One document matched: draft-ietf-rmt-fcast-03.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- $Id: draft-ietf-rmt-fcast-03.xml 64 2011-02-10 14:24:37Z roca $ -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<!-- rfc category="exp" docName="draft-ietf-rmt-fcast-03" ipr="trust200902" -->
<rfc category="exp" ipr="trust200902">
<!--
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
-->
<?xml-stylesheet type='text/xsl'
href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="no"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<front>
<title abbrev="FCAST: Scalable Object Delivery">FCAST: Scalable Object
Delivery for the ALC and NORM Protocols</title>
<author fullname="Vincent Roca" initials="V." surname="Roca">
<organization>INRIA</organization>
<address>
<postal>
<street>655, av. de l'Europe</street>
<street>Inovallee; Montbonnot</street>
<city>ST ISMIER cedex</city>
<code>38334</code>
<country>France</country>
</postal>
<email>vincent.roca@inria.fr</email>
<uri>http://planete.inrialpes.fr/people/roca/</uri>
</address>
</author>
<author fullname="Brian Adamson" initials="B." surname="Adamson">
<organization>Naval Research Laboratory</organization>
<address>
<postal>
<street></street>
<city>Washington, DC</city>
<code>20375</code>
<country>USA</country>
</postal>
<email>adamson@itd.nrl.navy.mil</email>
<uri>http://cs.itd.nrl.navy.mil</uri>
</address>
</author>
<date month="February" year="2011" />
<area>Transport</area>
<workgroup>RMT</workgroup>
<keyword>ALC, NORM</keyword>
<abstract>
<t>This document introduces the FCAST object (e.g., file) delivery
application on top of the ALC and NORM reliable multicast protocols.
FCAST is a highly scalable application that provides a reliable object
delivery service.</t>
</abstract>
</front>
<middle>
<!--
<t>
<list style="empty">
<t> *** Editor's note:
XXX </t>
</list>
</t>
-->
<section anchor="intro" title="Introduction">
<t>This document introduces the FCAST reliable and scalable object
(e.g., file) delivery application. Two variants of FCAST exist: <list
style="symbols">
<t>FCAST/ALC that relies on the Asynchronous Layer Coding (ALC)
<xref target="RFC5775"></xref> and the Layered Coding Transport
(LCT) <xref target="RFC5651"></xref> reliable multicast transport
protocol, and</t>
<t>FCAST/NORM that relies on the NACK-Oriented Reliable Multicast
(NORM) <xref target="RFC5740"></xref> reliable multicast
transport protocol.</t>
</list> Hereafter, the term FCAST denotes either FCAST/ALC or
FCAST/NORM.
FCAST is not a new protocol specification per se. Instead it is a set
of data format specifications and instructions on how to use ALC and
NORM to implement a file-casting service.</t>
<t>Depending on the target use case, the delivery service provided by
FCAST is more or less reliable. For instance, with FCAST/ALC used in
ON-DEMAND mode over a time period that largely exceeds the typical
download time, the service can be considered as fully reliable.
Similarly, when FCAST is used along with a session control application
that collects reception information and takes appropriate corrective
measures (e.g., a direct point-to-point retransmission of missing
packets, or a new multicast recovery session), then the service can be
considered as fully reliable. On the opposite, if FCAST operates in PUSH
mode, then the service is usually only partially reliable, and a
receiver that is disconnected during a sufficient time will perhaps not
have the possibility to download the object.</t>
<t>Depending on the target use case, the FCAST scalability is more or
less important. For instance, if FCAST/ALC is used on top of purely
unidirectional transport channels, with no feedback information at all,
which is the default mode of operation, then the scalability is maximum
since neither FCAST, nor ALC, UDP or IP generates any feedback message.
On the opposite, the FCAST/NORM scalability is typically limited by NORM
scalability itself. Similarly, if FCAST is used along with a session
control application that collects reception information from the
receivers, then this session control application may limit the
scalability of the global object delivery system. This situation can of
course be mitigated by using a hierarchy of feedback message aggregators
or servers. The details of this are out of the scope of the present
document.</t>
<t>A design goal behind FCAST is to define a streamlined solution, in
order to enable lightweight implementations of the protocol stack, and
limit the operational processing and storage requirements. A consequence
of this choice is that FCAST cannot be considered as a versatile
application, capable of addressing all the possible use-cases. On the
opposite, FCAST has some intrinsic limitations. From this point of view
it differs from FLUTE <xref target="RMT-FLUTE"></xref> which favors
flexibility at the expense of some additional complexity.</t>
<t>A good example of the design choices meant to favor the simplicity is
the way FCAST manages the object meta-data: by default, the meta-data
and the object content are sent together, in a compound object. This
solution has many advantages in terms of simplicity as will be described
later on. However, as such, it also has an intrinsic limitation since it
does not enable a receiver to decide in advance, before beginning the
reception of the compound object, whether the object is of interest or
not, based on the information that may be provided in the meta-data.
Therefore this document defines additional techniques that may be used
to mitigate this limitation. It is also possible that some use-cases
require that each receiver download the whole set of objects sent in the
session (e.g., with mirroring tools). When this is the case, the above
limitation is no longer be a problem.</t>
<section anchor="applicability" title="Applicability">
<!-- ==================================== -->
<t>FCAST is compatible with any congestion control protocol designed
for ALC/LCT or NORM. However, depending on the use-case, the data flow
generated by the FCAST application might not be constant, but instead
be bursty in nature. Similarly, depending on the use-case, an FCAST
session might be very short. Whether and how this will impact the
congestion control protocol is out of the scope of the present
document.</t>
<t>FCAST is compatible with any security mechanism designed for
ALC/LCT or NORM. The use of a security scheme is strongly RECOMMENDED
(see <xref target="security"></xref>).</t>
<t>FCAST is compatible with any FEC scheme designed for ALC/LCT or
NORM. Whether FEC is used or not, and the kind of FEC scheme used, is
to some extent transparent to FCAST.</t>
<t>FCAST is compatible with both IPv4 and IPv6. Nothing in the FCAST
specification has any implication on the source or destination IP
address.</t>
</section>
</section>
<section title="Requirements notation">
<!-- ==================================== -->
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
</section>
<section title="Definitions, Notations and Abbreviations">
<!-- ================================================= -->
<section title="Definitions">
<!-- ==================== -->
<t>This document uses the following definitions: <list hangIndent="7"
style="hanging">
<t hangText="FCAST/ALC:">denotes the FCAST application running on
top of the ALC/LCT reliable transport protocol;</t>
<t hangText="FCAST/NORM:">denotes the FCAST application running on
top of the NORM reliable transport protocol;</t>
<t hangText="FCAST:">denotes either FCAST/ALC or FCAST/NORM;</t>
<t hangText="Compound Object:">denotes an ALC or NORM transport
object composed of the Compound Object Header (<xref
target="header_format"></xref>), including any meta-data, and the
content of the original application object (e.g., a file);</t>
<t hangText="Carousel:"> denotes the process of sending
Compound Objects implemented by a FCAST sender;</t>
<t hangText="Carousel Instance:">denotes a fixed set of registered
Compound Objects that are sent by the carousel during a certain
number of cycles. Whenever Compound Objects need to be added or
removed, a new Carousel Instance is defined;</t>
<t hangText="Carousel Instance Descriptor (CID):">denotes a special
object that lists the Compound Objects that comprise a given
Carousel Instance;</t>
<t hangText="Carousel Cycle:">denotes a transmission round within
which all the Compound Objects registered in the Carousel Instance
are transmitted a certain number of times. By default, Compound
Objects are transmitted once per cycle, but higher values are
possible, that might differ on a per-object basis;</t>
<t hangText="Transmission Object Identifier (TOI):">denotes the
numeric identifier associated to a specific object by the
underlying transport layer. In the case of ALC, this corresponds
to the TOI described in that specification while for the NORM
specification this corresponds to the NormTransportId described
there.</t>
</list></t>
</section>
<section title="Abbreviations">
<!-- ====================== -->
<t>This document uses the following abbreviations: <list
hangIndent="7" style="hanging">
<t hangText="CID:">Carousel Instance Descriptor</t>
<t hangText="CIID:">Carousel Instance IDentifier</t>
<t hangText="FEC OTI:">FEC Object Transmission Information</t>
<t hangText="TOI:">Transmission Object Identifier</t>
</list></t>
</section>
</section>
<section anchor="fcast_principles" title="FCAST Principles">
<!-- ==================================== -->
<section anchor="fcast_service" title="FCAST Content Delivery Service">
<!-- ==================================== -->
<t>The basic goal of FCAST is to transmit objects to a group of
receivers in a reliable way. The receiver set MAY be restricted to a
single receiver or MAY include possibly a very large number of
receivers. FCAST is specified to support two forms of operation:<list
style="numbers">
<t>FCAST/ALC: where the FCAST application is meant to run on top
of the ALC/LCT reliable multicast transport protocol, and</t>
<t>FCAST/NORM: where the FCAST application is meant to run on top
of the NORM reliable multicast transport protocol.</t>
</list></t>
<t>This specification is designed such that both forms of operation
share as much commonality as possible.</t>
<t>While the choice of the underlying transport protocol (i.e., ALC or
NORM) and its parameters may limit the practical receiver group size,
nothing in FCAST itself limits it. The transmission might be fully
reliable, or only partially reliable depending upon the way ALC or
NORM is used (e.g., whether FEC encoding and/or NACK-based repair
requests are used or not), the way the FCAST carousel is used (e.g.,
whether the objects are made available for a long time span or not),
and the way in which FCAST itself is employed (e.g., whether there is
a session control application that might automatically extend an
existing FCAST session until all receivers have received the
transmitted content).</t>
<t>FCAST is designed to be as self-sufficient as possible, in
particular in the way object meta-data is attached to object data
content. However, for some uses, meta-data MAY also be communicated by
an out-of-band mechanism that is out of the scope of the present
document.</t>
</section>
<section anchor="meta-data_tx" title="Meta-Data Transmission">
<!-- ==================================== -->
<t>FCAST usually carries meta-data elements by prepending them to the
object it refers to. As a result, a Compound Object is created that is
composed of a header followed by the original object data. This
header is itself composed of the meta-data as well as several fields,
for instance to indicate the boundaries between the various parts of
this Compound Object (<xref target="fig_compound_obj"></xref>).</t>
<figure anchor="fig_compound_obj" title="Compound Object composition.">
<artwork align="center"><![CDATA[
<------------------------ Compound Object ----------------------->
+-------------------------+--------------------------------------+
| Compound Object Header | Object Data |
| (can include meta-data) | (can be encoded by FCAST) |
+-------------------------+--------------------------------------+
]]></artwork>
</figure>
<t>Attaching the meta-data to the object is an efficient solution,
since it guaranties that meta-data be received along with the
associated object, and it allows the transport of the meta-data to
benefit from any transport-layer erasure protection of the Compound
Object (e.g., using FEC encoding and/or NACK-based repair). However a
limit of this scheme, as such, is that a client does not know the
meta-data of an object before beginning its reception, and in case of
erasures affecting the meta-data, not until the object decoding is
completed. The details of course depend upon the transport protocol
and the FEC code used.</t>
<t>In certain use-cases, FCAST can also be associated to another
in-band (e.g., via NORM INFO messages, <xref
target="norm_specifics"></xref>) or out-of-band signaling mechanism.
In that case, this mechanism can be used in order to carry the whole
meta-data (or a subset of it), possibly ahead of time.</t>
</section>
<section anchor="meta-data_content" title="Meta-Data Content">
<!-- ==================================== -->
<t>The meta-data associated to an object can be composed of, but are
not limited to: <list style="symbols">
<t>Content-Location: the URI of the object, which gives the name
and location of the object;</t>
<t>Content-Type: the MIME type of the object;</t>
<t>Content-Length: the size of the initial object, before any
content encoding (if any). Note that this content length does not
include the meta-data nor the fixed size Compound Object
header;</t>
<t>Content-Encoding: the optional encoding of the object performed
by FCAST. If there is no Content-Encoding entry, the receiver MUST
assume that the object is not encoded (default). The support of
gzip encoding, or any other solution, remains optional.</t>
<t>Content-MD5: the MD5 message digest of the object in order to
check its integrity. Note that this digest is meant to protect
from transmission and processing errors, not from deliberate
attacks by an intelligent attacker. Note also that this digest
only protects the object, not the header, and therefore not the
meta-data. A separate checksum is provided to that purpose (<xref
target="header_format"></xref>);</t>
<t>a digital signature for this object;</t>
</list></t>
<t>This list is not limited and new meta-data information can be
added. For instance, when dealing with very large objects (e.g., that
largely exceed the working memory of a receiver), it can be
interesting to split this object into several sub-objects (or slices).
When this happens, the meta-data associated to each sub-object MUST
include the following entries: <list style="symbols">
<t>Fcast-Obj-Slice-Nb: the total number of slices. A value
strictly greater than 1 indicates that this object is the result
of a split of the original object;</t>
<t>Fcast-Obj-Slice-Idx: the slice index (in the {0 .. SliceNb - 1}
interval);</t>
<t>Fcast-Obj-Slice-Offset: the offset at which this slice starts
within the original object;</t>
</list></t>
<t>When meta-data elements are communicated out-of-band, in advance of
data transmission, the following pieces of information MAY also be
useful: <list style="symbols">
<t>TOI: the Transmission Object Identifier (TOI) of the object
(<xref target="object_id"></xref>), in order to enable a receiver
to easily associate the meta-data to the object;</t>
<t>FEC Object Transmission Information (FEC OTI). In this case the
FCAST sender does not need to use the optional EXT_FTI mechanism
of the ALC or NORM protocols.</t>
</list></t>
</section>
<section anchor="carousel" title="Carousel Transmission">
<!-- ==================================== -->
<t>A set of FCAST Compound Objects scheduled for transmission are
considered a logical "Carousel". A given "Carousel Instance" is
comprised of a fixed set of Compound Objects. Whenever the FCAST
application needs to add new Compound Objects to, or remove old
Compound Objects from the transmission set, a new Carousel Instance is
defined since the set of Compound Objects changes.
Because of the native object multiplexing capability of both ALC and NORM,
sender and receiver(s) are both capable to multiplex and demultiplex
FCAST Compound Objects.</t>
<t>For a given Carousel Instance, one or more transmission cycles are
possible. During each cycle, all of the Compound Objects comprising
the Carousel are sent. By default, each object is transmitted once per
cycle. However, in order to allow different levels of priority, some
objects MAY be transmitted more often that others during a cycle,
and/or benefit from higher FEC protection than others. This can be the
case for instance for the CID objects (<xref target="cio"></xref>). For
some FCAST usage (e.g., a unidirectional "push" mode), a Carousel
Instance may be associated to a single transmission cycle. In other
cases it may be associated to a large number of transmission cycles
(e.g., in "on-demand" mode, where objects are made available for
download during a long period of time).</t>
</section>
<section anchor="cio" title="Carousel Instance Descriptor Special Object">
<!-- ==================================== -->
<t>The FCAST sender CAN transmit an OPTIONAL Carousel Instance Descriptor
(CID). The CID carries the list of the Compound Objects that are part
of a given Carousel Instance, by specifying their respective
Transmission Object Identifiers (TOI). However the CID does not
describe the objects themselves (i.e., there is no meta-data).
Additionally, the CID MAY include a "Complete" flag that is used to
indicate that no further modification to the enclosed list will be
done in the future. Finally, the CID MAY include a Carousel Instance
ID that identifies the Carousel Instance it pertains to. These aspects
are discussed in <xref target="carousel_instance_descr"></xref>.</t>
<t>There is no reserved TOI value for the CID Compound Object itself, since
this special object is regarded by ALC/LCT or NORM as a standard object.
On the opposite, the nature of this object (CID) is indicated by means of a
specific Compound Object header field (the "I" flag) so that it can be
recognized and processed by the FCAST application as needed. A direct
consequence is the following: since a receiver does not know in
advance which TOI will be used for the following CID (in case of a
dynamic session), he MUST NOT filter out packets that are not in the
current CID's TOI list. Said differently, the goal of CID is not to
setup ALC or NORM packet filters (this mechanism would not be secure
in any case).</t>
<t>The use of a CID remains optional. If it is not used, then the
clients progressively learn what files are part of the carousel
instance by receiving ALC or NORM packets with new TOIs. However using
a CID has several benefits: <list style="symbols">
<t>When the "Complete" flag is set (if ever), the receivers know
when they can leave the session, i.e., when they have received all
the objects that are part of the last carousel instance of this
delivery session;</t>
<t>In case of a session with a dynamic set of objects, the sender
can reliably inform the receivers that some objects have been
removed from the carousel with the CID. This solution is more
robust than the "Close Object flag (B)" of ALC/LCT since a client
with an intermittent connectivity might loose all the packets
containing this B flag. And while NORM provides a robust object
cancellation mechanism in the form of its NORM_CMD(SQUELCH)
message in response to receiver NACK repair requests, the use of
the CID provides an additional means for receivers to learn of
objects for which it is futile to request repair;</t>
<t>The TOI equivalence (<xref target="object_id"></xref>) can be
signaled with the CID. This is often preferable to the alternative
solution where the equivalence is identified by examining the
object meta-data, especially in case of erasures.</t>
</list></t>
<t>During idle periods, when the carousel instance does not contain
any object, a CID with an empty TOI list MAY be transmitted. In that
case, a new carousel instance ID MUST be used to differentiate this
(empty) carousel instance from the other ones. This mechanism can be
useful to inform the receivers that: <list style="symbols">
<t>all the previously sent objects have been removed from the
carousel. It therefore improves the FCAST robustness even during
"idle" period;</t>
<t>the session is still active even if there is currently no
content being sent. Said differently, it can be used as a
heartbeat mechanism. If the "Complete" flag has not been set, it
implicitly informs the receivers that new objects MAY be sent in
the future;</t>
</list></t>
<t>The decisions of whether a CID should be used or not, how often and
when a CID should be sent, are left to the sender and depend on many
parameters, including the target use case and the session dynamics.
For instance it may be appropriate to send a CID at the beginning of
each new carousel instance, and then periodically. These operational
aspects are out of the scope of the present document.</t>
</section>
<section anchor="object_id" title="Compound Object Identification">
<!-- ==================================== -->
<t>The FCAST Compound Objects are directly associated with the
object-based transport service that the ALC and NORM protocols
provide. In each of these protocols, the messages containing transport
object content are labeled with a numeric transport object identifier
(i.e., the ALC TOI and the NORM NormTransportId). For the purposes of
this document, this identifier in either case (ALC or NORM) is
referred to as the TOI.
<!--
The FCAST Compound Object Header
meta-data can include an attribute that identifies the given object's
TOI. Additionally, the CID lists objects for the applicable Carousel
Instance by using the TOI.
--></t>
<t>There are several differences between ALC and NORM: <list
style="symbols">
<t>the ALC use of TOI is rather flexible, since several TOI field
sizes are possible (from 16 to 112 bits), since this size can be
changed at any time, on a per-packet basis, and since the TOI
management is totally free as long as each object is associated to
a unique TOI (if no wraparound happened);</t>
<t>the NORM use of TOI is more directive, since the TOI field is
16 bit long and since TOIs MUST be managed sequentially;</t>
</list></t>
<t>In both NORM and ALC, it is possible that the transport
identification space may eventually wrap for long-lived sessions
(especially with NORM where this phenomenon is expected to happen more
frequently). This can possibly introduce some ambiguity in FCAST
object identification if a sender retains some older objects in newer
Carousel Instances with updated object sets.
<!-- Thus, when an updated
object set, for a new Carousel Instance, would transport identifiers
that exceed one-half of the TOI sequence space (or otherwise exceed
the sender repair window capability in the case of NORM), it MAY be
necessary to re-enqueue old objects within the Carousel with new TOI
to stay within transport identifier limits. -->
To avoid ambiguity
the active TOIs (i.e., the TOIs corresponding to objects being
transmitted) can only occupy half of the TOI sequence space. If an
old object, whose TOI has fallen outside the current window, needs to
be transmitted again, a new TOI must be used for it.
In case of NORM, this
constraint limits to 32768 the maximum number of objects that can be
part of any carousel instance. In order to allow receivers to properly
combine the transport packets with a newly-assigned TOI to those of
associated to the previously-assigned TOI, a mechanism is required to
equate the objects with the new and the old TOIs.</t>
<t>The preferred mechanism consists in signaling, within the CID, that
the newly assigned TOI, for the current Carousel Instance, is
equivalent to the TOI used within a previous Carousel Instance. By
convention, the reference tuple for any object is the {TOI; CI ID}
tuple used for its first transmission within a Carousel Instance. This
tuple MUST be used whenever a TOI equivalence is provided.</t>
<t>An alternative solution, when meta-data can be processed rapidly
(e.g., by using NORM-INFO messages), consists for the receiver in
identifying that both objects are the same, after examining the
meta-data. The receiver can then take appropriate measures.</t>
</section>
<section anchor="alc_specifics"
title="FCAST/ALC Additional Specificities">
<!-- ==================================== -->
<t>There are no additional detail or option for FCAST/ALC
operation.</t>
</section>
<section anchor="norm_specifics"
title="FCAST/NORM Additional Specificities">
<!-- ==================================== -->
<t>The NORM Protocol provides a few additional capabilities that can
be used to specifically support FCAST operation:</t>
<t><list style="numbers">
<t>The NORM_INFO message can convey "out-of-band" content with
respect to a given transport object. With FCAST, it MAY be used to
provide to the receivers a new, associated, Compound Object which
contains the main Compound Object meta-data, or a subset of it.
In that case the NORM_INFO Compound Object MUST NOT contain any
Object Data field (i.e., it is only
composed of the header), it MUST feature a non global checksum, and
it MUST NOT include any padding field. The main Compound
Object MUST in any case contain the whole meta-data (e.g., because
a receiver MAY not support the NORM_INFO facility). Additionally, the
meta-data entries contained in the NORM_INFO MUST be identical to
the same entries in the main Compound Object. Finally, note that
the availability of NORM_INFO for a given object is signaled
through the use of a dedicated flag in the NORM_DATA message
header. Along with NORM's NACK-based repair request signaling, it
allows a receiver to quickly (and independently) request an
object's NORM_INFO content. However, a limitation here is that the
NORM_INFO Compound Object header MUST fit within the byte size
limit defined by the NORM sender's configured "segment size"
(typically a little less than the network MTU);</t>
<t>The NORM_CMD(SQUELCH) messages are used by the NORM protocol
sender to inform receivers of objects that have been canceled when
receivers make repair requests for such invalid objects. Along
with the CID mechanism, a receiver has two efficient and reliable
ways to discover old objects that have been removed from the
carousel instance;</t>
<t>NORM also supports an optional positive acknowledgment
mechanism that can be used for small-scale multicast receiver
group sizes. Also, it may be possible in some cases for the sender
to infer, after some period without receiving NACKs at the end of
its transmission that the receiver set has fully received the
transmitted content. In particular, if the sender completes its
end-of-transmission series of NORM_CMD(FLUSH) messages without
receiving repair requests from the group, it may have some
assurance that the receiver set has received the content prior to
that point. These mechanisms are likely to help FCAST in achieving
fully reliable transmissions;</t>
</list></t>
<t>It should be noted that the NORM_INFO message header may carry
the EXT_FTI extension. The reliable delivery of the NORM_INFO content
allows the individual objects' FEC Transmission Information to be
provided to the receivers without burdening every packet (i.e.
NORM_DATA messages) with this additional, but important, content.
Examples are provided in <xref target="fcast_exple"></xref>.</t>
</section>
<section anchor="sender_behavior" title="FCAST Sender Behavior">
<!-- ==================================== -->
<t>The following operations MAY take place at a sender: <list
style="numbers">
<t>The user (or another application) selects a set of objects
(e.g., files) to deliver and submits them, along with their
meta-data, to the FCAST application;</t>
<t>For each object, FCAST creates the Compound Object and
registers this latter in the carousel instance;</t>
<t>The user then informs FCAST that all the objects of the set
have been submitted. If the user knows that no new object will be
submitted in the future (i.e., if the session's content is now
complete), the user informs FCAST. Finally, the user specifies how
many transmission cycles are desired (this number may be
infinite);</t>
<t>At this point, the FCAST application knows the full list of
Compound Objects that are part of the Carousel Instance and can
create a CID if desired, possibly with the complete flag set;</t>
<t>The FCAST application can now define a transmission schedule of
these Compound Objects, including the optional CID. This schedule
defines in which order the packets of the various Compound Objects
should be sent. This document does not specify any scheme. This is
left to the developer within the provisions of the underlying ALC
or NORM protocol used and the knowledge of the target
use-case.</t>
<t>The FCAST application then starts the carousel transmission,
for the number of cycles specified. Transmissions take place
until: <list style="symbols">
<t>the desired number of transmission cycles has been reached,
or</t>
<t>the user wants to prematurely stop the transmissions,
or</t>
<t>the user wants to add one or several new objects to the
carousel, or on the opposite wants to remove old objects from
the carousel. In that case a new carousel instance must be
created.</t>
</list></t>
<t>If the session is not finished, then continue at Step 1
above;</t>
</list></t>
</section>
<section anchor="receiver_behavior" title="FCAST Receiver Behavior">
<!-- ==================================== -->
<t>The following operations MAY take place at a receiver: <list
style="numbers">
<t>The receiver joins the session and collects incoming
packets;</t>
<t>If the header portion of a Compound Object is entirely received
(which may happen before receiving the entire object with some
ALC/NORM configurations), or if the meta-data is sent by means of
another mechanism prior to the object, the receiver processes the
meta-data and chooses to continue to receive the object content or
not;</t>
<t>When a Compound Object has been entirely received, the receiver
processes the header, retrieves the object meta-data, perhaps
decodes the meta-data, and processes the object accordingly;</t>
<t>When a CID is received, which is indicated by the 'C' flag set
in the Compound Object header, the receiver decodes the CID, and
retrieves the list of objects that are part of the current
carousel instance. This list CAN be used to remove objects sent in
a previous carousel instance that might not have been totally
decoded and that are no longer part of the current carousel
instance;</t>
<t>When a CID is received, the receiver also retrieves the list of
TOI equivalences, if any, and takes appropriate measures, for
instance by informing the transport layer;</t>
<t>When a receiver has received a CID with the "Complete" flag
set, and has successfully received all the objects of the current
carousel instance, it can safely exit from the current FCAST
session;</t>
<t>Otherwise continue at Step 2 above.</t>
</list></t>
</section>
</section>
<section anchor="fcast_specifications" title="FCAST Data Formats">
<!-- ==================================== -->
<t>This section details the various data formats used by FCAST.</t>
<section anchor="header_format" title="Compound Object Header Format">
<!-- ==================================== -->
<t>In an FCAST session, Compound Objects are constructed by prepending
the Compound Object Header (which may include meta-data) before the
original object data content (<xref
target="header_with_md_format"></xref>).</t>
<figure anchor="header_with_md_format"
title="Compound Object Header with Meta-Data.">
<artwork align="center"><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^
|Ver| Resvd |G|C| MDFmt | MDEnc | Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Compound Object Header Length | h
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| d
| Object Meta-Data (optional, variable length) | r
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | Padding (optional) | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v
| |
. Object Data (optional, variable length) .
. .
. .]]></artwork>
</figure>
<t>The Compound Object Header fields are:</t>
<texttable>
<ttcol align="right" width="15%">Field</ttcol>
<ttcol align="left">Description</ttcol>
<c>Version</c>
<c>2-bit field that MUST be set to 0 in this specification and indicates
the protocol version number.</c>
<c>Reserved</c>
<c>4-bit field that MUST be set to 0 in this specification and is reserved for
future use. Receivers MUST ignore this field.</c>
<c>G</c>
<c>1-bit field that, when set to 1, indicates that the checksum
encompasses the whole Compound Object (Global checksum). When set to
0, this field indicates that the checksum encompasses only the
Compound Object header.</c>
<c>C</c>
<c>1-bit field that, when set to 1, indicates the object is a
Carousel Instance Descriptor (CID). When set to 0, this field indicates
that the transported object is a standard object.</c>
<c>Meta-Data Format (MDFmt)</c>
<c>4-bit field that defines the format of the object meta-data (see
<xref target="iana"></xref>). An HTTP/1.1 metainformation format
<xref target="RFC2616"></xref> MUST be supported and is associated
to value 0. Other formats (e.g., XML) MAY be defined in the
future.</c>
<c>Meta-Data Encoding (MDEnc)</c>
<c>4-bit field that defines the optional encoding of the Object
Meta-Data field (see <xref target="iana"></xref>). By default, a
plain text encoding is used and is associated to value 0. Gzip
encoding MUST also be supported and is associated to value 1. Other
encodings MAY be defined in the future.</c>
<c>Checksum</c>
<c>16-bit field that contains the checksum computed over either the
whole Compound Object (when G is set to 1), or over the Compound
Object header (when G is set to 0), using the Internet checksum
algorithm specified in <xref target="RFC1071"/>.
More precisely, the checksum field is the 16-bit
one's complement of the one's complement sum of all 16-bit words to
be considered. If a segment contains an odd number of octets to be
checksummed, the last octet is padded on the right with zeros to
form a 16-bit word for checksum purposes (this pad is not
transmitted). While computing the checksum, the checksum field
itself is set to zero.</c>
<c>Compound Object Header Length</c>
<c>32-bit field indicating total length (in bytes) of all fields of
the Compound Object Header, except the optional padding. A header
length field set to value 8 means that there is no meta-data
included. When this size is not multiple to 32-bits words and when
the Compound Object Header is followed by a non null Compound Object Data,
padding MUST be added. It should be noted that the meta-data field maximum
size is equal to (2^32 - 8) bytes.</c>
<c>Object Meta-Data</c>
<c>Optional, variable length field that contains the meta-data
associated to the object.
The format and encoding of this field is defined by the MDFmt MDEnc
fields.
With the default HTTP/1.1 format and plain text encoding, the Meta-Data
is NULL-terminated plain text that follows the "TYPE" ":" "VALUE" "<CR-LF>"
format used in HTTP/1.1 for metainformation <xref target="RFC2616"></xref>.
The various meta-data items can appear in any order. The associated
string, when non empty, MUST be NULL-terminated. When no meta-data
is communicated, this field MUST be empty and the
Compound Object Header Length MUST be equal to 8.</c>
<c>Padding</c>
<c>Optional, variable length field of zero-value bytes to align the
start of the Object Data to 32-bit boundary. Padding is only
used when the Compound Object Header Length value, in bytes, is not
multiple of 4 and when the Compound Object Header is followed by
non null Compound Object Data.</c>
</texttable>
<t>The Compound Object Header is then followed by the Object Data,
i.e., the original object possibly encoded by FCAST. Note that the
length of this content is the transported object length (e.g., as
specified by the FEC OTI) minus the Compound Object Header Length
and optional padding if any.</t>
</section>
<section anchor="carousel_instance_descr"
title="Carousel Instance Descriptor Format">
<!-- ==================================== -->
<t>The format of the CID, which is a special Compound Object, is
given in <xref target="cid_format"></xref>.</t>
<figure anchor="cid_format" title="Carousel Instance Object Format.">
<artwork align="center"><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^
|Ver| Resvd |G|C| MDFmt | MDEnc | Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Compound Object Header Length | h
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| d
| Object Meta-Data (optional, variable length) | r
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | Padding (optional) | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v
. . ^
. Object List (variable length) . |
. . o
. +-+-+-+-+-+-+-+-+ b
. | j
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v ]]></artwork>
</figure>
<t>Because the CID is transmitted as a special Compound Object, the
following CID-specific meta-data entries are defined: <list
style="symbols">
<t>Fcast-CID-Complete: when set to 1, it indicates that no new
objects in addition to the ones whose TOI are specified in this
CID, or the ones that have been specified in the previous CID(s),
will be sent in the future. Otherwise it MUST be set to 0. This
entry is optional. If absent, a receiver MUST conclude that the
session is complete.</t>
<t>Fcast-CID-ID: this entry contains the Carousel Instance IDentifier,
or CIID.
It starts from 0 and is incremented by 1 for each new carousel
instance. This entry is optional if the FCAST session consists of
a single, complete, carousel instance. In all other cases, this
entry MUST be defined. In particular, the CIID is used by the TOI
equivalence mechanism thanks to which any object is uniquely
identified, even if the TOI is updated (e.g., after re-enqueuing
the object with NORM). The Fcast-CID-ID value can also be useful
to detect possible gaps in the Carousel Instances, for instance
caused by long disconnection periods. Finally, it can also be
useful to avoid problems when TOI wrapping to 0 takes place to
differentiate the various incarnations of the TOIs if need be.</t>
</list>
The motivation for making the Fcast-CID-Complete and
Fcast-CID-ID entries optional is to simplify the simple case of
a session consisting of a single, complete, carousel instance, with
an Object List given in plain text, without any content encoding.
In that case, the CID does not need to contain any meta-data entry.</t>
<t>Additionally, the following standard meta-data entries are often
used (<xref target="meta-data_content"></xref>): <list style="symbols">
<t>Content-Length: it specifies the size of the object list,
before any content encoding (if any).</t>
<t>Content-Encoding: it specifies the optional encoding of the
object list, performed by FCAST. For instance: <figure>
<artwork align="left"><![CDATA[ Content-Encoding: gzip ]]></artwork>
</figure> indicates that the Object List field has been encoded
with gzip <xref target="RFC1952"></xref>. If there is no
Content-Encoding entry, the receiver MUST assume that the Object
List field is plain text (default). The support of gzip encoding,
or any other solution, remains optional.</t>
</list></t>
<t>An empty Object List is valid and indicates that the current
carousel instance does not include any object (<xref
target="cio"></xref>). This can be specified by using the following
meta-data entry: <figure>
<artwork align="left"><![CDATA[ Content-Length: 0 ]]></artwork>
</figure> or simply by leaving the Object List empty. In both
cases, padding MUST NOT be used and consequently the transported object
length (e.g., as specified by the FEC OTI) minus the
Compound Object Header Length equals zero.</t>
<t>The non-encoded (i.e., plain text) Object List, when non empty, is
a NULL-terminated ASCII string. It can contain two things: <list
style="symbols">
<t>a list of TOI values, and</t>
<t>a list of TOI equivalences;</t>
</list> First of all, this string can contain the list of TOIs
included in the current carousel instance, specified either as the
individual TOIs of each object, or as TOI intervals, or any
combination. The format of the ASCII string is a comma-separated list
of individual "TOI" values or "TOI_a-TOI_b" elements. This latter case
means that all values between TOI_a and TOI_b, inclusive, are part of
the list. In that case TOI_a MUST be strictly inferior to TOI_b. If a
TOI wrapping to 0 occurs in an interval, then two TOI intervals MUST
be specified, TOI_a-MAX_TOI and 0-TOI_b.</t>
<t>This string can also contain the TOI equivalences, if any. The
format is a comma-separated list of "(" newTOI "=" 1stTOI "/" 1stCIID
")" elements. Each element says that the new TOI, for the current
Carousel Instance, is equivalent to (i.e., refers to the same object
as) the provided identifier, 1stTOI, for the Carousel Instance of ID
1stCIID.</t>
<t>The ABNF specification is the following:</t>
<figure>
<artwork align="left"><![CDATA[cid-list = *(list-elem *( "," list-elem))
list-elem = toi-elem / toieq-elem
toi-elem = toi-value / toi-interval
toi-value = 1*DIGIT
toi-interval = toi-value "-" toi-value
; additionally, the first toi-value MUST be
; strictly inferior to the second toi-value
toieq-elem = "(" toi-value "=" toi-value "/" ciid-value ")"
ciid-value = 1*DIGIT
DIGIT = %x30-39
; a digit between O and 9, inclusive]]></artwork>
</figure>
<t>For readability purposes, it is RECOMMENDED that all the TOI values
in the list be given in increasing order. However a receiver MUST be
able to handle non-monotonically increasing values. It is also
RECOMMENDED to group the TOI equivalence elements together, at the end
of the list, in increasing newTOI order. However a receiver MUST be
able to handle lists of mixed TOI and TOI equivalence elements.
Specifying a TOI equivalence for a given newTOI relieves the sender
from specifying newTOI explicitly in the TOI list. However a receiver
MUST be able to handle situations where the same TOI appears both in
the TOI value and TOI equivalence lists. Finally, a given TOI value or
TOI equivalence item MUST NOT be included multiple times in either
list.</t>
<t>For instance, the following object list specifies that the current
Carousel Instance is composed of 8 objects, and that TOIs 100 to 104
are equivalent to the TOIs 10 to 14 of Carousel Instance ID 2 and
refer to the same objects:</t>
<figure>
<artwork align="left"><![CDATA[
97,98,99,(100=10/2),(101=11/2),(102=12/2),(103=13/2),(104=14/2)
]]></artwork>
</figure>
<t>or equivalently:</t>
<figure>
<artwork align="left"><![CDATA[
97-104,(100=10/2),(101=11/2),(102=12/2),(103=13/2),(104=14/2)
]]></artwork>
</figure>
</section>
</section>
<section anchor="security" title="Security Considerations">
<!-- ==================================== -->
<!-- XXX: this section is taken from FLUTE. It is therefore very ALC centric... -->
<section anchor="pb_statement" title="Problem Statement">
<!-- ==================================== -->
<t>A content delivery system is potentially subject to attacks.
Attacks may target: <list style="symbols">
<t>the network (to compromise the routing infrastructure, e.g., by
creating congestion),</t>
<t>the Content Delivery Protocol (CDP) (e.g., to compromise the
normal behavior of FCAST), or</t>
<t>the content itself (e.g., to corrupt the objects being
transmitted).</t>
</list></t>
<t>These attacks can be launched either: <list style="symbols">
<t>against the data flow itself (e.g., by sending forged
packets),</t>
<t>against the session control parameters (e.g., by corrupting the
session description, the CID, the object meta-data, or the ALC/LCT
control parameters), that are sent either in-band or out-of-band,
or</t>
<t>against some associated building blocks (e.g., the congestion
control component).</t>
</list></t>
<t>In the following sections we provide more details on these possible
attacks and sketch some possible counter-measures.
We finally provide recommendations in <xref target="min-sec-recommendations"/>.</t>
</section>
<section anchor="attacks_against_data"
title="Attacks Against the Data Flow">
<!-- ==================================== -->
<t>Let us consider attacks against the data flow first. At least, the
following types of attacks exist: <list style="symbols">
<t>attacks that are meant to give access to a confidential object
(e.g., in case of a non-free content) and</t>
<t>attacks that try to corrupt the object being transmitted (e.g.,
to inject malicious code within an object, or to prevent a
receiver from using an object, which is a kind of Denial of
Service (DoS)).</t>
</list></t>
<section anchor="access_to_confidential_obj"
title="Access to Confidential Objects">
<!-- ==================================== -->
<t>Access control to the object being transmitted is typically
provided by means of encryption. This encryption can be done over
the whole object (e.g., by the content provider, before submitting
the object to FCAST), or be done on a packet per packet basis (e.g.,
when IPsec/ESP is used <xref target="RFC4303"></xref>, see
<xref target="min-sec-recommendations"/>).
If confidentiality is a concern, it is RECOMMENDED that one of these
solutions be used.</t>
</section>
<section anchor="obj_corruption" title="Object Corruption">
<!-- ==================================== -->
<t>Protection against corruptions (e.g., if an attacker sends forged
packets) is achieved by means of a content integrity verification/sender
authentication scheme. This service can be provided at the object
level, but in that case a receiver has no way to identify which
symbol(s) is(are) corrupted if the object is detected as corrupted.
This service can also be provided at the packet level. In this case,
after removing all corrupted packets, the file may be in some cases
recovered. Several techniques can provide this content
integrity/sender authentication service: <list style="symbols">
<t>at the object level, the object can be digitally signed,
for instance by using RSASSA-PKCS1-v1_5 <xref target="RFC3447"></xref>.
This signature enables a receiver to check the object integrity, once this
latter has been fully decoded. Even if digital signatures are
computationally expensive, this calculation occurs only once per
object, which is usually acceptable;</t>
<t>at the packet level, each packet can be digitally signed <xref target="RMT-SIMPLE-AUTH"/>.
A major limitation is the high computational and transmission
overheads that this solution requires. To avoid this
problem, the signature may span a set of packets (instead of a
single one) in order to amortize the signature calculation. But
if a single packets is missing, the integrity of the whole set
cannot be checked;</t>
<t>at the packet level, a Group Message Authentication Code
(MAC) <xref target="RFC2104"></xref><xref target="RMT-SIMPLE-AUTH"/>
scheme can be used, for
instance by using HMAC-SHA-256 with a secret key shared by all the
group members, senders and receivers. This technique creates a
cryptographically secured digest of a packet that is sent along
with the packet. The Group MAC scheme does not create
prohibitive processing load nor transmission overhead, but it
has a major limitation: it only provides a group
authentication/integrity service since all group members share
the same secret group key, which means that each member can send
a forged packet. It is therefore restricted to situations where
group members are fully trusted (or in association with another
technique as a pre-check);</t>
<t>at the packet level, Timed Efficient Stream Loss-Tolerant
Authentication (TESLA) <xref target="RFC4082"/><xref target="RFC5776"/>
is an attractive solution that is robust to losses, provides a true
authentication/integrity service, and does not create any
prohibitive processing load or transmission overhead. Yet
checking a packet requires a small delay (a second or more)
after its reception;</t>
<t> at the packet level, IPsec/ESP <xref target="RFC4303"/>
can be used to check the integrity and authenticate the sender
of all the packets being exchanged in a session
(see <xref target="min-sec-recommendations"/>).</t>
</list></t>
<t>Techniques relying on public key cryptography (digital signatures
and TESLA during the bootstrap process, when used) require that
public keys be securely associated to the entities. This can be
achieved by a Public Key Infrastructure (PKI), or by a PGP Web of
Trust, or by pre-distributing securely the public keys of each group
member.</t>
<t>Techniques relying on symmetric key cryptography (Group MAC)
require that a secret key be shared by all group members. This can
be achieved by means of a group key management protocol, or simply
by pre-distributing securely the secret key (but this manual
solution has many limitations).</t>
<t>It is up to the developer and deployer, who know the security
requirements and features of the target application area, to define
which solution is the most appropriate. In any case, whenever there
is any concern of the threat of file corruption, it is RECOMMENDED
that at least one of these techniques be used.</t>
</section>
</section>
<section anchor="attack_against_ctrl_param"
title="Attacks Against the Session Control Parameters and Associated Building Blocks">
<!-- ==================================== -->
<t>Let us now consider attacks against the session control parameters
and the associated building blocks. The attacker has at least the
following opportunities to launch an attack: <list style="symbols">
<t>the attack can target the session description,</t>
<t>the attack can target the FCAST CID,</t>
<t>the attack can target the meta-data of an object,</t>
<t>the attack can target the ALC/LCT parameters, carried within
the LCT header or</t>
<t>the attack can target the FCAST associated building blocks,
for instance the multiple rate congestion control protocol.</t>
</list></t>
<t>The consequences of these attacks are potentially serious, since
they can compromise the behavior of content delivery system or even
compromise the network itself.</t>
<section anchor="attack_against_sdp"
title="Attacks Against the Session Description">
<!-- ==================================== -->
<t>An FCAST receiver may potentially obtain an incorrect Session
Description for the session. The consequence of this is that
legitimate receivers with the wrong Session Description are unable
to correctly receive the session content, or that receivers
inadvertently try to receive at a much higher rate than they are
capable of, thereby possibly disrupting other traffic in the
network.</t>
<t>To avoid these problems, it is RECOMMENDED that measures be taken
to prevent receivers from accepting incorrect Session Descriptions.
One such measure is the sender authentication to ensure that
receivers only accept legitimate Session Descriptions from
authorized senders. How these measures are achieved is outside the
scope of this document since this session description is usually
carried out-of-band.</t>
</section>
<section anchor="attack_against_cio"
title="Attacks Against the FCAST CID">
<!-- ==================================== -->
<t>Corrupting the FCAST CID is one way to create a Denial of Service
attack. For example, the attacker can set the "Complete" flag to
make the receivers believe that no further modification will be
done.</t>
<t>It is therefore RECOMMENDED that measures be taken to guarantee
the integrity and to check the sender's identity of the CID. To that
purpose, one of the counter-measures mentioned above (<xref
target="obj_corruption"></xref>) SHOULD be used. These measures will
either be applied on a packet level, or globally over the whole CID
object. When there is no packet level integrity verification scheme,
it is RECOMMENDED to digitally sign the CID.</t>
</section>
<section anchor="attack_against_meta_data"
title="Attacks Against the Object Meta-Data">
<!-- ==================================== -->
<t>Corrupting the object meta-data is another way to create a Denial
of Service attack. For example, the attacker changes the MD5 sum
associated to a file. This possibly leads a receiver to reject the
files received, no matter whether the files have been correctly
received or not. When the meta-data are appended to the object,
corrupting the meta-data means that the Compound Object will be
corrupted.</t>
<t>It is therefore RECOMMENDED that measures be taken to guarantee
the integrity and to check the sender's identity of the Compound
Object. To that purpose, one of the counter-measures mentioned above
(<xref target="obj_corruption"></xref>) SHOULD be used. These
measures will either be applied on a packet level, or globally over
the whole Compound Object. When there is no packet level integrity
verification scheme, it is RECOMMENDED to digitally sign the
Compound Object.</t>
<!-- XXX: how can we digitally sign a compound object? -->
</section>
<section anchor="attack_against_alc"
title="Attacks Against the ALC/LCT and NORM Parameters">
<!-- ==================================== -->
<t>By corrupting the ALC/LCT header (or header extensions) one can
execute attacks on the underlying ALC/LCT implementation. For
example, sending forged ALC packets with the Close Session flag (A)
set to one can lead the receiver to prematurely close the session.
Similarly, sending forged ALC packets with the Close Object flag (B)
set to one can lead the receiver to prematurely give up the reception
of an object. The same comments can be made for NORM.</t>
<t>It is therefore RECOMMENDED that measures be taken to guarantee
the integrity and to check the sender's identity of each ALC or NORM
packet received. To that purpose, one of the counter-measures
mentioned above (<xref target="obj_corruption"></xref>) SHOULD be
used.</t>
</section>
<section anchor="attack_against_bb"
title="Attacks Against the Associated Building Blocks">
<!-- ==================================== -->
<t>Let us first focus on the congestion control building block that
may be used in an ALC or NORM session. A receiver with an incorrect
or corrupted implementation of the multiple rate congestion control
building block may affect the health of the network in the path
between the sender and the receiver. That may also affect the
reception rates of other receivers who joined the session.</t>
<t>When congestion control is applied with FCAST, it is therefore
RECOMMENDED that receivers be required to identify themselves as
legitimate before they receive the Session Description needed to
join the session. If authenticating a receiver does not prevent this
latter to launch an attack, it will enable the network operator to
identify him and to take counter-measures. This authentication can
be made either toward the network operator or the session sender (or
a representative of the sender) in case of NORM. The details of how
it is done are outside the scope of this document.</t>
<t>When congestion control is applied with FCAST, it is also
RECOMMENDED that a packet level authentication scheme be used, as
explained in <xref target="obj_corruption"></xref>. Some of them,
like TESLA, only provide a delayed authentication service, whereas
congestion control requires a rapid reaction. It is therefore
RECOMMENDED <xref target="RFC5775"></xref> that a receiver using
TESLA quickly reduces its subscription level when the receiver
believes that a congestion did occur, even if the packet has not yet
been authenticated. Therefore TESLA will not prevent DoS attacks
where an attacker makes the receiver believe that a congestion
occurred. This is an issue for the receiver, but this will not
compromise the network.
Other authentication methods that do not feature this delayed
authentication could be preferred, or a group MAC scheme could be
used in parallel to TESLA to prevent attacks launched from outside
of the group.</t>
</section>
</section>
<section title="Other Security Considerations">
<!-- ==================================== -->
<t>Lastly, we note that the security considerations that apply to, and
are described in, ALC <xref target="RFC5775"></xref>, LCT <xref
target="RFC5651"></xref>, NORM <xref target="RFC5740"></xref>
and FEC <xref target="RFC5052"></xref> also apply to FCAST as FCAST
builds on those specifications. In addition, any security
considerations that apply to any congestion control building block
used in conjunction with FCAST also applies to FCAST. Finally, the
security discussion of <xref target="RMT-SEC"></xref> also applies
here.</t>
</section>
<section anchor='min-sec-recommendations' title='Minimum Security Recommendations'>
<!-- ==================================== -->
<t>
We now introduce a mandatory to implement but not necessarily to use security configuration,
in the sense of <xref target="RFC3365"/>.
Since FCAST/ALC relies on ALC/LCT, it inherits the "baseline secure ALC operation" of <xref target="RFC5775"/>.
Similarly, since FCAST/NORM relies on NORM, it inherits the "baseline secure NORM operation" of <xref target="RFC5740"/>.
More precisely, in both cases security is achieved by means of IPsec/ESP in transport mode.
<xref target='RFC4303'/> explains that ESP can be used to potentially provide confidentiality, data origin
authentication, content integrity, anti-replay and (limited) traffic flow confidentiality.
<xref target="RFC5775"/> specifies that the data origin authentication, content integrity and
anti-replay services SHALL be used, and that the confidentiality service is RECOMMENDED.
If a short lived session MAY rely on manual keying, it is also RECOMMENDED that an automated key management
scheme be used, especially in case of long lived sessions.
</t>
<t>
Therefore, the RECOMMENDED solution for FCAST provides per-packet security, with data origin
authentication, integrity verification and anti-replay.
This is sufficient to prevent most of the in-band attacks listed above.
If confidentiality is required, a per-packet encryption SHOULD also be used.
</t>
</section>
</section>
<section anchor="iana" title="IANA Considerations">
<!-- ==================================== -->
<section title="Namespace declaration for Object Meta-Data Format">
<!-- ==================================== -->
<t> This document requires a IANA registration for the following name-space:
"Object Meta-Data Format" (MDFmt).
Values in this namespace are 4-bit positive integers between 0 and 15 inclusive and
they define the format of the object meta-data ((see <xref target="header_format"/>).
</t>
<t> Initial values for the LCT Header Extension Type registry are defined in
<xref target="mdfmt_registration"/>.
Future assignments are to be made through Expert Review <xref target="RFC5226"/>.</t>
<section anchor="mdfmt_registration" title="Object Meta-Data Format registration">
<!-- ==================================== -->
<t> This document registers one value in the "Object Meta-Data Format" namespace as follows: </t>
<texttable>
<preamble></preamble>
<ttcol align="center">format name</ttcol>
<ttcol align="center">Value</ttcol>
<c>as per HTTP/1.1 metainformation format</c>
<c>0 (default)</c>
</texttable>
<t> All implementations MUST support format 0 (default). </t>
</section>
</section>
<section title="Namespace declaration for Object Meta-Data Encoding">
<!-- ==================================== -->
<t> This document requires a IANA registration for the following name-space:
"Object Meta-Data Encoding" (MDEnc).
Values in this namespace are 4-bit positive integers between 0 and 15 inclusive and
they define the optional encoding of the Object Meta-Data field (see <xref target="header_format"/>).
</t>
<t> Initial values for the LCT Header Extension Type registry are defined in
<xref target="mdenc_registration"/>.
Future assignments are to be made through Expert Review <xref target="RFC5226"/>.</t>
<section anchor="mdenc_registration" title="Object Meta-Data Encoding registration">
<!-- ==================================== -->
<t> This document registers two values in the "Object Meta-Data Encoding" namespace as follows: </t>
<texttable>
<preamble></preamble>
<ttcol align="center">Name</ttcol>
<ttcol align="center">Value</ttcol>
<c>plain text</c>
<c>0 (default)</c>
<c>gzip</c>
<c>1</c>
</texttable>
<t> All implementations MUST support both value 0 (plain-text, default) and value 1 (gzip).</t>
</section>
</section>
</section>
<section title="Acknowledgments">
<!-- ==================================== -->
<t>The authors are grateful to the authors of <xref
target="ALC-00"></xref> for specifying the first version of FCAST/ALC.
The authors are also grateful to Gorry Fairhurst and Lorenzo Vicisano for their valuable
comments.</t>
</section>
</middle>
<back>
<references title="Normative References">
<!-- ==================================== -->
<?rfc include='reference.RFC.2119'?>
<?rfc include='reference.RFC.5226'?>
<?rfc include='reference.RFC.1071'?>
<?rfc include='reference.RFC.5651'?>
<?rfc include='reference.RFC.5740'?>
<?rfc include='reference.RFC.5775'?>
<?rfc include='reference.RFC.1952'?>
<?rfc include='reference.RFC.2616'?>
</references>
<references title="Informative References">
<!-- ==================================== -->
<reference anchor="ALC-00">
<front>
<title>Asynchronous Layered Coding: a Scalable Reliable Multicast
Protocol</title>
<author initials="M." surname="Luby">
<organization></organization>
</author>
<author initials="G." surname="Gemmell">
<organization></organization>
</author>
<author initials="L." surname="Vicisano">
<organization></organization>
</author>
<author initials="J." surname="Crowcroft">
<organization></organization>
</author>
<author initials="B." surname="Lueckenhoff">
<organization></organization>
</author>
<date month="March" year="2000" />
</front>
</reference>
<reference anchor="RMT-FLUTE">
<front>
<title>FLUTE - File Delivery over Unidirectional Transport</title>
<author initials="T." surname="Paila">
<organization></organization>
</author>
<author initials="R." surname="Walsh">
<organization></organization>
</author>
<author initials="M." surname="Luby">
<organization></organization>
</author>
<author initials="V." surname="Roca">
<organization></organization>
</author>
<author initials="R." surname="Lehtonen">
<organization></organization>
</author>
<date month="February" year="2011" />
</front>
<seriesInfo name="Work in" value="Progress" />
</reference>
<?rfc include='reference.RFC.3365'?>
<reference anchor="RMT-SEC">
<front>
<title>Security and Reliable Multicast Transport Protocols:
Discussions and Guidelines</title>
<author initials="V." surname="Roca">
<organization></organization>
</author>
<author initials="B." surname="Adamson">
<organization></organization>
</author>
<author initials="H." surname="Asaeda">
<organization></organization>
</author>
<date month="May" year="2010" />
</front>
<seriesInfo name="Work in progress, "
value="draft-ietf-rmt-sec-discussion-05.txt" />
</reference>
<!--<?rfc include='reference.RFC.2068'?> obsoleted by 2616 -->
<?rfc include='reference.RFC.2104'?>
<?rfc include='reference.RFC.3447'?>
<?rfc include='reference.RFC.4082'?>
<?rfc include='reference.RFC.4303'?>
<?rfc include='reference.RFC.5052'?>
<?rfc include='reference.RFC.5510'?>
<?rfc include='reference.RFC.5776'?>
<reference anchor="RMT-SIMPLE-AUTH">
<front>
<title>Simple Authentication Schemes for the ALC and NORM Protocols</title>
<author initials='V.' surname='Roca'> <organization /></author>
<date month="July" year="2010"/>
</front>
<seriesInfo name="Work in progress" value="draft-ietf-rmt-simple-auth-for-alc-norm-03.txt"/>
</reference>
</references>
<section anchor="fcast_exple" title="FCAST Examples">
<!-- ==================================== -->
<section title="Basic Examples">
<!-- ==================================== -->
<figure anchor="expl_object" title="Compound Object Example.">
<artwork align="center"><![CDATA[ 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 | 0 |1|0| 0 | 0 | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 44 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
. .
. meta-data ASCII null terminated string (33 bytes) .
. .
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. .
. Object data .
. .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><xref target="expl_object"></xref> shows a regular Compound Object
where the meta-data ASCII string, in HTTP/1.1 meta-information format
(MDFmt=0) contains:</t>
<figure>
<artwork align="left"><![CDATA[
Content-Location: example.txt <CR-LF>
]]></artwork>
</figure>
<t>This string is 33 bytes long, including the NULL-termination
character. There is no gzip encoding of the meta-data (MDEnc=0) and
there is no Content-Length information either since this length can
easily be calculated by the receiver as the FEC OTI transfer length
minus the header length. Finally, the checksum encompasses the whole
Compound Object (G=1).</t>
<figure anchor="expl_no_meta-data"
title="Compound Object Example with no Meta-Data.">
<artwork align="center"><![CDATA[ 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 | 0 |1|0| 0 | 0 | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 8 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. .
. Object data .
. .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><xref target="expl_no_meta-data"></xref> shows a Compound Object
without any meta-data. The fact there is no meta-data is indicated by
the value 8 of the Compound Object Header Length field. No
padding is required.</t>
<t><xref target="expl_cio"></xref> shows an example CID object, in the
case of a static FCAST session, i.e., a session where the set of
objects is set once and for all. There is no meta-data in this
example since Fcast-CID-Complete and Fcast-CID-ID are both
implicit.</t>
<figure align="center" anchor="expl_cio"
title="Example of CID, in case of a static session.">
<artwork align="center"><![CDATA[ 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 | 0 |1|1| 0 | 0 | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 8 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
. .
. Object List string .
. .
. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t>The object list contains the following 26 byte long string, including
the NULL-termination character:</t>
<figure>
<artwork align="left"><![CDATA[
1,2,3,100-104,200-203,299
]]></artwork>
</figure>
<t>There are therefore a total of 3+5+4+1 = 13 objects in the carousel
instance, and therefore in the FCAST session. There is no meta-data
associated to this CID. The session being static and composed of a
single Carousel Instance, the sender did not feel the necessity to
carry a Carousel Instance ID meta-data.</t>
</section>
<section title="FCAST/NORM with NORM_INFO Examples">
<!-- ==================================== -->
<t>In case of FCAST/NORM, the FCAST Compound Object meta-data
(or a subset of it) can be carried as part of a NORM_INFO message,
as a new Compound Object that does not contain any Compound Object
Data. In the following example we assume that the whole meta-data
is carried in such a message for a certain Compound Object. <xref
target="expl_norm_info"></xref> shows an example NORM_INFO message
that contains the FCAST Compound Object Header and meta-data as its
payload. In this example, the first 16 bytes are the NORM_INFO base
header, the next 12 bytes are a NORM EXT_FTI header extension
containing the FEC Object Transport Information for the associated
object, and the remaining bytes are the FCAST Compound Object Header
and meta-data. Note that "padding" MUST NOT be used and that the
FCAST checksum only encompasses the Compound Object Header (G=0).</t>
<figure align="center" anchor="expl_norm_info"
title="NORM_INFO containing an EXT_FTI header extension
and an FCAST Compound Object Header">
<artwork align="center"><![CDATA[0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --
|version| type=1| hdr_len = 7 | sequence | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| source_id | n
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o
| instance_id | grtt |backoff| gsize | r
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ m
| flags | fec_id = 5 | object_transport_id | v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --
| HET = 64 | HEL = 3 | | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + f
| Transfer Length = 41 | t
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ i
| Encoding Symbol Length (E) | MaxBlkLen (B) | max_n | v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --
| 0 | 0 |0|0| 0 | 0 | Checksum | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| 41 | f
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| c
. . a
. meta-data ASCII null terminated string (33 bytes) . s
. . t
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | v
+-+-+-+-+-+-+-+-+ --]]></artwork>
</figure>
<t>The NORM_INFO message shown in <xref
target="expl_norm_info"></xref> contains the EXT_FTI header extension
to carry the FEC OTI. In this example, the FEC OTI format is that of
the Reed-Solomon FEC coding scheme for fec_id = 5 as described in
<xref target="RFC5510"></xref>. Other alternatives for providing the
FEC OTI would have been to either include it directly in the meta-data
of the FCAST Compound Header, or to include an EXT_FTI header extension to
all NORM_DATA packets (or a subset of them). Note that the NORM
"Transfer_Length" is the total length of the associated FCAST Compound
Object, i.e., 41 bytes.
</t>
<t>The FCAST Compound Object in this example does contain the same
meta-data and is formatted as in the example of <xref
target="expl_object"></xref>. With the combination of the FEC_OTI and
the FCAST meta-data, the NORM protocol and FCAST application have all
of the information needed to reliably receive and process the
associated object. Indeed, the NORM protocol provides rapid (NORM_INFO has
precedence over the associated object content), reliable delivery of
the NORM_INFO message and its payload, the FCAST Compound Object
Header.</t>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 05:36:39 |