diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5353.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5353.txt')
-rw-r--r-- | doc/rfc/rfc5353.txt | 2187 |
1 files changed, 2187 insertions, 0 deletions
diff --git a/doc/rfc/rfc5353.txt b/doc/rfc/rfc5353.txt new file mode 100644 index 0000000..0d94bc4 --- /dev/null +++ b/doc/rfc/rfc5353.txt @@ -0,0 +1,2187 @@ + + + + + + +Network Working Group Q. Xie +Request for Comments: 5353 R. Stewart +Category: Experimental The Resource Group + M. Stillman + Nokia + M. Tuexen + Muenster Univ. of Applied Sciences + A. Silverton + Sun Microsystems, Inc. + September 2008 + + + Endpoint Handlespace Redundancy Protocol (ENRP) + +Status of This Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Abstract + + The Endpoint Handlespace Redundancy Protocol (ENRP) is designed to + work in conjunction with the Aggregate Server Access Protocol (ASAP) + to accomplish the functionality of the Reliable Server Pooling + (RSerPool) requirements and architecture. Within the operational + scope of RSerPool, ENRP defines the procedures and message formats of + a distributed, fault-tolerant registry service for storing, + bookkeeping, retrieving, and distributing pool operation and + membership information. + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Definitions ................................................3 + 1.2. Conventions ................................................4 + 2. ENRP Message Definitions ........................................4 + 2.1. ENRP_PRESENCE Message ......................................5 + 2.2. ENRP_HANDLE_TABLE_REQUEST Message ..........................6 + 2.3. ENRP_HANDLE_TABLE_RESPONSE Message .........................7 + 2.4. ENRP_HANDLE_UPDATE Message .................................9 + 2.5. ENRP_LIST_REQUEST Message .................................10 + 2.6. ENRP_LIST_RESPONSE Message ................................11 + 2.7. ENRP_INIT_TAKEOVER Message ................................12 + 2.8. ENRP_INIT_TAKEOVER_ACK Message ............................13 + 2.9. ENRP_TAKEOVER_SERVER Message ..............................14 + 2.10. ENRP_ERROR Message .......................................15 + + + +Xie, et al. Experimental [Page 1] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + 3. ENRP Operation Procedures ......................................15 + 3.1. Methods for Communicating amongst ENRP Servers ............16 + 3.2. ENRP Server Initialization ................................16 + 3.2.1. Generate a Server Identifier .......................16 + 3.2.2. Acquire Peer Server List ...........................17 + 3.2.2.1. Finding the Mentor Server .................17 + 3.2.2.2. Request Complete Server List from + Mentor Peer ...............................17 + 3.2.3. Download ENRP Handlespace Data from Mentor Peer ....18 + 3.3. Server Handlespace Update .................................20 + 3.3.1. Announcing Additions or Updates of PE ..............20 + 3.3.2. Announcing Removal of PE ...........................21 + 3.4. Maintaining Peer List and Monitoring Peer Status ..........22 + 3.4.1. Discovering New Peer ...............................22 + 3.4.2. Server Sending Heartbeat ...........................22 + 3.4.3. Detecting Peer Server Failure ......................23 + 3.5. Taking Over a Failed Peer Server ..........................23 + 3.5.1. Initiating Server Take-over Arbitration ............23 + 3.5.2. Takeover Target Peer Server ........................24 + 3.6. Handlespace Data Auditing and Re-synchronization ..........25 + 3.6.1. Auditing Procedures ................................25 + 3.6.2. PE Checksum Calculation Algorithm ..................26 + 3.6.3. Re-Synchronization Procedures ......................27 + 3.7. Handling Unrecognized Messages or Unrecognized + Parameters ................................................28 + 4. Variables and Thresholds .......................................28 + 4.1. Variables .................................................28 + 4.2. Thresholds ................................................28 + 5. IANA Considerations ............................................28 + 5.1. A New Table for ENRP Message Types ........................29 + 5.2. A New Table for Update Action Types .......................29 + 5.3. Port Numbers ..............................................30 + 5.4. SCTP Payload Protocol Identifier ..........................30 + 6. Security Considerations ........................................30 + 6.1. Summary of RSerPool Security Threats ......................30 + 6.2. Implementing Security Mechanisms ..........................32 + 6.3. Chain of Trust ............................................34 + 7. Acknowledgments ................................................35 + 8. References .....................................................36 + 8.1. Normative References ......................................36 + 8.2. Informative References ....................................37 + + + + + + + + + + +Xie, et al. Experimental [Page 2] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +1. Introduction + + ENRP is designed to work in conjunction with ASAP [RFC5352] to + accomplish the functionality of RSerPool as defined by its + requirements [RFC3237]. + + Within the operational scope of RSerPool, ENRP defines the procedures + and message formats of a distributed, fault-tolerant registry service + for storing, bookkeeping, retrieving, and distributing pool operation + and membership information. + + Whenever appropriate, in the rest of this document, we will refer to + this RSerPool registry service as ENRP handlespace, or simply + handlespace, because it manages all pool handles. + +1.1. Definitions + + This document uses the following terms: + + Operational scope: The part of the network visible to pool users by + a specific instance of the reliable server pooling protocols. + + Pool (or server pool): A collection of servers providing the same + application functionality. + + Pool handle: A logical pointer to a pool. Each server pool will be + identifiable in the operational scope of the system by a unique + pool handle. + + Pool element: A server entity having registered to a pool. + + Pool user: A server pool user. + + Pool element handle (or endpoint handle): A logical pointer to a + particular pool element in a pool, consisting of the pool handle + and a destination transport address of the pool element. + + Handle space: A cohesive structure of pool handles and relations + that may be queried by an internal or external agent. + + ENRP client channel: The communication channel through which an ASAP + User (either a Pool Element (PE) or Pool User (PU)) requests ENRP + handlespace service. The client channel is usually defined by the + transport address of the Home ENRP server and a well-known port + number. + + + + + + +Xie, et al. Experimental [Page 3] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + ENRP server channel: Defined by a list of IP addresses (one for each + ENRP server in an operational scope) and a well-known port number. + All ENRP servers in an operational scope can send "group-cast" + messages to other servers through this channel. In a "group- + cast", the sending server sends multiple copies of the message, + one to each of its peer servers, over a set of point-to-point + Stream Control Transmission Protocol (SCTP) associations between + the sending server and the peers. The "group-cast" may be + conveniently implemented with the use of the "SCTP_SENDALL" option + on a one-to-many style SCTP socket. + + Home ENRP server: The ENRP server to which a PE or PU currently + belongs. A PE MUST only have one Home ENRP server at any given + time, and both the PE and its Home ENRP server MUST keep track of + this master/slave relationship between them. A PU SHOULD select + one of the available ENRP servers as its Home ENRP server. + +1.2. Conventions + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +2. ENRP Message Definitions + + In this section, we define the format of all ENRP messages. These + are messages sent and received amongst ENRP servers in an operational + scope. Messages sent and received between a PE/PU and an ENRP server + are part of ASAP and are defined in [RFC5352]. A common format, that + is defined in [RFC5354], is used for all ENRP and ASAP messages. + + Most ENRP messages contain a combination of fixed fields and TLV + (Type-Length-Value) parameters. The TLV parameters are also defined + in [RFC5354]. If a nested TLV parameter is not ended on a 32-bit + word boundary, it will be padded with all '0' octets to the next 32- + bit word boundary. + + All messages, as well as their fields/parameters described below, + MUST be transmitted in network byte order (aka Big Endian, meaning + the most significant byte is transmitted first). + + + + + + + + + + + +Xie, et al. Experimental [Page 4] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + For ENRP, the following message types are defined in this section: + + Type Message Name + ----- ------------------------- + 0x00 - (Reserved by IETF) + 0x01 - ENRP_PRESENCE + 0x02 - ENRP_HANDLE_TABLE_REQUEST + 0x03 - ENRP_HANDLE_TABLE_RESPONSE + 0x04 - ENRP_HANDLE_UPDATE + 0x05 - ENRP_LIST_REQUEST + 0x06 - ENRP_LIST_RESPONSE + 0x07 - ENRP_INIT_TAKEOVER + 0x08 - ENRP_INIT_TAKEOVER_ACK + 0x09 - ENRP_TAKEOVER_SERVER + 0x0a - ENRP_ERROR + 0x0b-0xff - (Reserved by IETF) + + Figure 1 + +2.1. ENRP_PRESENCE Message + + This ENRP message is used to announce (periodically) the presence of + an ENRP server, or to probe the status of a peer ENRP server. This + message is either sent on the ENRP server channel or sent point-to- + point to another ENRP server. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x01 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : PE Checksum Param : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Server Information Param (optional) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Sending Server's ID: 32 bits (unsigned integer) + + This is the ID of the ENRP server that sent this message. + + + + + + + + +Xie, et al. Experimental [Page 5] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + Receiving Server's ID: 32 bits (unsigned integer) + + This is the ID of the ENRP server to which this message is + intended. If the message is not intended for an individual + server (e.g., the message is group-casted to a group of + servers), this field MUST be sent with all 0s. If the message + is sent point-to-point, this field MAY be sent with all 0s. + + PE Checksum Parameter: + + This is a TLV that contains the latest PE checksum of the ENRP + server that sends the ENRP_PRESENCE. This parameter SHOULD be + included for handlespace consistency auditing. See + Section 3.6.1 for details. + + Server Information Parameter: + + If this parameter is present, it contains the server + information of the sender of this message (the Server + Information Parameter is defined in [RFC5354]). This parameter + is optional. However, if this message is sent in response to a + received "reply required" ENRP_PRESENCE from a peer, the sender + then MUST include its server information. + + Note, at startup, an ENRP server MUST pick a randomly generated, non- + zero 32-bit unsigned integer as its ID and MUST use this same ID + until the ENRP server is rebooted. + +2.2. ENRP_HANDLE_TABLE_REQUEST Message + + An ENRP server sends this message to one of its peers to request a + copy of the handlespace data. This message is normally used during + server initialization or handlespace re-synchronization. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x02 |0|0|0|0|0|0|0|W| Message Length = 0xC | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + + + + +Xie, et al. Experimental [Page 6] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + W (oWn-children-only) Flag: 1 bit + + Set to '1' if the sender of this message is only requesting + information about the PEs owned by the message receiver. + Otherwise, set to '0'. + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + +2.3. ENRP_HANDLE_TABLE_RESPONSE Message + + The PEER_NAME_TABLE_RESPONSE message is sent by an ENRP server in + response to a received PEER_NAME_TABLE_REQUEST message to assist + peer-server initialization or handlespace synchronization. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x03 |0|0|0|0|0|0|M|R| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : : + : Pool Entry #1 (optional) : + : : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : : + : ... : + : : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : : + : Pool Entry #n (optional) : + : : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + M (More_to_send) Flag: 1 bit + + Set to '1' if the sender of this message has more pool entries + to send in subsequent ENRP_HANDLE_TABLE_RESPONSE messages. + Otherwise, set to '0'. + + + + +Xie, et al. Experimental [Page 7] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + R (Reject) Flag: 1 bit + + MUST be set to '1' if the sender of this message is rejecting a + handlespace request. In this case, pool entries MUST NOT be + included. This might happen if the sender of this message is + in the middle of initializing its database or is under high + load. + + Message Length: 16 bits (unsigned integer) + + Indicates the entire length of the message, including the + header, in number of octets. + + Note, the value in the Message Length field will NOT cover any + padding at the end of this message. + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + Pool Entry #1-#n: + + If the R flag is set to '0', at least one pool entry SHOULD be + present in this message. Each pool entry MUST start with a + Pool Handle parameter, as defined in Section 3.9 of [RFC5354], + and is followed by one or more Pool Element parameters in TLV + format, as shown below: + + +---------------------------+ + : Pool Handle : + +---------------------------+ + : PE #1 : + +---------------------------+ + : PE #2 : + +---------------------------+ + : ... : + +---------------------------+ + : PE #n : + +---------------------------+ + + + + + + + + +Xie, et al. Experimental [Page 8] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +2.4. ENRP_HANDLE_UPDATE Message + + The PEER_NAME_UPDATE message is sent by the Home ENRP server of a PE + to all peer servers to announce registration, re-registration, or de- + registration of the PE in the handlespace. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x04 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Update Action | (reserved) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Element Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Message Length: 16 bits (unsigned integer) + + Indicates the entire length of the message, including the + header, in number of octets. + + Note, the value in the Message Length field will NOT cover any + padding at the end of this message. + + Update Action: 16 bits (unsigned integer) + + This field indicates the requested action of the specified PE. + The field MUST be set to one of the following values: + + 0x0000 - ADD_PE: Add or update the specified PE in the ENRP + handlespace. + + 0x0001 - DEL_PE: Delete the specified PE from the ENRP + handlespace. + + 0x0002 - 0xFFFF: Reserved by IETF. + + Other values are reserved by IETF and MUST NOT be used. + + + + + + + +Xie, et al. Experimental [Page 9] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + Reserved: 16 bits + + This field MUST be set to all 0s by the sender and ignored by + the receiver. + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + Pool Handle: + + Specifies to which the PE belongs. + + Pool Element: + + Specifies the PE. + +2.5. ENRP_LIST_REQUEST Message + + The PEER_LIST_REQUEST message is sent to request a current copy of + the ENRP server list. This message is normally sent from a newly + activated ENRP server to an established ENRP server as part of the + initialization process. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x05 |0|0|0|0|0|0|0|0| Message Length = 0xC | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + + + + + +Xie, et al. Experimental [Page 10] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +2.6. ENRP_LIST_RESPONSE Message + + The PEER_LIST_RESPONSE message is sent in response from an ENRP + server that receives a PEER_LIST_REQUEST message to return + information about known ENRP servers. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x06 |0|0|0|0|0|0|0|R| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Server Information Parameter of Peer #1 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : ... : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Server Information Parameter of Peer #n : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + R (Reject) Flag: 1 bit + + This flag MUST be set to '1' if the sender of this message is + rejecting a PEER_LIST_REQUEST message. If this case occurs, + the message MUST NOT include any Server Information Parameters. + + Message Length: 16 bits (unsigned integer) + + Indicates the entire length of the message in number of octets. + + Note, the value in the Message Length field will NOT cover any + padding at the end of this message. + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + Server Information Parameter of Peer #1-#n: + + Each contains a Server Information Parameter of a peer known to + the sender. The Server Information Parameter is defined in + [RFC5354]. + + + +Xie, et al. Experimental [Page 11] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +2.7. ENRP_INIT_TAKEOVER Message + + The ENRP_INIT_TAKEOVER message is sent by an ENRP server (the + takeover initiator) to announce its intention of taking over a + specific peer ENRP server. It is sent to all its peers. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x07 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Targeting Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + Targeting Server's ID: 32 bits (unsigned integer) + + This is the ID of the peer ENRP that is the target of this + takeover attempt. + + + + + + + + + + + + + + + + + + + + + +Xie, et al. Experimental [Page 12] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +2.8. ENRP_INIT_TAKEOVER_ACK Message + + The PEER_INIT_TAKEOVER_ACK message is sent in response to a takeover + initiator to acknowledge the reception of the PEER_INIT_TAKEOVER + message and that it does not object to the takeover. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x08 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Targeting Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + Targeting Server's ID: + + This is the ID of the peer ENRP that is the target of this + takeover attempt. + + + + + + + + + + + + + + + + + + + + + +Xie, et al. Experimental [Page 13] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +2.9. ENRP_TAKEOVER_SERVER Message + + The PEER_TAKEOVER_REGISTRAR message is sent by the takeover initiator + to declare the enforcement of a takeover to all active peer ENRP + servers. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x09 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Targeting Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + Targeting Server's ID: + + This is the ID of the peer ENRP that is the target of this + takeover operation. + + + + + + + + + + + + + + + + + + + + + +Xie, et al. Experimental [Page 14] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +2.10. ENRP_ERROR Message + + The ENRP_ERROR message is sent by a registrar to report an + operational error to a peer ENRP server. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x0a |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sending Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiving Server's ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Operational Error Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Sending Server's ID: + + See Section 2.1. + + Receiving Server's ID: + + See Section 2.1. + + Operational Error Parameter: + + This parameter, defined in [RFC5354], indicates the type of + error(s) being reported. + +3. ENRP Operation Procedures + + In this section, we discuss the operation procedures defined by ENRP. + An ENRP server MUST follow these procedures when sending, receiving, + or processing ENRP messages. + + Many of the RSerPool events call for both server-to-server and PU/ + PE-to-server message exchanges. Only the message exchanges and + activities between an ENRP server and its peer(s) are considered + within the ENRP scope and are defined in this document. + + Procedures for exchanging messages between a PE/PU and ENRP servers + are defined in [RFC5352]. + + + + + + + + +Xie, et al. Experimental [Page 15] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +3.1. Methods for Communicating amongst ENRP Servers + + Within an RSerPool operational scope, ENRP servers need to + communicate with each other in order to exchange information, such as + the pool membership changes, handlespace data synchronization, etc. + + Two types of communications are used amongst ENRP servers: + + o point-to-point message exchanges from one ENPR server to a + specific peer server, and + + o announcements from one server to all its peer servers in the + operational scope. + + Point-to-point communication is always carried out over an SCTP + association between the sending server and the receiving server. + Announcements are sent out via "group-casts" over the ENRP server + channel. + +3.2. ENRP Server Initialization + + This section describes the steps a new ENRP server needs to take in + order to join the other existing ENRP servers, or to initiate the + handlespace service if it is the first ENRP server started in the + operational scope. + +3.2.1. Generate a Server Identifier + + A new ENRP server MUST generate a non-zero, 32-bit server ID that is + as unique as possible among all the ENRP servers in the operational + scope, and this server ID MUST remain unchanged for the lifetime of + the server. Normally, a good 32-bit random number will be good + enough, as the server ID [RFC4086] provides some information on + randomness guidelines. + + Note, there is a very remote chance (about 1 in about 4 billion) that + two ENRP servers in an operational scope will generate the same + server ID and hence cause a server ID conflict in the pool. However, + no severe consequence of such a conflict has been identified. + + Note, the ENRP server ID space is separate from the PE Id space + defined in [RFC5352]. + + + + + + + + + +Xie, et al. Experimental [Page 16] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +3.2.2. Acquire Peer Server List + + At startup, the ENRP server (the initiating server) will first + attempt to learn of all existing peer ENRP servers in the same + operational scope, or to determine that it is alone in the scope. + + The initiating server uses an existing peer server to bootstrap + itself into service. We call this peer server the mentor server. + +3.2.2.1. Finding the Mentor Server + + If the initiating server is told about one existing peer server + through some administrative means (such as DNS query, configuration + database, startup scripts, etc.), the initiating server MUST then use + this peer server as its mentor server. + + If multiple existing peer servers are specified, the initiating + server MUST pick one of them as its mentor server and keep the others + as its backup mentor servers. + + If no existing peer server is specified, the initiating server MUST + assume that it is alone in the operational scope, and MUST skip the + procedures in Section 3.2.2.2 and Section 3.2.3 and MUST consider its + initialization completed and start offering ENRP services. + +3.2.2.2. Request Complete Server List from Mentor Peer + + Once the initiating server finds its mentor peer server (by either + discovery or administrative means), the initiating server MUST send + an ENRP_LIST_REQUEST message to the mentor peer server to request a + copy of the complete server list maintained by the mentor peer (see + Section 3.4 for maintaining a server list). + + The initiating server SHOULD start a MAX-TIME-NO-RESPONSE timer every + time it finishes sending an ENRP_LIST_REQUEST message. If the timer + expires before receiving a response from the mentor peer, the + initiating server SHOULD abandon the interaction with the current + mentor server and send a new server list request to a backup mentor + peer, if one is available. + + Upon the reception of this request, the mentor peer server SHOULD + reply with an ENRP_LIST_RESPONSE message and include in the message + body all existing ENRP servers known by the mentor peer. + + Upon the reception of the ENRP_LIST_RESPONSE message from the mentor + peer, the initiating server MUST use the server information carried + in the message to initialize its own peer list. + + + + +Xie, et al. Experimental [Page 17] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + However, if the mentor itself is in the process of startup and not + ready to provide a peer server list (for example, the mentor peer is + waiting for a response to its own ENRP_LIST_REQUEST to another + server), it MUST reject the request by the initiating server and + respond with an ENRP_LIST_RESPONSE message with the R flag set to + '1', and with no server information included in the response. + + In the case where its ENRP_LIST_REQUEST is rejected by the mentor + peer, the initiating server SHOULD either wait for a few seconds and + re-send the ENRP_LIST_REQUEST to the mentor server, or if there is a + backup mentor peer available, select another mentor peer server and + send the ENRP_LIST_REQUEST to the new mentor server. + +3.2.3. Download ENRP Handlespace Data from Mentor Peer + + After a peer list download is completed, the initiating server MUST + request a copy of the current handlespace data from its mentor peer + server, by taking the following steps: + + 1. The initiating server MUST first send an + ENRP_HANDLE_TABLE_REQUEST message to the mentor peer, with the W + flag set to '0', indicating that the entire handlespace is + requested. + + 2. Upon the reception of this message, the mentor peer MUST start a + download session in which a copy of the current handlespace data + maintained by the mentor peer is sent to the initiating server in + one or more ENRP_HANDLE_TABLE_RESPONSE messages. (Note, the + mentor server may find it particularly desirable to use multiple + ENRP_HANDLE_TABLE_RESPONSE messages to send the handlespace when + the handlespace is large, especially when forming and sending out + a single response containing a large handlespace may interrupt + its other services.) + + If more than one ENRP_HANDLE_TABLE_RESPONSE message is used + during the download, the mentor peer MUST use the M flag in each + ENRP_HANDLE_TABLE_RESPONSE message to indicate whether this + message is the last one for the download session. In particular, + the mentor peer MUST set the M flag to '1' in the outbound + ENRP_HANDLE_TABLE_RESPONSE if there is more data to be + transferred and MUST keep track of the progress of the current + download session. The mentor peer MUST set the M flag to '0' in + the last ENRP_HANDLE_TABLE_RESPONSE for the download session and + close the download session (i.e., removing any internal record of + the session) after sending out the last message. + + + + + + +Xie, et al. Experimental [Page 18] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + 3. During the downloading, every time the initiating server receives + an ENRP_HANDLE_TABLE_RESPONSE message, it MUST transfer the data + entries carried in the message into its local handlespace + database, and then check whether or not this message is the last + one for the download session. + + If the M flag is set to '1' in the just processed + ENRP_HANDLE_TABLE_RESPONSE message, the initiating server MUST + send another ENRP_HANDLE_TABLE_REQUEST message to the mentor peer + to request for the next ENRP_HANDLE_TABLE_RESPONSE message. + + 4. When unpacking the data entries from a ENRP_HANDLE_TABLE_RESPONSE + message into its local handlespace database, the initiating + server MUST handle each pool entry carried in the message using + the following rules: + + A. If the pool does not exist in the local handlespace, the + initiating server MUST create the pool in the local + handlespace and add the PE(s) in the pool entry to the pool. + + When creating the pool, the initiation server MUST set the + overall member selection policy type of the pool to the + policy type indicated in the first PE. + + B. If the pool already exists in the local handlespace, but the + PE(s) in the pool entry is not currently a member of the + pool, the initiating server MUST add the PE(s) to the pool. + + C. If the pool already exists in the local handlespace AND the + PE(s) in the pool entry is already a member of the pool, the + initiating server SHOULD replace the attributes of the + existing PE(s) with the new information. ENRP will make sure + that the information stays up to date. + + 5. When the last ENRP_HANDLE_TABLE_RESPONSE message is received from + the mentor peer and unpacked into the local handlespace, the + initialization process is completed and the initiating server + SHOULD start to provide ENRP services. + + Under certain circumstances, the mentor peer itself may not be able + to provide a handlespace download to the initiating server. For + example, the mentor peer is in the middle of initializing its own + handlespace database, or it currently has too many download sessions + open to other servers. + + + + + + + +Xie, et al. Experimental [Page 19] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + In such a case, the mentor peer MUST reject the request by the + initiating server and respond with an ENRP_HANDLE_TABLE_RESPONSE + message with the R flag set to '1', and with no pool entries included + in the response. + + In the case where its ENRP_HANDLE_TABLE_REQUEST is rejected by the + mentor peer, the initiating server SHOULD either wait for a few + seconds and re-send the ENRP_HANDLE_TABLE_REQUEST to the mentor + server, or if there is a backup mentor peer available, select another + mentor peer server and send the ENRP_HANDLE_TABLE_REQUEST to the new + mentor server. + + A handlespace download session that has been started may get + interrupted for some reason. To cope with this, the initiating + server SHOULD start a timer every time it finishes sending an + ENRP_HANDLE_TABLE_REQUEST to its mentor peer. If this timer expires + without receiving a response from the mentor peer, the initiating + server SHOULD abort the current download session and re-start a new + handlespace download with a backup mentor peer, if one is available. + + Similarly, after sending out an ENRP_HANDLE_TABLE_RESPONSE, and the + mentor peer setting the M-bit to '1' to indicate that it has more + data to send, it SHOULD start a session timer. If this timer expires + without receiving another request from the initiating server, the + mentor peer SHOULD abort the session, cleaning out any resource and + record of the session. + +3.3. Server Handlespace Update + + This includes a set of update operations used by an ENRP server to + inform its peers when its local handlespace is modified, e.g., + addition of a new PE, removal of an existing PE, change of pool or PE + properties. + +3.3.1. Announcing Additions or Updates of PE + + When a new PE is granted registration to the handlespace or an + existing PE is granted a re-registration, the Home ENRP server uses + this procedure to inform all its peers. + + This is an ENRP announcement and is sent to all the peer of the Home + ENRP server. See Section 3.1 on how announcements are sent. + + An ENRP server MUST announce this update to all its peers in a + ENRP_HANDLE_UPDATE message with the Update Action field set to + 'ADD_PE', indicating the addition of a new PE or the modification of + + + + + +Xie, et al. Experimental [Page 20] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + an existing PE. The complete new information of the PE and the pool + it belongs to MUST be indicated in the message with a PE parameter + and a Pool Handle parameter, respectively. + + The Home ENRP server SHOULD fill in its server ID in the Sending + Server's ID field and leave the Receiving Server's ID blank (i.e., + all 0s). + + When a peer receives this ENRP_HANDLE_UPDATE message, it MUST take + the following actions: + + 1. If the named pool indicated by the pool handle does not exist in + its local copy of the handlespace, the peer MUST create the named + pool in its local handlespace and add the PE to the pool as the + first PE. It MUST then copy in all other attributes of the PE + carried in the message. + + When the new pool is created, the overall member selection policy + of the pool MUST be set to the policy type indicated by the PE. + + 2. If the named pool already exists in the peer's local copy of the + handlespace *and* the PE does not exist, the peer MUST add the PE + to the pool as a new PE and copy in all attributes of the PE + carried in the message. + + 3. If the named pool exists *and* the PE is already a member of the + pool, the peer MUST replace the attributes of the PE with the new + information carried in the message. + +3.3.2. Announcing Removal of PE + + When an existing PE is granted de-registration or is removed from its + handlespace for some other reasons (e.g., purging an unreachable PE, + see Section 3.5 in [RFC5352]), the ENRP server MUST use this + procedure to inform all its peers about the change just made. + + This is an ENRP announcement and is sent to all the peers of the Home + ENRP server. See Section 3.1 on how announcements are sent. + + An ENRP server MUST announce the PE removal to all its peers in an + ENRP_HANDLE_UPDATE message with the Update Action field set to + DEL_PE, indicating the removal of an existing PE. The complete + information of the PE and the pool it belongs to MUST be indicated in + the message with a PE parameter and a Pool Handle parameter, + respectively. + + + + + + +Xie, et al. Experimental [Page 21] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + The sending server MUST fill in its server ID in the Sending Server's + ID field and leave the Receiving Server's ID blank (i.e., set to all + 0s). + + When a peer receives this ENRP_HANDLE_UPDATE message, it MUST first + find the pool and the PE in its own handlespace, and then remove the + PE from its local handlespace. If the removed PE is the last one in + the pool, the peer MUST also delete the pool from its local + handlespace. + + If the peer fails to find the PE or the pool in its handlespace, it + SHOULD take no further actions. + +3.4. Maintaining Peer List and Monitoring Peer Status + + An ENRP server MUST keep an internal record on the status of each of + its known peers. This record is referred to as the server's "peer + list". + +3.4.1. Discovering New Peer + + If a message of any type is received from a previously unknown peer, + the ENRP server MUST consider this peer a new peer in the operational + scope and add it to the peer list. + + The ENRP server MUST send an ENRP_PRESENCE message with the Reply- + required flag set to '1' to the source address found in the arrived + message. This will force the new peer to reply with its own + ENRP_PRESENCE containing its full server information (see + Section 2.1). + +3.4.2. Server Sending Heartbeat + + Every PEER-HEARTBEAT-CYCLE seconds, an ENRP server MUST announce its + continued presence to all its peer with a ENRP_PRESENCE message. In + the ENRP_PRESENCE message, the ENRP server MUST set the + 'Replay_required' flag to '0', indicating that no response is + required. + + The arrival of this periodic ENRP_PRESENCE message will cause all its + peers to update their internal variable "peer_last_heard" for the + sending server (see Section 3.4.3 for more details). + + + + + + + + + +Xie, et al. Experimental [Page 22] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +3.4.3. Detecting Peer Server Failure + + An ENRP server MUST keep an internal variable "peer_last_heard" for + each of its known peers and the value of this variable MUST be + updated to the current local time every time a message of any type + (point-to-point or announcement) is received from the corresponding + peer. + + If a peer has not been heard for more than MAX-TIME-LAST-HEARD + seconds, the ENRP server MUST immediately send a point-to-point + ENRP_PRESENCE with the Reply_request flag set to '1' to that peer. + + If the send fails or the peer does not reply after MAX-TIME-NO- + RESPONSE seconds, the ENRP server MUST consider the peer server dead + and SHOULD initiate the takeover procedure defined in Section 3.5. + +3.5. Taking Over a Failed Peer Server + + In the following descriptions, we call the ENRP server that detects + the failed peer server and initiates the takeover the "initiating + server" and the failed peer server the "target server". This allows + the PE to continue to operate in case of a failure of their Home ENRP + server. + +3.5.1. Initiating Server Take-over Arbitration + + The initiating server SHOULD first start the takeover arbitration + process by sending an ENRP_INIT_TAKEOVER message to all its peer + servers. See Section 3.1 on how announcements are sent. In the + message, the initiating server MUST fill in the Sending Server's ID + and Targeting Server's ID. The goal is that only one ENRP server + takes over the PE from the target. + + After announcing the ENRP_INIT_TAKEOVER message ("group-casting" to + all known peers, including the target server), the initiating server + SHOULD wait for an ENRP_INIT_TAKEOVER_ACK message from each of its + known peers, except that of the target server. + + Each peer receiving an ENRP_INIT_TAKEOVER message from the initiating + server MUST take the following actions: + + 1. If the peer server determines that it (itself) is the target + server indicated in the ENRP_INIT_TAKEOVER message, it MUST + immediately announce an ENRP_PRESENCE message to all its peer + ENRP servers in an attempt to stop this takeover process. This + + + + + + +Xie, et al. Experimental [Page 23] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + indicates a false failure-detection case by the initiating + server. The initiating server MUST stop the takeover operation + by marking the target server as "active" and taking no further + takeover actions. + + 2. If the peer server finds that it has already started its own + takeover arbitration process on the same target server, it MUST + perform the following arbitration: + + A. If the peer's server ID is smaller in value than the Sending + Server's ID in the arrived ENRP_INIT_TAKEOVER message, the + peer server MUST immediately abort its own take-over attempt + by taking no further takeover actions of its own. Moreover, + the peer MUST mark the target server as "not active" on its + internal peer list so that its status will no longer be + monitored by the peer, and reply to the initiating server + with an ENRP_INIT_TAKEOVER_ACK message. + + B. Otherwise, the peer MUST ignore the ENRP_INIT_TAKEOVER + message. + + 3. If the peer finds that it is neither the target server nor is in + its own takeover process, the peer MUST: a) mark the target + server as "not active" on its internal peer list so that its + status will no longer be monitored by this peer, and b) MUST + reply to the initiating server with an ENRP_INIT_TAKEOVER_ACK + message. + + Once the initiating server has received the ENRP_INIT_TAKEOVER_ACK + message from all of its currently known peers (except for the target + server), it MUST consider that it has won the arbitration and MUST + proceed to complete the takeover, following the steps described in + Section 3.5.2. + + However, if it receives an ENRP_PRESENCE from the target server at + any point in the arbitration process, the initiating server MUST + immediately stop the takeover process and mark the status of the + target server as "active". + +3.5.2. Takeover Target Peer Server + + The initiating ENRP server MUST first send, via an announcement, an + ENRP_TAKEOVER_SERVER message to inform all its active peers that the + takeover has been enforced. The target server's ID MUST be filled in + the message. The initiating server SHOULD then remove the target + server from its internal peer list. + + + + + +Xie, et al. Experimental [Page 24] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + Then, it SHOULD examine its local copy of the handlespace and claim + ownership of each of the PEs originally owned by the target server, + by following these steps: + + 1. mark itself as the Home ENRP server of each of the PEs originally + owned by the target server; + + 2. send a point-to-point ASAP_ENDPOINT_KEEP_ALIVE message, with the + 'H' flag set to '1', to each of the PEs. This will trigger the + PE to adopt the initiating sever as its new Home ENRP server. + + When a peer receives the ENRP_TAKEOVER_SERVER message from the + initiating server, it SHOULD update its local peer list and PE cache + by following these steps: + + 1. remove the target server from its internal peer list; + + 2. update the Home ENRP server of each PE in its local copy of the + handlespace to be the sender of the message, i.e., the initiating + server. + +3.6. Handlespace Data Auditing and Re-synchronization + + Message losses or certain temporary breaks in network connectivity + may result in data inconsistency in the local handlespace copy of + some of the ENRP servers in an operational scope. Therefore, each + ENRP server in the operational scope SHOULD periodically verify that + its local copy of handlespace data is still in sync with that of its + peers. + + This section defines the auditing and re-synchronization procedures + for an ENRP server to maintain its handlespace data consistency. + +3.6.1. Auditing Procedures + + A checksum covering the data that should be the same is exchanged to + figure out whether or not the data is the same. + + The auditing of handlespace consistency is based on the following + procedures: + + 1. An ENRP server SHOULD keep a separate PE checksum (a 16-bit + integer internal variable) for each of its known peers and for + itself. For an ENRP server with 'k' known peers, we denote these + internal variables as "pe_checksum_pr0", "pe_checksum_pr1", ..., + "pe_checksum_prk", where "pe_checksum_pr0" is the server's own PE + checksum. The list of what these checksums cover and a detailed + algorithm for calculating them is given in Section 3.6.2. + + + +Xie, et al. Experimental [Page 25] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + 2. Each time an ENRP server sends out an ENRP_PRESENCE, it MUST + include in the message its current PE checksum (i.e., + "pe_checksum_pr0"). + + 3. When an ENRP server (server A) receives a PE checksum (carried in + an arrived ENRP_PRESENCE) from a peer ENRP server (server B), + server A SHOULD compare the PE checksum found in the + ENRP_PRESENCE with its own internal PE checksum of server B + (i.e., "pe_checksum_prB"). + + 4. If the two values match, server A will consider that there is no + handlespace inconsistency between itself and server B, and it + should take no further actions. + + 5. If the two values do NOT match, server A SHOULD consider that + there is a handlespace inconsistency between itself and server B, + and a re-synchronization process SHOULD be carried out + immediately with server B (see Section 3.6.3). + +3.6.2. PE Checksum Calculation Algorithm + + When an ENRP server (server A) calculates an internal PE checksum for + a peer (server B), it MUST use the following algorithm. + + Let us assume that in server A's internal handlespace, there are + currently 'M' PEs that are owned by server B. Each of the 'M' PEs + will then contribute to the checksum calculation with the following + byte block: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool handle string of the pool the PE belongs (padded with : + : zeros to next 32-bit word boundary, if needed) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | PE Id (4 octets) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Note, these are not TLVs. This byte block gives each PE a unique + byte pattern in the scope. The 16-bit PE checksum for server B + "pe_checksum_prB" is then calculated over the byte blocks contributed + by the 'M' PEs one by one. The PE checksum calculation MUST use the + Internet algorithm described in [RFC1071]. + + Server A MUST calculate its own PE checksum (i.e., "pe_checksum_pr0") + in the same fashion, using the byte blocks of all the PEs owned by + itself. + + + + +Xie, et al. Experimental [Page 26] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + Note, whenever an ENRP finds that its internal handlespace has + changed (e.g., due to PE registration/de-registration, receiving peer + updates, removing failed PEs, downloading handlespace pieces from a + peer, etc.), it MUST immediately update all its internal PE checksums + that are affected by the change. + + Implementation Note: when the internal handlespace changes (e.g., a + new PE added or an existing PE removed), an implementation need not + re-calculate the affected PE checksum; it can instead simply update + the checksum by adding or subtracting the byte block of the + corresponding PE from the previous checksum value. + +3.6.3. Re-Synchronization Procedures + + If an ENRP server determines that there is inconsistency between its + local handlespace data and a peer's handlespace data with regard to + the PEs owned by that peer, it MUST perform the following steps to + re-synchronize the data: + + 1. The ENRP server SHOULD first "mark" every PE it knows about that + is owned by the peer in its local handlespace database; + + 2. The ENRP server SHOULD then send an ENRP_HANDLE_TABLE_REQUEST + message with the W flag set to '1' to the peer to request a + complete list of PEs owned by the peer; + + 3. Upon reception of the ENRP_HANDLE_TABLE_REQUEST message with the + W flag set to '1', the peer server SHOULD immediately respond + with an ENRP_HANDLE_TABLE_RESPONSE message listing all PEs + currently owned by the peer. + + 4. Upon reception of the ENRP_HANDLE_TABLE_RESPONSE message, the + ENRP server SHOULD transfer the PE entries carried in the message + into its local handlespace database. If a PE entry being + transferred already exists in its local database, the ENRP server + MUST replace the entry with the copy found in the message and + remove the "mark" from the entry. + + 5. After transferring all the PE entries from the received + ENRP_HANDLE_TABLE_RESPONSE message into its local database, the + ENRP server SHOULD check whether there are still PE entries that + remain "marked" in its local handlespace. If so, the ENRP server + SHOULD silently remove those "marked" entries. + + Note, similar to what is described in Section 3.2.3, the peer may + reject the ENRP_HANDLE_TABLE_REQUEST or use more than one + ENRP_HANDLE_TABLE_RESPONSE message to respond. + + + + +Xie, et al. Experimental [Page 27] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +3.7. Handling Unrecognized Messages or Unrecognized Parameters + + When an ENRP server receives an ENRP message with an unknown message + type or a message of known type that contains an unknown parameter, + it SHOULD handle the unknown message or the unknown parameter + according to the unrecognized message and parameter handling rules + defined in Sections 3 and 4 in [RFC5354]. + + According to the rules, if an error report to the message sender is + needed, the ENRP server that discovered the error SHOULD send back an + ENRP_ERROR message with a proper error cause code. + +4. Variables and Thresholds + +4.1. Variables + + peer_last_heard - The local time that a peer server was last heard + (via receiving either a group-cast or point-to-point message from + the peer). + + pe_checksum_pr - The internal 16-bit PE checksum that an ENRP server + keeps for a peer. A separate PE checksum is kept for each of its + known peers as well as for itself. + +4.2. Thresholds + + PEER-HEARTBEAT-CYCLE - The period for an ENRP server to announce a + heartbeat message to all its known peers. (Default=30 secs.) + + MAX-TIME-LAST-HEARD - Pre-set threshold for how long an ENRP server + will wait before considering a silent peer server potentially + dead. (Default=61 secs.) + + MAX-TIME-NO-RESPONSE - Pre-set threshold for how long a message + sender will wait for a response after sending out a message. + (Default=5 secs.) + +5. IANA Considerations + + This document (RFC 5353) is the reference for all registrations + described in this section. All registrations have been listed on the + RSerPool Parameters page. + + + + + + + + + +Xie, et al. Experimental [Page 28] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +5.1. A New Table for ENRP Message Types + + ENRP Message Types are maintained by IANA. Ten initial values have + been assigned by IANA, as described in Figure 1. IANA created a new + table, "ENRP Message Types": + + Type Message Name Reference + ----- ------------------------- --------- + 0x00 (Reserved by IETF) RFC 5353 + 0x01 ENRP_PRESENCE RFC 5353 + 0x02 ENRP_HANDLE_TABLE_REQUEST RFC 5353 + 0x03 ENRP_HANDLE_TABLE_RESPONSE RFC 5353 + 0x04 ENRP_HANDLE_UPDATE RFC 5353 + 0x05 ENRP_LIST_REQUEST RFC 5353 + 0x06 ENRP_LIST_RESPONSE RFC 5353 + 0x07 ENRP_INIT_TAKEOVER RFC 5353 + 0x08 ENRP_INIT_TAKEOVER_ACK RFC 5353 + 0x09 ENRP_TAKEOVER_SERVER RFC 5353 + 0x0a ENRP_ERROR RFC 5353 + 0x0b-0xff (Available for assignment) RFC 5353 + + Requests to register an ENRP Message Type in this table should be + sent to IANA. The number must be unique. The "Specification + Required" policy of [RFC5226] MUST be applied. + +5.2. A New Table for Update Action Types + + Update Types are maintained by IANA. Two initial values have been + assigned by IANA. IANA created a new table, "Update Action Types": + + Type Update Action Reference + ------------- -------------------- --------- + 0x0000 ADD_PE RFC 5353 + 0x0001 DEL_PE RFC 5353 + 0x0002-0xffff (Available for assignment) RFC 5353 + + Requests to register an Update Action Type in this table should be + sent to IANA. The number must be unique. The "Specification + Required" policy of [RFC5226] MUST be applied. + + + + + + + + + + + + +Xie, et al. Experimental [Page 29] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +5.3. Port Numbers + + The references for the already assigned port numbers + + enrp-udp 9901/udp + + enrp-sctp 9901/sctp + + enrp-sctp-tls 9902/sctp + + have been updated to RFC 5353. + +5.4. SCTP Payload Protocol Identifier + + The reference for the already assigned ENRP payload protocol + identifier 12 have been updated to RFC 5353. + +6. Security Considerations + + We present a summary of the threats to the RSerPool architecture and + describe security requirements in response to mitigate the threats. + Next, we present the security mechanisms, based on TLS, that are + implementation requirements in response to the threats. Finally, we + present a chain-of-trust argument that examines critical data paths + in RSerPool and shows how these paths are protected by the TLS + implementation. + +6.1. Summary of RSerPool Security Threats + + "Threats Introduced by Reliable Server Pooling (RSerPool) and + Requirements for Security in Response to Threats" [RFC5355] describes + the threats to the RSerPool architecture in detail and lists the + security requirements in response to each threat. From the threats + described in this document, the security services required for the + RSerPool protocol are enumerated below. + + Threat 1) PE registration/de-registration flooding or spoofing + ----------- + Security mechanism in response: ENRP server authenticates the PE. + + Threat 2) PE registers with a malicious ENRP server + ----------- + Security mechanism in response: PE authenticates the ENRP server. + + Threats 1 and 2, taken together, result in mutual authentication of + the ENRP server and the PE. + + + + + +Xie, et al. Experimental [Page 30] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + Threat 3) Malicious ENRP server joins the ENRP server pool + ----------- + Security mechanism in response: ENRP servers mutually authenticate. + + Threat 4) A PU communicates with a malicious ENRP server for handle + resolution + ----------- + Security mechanism in response: The PU authenticates the ENRP server. + + Threat 5) Replay attack + ----------- + Security mechanism in response: Security protocol that has protection + from replay attacks. + + Threat 6) Corrupted data that causes a PU to have misinformation + concerning a pool handle resolution + ----------- + Security mechanism in response: Security protocol that supports + integrity protection + + Threat 7) Eavesdropper snooping on handlespace information + ----------- + Security mechanism in response: Security protocol that supports data + confidentiality. + + Threat 8) Flood of ASAP_ENDPOINT_UNREACHABLE messages from the PU to + ENRP server + ----------- + + Security mechanism in response: ASAP must control the number of ASAP + endpoint unreachable messages transmitted from the PU to the ENRP + server. + + Threat 9) Flood of ASAP_ENDPOINT_KEEP_ALIVE messages to the PE from + the ENRP server + ----------- + Security mechanism in response: ENRP server must control the number + of ASAP_ENDPOINT_KEEP_ALIVE messages to the PE. + + To summarize, threats 1-7 require security mechanisms that support + authentication, integrity, data confidentiality, and protection from + replay attacks. + + For RSerPool, we need to authenticate the following: + + PU <---- ENRP server (PU authenticates the ENRP server) + PE <----> ENRP server (mutual authentication) + ENRP server <-----> ENRP server (mutual authentication) + + + +Xie, et al. Experimental [Page 31] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +6.2. Implementing Security Mechanisms + + We do not define any new security mechanisms specifically for + responding to threats 1-7. Rather, we use an existing IETF security + protocol, specifically [RFC3237], to provide the security services + required. TLS supports all these requirements and MUST be + implemented. The TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite MUST be + supported, at a minimum, by implementers of TLS for RSerPool. For + purposes of backwards compatibility, ENRP SHOULD support + TLS_RSA_WITH_3DES_EDE_CBC_SHA. Implementers MAY also support any + other IETF-approved ciphersuites. + + ENRP servers, PEs, and PUs MUST implement TLS. ENRP servers and PEs + MUST support mutual authentication using PSK. ENRP servers MUST + support mutual authentication among themselves using PSK. PUs MUST + authenticate ENRP servers using certificates. + + TLS with PSK is mandatory to implement as the authentication + mechanism for ENRP to ENRP authentication and PE to ENRP + authentication. For PSK, having a pre-shared-key constitutes + authorization. The network administrators of a pool need to decide + which nodes are authorized to participate in the pool. The + justification for PSK is that we assume that one administrative + domain will control and manage the server pool. This allows for PSK + to be implemented and managed by a central security administrator. + + TLS with certificates is mandatory to implement as the authentication + mechanism for PUs to the ENRP server. PUs MUST authenticate ENRP + servers using certificates. ENRP servers MUST possess a site + certificate whose subject corresponds to their canonical hostname. + PUs MAY have certificates of their own for mutual authentication with + TLS, but no provisions are set forth in this document for their use. + All RSerPool elements that support TLS MUST have a mechanism for + validating certificates received during TLS negotiation; this entails + possession of one or more root certificates issued by certificate + authorities (preferably, well-known distributors of site certificates + comparable to those that issue root certificates for web browsers). + + In order to prevent man-in-the-middle attacks, the client MUST verify + the server's identity (as presented in the server's Certificate + message). The client's understanding of the server's identity + (typically the identity used to establish the transport connection) + is called the "reference identity". The client determines the type + (e.g., DNS name or IP address) of the reference identity and performs + a comparison between the reference identity and each subjectAltName + value of the corresponding type until a match is produced. Once a + match is produced, the server's identity has been verified, and the + server identity check is complete. Different subjectAltName types + + + +Xie, et al. Experimental [Page 32] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + are matched in different ways. The client may map the reference + identity to a different type prior to performing a comparison. + Mappings may be performed for all available subjectAltName types to + which the reference identity can be mapped; however, the reference + identity should only be mapped to types for which the mapping is + either inherently secure (e.g., extracting the DNS name from a URI to + compare with a subjectAltName of type dNSName) or for which the + mapping is performed in a secure manner (e.g., using DNS Security + (DNSSEC), or using user- or admin-configured host-to-address/ + address-to-host lookup tables). + + If the server identity check fails, user-oriented clients SHOULD + either notify the user or close the transport connection and indicate + that the server's identity is suspect. Automated clients SHOULD + close the transport connection and then return or log an error + indicating that the server's identity is suspect, or both. Beyond + the server identity check described in this section, clients should + be prepared to do further checking to ensure that the server is + authorized to provide the service it is requested to provide. The + client may need to make use of local policy information in making + this determination. + + If the reference identity is an internationalized domain name, + conforming implementations MUST convert it to the ASCII Compatible + Encoding (ACE) format, as specified in Section 4 of [RFC3490], before + comparison with subjectAltName values of type dNSName. Specifically, + conforming implementations MUST perform the conversion operation + specified in Section 4 of [RFC3490] as follows: * in step 1, the + domain name SHALL be considered a "stored string"; * in step 3, set + the flag called "UseSTD3ASCIIRules"; * in step 4, process each label + with the "ToASCII" operation; and * in step 5, change all label + separators to U+002E (full stop). + + After performing the "to-ASCII" conversion, the DNS labels and names + MUST be compared for equality according to the rules specified in + Section 3 of RFC 3490. The '*' (ASCII 42) wildcard character is + allowed in subjectAltName values of type dNSName, and then, only as + the left-most (least significant) DNS label in that value. This + wildcard matches any left-most DNS label in the server name. That + is, the subject *.example.com matches the server names a.example.com + and b.example.com, but does not match example.com or a.b.example.com. + + When the reference identity is an IP address, the identity MUST be + converted to the "network byte order" octet string representation RFC + 791 [RFC0791] and RFC 2460 [RFC2460]. For IP version 4, as specified + in RFC 791, the octet string will contain exactly four octets. For + IP version 6, as specified in RFC 2460, the octet string will contain + exactly sixteen octets. This octet string is then compared against + + + +Xie, et al. Experimental [Page 33] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + subjectAltName values of type iPAddress. A match occurs if the + reference identity octet string and value octet strings are + identical. + + After a TLS layer is established in a session, both parties are to + independently decide whether or not to continue based on local policy + and the security level achieved. If either party decides that the + security level is inadequate for it to continue, it SHOULD remove the + TLS layer immediately after the TLS (re)negotiation has completed + (see RFC 4511)[RFC4511]. Implementations may re-evaluate the + security level at any time and, upon finding it inadequate, should + remove the TLS layer. + + Implementations MUST support TLS with SCTP, as described in [RFC3436] + or TLS over TCP, as described in [RFC5246]. When using TLS/SCTP we + must ensure that RSerPool does not use any features of SCTP that are + not available to a TLS/SCTP user. This is not a difficult technical + problem, but simply a requirement. When describing an API of the + RSerPool lower layer, we also have to take into account the + differences between TLS and SCTP. + + Threat 8 requires the ASAP protocol to limit the number of + ASAP_ENDPOINT_UNREACHABLE messages (see Section 3.5 of RFC 5352) to + the ENRP server. + + Threat 9 requires the ENRP protocol to limit the number of + ASAP_ENDPOINT_KEEP_ALIVE messages from the ENRP server to the PE. + + There is no security mechanism defined for the multicast + announcements. Therefore, a receiver of such an announcement cannot + consider the source address of such a message to be a trustworthy + address of an ENRP server. A receiver must also be prepared to + receive a large number of multicast announcements from attackers. + +6.3. Chain of Trust + + Security is mandatory to implement in RSerPool and is based on TLS + implementation in all three architecture components that comprise + RSerPool -- namely PU, PE, and the ENRP server. We define an ENRP + server that uses TLS for all communication and authenticates ENRP + peers and PE registrants to be a secured ENRP server. + + Here is a description of all possible data paths and a description of + the security. + + + + + + + +Xie, et al. Experimental [Page 34] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + PU <---> secured ENRP server (authentication of ENRP server; + queries over TLS) + PE <---> secured ENRP server (mutual authentication; + registration/de-registration over TLS) + secured ENRP server <---> secured ENRP server (mutual authentication; + database updates using TLS) + + If all components of the system authenticate and communicate using + TLS, the chain of trust is sound. The root of the trust chain is the + ENRP server. If that is secured using TLS, then security will be + enforced for all ENRP and PE components that try to connect to it. + + Summary of interaction between secured and unsecured components: If + the PE does not use TLS and tries to register with a secure ENRP + server, it will receive an error message response indicated as an + error due to security considerations and the registration will be + rejected. If an ENRP server that does not use TLS tries to update + the database of a secure ENRP server, then the update will be + rejected. If a PU does not use TLS and communicates with a secure + ENRP server, it will get a response with the understanding that the + response is not secure, as the response can be tampered with in + transit even if the ENRP database is secured. + + The final case is the PU sending a secure request to ENRP. It might + be that ENRP and PEs are not secured and this is an allowable + configuration. The intent is to secure the communication over the + Internet between the PU and the ENRP server. + + Summary: + + RSerPool architecture components can communicate with each other to + establish a chain of trust. Secured PE and ENRP servers reject any + communications with unsecured ENRP or PE servers. + + If the above is enforced, then a chain of trust is established for + the RSerPool user. + +7. Acknowledgments + + The authors wish to thank John Loughney, Lyndon Ong, Walter Johnson, + Thomas Dreibholz, Frank Volkmer, and many others for their invaluable + comments and feedback. + + + + + + + + + +Xie, et al. Experimental [Page 35] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +8. References + +8.1. Normative References + + [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC1071] Braden, R., Borman, D., Partridge, C., and W. Plummer, + "Computing the Internet checksum", RFC 1071, + September 1988. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version + 6 (IPv6) Specification", RFC 2460, December 1998. + + [RFC3237] Tuexen, M., Xie, Q., Stewart, R., Shore, M., Ong, L., + Loughney, J., and M. Stillman, "Requirements for + Reliable Server Pooling", RFC 3237, January 2002. + + [RFC3436] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport + Layer Security over Stream Control Transmission + Protocol", RFC 3436, December 2002. + + [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, + "Internationalizing Domain Names in Applications + (IDNA)", RFC 3490, March 2003. + + [RFC4511] Sermersheim, J., "Lightweight Directory Access Protocol + (LDAP): The Protocol", RFC 4511, June 2006. + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing + an IANA Considerations Section in RFCs", BCP 26, + RFC 5226, May 2008. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer + Security (TLS) Protocol Version 1.2", RFC 5246, + August 2008. + + [RFC5354] Stewart, R., Xie, Q., Stillman, M., and M. Tuexen, + "Aggregate Server Access Protocol (ASAP) and Endpoint + Handlespace Redundancy Protocol (ENRP) Parameters", + RFC 5354, September 2008. + + [RFC5352] Stewart, R., Xie, Q., Stillman, M., and M. Tuexen, + "Aggregate Server Access Protocol (ASAP)", RFC 5352, + September 2008. + + + +Xie, et al. Experimental [Page 36] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + [RFC5355] Stillman, M., Ed., Gopal, R., Guttman, E., Holdrege, + M., and S. Sengodan, "Threats Introduced by Reliable + Server Pooling (RSerPool) and Requirements for Security + in Response to Threats", RFC 5355, September 2008. + +8.2. Informative References + + [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, + June 2005. + + [SCTPSOCKET] Stewart, R., Poon, K., Tuexen, M., Yasevich, V., and P. + Lei, "Sockets API Extensions for Stream Control + Transmission Protocol (SCTP)", Work in Progress, + July 2008. + +Authors' Addresses + + Qiaobing Xie + The Resource Group + 1700 Pennsylvania Ave NW + Suite 560 + Washington, D.C., 20006 + USA + + Phone: +1 224-465-5954 + EMail: Qiaobing.Xie@gmail.com + + + Randall R. Stewart + The Resource Group + 1700 Pennsylvania Ave NW + Suite 560 + Washington, D.C., 20006 + USA + + Phone: + EMail: randall@lakerest.net + + + Maureen Stillman + Nokia + 1167 Peachtree Ct. + Naperville, IL 60540 + US + + Phone: + EMail: maureen.stillman@nokia.com + + + +Xie, et al. Experimental [Page 37] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + + Michael Tuexen + Muenster Univ. of Applied Sciences + Stegerwaldstr. 39 + 48565 Steinfurt + Germany + + EMail: tuexen@fh-muenster.de + + + Aron J. Silverton + Sun Microsystems, Inc. + 10 S. Wacker Drive + Suite 2000 + Chicago, IL 60606 + USA + + Phone: + EMail: ajs.ietf@gmail.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Xie, et al. Experimental [Page 38] + +RFC 5353 Endpoint Handlespace Redundancy September 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Xie, et al. Experimental [Page 39] + |