Network Working Group P. Rzewski Request for Comments: 3570 Media Publisher, Inc. Category: Informational M. Day Cisco D. Gilletti July 2003 Content Internetworking (CDI) Scenarios Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract In describing content internetworking as a technology targeted for use in production networks, it is useful to provide examples of the sequence of events that may occur when two content networks decide to interconnect. The scenarios presented here seek to provide some concrete examples of what content internetworking is, and also to provide a basis for evaluating content internetworking proposals. Table of Contents 1. Introduction...................................................2 1.1. Terminology..............................................3 2. Special Cases of Content Networks..............................3 2.1. Publishing Content Network...............................3 2.2. Brokering Content Network................................3 2.3. Local Request-Routing Content Network....................4 3. Content Internetworking Arrangements...........................5 4. Content Internetworking Scenarios..............................5 4.1. General Content Internetworking..........................6 4.2. BCN providing ACCOUNTING INTERNETWORKING and REQUEST-ROUTING INTERNETWORKING..........................9 4.3. BCN providing ACCOUNTING INTERNETWORKING................11 4.4. PCN ENLISTS multiple CNs................................12 4.5. Multiple CNs ENLIST LCN.................................13 5. Security Considerations.......................................15 5.1. Threats to Content Internetworking......................15 5.1.1. Threats to the CLIENT.............................15 Rzewski, et al. Informational [Page 1] RFC 3570 CDI Scenarios July 2003 5.1.2. Threats to the PUBLISHER..........................17 5.1.3. Threats to a CN...................................17 6. Acknowledgements..............................................18 7. References....................................................18 8. Authors' Addresses............................................19 9. Full Copyright Statement......................................20 1. Introduction In [1], the concept of a "content network" is introduced and described. In addition to describing some general types of content networks, it also describes motivations for allowing content networks to interconnect (defined as "content internetworking"). In describing content internetworking as a technology targeted for use in production networks, it's useful to provide examples of the sequence of events that may occur when two content networks decide to interconnect. Naturally, different types of content networks may be created due to different business motivations, and so many combinations are likely. This document first provides detailed examples of special cases of content networks that are specifically designed to participate in content internetworking (Section 2). We then discuss the steps that would be taken in order to "bring up" or "tear down" a content internetworking arrangement (Section 3). Next we provide some detailed examples of how content networks (such as those from Section 2) could interconnect (Section 4). Finally, we describe any security considerations that arise specifically from the examples presented here (Section 5). The scenarios presented here answer two distinct needs: 1. To provide some concrete examples of what content internetworking is, and 2. To provide a basis for evaluating content internetworking proposals. A number of content internetworking systems have been implemented, but there are few published descriptions. One such description is [2]. 1.1. Terminology Terms in ALL CAPS are defined in [1] except for the following terms defined below in this document: PCN, BCN, and LCN. Additionally, the term SLA is used as an abbreviation for Service Level Agreement. Rzewski, et al. Informational [Page 2] RFC 3570 CDI Scenarios July 2003 2. Special Cases of Content Networks A CN may have REQUEST-ROUTING, DISTRIBUTION, and ACCOUNTING interfaces. However, some participating networks may gravitate toward particular subsets of the CONTENT INTERNETWORKING interfaces. Others may be seen differently in terms of how they relate to their CLIENT bases. This section describes these refined cases of the general CN case so they may be available for easier reference in the further development of CONTENT INTERNETWORKING scenarios. The special cases described are the Publishing Content Network, the Brokering Content Network, and the Local Request-Routing Content Network. 2.1. Publishing Content Network A Publishing Content Network (PCN), maintained by a PUBLISHER, contains an ORIGIN and has a NEGOTIATED RELATIONSHIP with two or more CNs. A PCN may contain SURROGATES for the benefit of serving some CONTENT REQUESTS locally, but does not intend to allow its SURROGATES to serve CONTENT on behalf of other PUBLISHERS. Several implications follow from knowing that a particular CN is a PCN. First, the PCN contains the AUTHORITATIVE REQUEST-ROUTING SYSTEM for the PUBLISHER's CONTENT. This arrangement allows the PUBLISHER to determine the distribution of CONTENT REQUESTS among ENLISTED CNs. Second, it implies that the PCN need only participate in a subset of CONTENT INTERNETWORKING. For example, a PCN's DISTRIBUTION INTERNETWORKING SYSTEM need only be able to receive DISTRIBUTION ADVERTISEMENTS, it need not send them. Similarly, a PCN's REQUEST-ROUTING INTERNETWORKING SYSTEM has no reason to send AREA ADVERTISEMENTS. Finally, a PCN's ACCOUNTING INTERNETWORKING SYSTEM need only be able to receive ACCOUNTING data, it need not send it. 2.2. Brokering Content Network A Brokering Content Network (BCN) is a network that does not operate its own SURROGATES. Instead, a BCN operates only CIGs as a service on behalf other CNs. A BCN may therefore be regarded as a "clearinghouse" for CONTENT INTERNETWORKING information. For example, a BCN may choose to participate in DISTRIBUTION INTERNETWORKING and/or REQUEST-ROUTING INTERNETWORKING in order to aggregate ADVERTISEMENTS from one set of CNs into a single update stream for the benefit of other CNs. To name a single specific example, a BCN could aggregate CONTENT SIGNALS from CNs that represent PUBLISHERS into a single update stream for the benefit of CNs that contain SURROGATES. A BCN may also choose to participate in Rzewski, et al. Informational [Page 3] RFC 3570 CDI Scenarios July 2003 ACCOUNTING INTERNETWORKING in order to aggregate utilization data from several CNs into combined reports for CNs that represent PUBLISHERS. This definition of a BCN implies that a BCN's CIGs would implement the sending and/or receiving of any combination of ADVERTISEMENTS and ACCOUNTING data as is necessary to provide desired services to other CONTENT NETWORKS. For example, if a BCN is only interested in aggregating ACCOUNTING data on behalf of other CNs, it would only need to have an ACCOUNTING INTERNETWORKING interface on its CIGs. 2.3. Local Request-Routing Content Network Another type of CN is the Local Request-Routing CONTENT NETWORK (LCN). An LCN is defined as a type of network where CLIENTS' CONTENT REQUESTS are always handled by some local SERVER (such as a caching proxy [1]). In this context, "local" is taken to mean that both the CLIENT and SERVER are within the same administrative domain, and there is an administrative motivation for forcing the local mapping. This type of arrangement is common in enterprises where all CONTENT REQUESTS must be directed through a local SERVER for access control purposes. As implied by the name, the LCN creates an exception to the rule that there is a single AUTHORITATIVE REQUEST-ROUTING SYSTEM for a particular item of CONTENT. By directing CONTENT REQUESTS through the local SERVER, CONTENT RESPONSES may be given to CLIENTS without first referring to the AUTHORITATIVE REQUEST-ROUTING SYSTEM. Knowing this to be true, other CNs may seek a NEGOTIATED RELATIONSHIP with an LCN in order to perform DISTRIBUTION into the LCN and receive ACCOUNTING data from it. Note that once SERVERS participate in DISTRIBUTION INTERNETWORKING and ACCOUNTING INTERNETWORKING, they effectively take on the role of SURROGATES. However, an LCN would not intend to allow its SURROGATES to be accessed by non-local CLIENTS. This set of assumptions implies multiple things about the LCN's CONTENT INTERNETWORKING relationships. First, it is implied that the LCN's DISTRIBUTION INTERNETWORKING SYSTEM need only be able to send DISTRIBUTION ADVERTISEMENTS, it need not receive them. Second, it is implied that an LCN's ACCOUNTING INTERNETWORKING SYSTEM need only be able to send ACCOUNTING data, it need not receive it. Finally, due to the locally defined REQUEST-ROUTING, the LCN would not participate in REQUEST-ROUTING INTERNETWORKING. Rzewski, et al. Informational [Page 4] RFC 3570 CDI Scenarios July 2003 3. Content Internetworking Arrangements When the controlling interests of two CNs decide to interconnect their respective networks (such as for business reasons), it is expected that multiple steps would need to occur. The first step would be the creation of a NEGOTIATED RELATIONSHIP. This relationship would most likely take the form of a legal document that describes the services to be provided, cost of services, SLAs, and other stipulations. For example, if an ORIGINATING CN wished to leverage another CN's reach into a particular country, this would be laid out in the NEGOTIATED RELATIONSHIP. The next step would be to configure CONTENT INTERNETWORKING protocols on the CIGs of the respective CNs in order to technically support the terms of the NEGOTIATED RELATIONSHIP. To follow our previous example, this could include the configuration of the ENLISTED CN's CIGs in a particular country to send DISTRIBUTION ADVERTISEMENTS to the CIGs of the ORIGINATING CN. In order to configure these protocols, technical details (such as CIG addresses/hostnames and authentication information) would be exchanged by administrators of the respective CNs. Note also that some terms of the NEGOTIATED RELATIONSHIP would be upheld through means outside the scope of CDI protocols. These could include non-technical terms (such as financial settlement) or other technical terms (such as SLAs). In the event that the controlling interests of two CNs no longer wish to have their networks interconnected, it is expected that these tasks would be undone. That is, the protocol configurations would be changed to cease the movement of ADVERTISEMENTS and/or ACCOUNTING data between the networks, and the NEGOTIATED RELATIONSHIP would be legally terminated. 4. Content Internetworking Scenarios This section provides several scenarios that may arise in CONTENT INTERNETWORKING implementations. Note that we obviously cannot examine every single permutation. Specifically, it should be noted that: o Any one of the interconnected CNs may have other CONTENT INTERNETWORKING arrangements that may or may not be transitive to the relationships being described in the diagram. Rzewski, et al. Informational [Page 5] RFC 3570 CDI Scenarios July 2003 o The graphical figures do not illustrate the CONTENT REQUEST paths. It is assumed that a REQUEST-ROUTING SYSTEM eventually returns to the CLIENT the IP address of the SURROGATE deemed appropriate to honor the CLIENT's CONTENT REQUEST. The scenarios described include a general case, two cases in which BCNs provide limited interfaces, a case in which a PCN enlists the services of multiple CNs, and a case in which multiple CNs enlist the services of an LCN. 4.1. General Content Internetworking This scenario considers the general case where two or more existing CNs wish to establish a CONTENT INTERNETWORKING relationship in order to provide increased scale and reach for their existing customers. It assumes that all of these CNs already provide REQUEST-ROUTING, DISTRIBUTION, and ACCOUNTING services and that they will continue to provide these services to existing customers as well as offering them to other CNs. In this scenario, these CNs would interconnect with others via a CIG that provides a REQUEST-ROUTING INTERNETWORKING SYSTEM, a DISTRIBUTION INTERNETWORKING SYSTEM, and an ACCOUNTING INTERNETWORKING SYSTEM. The net result of this interconnection would be that a larger set of SURROGATES will now be available to the CLIENTS. Figure 1 shows three CNs which have interconnected to provide greater scale and reach to their existing customers. They are all participating in DISTRIBUTION INTERNETWORKING, REQUEST-ROUTING INTERNETWORKING, and ACCOUNTING INTERNETWORKING. As a result of the NEGOTIATED RELATIONSHIPS it is assumed that: 1. CONTENT that has been INJECTED into any one of these ORIGINATING CNs may be distributed into any other ENLISTED CN. 2. Commands affecting the DISTRIBUTION of CONTENT may be issued within the ORIGINATING CN, or may also be issued within the ENLISTED CN. The latter case allows local decisions to be made about DISTRIBUTION within the ENLISTED CN, but such commands would not control DISTRIBUTION within the ORIGINATING CN. 3. ACCOUNTING information regarding CLIENT access and/or DISTRIBUTION actions will be made available to the ORIGINATING CN by the ENLISTED CN. Rzewski, et al. Informational [Page 6] RFC 3570 CDI Scenarios July 2003 4. The ORIGINATING CN would provide this ACCOUNTING information to the PUBLISHER based on existing Service Level Agreements (SLAs). 5. CONTENT REQUESTS by CLIENTS may be directed to SURROGATES within any of the ENLISTED CNs. The decision of where to direct an individual CONTENT REQUEST may be dependent upon the DISTRIBUTION and REQUEST-ROUTING policies associated with the CONTENT being requested as well as the specific algorithms and methods used for directing these requests. For example, a REQUEST-ROUTING policy for a piece of CONTENT may indicate multiple versions exist based on the spoken language of a CLIENT. Therefore, the REQUEST-ROUTING SYSTEM of an ENLISTED CN would likely direct a CONTENT REQUEST to a SURROGATE known to be holding a version of CONTENT of a language that matches that of a CLIENT. Rzewski, et al. Informational [Page 7] RFC 3570 CDI Scenarios July 2003 Figure 1 - General CONTENT INTERNETWORKING +--------------+ +--------------+ | CN A | | CN B | |..............| +---------+ +---------+ |..............+ | REQ-ROUTING |<=>| |<=>| |<=>| REQ-ROUTING | |..............| | CONTENT | | CONTENT | |..............| | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION | |..............| | GATEWAY | | GATEWAY | |..............| | ACCOUNTING |<=>| |<=>| |<=>| ACCOUNTING | +--------------+ +---------+ +---------+ +--------------+ | ^ \^ \ \ ^/ ^/ ^/ | ^ v | \\ \\ \\ // // // v | +--------------+ \\ \\ \\ // // // +--------------+ | SURROGATES | \\ v\ v\ /v /v // | SURROGATES | +--------------+ \\+---------+// +--------------+ ^ | v| |v ^ | | | | CONTENT | | | | | |INTWRKING| | | | | | GATEWAY | | | | | | | | | | | +---------+ | | | | ^| ^| ^| | | | | || || || | | | | |v |v |v | | | | +--------------+ | | | | | CN C | | | | | |..............| | | | | | REQ-ROUTING | | | | | |..............| | | \ \ | DISTRIBUTION | / / \ \ |..............| / / \ \ | ACCOUNTING | / / \ \ |--------------| / / \ \ | ^ / / \ \ v | / / \ \ +--------------+ / / \ \ | SURROGATES | / / \ \ +--------------+ / / \ \ | ^ / / \ \ | | / / \ \ v | / / \ \ +---------+ / / \ \-->| CLIENTS |---/ / \----| |<---/ +---------+ Rzewski, et al. Informational [Page 8] RFC 3570 CDI Scenarios July 2003 4.2. BCN providing ACCOUNTING INTERNETWORKING and REQUEST-ROUTING INTERNETWORKING This scenario describes the case where a single entity (BCN A) performs ACCOUNTING INTERNETWORKING and REQUEST-ROUTING INTERNETWORKING functions, but has no inherent DISTRIBUTION or DELIVERY capabilities. A potential configuration which illustrates this concept is given in Figure 2. In the scenario shown in Figure 2, BCN A is responsible for collecting ACCOUNTING information from multiple CONTENT NETWORKS (CN A and CN B) to provide a clearinghouse/settlement function, as well as providing a REQUEST-ROUTING service for CN A and CN B. In this scenario, CONTENT is injected into either CN A or CN B and its DISTRIBUTION between these CNs is controlled via the DISTRIBUTION INTERNETWORKING SYSTEMS within the CIGs. The REQUEST-ROUTING SYSTEM provided by BCN A is informed of the ability to serve a piece of CONTENT from a particular CONTENT NETWORK by the REQUEST-ROUTING SYSTEMS within the interconnected CIGs. BCN A collects statistics and usage information via the ACCOUNTING INTERNETWORKING SYSTEM and disseminates that information to CN A and CN B as appropriate. As illustrated in Figure 2, there are separate REQUEST-ROUTING SYSTEMS employed within CN A and CN B. If the REQUEST-ROUTING SYSTEM provided by BCN A is the AUTHORITATIVE REQUEST-ROUTING SYSTEM for a given piece of CONTENT this is not a problem. However, each individual CN may also provide the AUTHORITATIVE REQUEST-ROUTING SYSTEM for some portion of its PUBLISHER customers. In this case care must be taken to ensure that the there is one and only one AUTHORITATIVE REQUEST-ROUTING SYSTEM identified for each given CONTENT object. Rzewski, et al. Informational [Page 9] RFC 3570 CDI Scenarios July 2003 Figure 2 - BCN providing ACCOUNTING INTERNETWORKING and REQUEST-ROUTING INTERNETWORKING +--------------+ | BCN A | |..............| +-----------+ | REQ-ROUTING |<===>| | |..............| | CONTENT | | ACCOUNTING |<===>| INTWRKING | +--------------+ | GATEWAY | | | +-----------+ ^| ^| ^| ^| +--------------+ // // \\ \\ +--------------+ | CN A | |v |v |v |v | CN B | |..............| +---------+ +---------+ |..............| | REQ-ROUTING |<=>| | | |<=>| REQ-ROUTING | |..............| | CONTENT | | CONTENT | |..............| | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION | |..............| | GATEWAY | | GATEWAY | |..............| | ACCOUNTING |<=>| | | |<=>| ACCOUNTING | +--------------+ +---------+ +---------+ +--------------+ | ^ | ^ v | v | +--------------+ +--------------+ | SURROGATES | | SURROGATES | +--------------+ +--------------+ ^ \ ^ / \ \ / / \ \ / / \ \ / / \ \ +---------+ / / \ \---->| CLIENTS |-----/ / \------| |<-----/ +---------+ Rzewski, et al. Informational [Page 10] RFC 3570 CDI Scenarios July 2003 4.3. BCN providing ACCOUNTING INTERNETWORKING This scenario describes the case where a single entity (BCN A) performs ACCOUNTING INTERNETWORKING to provide a clearinghouse/ settlement function only. In this scenario, BCN A would enter into NEGOTIATED RELATIONSHIPS with multiple CNs that each perform their own DISTRIBUTION INTERNETOWRKING and REQUEST-ROUTING INTERNETWORKING as shown in FIGURE 3. Figure 3 - BCN providing ACCOUNTING INTERNETWORKING +--------------+ | BCN A | |..............| +-----------+ | ACCOUNTING |<===>| | +--------------+ | CONTENT | | INTWRKING | | GATEWAY | | | +-----------+ ^| ^| +--------------+ // \\ +--------------+ | CN A | |v |v | CN B | |..............| +---------+ +---------+ |..............| | REQ-ROUTING |<=>| |<=>| |<=>| REQ-ROUTING | |..............| | CONTENT | | CONTENT | |..............| | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION | |..............| | GATEWAY | | GATEWAY | |..............| | ACCOUNTING |<=>| | | |<=>| ACCOUNTING | +--------------+ +---------+ +---------+ +--------------+ | ^ | ^ v | v | +--------------+ +--------------+ | SURROGATES | | SURROGATES | +--------------+ +--------------+ ^ \ ^ / \ \ / / \ \ / / \ \ / / \ \ +---------+ / / \ \---->| CLIENTS |-----/ / \------| |<-----/ +---------+ Rzewski, et al. Informational [Page 11] RFC 3570 CDI Scenarios July 2003 4.4. PCN ENLISTS multiple CNs In the previously enumerated scenarios, PUBLISHERS have not been discussed. Much of the time, it is assumed that the PUBLISHERS will allow CNs to act on their behalf. For example, a PUBLISHER may designate a particular CN to be the AUTHORITATIVE REQUEST-ROUTING SYSTEM for its CONTENT. Similarly, a PUBLISHER may rely on a particular CN to aggregate all its ACCOUNTING data, even though that data may originate at SURROGATES in multiple distant CNs. Finally, a PUBLISHER may INJECT content only into a single CN and rely on that CN to ENLIST other CNs to obtain scale and reach. However, a PUBLISHER may wish to maintain more control and take on the task of ENLISTING CNs itself, therefore acting as a PCN (Section 2.1). This scenario, shown in Figure 4, describes the case where a PCN wishes to directly enter into NEGOTIATED RELATIONSHIPS with multiple CNs. In this scenario, the PCN would operate its own CIG and enter into DISTRIBUTION INTERNETWORKING, ACCOUNTING INTERNETWORKING, and REQUEST-ROUTING INTERNETWORKING relationships with two or more CNs. Rzewski, et al. Informational [Page 12] RFC 3570 CDI Scenarios July 2003 Figure 4 - PCN ENLISTS multiple CNs +--------------+ | PCN | |..............| +-----------+ | REQ-ROUTING |<=>| |<---\ |..............| | CONTENT |----\\ | DISTRIBUTION |<=>| INTWRKING | \\ |..............| | GATEWAY |--\ \\ | ACCOUNTING |<=>| |<-\\ \\ +--------------+ +-----------+ \\ \\ ^| ^| ^| ^| \\ || +--------------+ || || || \\ || || +--------------+ | CN A | |v |v |v \v |v |v | CN B | |..............| +---------+ +---------+ |..............| | REQ-ROUTING |<=>| | | |<=>| REQ-ROUTING | |..............| | CONTENT | | CONTENT | |..............| | DISTRIBUTION |<=>|INTWRKING| |INTWRKING|<=>| DISTRIBUTION | |..............| | GATEWAY | | GATEWAY | |..............| | ACCOUNTING |<=>| | | |<=>| ACCOUNTING | +--------------+ +---------+ +---------+ +--------------+ | ^ | ^ v | v | +--------------+ +--------------+ | SURROGATES | | SURROGATES | +--------------+ +--------------+ ^ \ ^ / \ \ / / \ \ / / \ \ / / \ \ +---------+ / / \ \---->| CLIENTS |-----/ / \------| |<-----/ +---------+ 4.5. Multiple CNs ENLIST LCN A type of CN described in Section 2.3 is the LCN. In this scenario, we imagine a tightly administered CN (such as within an enterprise) has determined that all CONTENT REQUESTS from CLIENTS must be serviced locally. Likely due to a large CLIENT base in the LCN, multiple CNs determine they would like to engage in DISTRIBUTION INTERNETWORKING with the LCN in order to extend control over CONTENT objects held in the LCN's SURROGATES. Similarly, the CNs would like to engage in ACCOUNTING INTERNETWORKING with the LCN in order to receive ACCOUNTING data regarding the usage of the content in the local SURROGATES. This scenario is shown in Figure 5. Although this diagram shows a DISTRIBUTION INTERNETWORKING connection between CN A Rzewski, et al. Informational [Page 13] RFC 3570 CDI Scenarios July 2003 and CN B, it should be recognized that this connection is optional and not a requirement in this scenario. Figure 5 - Multiple CNs ENLIST LCN +--------------+ +--------------+ | CN A | | CN B | +..............| +---------+ +---------+ |..............+ | REQ-ROUTING |<=>| |<=>| |<=>| REQ-ROUTING | |..............| | CONTENT | | CONTENT | |..............| | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION | |..............| | GATEWAY | | GATEWAY | |..............| | ACCOUNTING |<=>| |<=>| |<=>| ACCOUNTING | +--------------+ +---------+ +---------+ +--------------+ | ^ \^ \^ ^/ ^/ | ^ v | \\ \\ // // v | +--------------+ \\ \\ // // +--------------+ | SURROGATES | v\ v\ /v /v | SURROGATES | +--------------+ +---------+ +--------------+ | | | CONTENT | |INTWRKING| | GATEWAY | | | +---------+ ^| ^| || || |v |v +--------------+ | LCN A | |..............| | DISTRIBUTION | |..............| | ACCOUNTING | |--------------| | ^ v | +--------------+ | SURROGATES | +--------------+ | ^ | | v | +---------+ | CLIENTS | | | +---------+ Rzewski, et al. Informational [Page 14] RFC 3570 CDI Scenarios July 2003 5. Security Considerations Security concerns with respect to Content Internetworking can be generally categorized into trust within the system and protection of the system from threats. The trust model utilized with Content Internetworking is predicated largely on transitive trust between the ORIGIN, REQUEST-ROUTING INTERNETWORKING SYSTEM, DISTRIBUTION INTERNETWORKING SYSTEM, ACCOUNTING INTERNETWORING SYSTEM, and SURROGATES. Network elements within the Content Internetworking system are considered to be "insiders" and therefore trusted. 5.1. Threats to Content Internetworking The following sections document key threats to CLIENTs, PUBLISHERs, and CNs. The threats are classified according to the party that they most directly harm, but, of course, a threat to any party is ultimately a threat to all. (For example, having a credit card number stolen may most directly affect a CLIENT; however, the resulting dissatisfaction and publicity will almost certainly cause some harm to the PUBLISHER and CN, even if the harm is only to those organizations' reputations.) 5.1.1. Threats to the CLIENT 5.1.1.1. Defeat of CLIENT's Security Settings Because the SURROGATE's location may differ from that of the ORIGIN, the use of a SURROGATE may inadvertently or maliciously defeat any location-based security settings employed by the CLIENT. And since the SURROGATE's location is generally transparent to the CLIENT, the CLIENT may be unaware that its protections are no longer in force. For example, a CN may relocate CONTENT from a Internet Explorer user's "Internet Web Content Zone" to that user's "Local Intranet Web Content Zone". If the relocation is visible to the Internet Explorer browser but otherwise invisible to the user, the browser may be employing less stringent security protections than the user is expecting for that CONTENT. (Note that this threat differs, at least in degree, from the substitution of security parameters threat below, as Web Content Zones can control whether or not, for example, the browser executes unsigned active content.) 5.1.1.2. Delivery of Bad Accounting Information In the case of CONTENT with value, CLIENTs may be inappropriately charged for viewing content that they did not successfully access. Conversely, some PUBLISHERs may reward CLIENTs for viewing certain Rzewski, et al. Informational [Page 15] RFC 3570 CDI Scenarios July 2003 CONTENT (e.g., programs that "pay" users to surf the Web). Should a CN fail to deliver appropriate accounting information, the CLIENT may not receive appropriate credit for viewing the required CONTENT. 5.1.1.3. Delivery of Bad CONTENT A CN that does not deliver the appropriate CONTENT may provide the user misleading information (either maliciously or inadvertently). This threat can be manifested as a failure of either the DISTRIBUTION SYSTEM (inappropriate content delivered to appropriate SURROGATEs) or REQUEST-ROUTING SYSTEM (request routing to inappropriate SURROGATEs, even though they may have appropriate CONTENT), or both. A REQUEST- ROUTING SYSTEM may also fail by forwarding the CLIENT request when no forwarding is appropriate, or by failing to forward the CLIENT request when forwarding is appropriate. 5.1.1.4. Denial of Service A CN that does not forward the CLIENT appropriately may deny the CLIENT access to CONTENT. 5.1.1.5. Exposure of Private Information CNs may inadvertently or maliciously expose private information (passwords, buying patterns, page views, credit card numbers) as it transmits from SURROGATEs to ORIGINs and/or PUBLISHERs. 5.1.1.6. Substitution of Security Parameters If a SURROGATE does not duplicate completely the security facilities of the ORIGIN (e.g., encryption algorithms, key lengths, certificate authorities) CONTENT delivered through the SURROGATE may be less secure than the CLIENT expects. 5.1.1.7. Substitution of Security Policies If a SURROGATE does not employ the same security policies and procedures as the ORIGIN, the CLIENT's private information may be treated with less care than the CLIENT expects. For example, the operator of a SURROGATE may not have as rigorous protection for the CLIENT's password as does the operator of the ORIGIN server. This threat may also manifest itself if the legal jurisdiction of the SURROGATE differs from that of the ORIGIN, should, for example, legal differences between the jurisdictions require or permit different treatment of the CLIENT's private information. Rzewski, et al. Informational [Page 16] RFC 3570 CDI Scenarios July 2003 5.1.2. Threats to the PUBLISHER 5.1.2.1. Delivery of Bad Accounting Information If a CN does not deliver accurate accounting information, the PUBLISHER may be unable to charge CLIENTs for accessing CONTENT or it may reward CLIENTs inappropriately. Inaccurate accounting information may also cause a PUBLISHER to pay for services (e.g., content distribution) that were not actually rendered. Invalid accounting information may also effect PUBLISHERs indirectly by, for example, undercounting the number of site visitors (and, thus, reducing the PUBLISHER's advertising revenue). 5.1.2.2. Denial of Service A CN that does not distribute CONTENT appropriately may deny CLIENTs access to CONTENT. 5.1.2.3. Substitution of Security Parameters If a SURROGATE does not duplicate completely the security services of the ORIGIN (e.g., encryption algorithms, key lengths, certificate authorities, client authentication) CONTENT stored on the SURROGATE may be less secure than the PUBLISHER prefers. 5.1.2.4. Substitution of Security Policies If a SURROGATE does not employ the same security policies and procedures as the ORIGIN, the CONTENT may be treated with less care than the PUBLISHER expects. This threat may also manifest itself if the legal jurisdiction of the SURROGATE differs from that of the ORIGIN, should, for example, legal differences between the jurisdictions require or permit different treatment of the CONTENT. 5.1.3. Threats to a CN 5.1.3.1. Bad Accounting Information If a CN is unable to collect or receive accurate accounting information, it may be unable to collect compensation for its services from PUBLISHERs. Rzewski, et al. Informational [Page 17] RFC 3570 CDI Scenarios July 2003 5.1.3.2. Denial of Service Misuse of a CN may make that CN's facilities unavailable, or available only at reduced functionality, to legitimate customers or the CN provider itself. Denial of service attacks can be targeted at a CN's ACCOUNTING SYSTEM, DISTRIBUTION SYSTEM, or REQUEST-ROUTING SYSTEM. 5.1.3.3. Transitive Threats To the extent that a CN acts as either a CLIENT or a PUBLISHER (such as, for example, in transitive implementations) such a CN may be exposed to any or all of the threats described above for both roles. 6. Acknowledgements The authors acknowledge the contributions and comments of Fred Douglis (AT&T), Raj Nair (Cisco), Gary Tomlinson (CacheFlow), John Scharber (CacheFlow), Nalin Mistry (Nortel), Steve Rudkin (BT), Christian Hoertnagl (IBM), Christian Langkamp (Oxford University), and Don Estberg (Activate). 7. References [1] Day, M., Cain, B., Tomlinson, G. and P. Rzewski, "A Model for Content Internetworking (CDI)", RFC 3466, February 2003. [2] Biliris, A., Cranor, C., Douglis, F., Rabinovich, M., Sibal, S., Spatscheck, O. and W. Sturm, "CDN Brokering", Proceedings of the 6th International Workshop on Web Caching and Content Distribution, Boston, MA, June 2001. Rzewski, et al. Informational [Page 18] RFC 3570 CDI Scenarios July 2003 8. Authors' Addresses Mark S. Day Cisco Systems 1414 Massachusetts Avenue Boxborough, MA 01719 US Phone: +1 978 936 1089 EMail: mday@alum.mit.edu Don Gilletti 21 22nd Ave. San Mateo, CA 94403 US Phone +1 408 569 6813 EMail: dgilletti@yahoo.com Phil Rzewski 30 Jennifer Place San Francisco, CA 94107 US Phone: +1 650 303 3790 EMail: philrz@yahoo.com Rzewski, et al. Informational [Page 19] RFC 3570 CDI Scenarios July 2003 9. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Rzewski, et al. Informational [Page 20]