28). Single IP addresses can be expressed as
/32.</c>
<c>RFCthis</c>
<c>IPv6CIDR</c>
<c>IPv6 address block using slash prefix length notation (e.g.,
fc80::0010/124). Single IP addresses can be expressed as
/128.</c>
<c>RFCthis</c>
<c>ASN</c>
<c>Autonomous System (AS) Number</c>
<c>RFCthis</c>
<c>CountryCode</c>
<c>ISO 3166-1 alpha-2 code</c>
<c>RFCthis</c>
</texttable>
</section>
<section anchor="ProtocolReg" title="Protocol Sub-Registry">
<t>The IANA is requested to create a new "CDNI Metadata
Protocols" sub-registry under the "CDNI
GenericMetadata Types" registry.
The "CDNI Metadata Protocols" namespace defines the valid
Protocol object values in <xref target="Protocol"/>, used by the
SourceMetadata and ProtocolACL objects. Additions to the Protocol
namespace conform to the "Expert Review" policy as defined in
<xref target="RFC5226"/>. The expert review should verify that new
protocol definitions do not duplicate existing protocol
definitions and prevent gratuitous additions to the namespace.</t>
<t>The following table defines the initial Protocol values:</t>
<texttable>
<ttcol align="left">Protocol</ttcol>
<ttcol align="left">Description</ttcol>
<ttcol align="left">Specification</ttcol>
<c>HTTP</c>
<c>Hypertext Transfer Protocol -- HTTP/1.1</c>
<c>RFC2616</c>
<c>HTTPS</c>
<c>HTTP Over TLS</c>
<c>RFC2818</c>
<c>RTSP</c>
<c>Real Time Streaming Protocol</c>
<c>RFC2326</c>
<c>RTMP</c>
<c>Real-Time Messaging Protocol</c>
<c>http://www.adobe.com/devnet/rtmp.html</c>
<c>FTP</c>
<c>FILE TRANSFER PROTOCOL</c>
<c>RFC959</c>
<c>SFTP</c>
<c>SSH File Transfer Protocol</c>
<c>N/A</c>
<c>SCP</c>
<c>Secure Copy</c>
<c>N/A</c>
<c>fasp</c>
<c>Aspera fast, adaptive, secure protocol</c>
<c>N/A</c>
</texttable>
</section>
<section anchor="AuthReg" title="Authentication Type Sub-Registry">
<t>The IANA is requested to create a new "CDNI Metadata
Auth Types" sub-registry under the "CDNI
GenericMetadata Types" registry.
The "CDNI Metadata Auth Type" namespace defines the valid Auth
object types used by the Auth object in <xref target="Auth"/>.
Additions to the Auth Type namespace conform to the "Expert Review"
policy as defined in <xref target="RFC5226"/>. The expert review
should verify that new type definitions do not duplicate existing
type definitions and prevent gratuitous additions to the
namespace.</t>
<t>The following table defines the initial Auth type values:</t>
<texttable>
<ttcol align="left">Type</ttcol>
<ttcol align="left">Description</ttcol>
<ttcol align="left">Specification</ttcol>
<c>CredentialAuth</c>
<c>Simple username and password authentication as defined by
<xref target="CredentialAuth"/>.</c>
<c>RFCthis</c>
</texttable>
</section>
</section>
</section>
</section>
<section anchor="Security" title="Security Considerations">
<t>An implementation of the CDNI Metadata interface MUST support
TLS transport as per <xref target="RFC2818"/> for message
confidentiality and mutual authentication. An implementation of
the CDNI Metadata interface MUST support the
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite
(<xref target="RFC2818"/>). An implementation of the CDNI
Metadata interface SHOULD prefer cipher suites which suppport
perfect forward secrecy over cipher suites that do not.</t>
<section anchor="SecurityAuthentication" title="Authentication">
<t>Unauthorized access to metadata could result in denial of
service. A malicious metadata server could provide metadata
to a dCDN that denies service for one or more pieces of content
to one or more user agents. A malicious metadata server could
also provide metadata directing dCDNs to malicious origin
servers instead of the actual origin servers. A malicious
client could continuously issue large metadata requests to
overload the uCDN metadata server.</t>
<t>Unauthorized access to metadata could result in leakage of
private information. A malicious metadata client could
request metadata in order to gain access to origin servers, as
well as information pertaining to content restrictions.</t>
<t>An implementation of the CDNI Metadata interface SHOULD use
mutual authentication to prevent unauthorized access to metadata.</t>
</section>
<section anchor="SecurityConfidentiality" title="Confidentiality">
<t>Unauthorized viewing of metadata could result in leakage of
private information. A third party could intercept metadata
transactions in order to gain access to origin servers, as
well as information pertaining to content restrictions.</t>
<t>An implementation of the CDNI Metadata interface SHOULD use
strong encryption to prevent unauthorized viewing of metadata.</t>
</section>
<section anchor="SecurityIntegrity" title="Integrity">
<t>Unauthorized modification of metadata could result in denial of
service. A malicious proxy server could modify metadata destined
to a dCDN in order to deny service for one or more pieces of content
to one or more user agents. A malicious proxy server could
also modify metadata directing dCDNs to malicious origin
servers instead of the actual origin servers.</t>
<t>An implementation of the CDNI Metadata interface SHOULD use
strong encryption and mutual authentication to prevent
unauthorized modification of metadata.</t>
</section>
<section anchor="SecurityPrivacy" title="Privacy">
<t>Content provider origin and policy information is conveyed
through the CDNI Metadata interface. The distribution of
this information to another CDN introduces potential content
provider privacy protection concerns.</t>
<t>The use of TLS for transport of the CDNI Metadata as
discussed above protects the confidentiality of content
metadata by preventing any party other than the authorized
dCDN from gaining access to content metadata.</t>
</section>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>The authors would like to thank David Ferguson and Francois Le
Faucheur for their valuable comments and input to this document.</t>
</section>
<section title="Contributing Authors">
<t>[RFC Editor Note: Please move the contents of this section to the
Authors' Addresses section prior to publication as an RFC.]</t>
<t><figure>
<artwork><![CDATA[Grant Watson
Velocix (Alcatel-Lucent)
3 Ely Road
Milton, Cambridge CB24 6AA
UK
Email: gwatson@velocix.com
Kent Leung
Cisco Systems
3625 Cisco Way
San Jose, 95134
USA
Email: kleung@cisco.com
]]></artwork>
</figure></t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2617" ?>
<?rfc include="reference.RFC.5226" ?>
<?rfc include="reference.RFC.4291" ?>
<?rfc include="reference.RFC.2818" ?>
<?rfc include="reference.RFC.5952" ?>
</references>
<references title="Informative References">
<?rfc include="reference.I-D.ietf-cdni-requirements"?>
<?rfc include="reference.I-D.ietf-cdni-framework"?>
<?rfc include="reference.RFC.6707" ?>
<?rfc include="reference.RFC.3986" ?>
<?rfc include="reference.I-D.ietf-cdni-redirection"?>
<reference anchor="XML-BASE">
<front>
<title>XML Base (Second Edition) -
http://www.w3.org/TR/xmlbase/</title>
<author fullname="Jonathan" initials="J" role="editor"
surname="Marsh">
<organization/>
</author>
<author fullname="Richard" initials="R" role="editor"
surname="Tobin">
<organization/>
<address>
<postal>
<street/>
<city/>
<region/>
<code/>
<country/>
</postal>
<phone/>
<facsimile/>
<email/>
<uri/>
</address>
</author>
<date day="28" month="January" year="2009"/>
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:08:24 |