IETF Logo Mail Archive

Re: [apps-discuss] Review of draft-ietf-cdni-problem-statement-04

Francois Le Faucheur <flefauch@cisco.com> Wed, 25 April 2012 18:34 UTC

Return-Path: <flefauch@cisco.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 490CD21F88E8 for <apps-discuss@ietfa.amsl.com>; Wed, 25 Apr 2012 11:34:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.466
X-Spam-Level:
X-Spam-Status: No, score=-9.466 tagged_above=-999 required=5 tests=[AWL=-0.288, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, SARE_GIF_ATTACH=1.42]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAxCYLfG5sYz for <apps-discuss@ietfa.amsl.com>; Wed, 25 Apr 2012 11:34:16 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 4A0DC21F8832 for <apps-discuss@ietf.org>; Wed, 25 Apr 2012 11:34:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=flefauch@cisco.com; l=46346; q=dns/txt; s=iport; t=1335378854; x=1336588454; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=QxQSCbJQeBBHUhqn+M7lSqvY+inajqacEyr7sAUaF+o=; b=ObCHkBIObTPRsZbht6tu9nLhe+q+Z6ePVl2mqYZtMX0Zy7cr3WlBE7jC MZ+uEmWhNxkpALZRg1ADtajlBJQKOzVz2HwFXpSZ0wv0NG/e7xYYYtjji EcVCqXKey2ZSTCgIEQaLL6YLErOSa1Ifq83WWjQZcZYXXA6CYjbcWbRiS E=;
X-Files: image001.jpg, green.gif : 11041, 87
X-IronPort-AV: E=Sophos; i="4.75,481,1330905600"; d="gif'147?jpg'147,145?scan'147,145,208,145,147,217"; a="136228531"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-1.cisco.com with ESMTP; 25 Apr 2012 18:34:13 +0000
Received: from ams-flefauch-8712.cisco.com (ams-flefauch-8712.cisco.com [10.55.161.195]) by ams-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id q3PIYBnX009643; Wed, 25 Apr 2012 18:34:11 GMT
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_5AB648E7-8C2B-409E-A6DB-60EB57BF4DA9"
From: Francois Le Faucheur <flefauch@cisco.com>
In-Reply-To: <4F8C3E49.5030100@bell-labs.com>
Date: Wed, 25 Apr 2012 20:34:06 +0200
Message-Id: <8CD8D5FA-CCA8-4A3F-B7C5-62F91B311002@cisco.com>
References: <4F8C3E49.5030100@bell-labs.com>
To: "Vijay K. Gurbani" <vkg@bell-labs.com>, draft-ietf-cdni-problem-statement@tools.ietf.org
X-Mailer: Apple Mail (2.1257)
X-Mailman-Approved-At: Wed, 25 Apr 2012 12:53:56 -0700
Cc: Le Faucheur Francois <flefauch@cisco.com>, apps-discuss@ietf.org
Subject: Re: [apps-discuss] Review of draft-ietf-cdni-problem-statement-04
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2012 18:34:18 -0000

Vijay, Ben, Nabil, all,

On 16 Apr 2012, at 17:44, Vijay K. Gurbani wrote:
> 
> Major Issues:
> - S6: I believe that expanding the security considerations for each
> CDNI interface will help in the long run.

Below is an edited/expanded version of the Security Considerations section that integrates Vijay's comment and also captures a couple of high-level points from the Security Considerations section of the cdni-framework. Can you guys review and refine if needed?

I think we can integrate Vijay's Minor comments and nits offline.

Thanks much to Vijay for the useful review.

Francois


6.  Security Considerations

Distribution of content by a CDN comes with a range of security
   considerations such as how to enforce control of access to the
   content by users in line with the CSP policy, or how to trust the logging information generated by the CDN for the purposes of charging the CSP. These security aspects
   are already dealt with by CDN Providers and CSPs today in the context
   of standalone CDNs.  However, interconnection of CDNs introduces a
   new set of security considerations by extending the trust model to a chain of trust (i.e.
   the CSP "trusts" a CDN that "trusts" another CDN).
The mechanisms used to mitigate these risks in multi-CDN environments may be similar to those used in the single CDN case, but their
   suitability in this more complex environment must be validated.

   Maintaining the security of the content itself, its associated
   metadata (including delivery policies) and the CDNs
   distributing and delivering it, are critical requirements for both
   CDN Providers and CSPs and the CDN Interconnection interfaces must
   provide sufficient mechanisms to maintain the security of the overall
  system of interconnected CDNs as well as the information (content,
   metadata, logs, etc) distributed and delivered through any set of interconnected CDNs.

6.1 Security of the CDNI Control Interface

  Information on this interface is of a very private nature.
  A pair of CDNs use this interface to allow bootstrapping of all the other CDNI interfaces possibly including establishment of the mechanisms for securing these interfaces. Therefore, corruption of that interface may result in corruption of all other interfaces. 
Using this interface, an upstream CDN may pre-position or delete content or metadata in a downstream
  CDN and a downstream CDN may provide administrative information to an upstream CDN, etc.
  All of these operations require that the peer CDNs are appropriately
  authenticated and that the confidentiality and integrity of information flowing
  between them can be ensured.

6.2 Security of the CDNI Request Routing Interface

  Appropriate levels of authentication and confidentiality must be
  used in this interface because it allows an upstream CDN to
  query the downstream CDN in order to redirect requests, and conversely, allows
  the downstream CDN to influence the upstream CDN's Request Routing
  function.

  Absent appropriate security on this interface, a rogue upstream
  CDN can inundate downstream CDNs with bogus requests, or have the
  downstream CDN send the rogue upstream CDN private information. Also, a rogue downstream CDN could influence the upstream CDN so the uCDN redirects requests to the rogue dCDN or another dCDN in order to attract additional delivery revenue.

6.3 Security of the CDNI Metadata Interface

  Because this interface allows a downstream CDN to request metadata
  from an upstream CDN, the latter must ensure that the former is
  appropriately authenticated before sending the data.  Conversely,
  a downstream CDN must authenticate an upstream CDN before requesting
  metadata to insulate itself from poisoning by rogue upstream CDNs.
  The confidentiality and integrity of the information exchanged between the peers
  must be protected.

6.4 Security of the CDNI Logging Interface

  Logging data consists of potentially sensitive information (which
  user accesses which media resource, IP addresses of users, potential
  names and subscriber account information, etc.) Confidentiality of this information
  must be protected as the log records are moved between hosts.
This information may also be sensitive from the viewpoint that it can be the basis for charging across CDNs. Therefore, appropriate levels of protection are needed against corruption, duplication and loss of this information. 





>  Here is a first stab at
> this that you may want to consider replacing the second paragraph
> with (please feel free to expand this since you are the subject
> matter experts here).  Suggested text:
> 
> 6.1 Security of the CDNI Request Routing Interface
> 
>   Appropriate levels of authentication and confidentiality must be
>   used in this interface because it allows an upstream CDN to
>   query capabilities of a downstream CDN, and conversely, allows
>   the downstream CDN to control the upstream CDN's Request Routing
>   function.
> 
>   Absent appropriate security on this interface, a rogue upstream
>   CDN can inundate downstream CDNs with bogus requests, or have the
>   downstream CDN send the rogue upstream CDN private information
>  (e.g., load, resources).
> 
> 6.2 Security of the CDNI Control Interface
> 
>   Information on this interface is of a very private nature as well.
>   A pair of CDNs use this interface to allow bootstrapping of content
>   acquisition; an upstream CDN may pre-position content in a downstream
>   CDN, or it may purge the contents at a downstream CDN; a downstream
>   CDN may provide administrative information to an upstream CDN, etc.
>   All of these operations require that the peer CDNs are appropriately
>   authenticated and that the confidentiality of information flowing
>   between them is maintained.
> 
> 6.3 Security of the CDNI Metadata Interface
> 
>   Because this interface allows a downstream CDN to request metadata
>   from an upstream CDN, the latter must ensure that the former is
>   appropriately authenticated before sending the data.  Conversely,
>   a downstream CDN must authenticate an upstream CDN before requesting
>   metadata to insulate itself from poisoning by rouge upstream CDNs.
>   The confidentiality of the information exchanged between the peers
>   must be protected.
> 
> 6.4 Security of the CDNI Logging Interface
> 
>   Logging data consists of potentially sensitive information (which
>   user accesses which media resource, IP addresses of users, potential
>   names and subscriber account information, etc.)  This information
>   must be protected as the log records are moved between hosts.
> 
> Minor Issues:
> 
> - S1: Your problem statement essentially is an interplay between
> four logical entities: end user, CSP, CDN, and NSP.  I think this
> interplay needs to be laid out a bit more explicitly.  It seems to me
> that your model is that a user is subscribed to a CSP.   The CSP has
> arrangements with various CDN providers to distribute content.  The
> user, at a certain point in time, is in a network owned by a NSP that
> uses a CDN that does not have receive content from CSP.  Thus CSP is
> at a disadvantage since it will have to serve the user from a CDN that
> is not necessarily close to the user, thereby introducing a reduced
> quality of experience for the user.
> 
> What CDNI does is enable the CSP to contract with an "authoritative"
> CDN provider for the delivery of content and that that
> authoritative CDN Provider could contract with one or more downstream
> CDN Provider(s) to distribute and deliver some or all of the content
> on behalf of the authoritative CDN Provider.  Because the downstream
> CDN Provider(s) will be closer to the user, the user is subjected to
> a better viewing experience than he or she would be had the content
> been delivered from a farther CDN.
> 
> I think that laying out the interplay between the four entities in
> the second paragraph of S1 more explicitly may provide better context
> to the reader who is not already well versed with CDNs.
> 
> - S1: I would advise to order the terms defined by an alphabetical
> order (if possible).
> 
> - S3, last paragraph: The term "where to go" is rather ambiguous.
> Do you mean, "which upstream CDN to acquire content from"?  Or
> something else?  It will help to make this more explicit.
> 
> - S4, last paragraph: it is stated that "we assume that this [developing
> a new protocol] is unnecessary".  Based on the contents of S4.1-
> S4.4, I believe you do more than "assume".  You clearly enunciate a
> list of protocols that can be used for the various interfaces, thus
> providing a first order reasoning for why a new protocol for CDNI
> is not needed.
> 
> Therefore, I would exhort you to use a stronger word than "assume";
> something like:
> 
>   Secondly, although a new application protocol could be designed
>   specifically for CDNI, our analysis below shows that this is
>   unnecessary ...
> 
> - S4.3: Are these "log lines" or "log records"?  Presumably, one or
> more lines will aggregate to one log record.  It seems appropriate
> in this document to talk about "log records" instead of "log lines".
> The CDNI logging interface draft can tease out more precisely how
> many lines comprise a record, etc.
> 
> Secure ftp and secure copying (scp) appears to be missing in the list
> of protocols.  I would suspect that sftp would be preferred over
> normal ftp.
> 
> Nits:
> 
> - Global: In the Abstract and S1, "End Users" is employed multiple
> times.  End Users is defined in the Terminology section as a
> definition.  I would propose that attach the acronym "EU" on
> the first encounter of "End User" in the Abstract and S1,
> and from then on simply use "EU".
> 
> - S1, second paragraph: "attachment network" sounds incomplete.
> Maybe you meant "attachment to the network"?
> 
> - S3: s/existing protocols: this is/existing protocols; this is/
> 
> - S4.1, last paragraph: May be good to give a reference to ALTO.
> 
> Thanks,
> 
> - vijay
> -- 
> Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
> 1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60563 (USA)
> Email: vkg@{bell-labs.com,acm.org} / vijay.gurbani@alcatel-lucent.com
> Web:   http://ect.bell-labs.com/who/vkg/



Francois Le Faucheur
Distinguished Engineer
Service Provider Video Technology Group   
flefauch@cisco.com
Phone: +33 49 723 2619
Mobile: +33 6 19 98 50 90



Cisco Systems France
Greenside
400 Ave de Roumanille
06410 Sophia Antipolis
France
Cisco.com


 


 Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

Cisco Systems France, Société à responsabiité limitée, Rue Camille Desmoulins – Imm Atlantis Zac Forum Seine Ilot 7 92130 Issy les Moulineaux, Au capital de 91.470 €, 349 166 561 RCS Nanterre, Directeur de la publication: Jean-Luc Michel Givone.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html

v2.23.0 | Report a Bug | By Email