Network Working Group                                                 A. Barbir 
Internet-Draft                                                        N. Mistry  
Expires: May 12, 2002                                                 R. Penno 
                                                               Nortel Networks

                                                                     D. Kaplan
                                                               Activia

                                                               November 12, 2001



                  A Framework for OPES End to End Data Integrity:
                        Virtual Private Content Networks (VPCN)

                           draft-barbir-opes-vpcn-00.txt

Status of this Memo
This document is an Internet-Draft and is in full conformance with all 
provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force
(IETF), its areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be
updated, replaced, or obsoleted by other documents at any time. It is
inappropriate to use Internet-Drafts as reference material or to cite them
other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow
Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on January 10, 2002.

Copyright Notice
   Copyright (C) The Internet Society (2001). All Rights Reserved.

Intellectual Property Existence
The authors are aware of the existence of intellectual property associated with
certain edge service implementations of the high level model described herein.


Barbir, et. al.               Expires May 10,2002                       Page [1]   

Internet-Draft                         VPCN                        November 2001


Abstract

In the IETF, OPES is developing a framework for a "services engine" in the
Internet to communicate with a user agent to deliver content in a format
based on user preferences while abiding by content owners' policies.

The document introduces the concept of Virtual Private Content Networks as a
layer-7 Virtual Private Network that serves as a vehicle for providing a
content integrity and trust model ensuring the delivery of content in a
network with distributed intelligence. The VPCN framework represents a trusted
closed group of entities that agree to deliver, store/cache, modify or adapt
content as specified by the rules and policies in the content profile. In a
VPCN, the content provider is a member and the owner of the VPCN. Any surrogate
or application gateway that is in the content path must be a member of the
VPCN. In a VPCN, content is distributed among members' nodes through the use
of Content Tunnels that ensure the integrity of the transport of content among
network nodes.


1. Introduction

Content Delivery is of increasing importance to the overall architecture of
the web. Content providers and content consumers are interested in value-add
services that operate on content before its delivery to the content consumer.
In the IETF, OPES is currently developing services that would be deployed in
the network, for example, at a web proxy cache between the origin server and
the client, that would transform or filter content. Examples of proposed OPES
services include assembling personalized web pages, adding user-specific
regional information to web pages, virus scanning, content adaptation for
clients with limited bandwidth, language translation, and the like [12,20].
 
Providing Edge Services has also paved the road to the use of Content Services
Overlay Networks [16], whereby the customization of the content can be
performed across service engines or Application Gateways that span multiple
networks. Content Services Overlay Networks can consist of service engines that
belong to different Authoritative Domains and that agree to cooperate to
provide value-added services on the content on behalf of Content Providers.

However, the introduction of intermediaries in the Content Path requires the
development of mechanisms that guarantee the integrity of the content in
transit in the Internet between client/intermediary,
intermediary/intermediary, and intermediary/origin server. This in turn raises
serious questions about the integrity of the content as delivered to the
consumer, and whether the content provider or content consumer authorizes the
adaptations that were performed on the content. For example, in transparent
caching a proxy server, instead of the intended server, can silently fulfill
users' requests for the content. In general, transparent caching can be
performed without the user's or the content provider's consent.

In [20], the IAB stated that the architecture of OPES type devices must
protect end-to-end data integrity by supporting end-host detection and
response to inappropriate behavior by OPES intermediaries. Certainly, the
presence of OPES type intermediaries and caches in the content path
adds intelligence within the public network, where content storage and/or
adaptation can occur. Thus, what is needed is an approach that ensures the
security, trust and integrity of content in an intelligent network. In
essence, there should be an approach that guarantees end-to-end data
integrity in a network with distributed intelligence.

In the Internet today, Virtual Private Networks (VPN) may be constructed as
Overlay Networks to ensure the integrity of packets in transit between
private networks as they span public networks (IPsec, for example). The same
concept can be extended to layer 7 to introduce Virtual Private Networks
focused on content. These networks are overlay networks permitting the
establishment of a framework for data trust and integrity at the content level.

In this regard, the document introduces the concept of Virtual Private
Content Networks (VPCN) as a layer 7 overlay network that ensures the
trust, integrity and security of content. The VPCN concept associates a
content profile or attribute with the content. The content profile determines
the rules and policies that are associated with the content as a whole or any
part that is dynamically generated. Intermediaries that deal with content
must be members of a VPCN. Intermediaries within a VPCN are treated as
extensions or authorized agents of the content source. In a VPCN, content
traverses among the members using "Content Tunnels" that ensure that
content is received only by authorized entities. In a VPCN there are
provisions that enable the content provider to verify that the intermediary is
acting on the content as specified in the content profile.

The current version of the draft uses the VPCN concept to address data
integrity for server-centric OPES or OPES type services. The emphasis is
on responses as opposed to requests. However, the concept can easily be
extended to cover requests as well.

The draft presents a vocabulary that can be used in developing Virtual
Private Content Networks and describes their core components and
relationships. Section 2 introduces the terms used for elements of a
VPCN. Section 3 explains the concept of overlay networks and how different
types of overlay network are built upon each other. The core VPCN components
and their relationships are introduced in Sections 4 and 5, followed by OPES
security considerations in Section 6.


2. Definitions and Terminology

This section provides the definitions of a number of terms used to refer to
the roles, participants, and objects involved in Virtual Private Content
Networks. The definitions are based on the OPES framework [12]. Although
the following uses many terms from RFC 2616 [4] and RFC 3040 [6],
there is no required dependency on HTTP or web caching technology.
This vocabulary is applicable to other protocols and content networks.

ACTION
An action is a form of a policy action [] that results in the execution
of a 'content service module' when the 'conditions' of a 'rule' are met.

AUTHORITATIVE DOMAIN
A logical domain in which the network elements have rights, either
delegated or inherited, to act authoritatively on behalf of a party.
This logical domain may be wholly contained within the administrative
domain [2] of the party, or it may be a collection of administrative
domains in which the party's rights have been delegated.

CACHE
A program's local store of response messages and the subsystem that
controls its message storage, retrieval, and deletion. A cache stores
cacheable responses in order to reduce the response time and network
bandwidth consumption on future, equivalent requests. Any client or
server may include a cache; however, a cache cannot be used by a server that
is acting as a tunnel.

CACHING PROXY  
A proxy with a cache, acting as a server to clients, and a client to 
servers. Caching proxies are often referred to as "proxy caches" or 
simply "caches". The term "proxy" is also frequently misused when 
referring to caching proxies.

CLIENT  
A program that establishes connections for the purpose of sending requests. 

CONDITION
A form of a policy condition [11] that is an expression which is used to
determine whether a 'rule' 'action' should be executed.

CONTENT CONSUMER 
The 'client' that is the final destination of content delivery. 

CONTENT PATH 
The content path describes the path that content requests and responses 
take through the network. Typically, content requests and responses flow 
between a client, one or more intermediaries, and a content server. 

CONTENT ATTRIBUTE
See content profile.


CONTENT PROFILE
A content profile consists of a set of elements that describe available 
variants for given content. The profile also includes policy information 
about allowable transformations, adaptations, and Digital Rights Management 
that are applicable for that content. The profile can be applicable to a 
specific piece of content, a set or class of content, or an aggregation of 
content from several locations. The profile is also applicable to dynamically 
generated content.

CONTENT SERVER
The server that delivers the content. It may be an 'origin server',
replica server, 'surrogate' or parent proxy.

CONTENT SERVICE 
A service operating on and providing a value-add to content. 

DELEGATE 
A caching proxy located near or at the network access point of the 
'user agent', delegated the authority to operate on behalf of, and 
typically working in close co-operation with a group of 'user 
agents'. 

IN-PATH
In-Path Content Services are naturally within the message path of the
application they are associated with. This may be an application proxy,
gateway, or in the extreme case, one of the end-hosts that is party to the
application.
 
INTERMEDIARY
Intermediaries are application gateway devices located in the content
path between client and origin server. 'Caching proxies' and 'surrogates'
are probably the most commonly known and used intermediaries today.

OVERLAY NETWORK 
A set of connected network elements layered onto existing underlying 
networks, and presented as a virtual application layer to both 'clients' 
and 'origin servers'. 

OUT-OF-PATH
Out-of-Path Content Services are not natively in the transport path
of an application. In other words, they are not necessarily resident
(or co-resident) on entities that are natively in the path of application
flows [18].

PDP 
See 'policy decision point'. 

PEP 
See 'policy enforcement point'. 

POLICY DECISION POINT 
A logical entity that makes policy decisions for itself or for other 
network elements that request such decisions. 

POLICY ENFORCEMENT POINT 
A logical entity that enforces policy decisions. 

SURROGATE  

A gateway co-located with an origin server, or at a different point in 
the network, delegated the authority to operate on behalf of, and 
typically working in close co-operation with, one or more origin servers.
Responses are typically delivered from an internal cache. 

Surrogates may derive cache entries from the origin server or from another 
of the origin server's delegates.  In some cases a surrogate may tunnel such
requests. 

Devices commonly known as "reverse proxies" and "(origin) server 
accelerators" are both more properly defined as surrogates. 

USER AGENT 
The client that initiates a request. These are often browsers, editors, 
spiders (web-traversing robots), or other end user tools.

VPN
See 'Virtual Private Network'.

VIRTUAL PRIVATE NETWORK
A Virtual Private Network (VPN) represents communication between a set
of sites making use of a shared network infrastructure. Multiple sites
of a private network may therefore communicate via the public infrastructure,
in order to facilitate the operation of the private network. The logical
structure of the VPN, such as addressing, topology, connectivity,
reachability and access control, is equivalent to part of or all
of a conventional private network using private facilities.


3. Content Integrity 

The Internet provides an attractive medium for the distribution of content
in electronic form. However, the ease of delivering and the ease of
manipulating information in electronic form make tracking such acts
intractable. To address these issues a model that guarantees content trust,
security and integrity must be developed. The model should create an
environment in which information cannot be stored or manipulated in the
network without the consent of the content source and/or the content consumers.

In order to provide content delivery and content services, there may be
a need to store/cache and/or adapt the content in the network in its
transit from the content source to the content consumer. In order to be able
to provide content delivery and services in a legal and trustworthy manner,
the entity that is providing the services must guarantee the following
minimum functionality:

- Content sources (owners) must be assured that their content is used and
  manipulated only in authorized ways.

- Content providers must be able to remove, update, and modify their 
  content (or variant such as OPES versions) on the fly.

- Content providers are able to maintain control over literary or 
  copyrighted assets. 

- Content providers are compensated for all uses of the content.

- Privacy rights of users of content are preserved.

- Diverse business models related to content could be implemented. 


3.1 Content Profiles

Content providers can describe, in content profiles, the list of
adaptations, modifications, cacheability rules and policies that they
authorize on their content as a whole or on any dynamically generated parts.
The content profile also includes the set of policies that they would like
to be used to determine the allowable set of modifications that could be
applied to the content.

In order to ensure content trust and integrity, a mechanism should be
developed that allows the creation of content profiles. The profiles
encapsulate information about the content and its associated policies.
This includes information such as available variants at the content source,
encoding method, and dimensions. Content profiles and policies also include
information about what is and is not allowed in terms of use or manipulation
of that content (e.g. do not allow legal documents to be translated into
another language). Furthermore, content profiles must be applicable to
static and dynamically generated content. Both static content and
dynamically generated content can be cacheable.

Content policies are an integral part of the content profile for a given 
piece of content. A content profile must encapsulate all of the information
about the content, which is needed to make any of the adaptation decisions 
required for that content. RFC 2295 provides the means for automatically 
and efficiently retrieving the best content variant from a content source 
in HTTP. This specification defines transparent content negotiation as an
extension on top of the HTTP/1.1 protocol. Ensuring the integrity of 
content in the Internet requires the development of a generalized, 
protocol-independent definition of content profiles. 

Content profiles may be stored as part of the content or as separate
entities. In this regard, there may be a need to develop appropriate
protocols that distribute and invalidate content profiles in the
network in a secure manner. The next subsection provides a brief overview
of a method [17] that content providers can use to indicate to intermediaries
the possible set of modifications that could be performed on content.

3.1.1 Content Adaptation and Validation Method

In [17], a method is proposed that enables content owners to express how
their content is to be treated as part of the content message. The method
allows for fine-grained delegation of modification rights. The method
allows any party to validate the message with respect to the owner's
intentions, even if several intermediaries are involved in the modification
process. In particular, the requester can validate the final message. The
method is friendly to caches, whereby partially modified message forms can be
cached. This is because the method separates the content from the
authorization and validation information.

3.1.1.1 Overview of the Method

In the method, the content owner specifies content as a set of parts, 
some of which are immutable and some of which are replaceable. Each part 
has permissions, and the set of parts and their permissions is the 
message "manifest", an index to the message. The content owner's signature 
on the manifest specifies his/her intentions.

In order for the owner to verifiably delegate modification rights to parts
of a message, the message must have well-defined part boundaries. This can
be accomplished by specifying byte ranges with MIME or other standards.
The manifest names each part and its hash value: a non-invertible,
collision-resistant function of every byte of the part. The modification
right for a part includes both the permitted action and the identification
of the parties authorized to perform the action. The modification rights
can be extended to specify content type, size, resolution and method.

Each party that modifies the message in accordance with the owner's
instructions must attach an action notification to the message. This
refers to the permission in the manifest, the message part, the action,
the hash of the manifest, the identity of the editor, and a signature over
these items. Because the manifest and the signed actions are separate from
the content, the content remains cacheable even in partially modified form.
The manifest concept is similar to the W3C XML Digital Signature standard.
This allows for the possibility of including information about the content
that might not be part of the current content, such as the contents
associated with a URL.

The full details of the method are given in [17]. The method separates the
content profile from the content and is a good candidate to be used as
a building block for defining content profiles that include the
rules associated with the content. It can also be used as a building block
for developing techniques that enable the content provider to verify the
operations of OPES intermediaries.
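The manifest and action-notification flow described above, as an added worked
example that is not part of this draft or of [17]: the owner hashes each part
and signs a manifest listing every part's hash and permission, an authorized
editor replaces a replaceable part and attaches a signed action notification,
and the requester validates the final message against the owner's intentions.
HMAC-SHA256 with per-party secret keys stands in for the public-key signatures
the method calls for; the part names, party names and keys are constructed.

```python
import hashlib
import hmac
import json

# Constructed per-party secret keys. HMAC-SHA256 with these keys stands in for
# the public-key signatures the method calls for (an assumption of this example).
KEYS = {"owner": b"owner-key", "localizer": b"localizer-key", "rogue": b"rogue-key"}

# Constructed sample message: three parts; only "banner" may be replaced, and
# only by the party named "localizer". Parts without a permission are immutable.
PARTS = {
    "header": b"<h1>Terms of Service</h1>",
    "body": b"The parties agree to the following terms.",
    "banner": b"<img src=promo-en.png>",
}
PERMISSIONS = {"banner": {"action": "replace", "parties": ["localizer"]}}


def digest(data: bytes) -> str:
    """Collision-resistant hash over every byte of a part."""
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialization so signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True).encode()


def sign(party: str, payload: dict) -> str:
    return hmac.new(KEYS[party], canonical(payload), hashlib.sha256).hexdigest()


def verify(party: str, payload: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(party, payload), signature)


def build_manifest(owner: str, parts: dict, permissions: dict) -> dict:
    """Owner's manifest: each part's hash and permission, signed by the owner."""
    body = {
        "owner": owner,
        "parts": {name: {"hash": digest(data), "permission": permissions.get(name)}
                  for name, data in parts.items()},
    }
    return {"body": body, "signature": sign(owner, body)}


def manifest_hash(manifest: dict) -> str:
    return digest(canonical(manifest["body"]))


def authorized(manifest: dict, part: str, action: str, party: str) -> bool:
    """Does the manifest grant 'party' the right to perform 'action' on 'part'?"""
    entry = manifest["body"]["parts"].get(part)
    perm = entry["permission"] if entry else None
    return perm is not None and action == perm["action"] and party in perm["parties"]


def apply_action(manifest, parts, notifications, editor, part, action, new_data):
    """An editor replaces a part and attaches a signed action notification.
    Content stays separate from the manifest and notifications, so the
    partially modified message remains cacheable."""
    if not authorized(manifest, part, action, editor):
        raise PermissionError(f"{editor} may not {action} {part}")
    new_parts = dict(parts)
    new_parts[part] = new_data
    note_body = {"part": part, "action": action, "editor": editor,
                 "manifest_hash": manifest_hash(manifest), "new_hash": digest(new_data)}
    note = {"body": note_body, "signature": sign(editor, note_body)}
    return new_parts, notifications + [note]


def validate(manifest, parts, notifications):
    """Requester's check of the final message. Returns (ok, reason)."""
    body = manifest["body"]
    if not verify(body["owner"], body, manifest["signature"]):
        return False, "manifest signature does not verify"
    if set(parts) != set(body["parts"]):
        return False, "part set differs from the manifest"
    # Expected hash per part: the manifest's, unless a valid notification replaced it.
    expected = {name: entry["hash"] for name, entry in body["parts"].items()}
    mh = manifest_hash(manifest)
    for note in notifications:
        nb = note["body"]
        if nb["manifest_hash"] != mh:
            return False, "notification refers to a different manifest"
        if not authorized(manifest, nb["part"], nb["action"], nb["editor"]):
            return False, f"{nb['editor']} is not authorized to {nb['action']} {nb['part']}"
        if not verify(nb["editor"], nb, note["signature"]):
            return False, f"notification signature by {nb['editor']} does not verify"
        expected[nb["part"]] = nb["new_hash"]
    for name, data in parts.items():
        if digest(data) != expected[name]:
            return False, f"part {name!r} does not match the manifest or notifications"
    return True, "ok"


def demo():
    """Authorized localization validates; a silent edit of an immutable part does not."""
    manifest = build_manifest("owner", PARTS, PERMISSIONS)
    parts, notes = apply_action(manifest, PARTS, [], "localizer", "banner", "replace",
                                b"<img src=promo-fr.png>")
    ok, _ = validate(manifest, parts, notes)
    tampered = dict(parts)
    tampered["body"] = b"The parties agree to nothing."
    bad, reason = validate(manifest, tampered, notes)
    return ok, bad, reason
```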


3.2 Content Path

The content path describes the path that content requests and responses
take through the network. In the traditional client/server Internet
end-to-end model, content requests and responses flow between the client and
the content server.

However, in an intelligent network, content requests and responses may
flow between a client, a single intermediary or group of intermediaries, and
a content server. Furthermore, for OPES [12] type intermediaries, content
requests and responses may also be directed to remote callout servers that
perform added content services. In general, there may be Policy Decision
Points (PDPs) associated with Policy Enforcement Points (PEPs) that
determine the number of intermediaries that the content path will
consist of.

To ensure content integrity and security, every intermediary in the 
content path must be authorized by the content provider to act on the
content. Content profiles can be used to enforce the rules and policies 
that are associated with that content. What is needed is a proper model 
that ensures that all the entities in the content path are entities with 
legal access to the content and its associated profiles. 

4. Content Level Overlay Networks

Overlay networks are a powerful abstraction that creates a virtual network 
of connected devices layered on an existing underlying network in order to 
provide new network functionality. The functionality can be packet based 
or content based. For example, Virtual Private Networks [19] are packet based
overlay networks that aim towards providing connectivity of multi-networks 
over the public networks. Similarly, Edge Services networks are overlay 
networks that aim towards providing content services.

In packet based VPNs, the emphasis is on transporting packets in a secure
fashion across a public medium. The level of security depends on the
tunneling mechanism that is used. This type of VPN examines the packet
headers at a given protocol layer in order to make a routing or forwarding
decision. There is no consideration of which content the packets belong to
and no attempt to relate the packets to a given content profile.

At the content level, it is possible to define Edge Networks [16] consisting
of intermediaries in the network for the delivery of content in close
proximity to the content consumer. These overlay networks create a virtual
overlay on top of IP packet networks that, via 'intermediaries', enables the
necessary network infrastructure to provide better content delivery services.

There are two forms of edge servers, the 'delegate' and the 'surrogate'.
'Delegates' are authorized-agent 'intermediaries' that act on behalf of
'clients'. Surrogates, on the other hand, are authorized-agent
'intermediaries' that act on behalf of 'origin servers'. Due to their
strategic location in the network, edge servers are ideal candidates for
performing content delivery and 'content services'.

In a similar fashion, overlay networks can be used to construct Content
Services Networks [16]. In this case, Application Gateways can be
introduced between independent end-to-end sessions to construct a specialized
form of application network overlay. Content service networks provide
services that act on content flowing through the 'content path'. Content
service networks are constrained to provide services only on the 'content
path', as opposed to general applications. For OPES type networks, content
service networks provide a mechanism for vectoring the content flow to
Application Gateways for processing. This vectoring is accomplished with
'rules' that set 'conditions' to trap on the content flowing through the
'content path'. This process is a classic example of a policy 'PEP'.


5. Virtual Private Content Networks

There are other models that can be used within the Internet for providing 
content services [16]. However, regardless of the nature of the network, 
there should exist mechanisms that allow the establishment of a trust 
model for the content. 

At the content level, the content path may traverse one or more of the
following components: Client, Delegate, Service Modules, Surrogate and
Origin Server. A proper trust model must ensure the integrity of the
content throughout the whole content path. Here, the concept of overlay
networks can be used to construct Virtual Private Content Networks (VPCN)
as an overlay network that has as members all the entities that are on the
content path. All the members of a VPCN agree to act on the content as
described in the content profile. Content profiles can be stored in a single
location or in a distributed manner in the Internet or the network.

In essence, a VPCN represents a trusted closed group of entities that agree
to deliver, store/cache, modify or adapt content as specified by the rules
and policies in the content profile. In a VPCN, the content provider is a
member and the owner of the VPCN. Any surrogate or application gateway that is
in the content path must be a member of the VPCN.

Members of a VPCN can belong to different Administrative Domains. Figure 1
depicts the construction of a VPCN as an overlay network consisting of
surrogates, service modules and content servers that belong to various
Edge Services Networks.

From Figure 1, a service module (ag) can be the broker for content from
content providers P1 and P2. In this case the 'ag' can be a member of a
content trust overlay termed VPCN-P1 with provider P1 and a member of a
content trust overlay termed VPCN-P2 with provider P2. Associated with
each VPCN would be its own set of policies and attributes. These would be
negotiated between the 'ag' service provider and the content provider.
A 'client' or 'delegate' can subscribe to become a member of the VPCNs,
either by subscribing to a default set of policies and attributes or by
negotiating a subset. In this simplified model, the VPCN has a publisher and
consumers of the content, allowing support for content push and pull models
plus the ability to enforce policies.

                                        +--------+
                                       / Client /
                                       +--------+
                                           ^
                                          /
                                         v
                       _________________(i)_______________
                      /        intermediary              /
                     / (P1)   content services          /__
        +-------+   / (P2)                             /  /    +-------+
       / Client /<->(i)  Virtual Private Content      /  /<-> / Content /
       +------+/  /       Network           (ag)     /  /    / Server /
                 /    (ag)                          /  /__  +-------+
                /___________________(i)____________/  /   /
                  /__________________________________/   /
                   /    Edge Services Network Overlay   /                          
                  /                 .                  /
                 /___________________(i)______________/   

                     Figure 1.  OPES Based VPCN Network Overlay 


The concept of VPCN enables deployment of layer 7 content networks,
independent of physical topology. Thus, the term "virtual" implies the
ability to allow a geographically distributed group of hosts to interact
and be managed at the content level as a single network without regard to
physical location. The term "private" is simply defined as a closed user
group with secure access. It is important to note here that security can
be achieved through various techniques. The choice of technique will
be based on the overlay network that delivers the content. In addition, the
choice of security is also based on the nature of the content. In some
cases, there may be a need to encrypt the data. However, in some other
cases such as live streaming sessions, the use of encryption may not
be appropriate. Data security is achieved through the use of Content
Tunnels that establish a trusted path between any two end points. The
term Content refers to layer 7 content. The VPCN concept leads to virtual
networks that provide content confidentiality, integrity, and authentication
within the content path.

5.1 VPCN Requirements

The previous sections have stated that a VPCN can be constructed as an
overlay network on top of other overlay networks such as Edge Services
Networks. When implementing a VPCN, care must be taken to ensure the
integrity of content across the content path. In this regard, it is possible
to implement a VPCN using the same techniques as Virtual Private Networks.

In general, VPNs come in various flavors. It is possible to define Layer 1
to Layer 3 VPNs. Some VPNs implement encryption techniques, while others
achieve the security of the data at the routing table level. Regardless of
how a VPCN is implemented, the following minimum characteristics must be met:

1. Confidentiality: The VPCN must ensure the privacy of content data sent
   over it and protect it from interception by eavesdroppers. Basically,
   content must be protected along the content path.

2. Authenticity: The VPCN must ensure that intermediaries accessing it are
   indeed authorized members of the VPCN community. In addition, the VPCN
   should ensure the authenticity of the data and its source, that is,
   it must ensure that senders are indeed who they say they are.

3. Integrity: The VPCN must ensure that the data received is indeed the same
   data that was transmitted, that is, it must protect data from corruption
   by transmission errors or vandals.

4. Optimized performance: The VPCN must be designed to optimize use of the
   limited bandwidth of the Internet.

5. The VPCN must be able to support protocols that allow for the delivery,
   update, and invalidation of content and content profiles.

6. Content Providers and Surrogates can belong to different VPCNs.

7. Compliance: The content source (provider) must be able to verify that the
   members of the VPCN are generating content that is compliant with the
   content profile. This can be done by using the method of Section 3.1.1 or
   through the logging of some of the users' requests and the responses.


5.2 VPCN Characteristics

This section looks at how a VPCN service can be provided. The distinguishing
characteristic of a VPCN is that packets are treated at the content layer.
In VPCNs, packets are forwarded to intermediaries that are members of the
content path. Note that VPCN operation is decoupled from the mechanisms that
are used to transport packets across the Internet.


5.2.1 VPCN Topology

The topology of a VPCN may consist of a full mesh of content tunnels between 
each VPCN node, or may be an arbitrary topology, such as a set of nodes 
connected to the nearest regional site. The regional sites may be connected 
together via a full or partial mesh. 

5.2.2 Addressing

The addressing used within a VPCN may have no relation to the addressing 
used on the IP backbone over which the VPCN is instantiated.  Multiple VPCNs 
may be instantiated over the same set of physical devices, and they may use 
the same or overlapping address spaces.

5.2.3 Forwarding

In a VPCN, forwarding of packets is performed at the content layer for a 
given content profile. Packets are forwarded at the application level to 
other OPES or non-OPES intermediaries, or to remote callout servers, based on 
the content profile. Packets are forwarded to member nodes only.

5.2.4 Multiple concurrent VPCN connectivity

A single intermediary or content provider may belong concurrently to 
multiple VPCNs and may transmit traffic onto any one or more of them.

5.3 VPCN Generic Requirements

There are a number of common requirements that any network-based VPCN 
solution must address, and a number of different mechanisms that can be 
used to meet them.  These generic requirements are:

  1. The use of a globally unique VPCN identifier in order to be able to refer 
     to a particular VPCN.

  2. VPCN membership determination. There should be a mechanism that enables 
     the VPCN nodes to determine the member nodes of that VPCN.

  3. Reachability information. VPCN nodes must be able to determine the 
     reachability of other VPCN nodes.


  4. Content tunneling mechanism.  A VPCN node must be able to construct the 
     necessary tunnels to the other member nodes of the VPCN. The nodes must 
     be able to perform content tunneling on the packets, which may include 
     the encapsulation and de-encapsulation necessary to send and receive 
     packets over the tunnels.

  5. Authentication. VPCN nodes must be able to authenticate all members of 
     the group.

  6. Accounting/billing. Members of the VPCN must be able to bill each other 
     for the services that are performed on content.

  7. Content addition and deletion. Content providers must be able to 
     inject content and its associated profile into the VPCN. Furthermore, 
     they should be able to modify or delete that content, its profile and 
     any cached dynamic content.


5.3.1 VPCN Membership Information Configuration and Dissemination

In order to establish a VPCN, or to insert new nodes into an established VPCN, 
a mechanism must exist that can perform the task either through manual 
configuration or through an appropriate VPCN auto-discovery and configuration 
protocol. 

Subscribers that want to attach to the VPCN dynamically can be added to it 
during the authentication phase. If the node is successfully authenticated 
(e.g. against a RADIUS server), the newly created node can be bound to the 
correct VPCN; a node that fails authentication is bound to nothing. Note that 
static configuration information is still needed, for example to maintain 
the list of authorized subscribers for each VPCN. Whether a particular node 
joins the VPCN dynamically or statically (through configuration), the VPCN-ID 
can be used to determine the appropriate VPCN.
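An added example of the dynamic join described above (not code from the
draft): the RADIUS exchange is replaced by a constructed challenge-response
over a per-node shared secret, and the VPCN-IDs, node names and static
subscriber lists are made up for the example. A node authenticates once, is
bound to every VPCN-ID whose static list names it (so one node can sit in
several VPCNs, as in 5.2.4), and only bound members are returned as
content-layer forwarding targets (5.2.3).

```python
"""Dynamic VPCN membership: authenticate a joining node, bind it to the
VPCN-IDs it is authorized for, and forward only to bound members.

Added example, not code from the draft. The static configuration (authorized
subscribers per VPCN-ID) and a challenge-response exchange over a per-node
shared secret stand in for the AAA backend (e.g. RADIUS) a deployment would
use. VPCN-IDs, node names and secrets are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Constructed static configuration: VPCN-ID -> authorized subscriber node IDs.
AUTHORIZED: Dict[str, Set[str]] = {
    "vpcn:news":  {"origin.news", "cache-eu-1", "cache-us-1"},
    "vpcn:video": {"origin.video", "cache-eu-1"},
}
# Constructed credentials: node ID -> shared secret. "rogue" can authenticate
# but is on no VPCN's list, so authentication alone must not grant membership.
SECRETS: Dict[str, bytes] = {
    n: secrets.token_bytes(32)
    for n in ("origin.news", "origin.video", "cache-eu-1", "cache-us-1", "rogue")
}


def node_response(node_id: str, nonce: bytes) -> bytes:
    """Client side: prove possession of the shared secret for this nonce."""
    return hmac.new(SECRETS[node_id], nonce, hashlib.sha256).digest()


class MembershipService:
    """Tracks live membership per VPCN-ID and answers forwarding queries."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {v: set() for v in AUTHORIZED}
        self._pending: Dict[str, bytes] = {}

    def challenge(self, node_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[node_id] = nonce
        return nonce

    def join(self, node_id: str, response: bytes) -> Set[str]:
        """Verify the response; on success bind the node to every VPCN whose
        static list names it. Returns the set of VPCN-IDs joined (empty on
        failure or when the node is authorized for none)."""
        nonce = self._pending.pop(node_id, None)
        secret = SECRETS.get(node_id)
        if nonce is None or secret is None:
            return set()
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return set()                       # authentication failed
        joined = {v for v, allowed in AUTHORIZED.items() if node_id in allowed}
        for v in joined:
            self.members[v].add(node_id)       # a node may sit in several VPCNs
        return joined

    def leave(self, node_id: str) -> None:
        for nodes in self.members.values():
            nodes.discard(node_id)

    def next_hops(self, vpcn_id: str, sender: str) -> Set[str]:
        """Content-layer forwarding targets: bound members of this VPCN only."""
        return self.members.get(vpcn_id, set()) - {sender}
```

The "rogue" node makes the distinction the text draws explicit: authenticating
successfully is necessary but not sufficient, and membership is decided by the
static per-VPCN subscriber list keyed by VPCN-ID.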

5.4 Contrast Packet Based and Content Based Overlay Networks

Packet based VPNs provide a mechanism for transmitting data packets in 
a secure fashion across public networks. Depending on how the VPN is 
constructed, the packet routing decisions are performed at OSI layers 1 to 3.
Packet based VPNs do not perform packet forwarding that is based on content 
type or on rules that specify required adaptations of the content.

On the other hand, VPCNs are layer 7 virtual private networks that perform 
routing decisions based solely on content types, content attributes and 
policies that relate to a given content. While the main task of a packet 
based VPN is to deliver the packets in a secure fashion, the main objective 
of a VPCN is to ensure the integrity of data at the content level. 






A VPCN can be constructed using any technology that ensures the appropriate
delivery of content between two end points in the content path in a secure
fashion. In this regard, a VPCN can be constructed as an overlay network that 
uses basic packet based VPNs.

6. VPCN and OPES Requirements for Data Integrity and Security

This section discusses the applicability of VPCN to address the requirements 
for data integrity, security and privacy for OPES.  

6.1 VPCN and OPES Content Integrity Requirements 

The VPCN framework ensures that any intermediary in the content path is a 
member of the layer 7 VPCN. The VPCN framework ensures the following content 
integrity criteria for OPES type intermediaries: 

1. OPES intermediaries can only modify content as expressly permitted by the 
   Content Provider.    
   Note: The intermediaries must still obtain the consent of the End User. 

2. OPES intermediaries have permissions from the content provider based on the 
   content profile that indicates what parts of the content can be modified and 
   what modifications are allowed. The content profile can allow different 
   permissions for different resources. 

3. The VPCN framework provides OPES intermediaries the ability to fetch the 
   content provider's content profile, which could be stored at a well-known 
   place (similar to P3P) on the Internet. Furthermore, the VPCN framework 
   allows the content provider to modify, delete or expire the content 
   profile on the fly.  

4. The VPCN framework enables the content provider to identify all 
   intermediaries that can act on the content.  Content Providers can exclude 
   certain intermediaries from performing any actions on the content by simply 
   excluding them from the VPCN.

5. In the VPCN framework, End Users can easily discover the types of 
   Intermediaries that are on the content path. This enables the development of 
   proper tools that allow the End Users to indicate what type of Intermediary  
   activities they allow.  
  
6. The VPCN framework requires the development of means to pass End User 
   Intermediaries Permissions to OPES Intermediaries as part of a resource 
   request. 

7. The VPCN framework can provide the means for either a Content Provider or End 
   User to indicate that Intermediary activity is limited to passing on the 
   request or response. 
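An added example (not code from the draft) of the permission checks in items
1, 2, 5, 6 and 7 above: a content profile lists, per resource pattern, the
modifications the provider allows; a request carries the End User's
intermediary permissions; and an adaptation is authorized only if the
intermediary is a VPCN member, the profile allows it for that resource, and
the End User has not withheld it. The profile format, the permission names,
the paths and the node names are assumptions made for this example. The last
function is the provider-side compliance check of section 5.1, item 7, run
over the adaptations a member reports having performed (item 8 of 6.3).

```python
"""Deciding whether an intermediary may perform a requested adaptation.

Added example, not code from the draft. The content profile format (a list
of resource patterns, each with the modifications the content provider
permits; an empty list means pass-through only) and the permission names are
assumptions made for this example. The End User's intermediary permissions
are modelled as a set carried with the request: None means the request
carried no restriction, an empty set means pass-through only.
"""
from fnmatch import fnmatch
from typing import List, Optional, Set

# Constructed content profile as a provider might publish it at a well-known
# location for VPCN members to fetch.
CONTENT_PROFILE: dict = {
    "vpcn_id": "vpcn:news",
    "resources": [
        {"match": "/images/*",   "allow": ["transcode-image", "resize-image"]},
        {"match": "/articles/*", "allow": ["insert-banner", "translate"]},
        {"match": "/legal/*",    "allow": []},            # pass-through only
    ],
}


def profile_permissions(profile: dict, path: str) -> Set[str]:
    """Modifications the provider allows on `path`: the first matching rule
    wins; a resource matched by no rule may not be modified at all."""
    for rule in profile["resources"]:
        if fnmatch(path, rule["match"]):
            return set(rule["allow"])
    return set()


def authorize_adaptation(profile: dict, members: Set[str], intermediary: str,
                         path: str, adaptation: str,
                         user_permits: Optional[Set[str]]) -> bool:
    """True only if the intermediary is a VPCN member, the provider's profile
    allows `adaptation` on this resource, and the End User has not withheld
    consent for it."""
    if intermediary not in members:
        return False                      # not in the VPCN at all
    if adaptation not in profile_permissions(profile, path):
        return False                      # provider does not permit it here
    if user_permits is not None and adaptation not in user_permits:
        return False                      # End User withheld consent
    return True


def audit_reported_adaptations(profile: dict, members: Set[str],
                               report: List[dict]) -> List[dict]:
    """Provider-side compliance check over adaptations an intermediary
    reported performing (each entry: intermediary, path, adaptation and the
    user_permits it saw). Returns the entries the profile did not permit."""
    return [e for e in report
            if not authorize_adaptation(profile, members, e["intermediary"],
                                        e["path"], e["adaptation"],
                                        e.get("user_permits"))]
```

Resources matched by no rule default to "no modification", so a profile that
forgets a path fails closed rather than open; the End User set is applied as
an intersection, so it can only narrow what the provider already allowed.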





6.2 VPCN and OPES End to End Data Integrity 

End to end data integrity for OPES type intermediaries is guaranteed by 
the VPCN framework. The VPCN concept provides the following:

1. The use of content tunnels among the members of the VPCN may remove the 
   need to associate digital signatures with parts or all of the content. 
   End User agents are assured of content integrity when content is served 
   from an intermediary; that assurance rests on the tunnels being 
   authenticated and on every member honoring the content profile. 

2. The VPCN framework allows the content provider to specify the rules for 
   dynamically created content. This may remove the need to create 
   temporary versions of the integrity check format for dynamically created 
   content. 

3. The VPCN framework does not preclude the development of a mechanism that 
   allows End Users (or others) to retrieve integrity checking information about 
   how the content is handled in the VPCN. 
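An added example (not code from the draft) of the integrity-checking
information in item 3: each member that adapts content appends a record with
the digest of what it received and what it produced, chained to the previous
record and authenticated with that member's key. A verifier that holds the
origin content's digest and the member keys can then confirm that the
delivered bytes are the origin's content plus exactly the recorded,
member-performed adaptations, which is what lets the tunnel-based design of
item 1 do without signatures on each part of the content. Member names, keys
and sample content are constructed.

```python
"""Integrity-checking information about how content was handled in the VPCN.

Added example, not code from the draft. Each member that adapts content
appends a record holding the digest of the content it received and of the
content it produced, chained to the previous record and authenticated with
that member's key. An End User agent or the content provider can then verify
that the delivered bytes are the origin's content plus exactly the recorded,
member-performed adaptations. Member names, keys and sample content are
constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List

# Constructed member keys (in practice shared during VPCN membership setup).
MEMBER_KEYS: Dict[str, bytes] = {
    "origin.news": secrets.token_bytes(32),
    "cache-eu-1": secrets.token_bytes(32),
}

_RECORD_FIELDS = ("node", "action", "before", "after", "prev")


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_mac(key: bytes, rec: dict) -> str:
    # Canonical JSON over the fixed field set so the MAC is reproducible.
    body = json.dumps({k: rec[k] for k in _RECORD_FIELDS}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_record(trail: List[dict], node: str, action: str,
                  received: bytes, produced: bytes) -> List[dict]:
    """Record that `node` turned `received` into `produced` by `action`."""
    rec = {"node": node, "action": action,
           "before": _digest(received), "after": _digest(produced),
           "prev": trail[-1]["mac"] if trail else ""}
    rec["mac"] = _record_mac(MEMBER_KEYS[node], rec)
    return trail + [rec]


def verify_trail(trail: List[dict], origin_content: bytes, delivered: bytes,
                 member_keys: Dict[str, bytes] = MEMBER_KEYS) -> bool:
    """True iff every record is by a known member, chains to its predecessor,
    and the before/after digests link the origin content to what was
    delivered. An empty trail verifies only if the content is unchanged."""
    expected_before = _digest(origin_content)
    prev_mac = ""
    for rec in trail:
        key = member_keys.get(rec.get("node"))
        if key is None:
            return False                                  # not a member
        if not hmac.compare_digest(_record_mac(key, rec), rec["mac"]):
            return False                                  # record forged/edited
        if rec["prev"] != prev_mac or rec["before"] != expected_before:
            return False                                  # chain broken
        expected_before, prev_mac = rec["after"], rec["mac"]
    return expected_before == _digest(delivered)
```

Dropping, reordering or editing a record breaks the chain, and a record from a
node outside the member key set is rejected. What the trail cannot show is
whether a recorded adaptation was permitted by the content profile; that is
the separate compliance check of section 6.1.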

6.3 VPCN and OPES Privacy requirements 

The VPCN framework allows all the intermediaries on the content path to 
become legal extensions of the content provider. The intermediaries must 
therefore honor the privacy policies of the content provider. These 
policies can be packaged in the content profile.

1. As a member of a VPCN, OPES Intermediaries must agree to conform to the 
   content provider Web site's W3C P3P policy as applicable to a resource.

2. The VPCN framework does not preclude Users and Content Providers from 
   defining additional privacy requirements that apply to Intermediaries in an 
   Intermediaries Privacy policy. P3P describes privacy policy end to end, but a 
   more restrictive privacy policy may be desirable at Intermediaries. The 
   Intermediaries Privacy Policy must include the ability to specify what 
   information can be recorded by Intermediaries and how it is used. 

3. The VPCN framework does not preclude the development of mechanisms for 
   OPES intermediaries to access a Content Provider's Intermediaries Privacy 
   policy. 

4. The VPCN framework does not preclude the development of a mechanism for 
   OPES Intermediaries to receive an End User's Intermediaries Privacy policy. 

5. The VPCN framework requires OPES intermediaries to honor both End User and 
   content provider intermediaries privacy policies. 

6. The VPCN framework does not preclude OPES Intermediaries Privacy policies 
   from specifying what information Intermediaries can or cannot record, 
   including cookies, IP addresses, HTTP header fields and how they can use that 
   information. 


7. The VPCN framework does not preclude OPES Intermediaries Privacy policies 
   from specifying  what information can or cannot be passed by OPES 
   Intermediaries to OPES callout services, including cookies, IP addresses, 
   HTTP header fields. 

8. The VPCN framework ensures that OPES Intermediaries will report back to the 
   content provider any information that is related to its content. The needed 
   information can be specified in the  content profile.


7. Acknowledgements

The authors acknowledge the contributions and comments of Wayne Ding (Nortel), 
Hilarie Orman (Volear), Markus Hufmann (Lucent) and R. Chen (AT&T).





References

[1]    Postel, J., "Internet Protocol", RFC 791, September 1981,
       <URL:http://www.rfc-editor.org/rfc/rfc791.txt>.

[2]    Hares, S. and D. Katz, "Administrative Domains and Routing Domains: A
       Model for Routing in the Internet", RFC 1136, December 1989,
       <URL:http://www.rfc-editor.org/rfc/rfc1136.txt>.

[3]    Carpenter, B., "Architectural Principles of the Internet", RFC 1958,
       June 1996, <URL:http://www.rfc-editor.org/rfc/rfc1958.txt>.

[4]    Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach,
       P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC
       2616, June 1999, <URL:http://www.rfc-editor.org/rfc/rfc2616.txt>.

[5]    Carpenter, B., "Internet Transparency", RFC 2775, February 2000,
       <URL:http://www.rfc-editor.org/rfc/rfc2775.txt>.

[6]    Cooper, I., Melve, I. and G. Tomlinson, "Internet Web Replication and
       Caching Taxonomy", RFC 3040, January 2001,
       <URL:http://www.ietf.org/rfc/rfc3040.txt>.

[7]    Day, M., Cain, B., Tomlinson, G. and P. Rzewski, "A Model for Content
       Internetworking", draft-day-cdnp-model-09.txt (work in progress),
       June 2001, <URL:http://www.ietf.org/internet-drafts/draft-day-cdnp-model-
       08.txt>.






[8]    Beck, A. and M. Hofmann, "IRML: A Rule Specification Language for
       Intermediary Services", draft-beck-opes-irml-00.txt (work in progress),
       February 2001, <URL:http://www.ietf.org/internet-drafts/draft-beck-opes-
       irml-00.txt>.

[9]    Elson, J. and A. Cerpa, "ICAP the Internet Content Adaptation Protocol",
       ICAP Forum, June 2001,
       <URL:http://www.circlemud.org/~jelson/icap-1.72.txt>.

[10]   Box, D., Ehnebuske, D., Kakivaya, G., Layman, A., Mendelsohn, N.,
       Frystyk Nielsen, H., Thatte, S. and D. Winer, "Simple Object Access
       Protocol (SOAP) 1.1", W3C Note, May 2000,
       <URL:http://www.w3.org/TR/2000/NOTE-SOAP-20000508/>.

[11]   Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B.,
       Perry, J., Herzog, S., Huynh, A., Carlson, M. and S. Waldbusser, "Policy
       Terminology", draft-ietf-policy-terminology-03.txt (work in progress),
       April 2001, <URL:http://www.ietf.org/internet-drafts/draft-ietf-policy-
       terminology-03.txt>.

[12]   McHenry, S., Condry, M. and G. Tomlinson, "Open Pluggable Edge Services
       Use Cases and Deployment Scenarios",
       draft-mchenry-opes-deployment-scenarios.txt (work in progress),
       November 2000, <URL:http://www.ietf.org/internet-drafts/draft-mchenry-
       opes-deployment-scenarios.txt>.

[13]   Rafalow, L., Yang, L. and A. Beck, "Policy Requirements for Edge
       Services", draft-rafalow-opes-policy-requirements-00.txt (work in
       progress), July 2001.

[14]   Nottingham, M., Tsimelzon, M., Weihl, B. and L. Jacobs, "ESI Language
       Specification 1.0", Edge Side Includes, May 2001,
       <URL:http://www.edge-delivery.org/language_spec_1-0.html>.

[15]   Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and A. Rayhan,
       "Middlebox Communication Architecture and Framework",
       draft-ietf-midcom-framework-03.txt (work in progress).

[16]   Tomlinson, G. et al., "A Model for OPES Service Overlay Networks",
       draft-tomlinson-opes-model-01.txt (work in progress),
       <URL:http://www.ietf.org/internet-drafts/draft-tomlinson-opes-model-
       01.txt>.

[17]   Orman, H., "Data Integrity in an Active Content System",
       <URL:http://www.cs.utah.edu/~horman/opes.html>.

[18]   Penno, R., Rayhan, A. and M. Duffy, "Out-Of-Path (OOP) Agents and MIDCOM
       Framework Integration", draft-penno-midcom-oop-01.txt (work in
       progress).

[19]   Gleeson, B. et al., "A Framework for IP Based Virtual Private Networks",
       RFC 2764, February 2000.


[20]   Floyd, S. et al., "IAB Architectural and Policy Considerations for OPES",
       draft-iab-opes-01.txt (work in progress).

[21]   Carr, W., "Suggested OPES Requirements for Integrity, Privacy and
       Security", email to ietf-openproxy@imc.org, August 16, 2001,
       <URL:http://www.imc.org/ietf-openproxy/mail-archive/msg00869.html>.




Authors' Addresses

Abbie Barbir, Ph.D.
Nortel Networks
3500 Carling Avenue
Nepean Ontario K2H 8E9 Canada
Email: abbieb@nortelnetworks.com

Nalin Mistry
Nortel Networks
3500 Carling Avenue
Nepean Ontario K2H 8E9 Canada

Reinaldo Penno
Nortel Networks, Inc. 
2305 Mission College Boulevard
Building SC9-B1240  
San Jose, CA 95134
Email: rpenno@nortelnetworks.com 

Delphine Kaplan
ActiVia Networks
Space Antipolis 5
Parc de Sophia Antipolis
2323 Chemin St Bernard
06225 Vallauris, Cedex   FRANCE
Phone: +33 4 97 23 46 66
email: Delphine.Kaplan@activia.net
URI:   http://www.activia.net/














Full Copyright Statement

   Copyright (C) The Internet Society (2001). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it or
   assist in its implementation may be prepared, copied, published and
   distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are included
   on all such copies and derivative works. However, this document itself may
   not be modified in any way, such as by removing the copyright notice or
   references to the Internet Society or other Internet organizations, except
   as needed for the purpose of developing Internet standards in which case
   the procedures for copyrights defined in the Internet Standards process
   must be followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC editor function is currently provided by the Internet 
Society.












