diff options
Diffstat (limited to 'doc/rfc/rfc5352.txt')
-rw-r--r-- | doc/rfc/rfc5352.txt | 2971 |
1 files changed, 2971 insertions, 0 deletions
diff --git a/doc/rfc/rfc5352.txt b/doc/rfc/rfc5352.txt new file mode 100644 index 0000000..1369a30 --- /dev/null +++ b/doc/rfc/rfc5352.txt @@ -0,0 +1,2971 @@ + + + + + + +Network Working Group R. Stewart +Request for Comments: 5352 Q. Xie +Category: Experimental The Resource Group + M. Stillman + Nokia + M. Tuexen + Muenster Univ. of Applied Sciences + September 2008 + + + Aggregate Server Access Protocol (ASAP) + +Status of This Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Abstract + + Aggregate Server Access Protocol (ASAP; RFC 5352), in conjunction + with the Endpoint Handlespace Redundancy Protocol (ENRP; RFC 5353), + provides a high-availability data transfer mechanism over IP + networks. ASAP uses a handle-based addressing model that isolates a + logical communication endpoint from its IP address(es), thus + effectively eliminating the binding between the communication + endpoint and its physical IP address(es), which normally constitutes + a single point of failure. + + In addition, ASAP defines each logical communication destination as a + pool, providing full transparent support for server pooling and load + sharing. It also allows dynamic system scalability -- members of a + server pool can be added or removed at any time without interrupting + the service. + + ASAP is designed to take full advantage of the network level + redundancy provided by the Stream Transmission Control Protocol + (SCTP; RFC 4960). Each transport protocol, other than SCTP, MUST + have an accompanying transport mapping document. It should be noted + that ASAP messages passed between Pool Elements (PEs) and ENRP + servers MUST use the SCTP transport protocol. + + The high-availability server pooling is gained by combining two + protocols, namely ASAP and ENRP, in which ASAP provides the user + interface for Pool Handle to address translation, load sharing + management, and fault management, while ENRP defines the high- + availability Pool Handle translation service. + + + +Stewart, et al. Experimental [Page 1] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Definitions ................................................4 + 1.2. Conventions ................................................5 + 1.3. Organization of This Document ..............................6 + 1.4. Scope of ASAP ..............................................6 + 1.4.1. Extent of the Handlespace ...........................6 + 2. Message Definitions .............................................6 + 2.1. ASAP Parameter Formats .....................................7 + 2.2. ASAP Messages ..............................................7 + 2.2.1. ASAP_REGISTRATION Message ...........................7 + 2.2.2. ASAP_DEREGISTRATION Message .........................8 + 2.2.3. ASAP_REGISTRATION_RESPONSE Message ..................9 + 2.2.4. ASAP_DEREGISTRATION_RESPONSE Message ...............10 + 2.2.5. ASAP_HANDLE_RESOLUTION Message .....................10 + 2.2.6. ASAP_HANDLE_RESOLUTION_RESPONSE Message ............11 + 2.2.7. ASAP_ENDPOINT_KEEP_ALIVE Message ...................13 + 2.2.8. ASAP_ENDPOINT_KEEP_ALIVE_ACK Message ...............14 + 2.2.9. ASAP_ENDPOINT_UNREACHABLE Message ..................14 + 2.2.10. ASAP_SERVER_ANNOUNCE Message ......................15 + 2.2.11. ASAP_COOKIE Message ...............................16 + 2.2.12. ASAP_COOKIE_ECHO Message ..........................16 + 2.2.13. ASAP_BUSINESS_CARD Message ........................17 + 2.2.14. ASAP_ERROR Message ................................17 + 3. Procedures .....................................................18 + 3.1. Registration ..............................................18 + 3.2. De-Registration ...........................................21 + 3.3. Handle Resolution .........................................23 + 3.4. Endpoint Keep Alive .......................................25 + 3.5. Unreachable Endpoints .....................................26 + 3.6. ENRP Server Hunt Procedures ...............................27 + 3.7. Handling ASAP Endpoint to ENRP Server + Communication Failures ....................................28 + 3.7.1. SCTP Send Failure ..................................28 + 3.7.2. T1-ENRPrequest Timer Expiration ....................29 + 3.7.3. Registration Failure ...............................29 + 3.8. Cookie Handling Procedures ................................29 + 3.9. Business Card Handling Procedures .........................30 + 4. Roles of Endpoints .............................................31 + 5. SCTP Considerations ............................................31 + 6. The ASAP Interfaces ............................................31 + 6.1. Registration.Request Primitive ............................32 + 6.2. Deregistration.Request Primitive ..........................32 + 6.3. CachePopulateRequest Primitive ............................33 + 6.4. CachePurgeRequest Primitive ...............................33 + 6.5. DataSendRequest Primitive .................................33 + 6.5.1. Sending to a Pool Handle ...........................34 + + + +Stewart, et al. Experimental [Page 2] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + 6.5.2. Pool Element Selection .............................35 + 6.5.2.1. Round-Robin Policy ........................35 + 6.5.3. Sending to a Pool Element Handle ...................35 + 6.5.4. Send by Transport Address ..........................37 + 6.5.5. Message Delivery Options ...........................37 + 6.6. Data.Received Notification ................................38 + 6.7. Error.Report Notification .................................39 + 6.8. Examples ..................................................39 + 6.8.1. Send to a New Pool .................................39 + 6.8.2. Send to a Cached Pool Handle .......................40 + 6.9. PE Send Failure ...........................................41 + 6.9.1. Translation.Request Primitive ......................41 + 6.9.2. Transport.Failure Primitive ........................42 + 7. Timers, Variables, and Thresholds ..............................42 + 7.1. Timers ....................................................42 + 7.2. Variables .................................................42 + 7.3. Thresholds ................................................43 + 8. IANA Considerations ............................................43 + 8.1. A New Table for ASAP Message Types ........................43 + 8.2. Port Numbers ..............................................44 + 8.3. SCTP Payload Protocol Identifier ..........................44 + 8.4. Multicast Addresses .......................................44 + 9. Security Considerations ........................................44 + 9.1. Summary of RSerPool Security Threats ......................45 + 9.2. Implementing Security Mechanisms ..........................46 + 9.3. Chain of Trust ............................................49 + 10. Acknowledgments ...............................................50 + 11. References ....................................................50 + 11.1. Normative References .....................................50 + 11.2. Informative References ...................................51 + + + + + + + + + + + + + + + + + + + + + +Stewart, et al. Experimental [Page 3] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +1. Introduction + + The Aggregate Server Access Protocol (ASAP), when used in conjunction + with Endpoint Name Resolution Protocol [RFC5353], provides a high- + availability data-transfer mechanism over IP networks. ASAP uses a + handle-based addressing model that isolates a logical communication + endpoint from its IP address(es), thus effectively eliminating the + binding between the communication endpoint and its physical IP + address(es), which normally constitutes a single point of failure. + + When multiple receiver instances exist under the same handle (aka a + server pool), an ASAP Endpoint will select one Pool Element (PE), + based on the current load sharing policy indicated by the server + pool, and deliver its message to the selected PE. + + While delivering the message, ASAP can be used to monitor the + reachability of the selected PE. If it is found unreachable, before + notifying the message sender (an ASAP User) of the failure, ASAP can + automatically select another PE (if one exists) under that pool and + attempt to deliver the message to that PE. In other words, ASAP is + capable of transparent failover amongst PE instances within a server + pool. + + ASAP depends on ENRP, which provides a high-availability Pool + Handlespace. ASAP is responsible for the abstraction of the + underlying transport technologies, load distribution management, + fault management, as well as presentation to the upper layer (aka an + ASAP User) via a unified primitive interface. + + When SCTP [RFC4960] is used as the transport layer protocol, ASAP can + seamlessly incorporate the link-layer redundancy provided by SCTP. + + This document defines the ASAP portion of the high-availability + server pool. + +1.1. Definitions + + This document uses the following terms: + + ASAP User: Either a PE or Pool User (PU) that uses ASAP. + + Business Card: When presented by a PU or PE, it specifies the pool + the sender belongs to and provides a list of alternate PEs in case + of failovers. + + + + + + + +Stewart, et al. Experimental [Page 4] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Operational Scope: The part of the network visible to pool users by + a specific instance of the reliable server pooling protocols. + + Pool (or Server Pool): A collection of servers providing the same + application functionality. + + Pool Handle: A logical pointer to a pool. Each server pool will be + identifiable in the operational scope of the system by a unique + Pool Handle. + + Pool Element: A server entity having registered to a pool. + + Pool User: A server pool user. + + Pool Element Handle (or Endpoint Handle): A logical pointer to a + particular Pool Element in a pool, consisting of the Pool Handle + and a destination transport address of the Pool Element. + + Handlespace: A cohesive structure of Pool Handles and relations that + may be queried by an internal or external agent. + + Home ENRP Server: The ENRP server to which a PE or PU currently + sends all namespace service requests. A PE must only have one + Home ENRP server at any given time, and both the PE and its Home + ENRP server MUST know and keep track of this relationship. A PU + should select one of the available ENRP servers as its Home ENRP + server, but the collective ENRP servers may change this by the + sending of an ASAP_ENDPOINT_KEEP_ALIVE message. + + ENRP Client Channel: The communication channel through which an ASAP + User sends all namespace service requests. The client channel is + usually defined by the transport address of the Home ENRP server + and a well-known port number. The channel MAY make use of + multicast or a named list of ENRP servers. + + Network Byte Order: Most significant byte first, aka Big Endian. + + Transport Address: A transport address is traditionally defined by + Network Layer address, Transport Layer protocol and Transport + Layer port number. In the case of SCTP running over IP, a + transport address is defined by the combination of an IP address + and an SCTP port number (where SCTP is the Transport protocol). + +1.2. Conventions + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + + +Stewart, et al. Experimental [Page 5] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +1.3. Organization of This Document + + Section 2 details the ASAP message formats. In Section 3, we provide + detailed ASAP procedures for the ASAP implementer. Section 4 + summarizes which messages need to be supported by which nodes, and + Section 5 describes the usage of SCTP. In Section 6, details of the + ASAP interface are given, focusing on the communication primitives + between ASAP, the applications above ASAP, and ASAP itself, and the + communications primitives between ASAP and SCTP (or other transport + layers). Also included in this discussion are relevant timers and + configurable parameters, as appropriate. Section 7 provides + threshold and protocol variables. + + It should be noted that variables, timers, and constants are used in + the text when necessary. The complete list can be found in + Section 7. + +1.4. Scope of ASAP + + The requirements for high availability and scalability do not imply + requirements on shared state and data. ASAP does not provide + transaction failover. If a host or application fails during the + processing of a transaction, this transaction may be lost. Some + services MAY provide a way to handle the failure, but this is not + guaranteed. ASAP MAY provide hooks to assist an application in + building a mechanism to share state but ASAP in itself does NOT share + any state. + +1.4.1. Extent of the Handlespace + + The scope of ASAP/ENRP is NOT Internet-wide. The handlespace is + neither hierarchical nor arbitrarily large like DNS. A flat peer-to- + peer model is detailed. Pools of servers will exist in different + administrative domains. For example, suppose the use of ASAP and + ENRP is wanted. First, the PU may use DNS to contact an ENRP server. + Suppose a PU in North America wishes to contact a server pool in + Japan instead of North America. The PU would use DNS to get the list + of IP addresses of the Japanese server pool; that is, the ENRP client + channel in Japan. From there, the PU would query the Home ENRP + server it established and then directly contact the PE(s) of + interest. + +2. Message Definitions + + All messages, as well as their fields described below, shall be in + network byte order during transmission. For fields with a length + bigger than 4 bytes, a number in a pair of parentheses may follow the + field name to indicate the length of the field in number of bytes. + + + +Stewart, et al. Experimental [Page 6] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +2.1. ASAP Parameter Formats + + The basic message format and all parameter formats can be found in + [RFC5354]. Note also that *all* ASAP messages exchanged between an + ENRP server and a PE MUST use SCTP as transport, while ASAP messages + exchanged between an ENRP server and a PU MUST use either SCTP or TCP + as transport. PE to PU data traffic MAY use any transport protocol + specified by the PE during registration. + +2.2. ASAP Messages + + This section details the individual messages used by ASAP. These + messages are composed of a standard message format found in Section 4 + of [RFC5354]. The parameter descriptions can be found in [RFC5354]. + + The following ASAP message types are defined in this section: + + Type Message Name + ----- ------------------------- + 0x00 - (Reserved by IETF) + 0x01 - ASAP_REGISTRATION + 0x02 - ASAP_DEREGISTRATION + 0x03 - ASAP_REGISTRATION_RESPONSE + 0x04 - ASAP_DEREGISTRATION_RESPONSE + 0x05 - ASAP_HANDLE_RESOLUTION + 0x06 - ASAP_HANDLE_RESOLUTION_RESPONSE + 0x07 - ASAP_ENDPOINT_KEEP_ALIVE + 0x08 - ASAP_ENDPOINT_KEEP_ALIVE_ACK + 0x09 - ASAP_ENDPOINT_UNREACHABLE + 0x0a - ASAP_SERVER_ANNOUNCE + 0x0b - ASAP_COOKIE + 0x0c - ASAP_COOKIE_ECHO + 0x0d - ASAP_BUSINESS_CARD + 0x0e - ASAP_ERROR + others - (Reserved by IETF) + + Figure 1 + +2.2.1. ASAP_REGISTRATION Message + + The ASAP_REGISTRATION message is sent by a PE to its Home ENRP server + to either create a new pool or to add itself to an existing pool. + The PE sending the ASAP_REGISTRATION message MUST fill in the Pool + Handle parameter and the Pool Element parameter. The Pool Handle + parameter specifies the name to be registered. The Pool Element + parameter MUST be filled in by the registrant, as outlined in + Section 3.1. Note that the PE sending the registration message MUST + + + + +Stewart, et al. Experimental [Page 7] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + send the message using an SCTP association. Furthermore, the IP + address(es) of the PE that is registered within the Pool Element + parameter MUST be a subset of the IP address(es) used in the SCTP + association, regardless of the registered transport protocol. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x01 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Element Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Pool Handle Parameter: + + See [RFC5354]. + + Pool Element Parameter: + + See [RFC5354]. + +2.2.2. ASAP_DEREGISTRATION Message + + The ASAP_DEREGISTRATION message is sent by a PE to its Home ENRP + server to remove itself from a pool to which it registered. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x02 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : PE Identifier Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++ + + Pool Handle Parameter: + + See [RFC5354]. + + PE Identifier Parameter: + + See [RFC5354]. + + + + + + +Stewart, et al. Experimental [Page 8] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + The PE sending the ASAP_DEREGISTRATION MUST fill in the Pool Handle + and the PE identifier parameter in order to allow the ENRP server to + verify the identity of the endpoint. Note that de-registration is + NOT allowed by proxy; in other words, a PE may only de-register + itself. + +2.2.3. ASAP_REGISTRATION_RESPONSE Message + + The ASAP_REGISTRATION_RESPONSE message is sent in response by the + Home ENRP server to the PE that sent an ASAP_REGISTRATION message. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x03 |0|0|0|0|0|0|0|R| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : PE Identifier Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Operational Error (optional) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + R (Reject) Flag: + + When set to '1', this flag indicates that the ENRP server sending + this message has rejected the registration. Otherwise, when this + flag is set to '0', this indicates the registration has been granted. + + Pool Handle Parameter: + + See [RFC5354]. + + PE Identifier Parameter: + + See [RFC5354]. + + Operational Error Parameter (optional): + + See [RFC5354]. + + This parameter is included if an error or some atypical events + occurred during the registration process. When the R flag is set to + '1', this parameter, if present, indicates the cause of the + rejection. When the R flag is set to '0', this parameter, if + present, serves as a warning to the registering PE, informing it that + + + + + +Stewart, et al. Experimental [Page 9] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + some of its registration values may have been modified by the ENRP + server. If the registration was successful and there is no warning, + this parameter is not included. + +2.2.4. ASAP_DEREGISTRATION_RESPONSE Message + + The ASAP_DEREGISTRATION_RESPONSE message is returned by the Home ENRP + server to a PE in response to an ASAP_DEREGISTRATION message or due + to the expiration of the registration life of the PE in the pool. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x04 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : PE Identifier Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Operational Error (optional) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Pool Handle Parameter: + + See [RFC5354]. + + PE Identifier Parameter: + + See [RFC5354]. + + Operational Error: + + See [RFC5354]. + + This parameter is included if an error or some atypical events + occurred during the de-registration process. If the de-registration + was successful this parameter is not included. + +2.2.5. ASAP_HANDLE_RESOLUTION Message + + The ASAP_HANDLE_RESOLUTION message is sent by either a PE or PU to + its Home ENRP server to resolve a Pool Handle into a list of Pool + Elements that are members of the pool indicated by the Pool Handle. + + + + + + + + +Stewart, et al. Experimental [Page 10] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x05 |0|0|0|0|0|0|0|S| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The 'S' bit: + + The 'S' bit, if set to '1', requests the Home ENRP server to send + updates to this Pool dynamically when the Pool changes for the + lifetime of the SCTP association. Dynamic updates to the pool will + consist of additional ASAP_HANDLE_RESOLUTION_RESPONSE messages, + without the user needing to send in an ASAP_HANDLE_RESOLUTION. + + If the 'S' bit is set to '0', no Dynamic updates are requested. + + Note that if a new Home ENRP server is adopted, any 'dynamic update + request' will need to be re-sent to the new Home ENPR server if the + endpoint would like to continue to receive updates. In other words, + the ENRP servers do NOT share state regarding which of its PU's are + requesting automatic update of state. Thus, upon change of Home ENRP + server, the PU will need to re-send an ASAP_HANDLE_RESOLUTION message + with the 'S' bit set to '1'. Note also, that the 'S' bit will only + cause Dynamic update of a Pool when the Pool exists. If a negative + response is returned, no further updates to the Pool (when it is + created) will occur. + + Pool Handle Parameter: + + See [RFC5354]. + +2.2.6. ASAP_HANDLE_RESOLUTION_RESPONSE Message + + The ASAP_HANDLE_RESOLUTION_RESPONSE message is sent in response by + the Home ENRP server of the PU or PE that sent an + ASAP_HANDLE_RESOLUTION message or is sent periodically upon Pool + changes if the PU has requested Dynamic updates. + + + + + + + + + + + + +Stewart, et al. Experimental [Page 11] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x06 |0|0|0|0|0|0|0|A| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Overall PE Selection Policy (optional) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Element Parameter 1 (optional) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : ... : + : : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Element Parameter N (optional) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Operational Error (optional) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + 'A' bit: + + This bit is set to '1' if the ENRP server accepts the request to send + automatic updates (i.e., the 'S' bit was set on the request). If + this bit is set to '0', either the ENRP server does NOT support + automatic updates, it has resource issues and cannot supply this + feature, or the user did not request it. + + Pool Handle Parameter: + + See [RFC5354]. + + Overall PE Selection Policy (optional): + + See [RFC5354]. + + This parameter can be present when the response is positive. If + present, it indicates the overall pool member selection policy of the + pool. If not present, a Round-Robin overall pool member selection + policy is assumed. This parameter is not present when the response + is negative. + + Note, any load policy parameter within a Pool Element parameter (if + present) MUST be ignored, and MUST NOT be used to determine the + overall pool member selection policy. + + Pool Element Parameters (optional): + + See [RFC5354]. + + + +Stewart, et al. Experimental [Page 12] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + When the response is positive, an array of PE parameters are + included, indicating the current information about the PEs in the + named pool. At least one PE parameter MUST be present. When the + response is negative, no PE parameters are included. + + Operational Error (optional): + + See [RFC5354]. + + The presence of this parameter indicates that the response is + negative (the handle resolution request was rejected by the ENRP + server). The cause code in this parameter (if present) will indicate + the reason the handle resolution request was rejected (e.g., the + requested Pool Handle was not found). The absence of this parameter + indicates that the response is positive. + +2.2.7. ASAP_ENDPOINT_KEEP_ALIVE Message + + The ASAP_ENDPOINT_KEEP_ALIVE message is sent by an ENRP server to a + PE. The ASAP_ENDPOINT_KEEP_ALIVE message is used to verify that the + PE is reachable and requires the PE to adopt the sending server as + its new Home ENRP server if the 'H' bit is set to '1'. Regardless of + the setting of the 'H' bit, an ASAP Endpoint MUST respond with an + ASAP_ENDPOINT_KEEP_ALIVE_ACK to any ASAP_ENDPOINT_KEEP_ALIVE messages + that arrive. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x07 |0|0|0|0|0|0|0|H| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Server Identifier | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + H (Home ENRP server) Flag: + + When set to '1', indicates that the ENRP server that sends this + message wants to be the Home ENRP server of the receiver of this + message. + + Server Identifier: 32 bits (unsigned integer) + + This is the ID of the ENRP server, as discussed in [RFC5353]. + + + + + + +Stewart, et al. Experimental [Page 13] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Pool Handle Parameter: + + See [RFC5354]. + +2.2.8. ASAP_ENDPOINT_KEEP_ALIVE_ACK Message + + The ASAP_ENDPOINT_KEEP_ALIVE_ACK message is sent by a PE in response + to an ASAP_ENDPOINT_KEEP_ALIVE message sent by an ENRP server. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x08 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : PE Identifier Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Pool Handle Parameter: + + See [RFC5354]. + + PE Identifier Parameter: + + See [RFC5354]. + +2.2.9. ASAP_ENDPOINT_UNREACHABLE Message + + The ASAP_ENDPOINT_UNREACHABLE message is sent by either a PE or PU to + its Home ENRP server to report an unreachable PE. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x09 |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : PE Identifier Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Pool Handle Parameter: + + See [RFC5354]. + + + + + + +Stewart, et al. Experimental [Page 14] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + PE Identifier Parameter: + + See [RFC5354]. + +2.2.10. ASAP_SERVER_ANNOUNCE Message + + The ASAP_SERVER_ANNOUNCE message is sent by an ENRP server such that + PUs and PEs know the transport information necessary to connect to + the ENRP server. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x0a |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Server Identifier | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Transport Param #1 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Transport Param #2 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : : + : ..... : + : : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Transport Param #n : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Server Identifier: 32 bits (unsigned integer) + + This is the ID of the ENRP server, as discussed in [RFC5353]. + + Transport Parameters (optional): + + See [RFC5354] for the SCTP and TCP Transport parameters. + + Only SCTP and TCP Transport parameters are allowed for use within the + SERVER_ANNOUNCE message. + + + + + + + + + + + + + +Stewart, et al. Experimental [Page 15] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +2.2.11. ASAP_COOKIE Message + + The ASAP_COOKIE message is sent by a PE to a PU, allowing the PE to + convey information it wishes to share using a control channel. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x0b |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Cookie Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Cookie Parameter : + + See [RFC5354]. + +2.2.12. ASAP_COOKIE_ECHO Message + + The ASAP_COOKIE_ECHO message is sent by a PU to a new PE when it + detects a failure with the current PE to aid in failover. The Cookie + Parameter sent by the PE is the latest one received from the failed + PE. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x0c |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Cookie Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Cookie Parameter: + + See [RFC5354]. + + + + + + + + + + + + + + + + +Stewart, et al. Experimental [Page 16] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +2.2.13. ASAP_BUSINESS_CARD Message + + The ASAP_BUSINESS_CARD message is sent by a PU to a PE or from a PE + to a PU using a control channel to convey the pool handle and a + preferred failover ordering. + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x0d |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Handle Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Element Parameter-1 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : .. : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Pool Element Parameter-N : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Pool Handle Parameter: + + See [RFC5354]. + + Pool Element Parameters: + + See [RFC5354]. + +2.2.14. ASAP_ERROR Message + + The ASAP_ERROR message is sent in response by an ASAP Endpoint + receiving an unknown message or an unknown parameter to the sending + ASAP Endpoint to report the problem or issue. + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type = 0x0e |0|0|0|0|0|0|0|0| Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : Operational Error Parameter : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Operational Error Parameter: + + See [RFC5354]. + + + + +Stewart, et al. Experimental [Page 17] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + When an ASAP Endpoint receives an ASAP message with an unknown + message type or a message of known type that contains an unknown + parameter, it SHOULD handle the unknown message or the unknown + parameter according to the unrecognized message and parameter + handling rules, defined in Section 3. + + According to the rules, if an error report to the message sender is + needed, the ASAP endpoint that discovered the error SHOULD send back + an ASAP_ERROR message that includes an Operational Error parameter + with the proper cause code, cause length, and case-specific + information. + +3. Procedures + + This section will focus on the methods and procedures used by an + internal ASAP Endpoint. Appropriate timers and recovery actions for + failure detection and management are also discussed. Also, please + note that ASAP messages sent between a PE and PU are identified by an + SCTP Payload Protocol Identifier (PPID). + +3.1. Registration + + When a PE wishes to initiate or join a server pool, it MUST use the + procedures outlined in this section for registration. Often, the + registration will be triggered by a user request primitive (discussed + in Section 6.1). The PE MUST register using an SCTP association + established between itself and the Home ENRP server. If the PE has + not established its Home ENRP server, it MUST follow the procedures + specified in Section 3.6. + + Once the PE's ASAP Endpoint has established its Home ENRP server, the + following procedures MUST be followed to register: + + R1) The PE's SCTP endpoint used to communicate with the Home ENRP + server MUST be bound to all IP addresses that will be used by the + PE (regardless of which transport protocol will be used to service + user requests to the PE). + + R2) The PE's ASAP Endpoint MUST formulate an ASAP_REGISTRATION + message, as defined in Section 2.2.1. In formulating the message, + the PE MUST: + + R2.1) Fill in the Pool Handle parameter to specify which server + pool the ASAP Endpoint wishes to join. + + R2.2) Fill in the PE identifier using a good-quality randomly + generated number ([RFC4086] provides some information on + randomness guidelines). + + + +Stewart, et al. Experimental [Page 18] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + R2.3) Fill in the Registration Lifetime parameter with the number + of seconds that this registration is valid for. Note that a PE + that wishes to continue service MUST re-register before the + registration expires. + + R2.4) Fill in a User Transport parameter to specify the type of + transport and the data/control channel usage the PE is willing + to support. Note, in joining an existing server pool, the PE + MUST follow the overall transport type and overall data/control + channel usage of the pool. Otherwise, the registration may be + rejected by the ENRP server. + + R2.5) Fill in the preferred Pool Member Selection Policy + parameter. + + R3) Send the ASAP_REGISTRATION message to the Home ENRP server using + SCTP. + + R4) Start a T2-registration timer. + + Note: the PE does not need to fill in the optional ASAP transport + parameter. The ASAP transport parameter will be filled in and used + by the Home ENRP server. + + If the T2-registration timer expires before receiving an + ASAP_REGISTRATION_RESPONSE message, or a SEND.FAILURE notification is + received from the SCTP layer, the PE shall start the Server Hunt + procedure (see Section 3.6) in an attempt to get service from a + different ENRP server. After establishing a new Home ENRP server, + the PE SHOULD restart the registration procedure. + + At the reception of the registration response, the PE MUST stop the + T2-registration timer. If the response indicates success, the PE is + registered and will be considered an available member of the server + pool. If the registration response indicates a failure, the PE must + either re-attempt registration after correcting the error or return a + failure indication to the PE's upper layer. The PE MUST NOT re- + attempt registration without correcting the error condition. + + At any time, a registered PE MAY wish to re-register to either update + its member selection Policy Value or registration expiration time. + When re-registering, the PE MUST use the same PE identifier. + + After successful registration, the PE MUST start a T4-reregistration + timer. At its expiration, a re-registration SHOULD be made starting + at step R1, including (at completion) restarting the T4- + reregistration timer. + + + + +Stewart, et al. Experimental [Page 19] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Note that an implementation SHOULD keep a record of the number of + registration (and re-registration) attempts it makes in a local + variable that gets set to zero before the initial registration + attempt to the Home ENRP server or after a successful re- + registration. If repeated registration timeouts or failures occurs + and the local count exceeds the Threshold 'MAX-REG-ATTEMPT', the + implementation SHOULD report the error to its upper layer and stop + attempting registration. + + The ENRP server handles the ASAP_REGISTRATION message according to + the following rules: + + 1. If the named pool does not exist in the handlespace, the ENRP + server MUST create a new pool with that handle in the handlespace + and add the PE to the pool as its first PE. + + When a new pool is created, the overall member selection policy + of the pool MUST be set to the policy type indicated by the first + PE, the overall pool transport type MUST be set to the transport + type indicated by the PE, and the overall pool data/control + channel configuration MUST be set to what is indicated in the + Transport Use field of the User Transport parameter by the + registering PE. + + 2. If the named pool already exists in the handlespace, but the + requesting PE is not currently a member of the pool, the ENRP + server will add the PE as a new member to the pool. + + However, before adding the PE to the pool, the server MUST check + if the policy type, transport type, and transport usage indicated + by the registering PE is consistent with those of the pool. If + different, the ENRP server MUST reject the registration. + + 3. If the named pool already exists in the handlespace *and* the + requesting PE is already a member of the pool, the ENRP server + SHOULD consider this as a re-registration case. The ENRP server + MUST perform the same tests on policy, transport type, and + transport use, as described above. If the re-registration is + accepted after the test, the ENRP server SHOULD replace the + attributes of the existing PE with the information carried in the + received ASAP_REGISTRATION message. + + 4. After accepting the registration, the ENRP server MUST assign + itself the owner of this PE. If this is a re-registration, the + ENRP server MUST take over ownership of this PE, regardless of + whether the PE was previously owned by this server or by another + + + + + +Stewart, et al. Experimental [Page 20] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + server. The ENRP server MUST also record the SCTP transport + address from which it received the ASAP_REGISTRATION in the ASAP + Transport parameter TLV inside the PE parameter of this PE. + + 5. The ENRP server may reject the registration due to other reasons + such as invalid values, lack of resource, authentication failure, + etc. + + In all above cases, the ENRP server MUST reply to the requesting PE + with an ASAP_REGISTRATION_RESPONSE message. If the registration is + accepted, the ENRP server MUST set the R flag in the + ASAP_REGISTRATION_RESPONSE to '0'. If the registration is rejected, + the ENRP server MUST indicate the rejection by setting the R flag in + the ASAP_REGISTRATION_RESPONSE to '1'. + + If the registration is rejected, the ENRP server SHOULD include the + proper error cause(s) in the ASAP_REGISTRATION_RESPONSE message. + + If the registration is granted (either a new registration or a re- + registration case), the ENRP server MUST assign itself to be the Home + ENRP server of the PE, i.e., to "own" the PE. + + Implementation note: For better performance, the ENRP server may + find it both efficient and convenient to internally maintain two + separate PE lists or tables -- one is for the PEs that are owned + by the ENRP server and the other is for all the PEs owned by their + peer(s). + + Moreover, if the registration is granted, the ENRP server MUST take + the handlespace update action to inform its peers about the change + just made. If the registration is denied, no message will be sent to + its peers. + +3.2. De-Registration + + In the event a PE wishes to de-register from its server pool + (normally, via an upper-layer request, see Section 6.2), it SHOULD + use the following procedure. It should be noted that an alternate + method of de-registration is to NOT re-register and to allow the + registration life of the PE to expire. In this case, an + ASAP_DEREGISTRATION_RESPONSE message is sent to the PE's ASAP + Endpoint to indicate the removal of the PE from the pool it + registered. + + When de-registering, the PE SHOULD use the SCTP association that was + used for registration with its Home ENRP server. To de-register, the + PE's ASAP Endpoint MUST take the following actions: + + + + +Stewart, et al. Experimental [Page 21] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + D1) Fill in the Pool Handle parameter of the ASAP_DEREGISTRATION + message (Section 2.2.2) using the same Pool Handle parameter sent + during registration. + + D2) Fill in the PE Identifier parameter of the ASAP_DEREGISTRATION + message. The identifier MUST be the same as used during + registration. The use of the same Pool Handle and Pool Identifier + parameters used in registration allows the identity of the PE ASAP + Endpoint to be verified before de-registration can occur. + + D3) Send the ASAP_DEREGISTRATION message to the Home ENRP server + using the PE's SCTP association. + + D4) Start a T3-Deregistration timer. + + If the T3-Deregistration timer expires before receiving either an + ASAP_REGISTRATION_RESPONSE message, or a SEND.FAILURE notification + from the PE's SCTP endpoint, the PE's ASAP Endpoint shall start the + ENRP Server Hunt procedure (see Section 3.6) in an attempt to get + service from another ENRP server. After establishing a new Home ENRP + server, the ASAP Endpoint SHOULD restart the de-registration + procedure. + + At the reception of the ASAP_DEREGISTRATION_RESPONSE, the PE's ASAP + endpoint MUST stop the T3-Deregistration timer. + + It should be noted that after a successful de-registration, the PE + MAY still receive requests for some period of time. The PE MAY wish + to remain active and service these requests or to exit and ignore + these requests. + + Upon receiving the message, the ENRP server SHALL remove the PE from + its handlespace. Moreover, if the PE is the last one of the named + pool, the ENRP server will remove the pool from the handlespace as + well. + + If the ENRP server fails to find any record of the PE in its + handlespace, it SHOULD consider the de-registration granted and + completed, and send an ASAP_DEREGISTRATION_RESPONSE message to the + PE. + + The ENRP server may reject the de-registration request for various + reasons, such as invalid parameters, authentication failure, etc. + + In response, the ENRP server MUST send an + ASAP_DEREGISTRATION_RESPONSE message to the PE. If the de- + registration is rejected, the ENRP server MUST indicate the rejection + by including the proper Operational Error parameter. + + + +Stewart, et al. Experimental [Page 22] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + It should be noted that de-registration does not stop the PE from + sending or receiving application messages. + + Once the de-registration request is granted *and* the PE removed from + its local copy of the handlespace, the ENRP server MUST take the + handlespace update action to inform its peers about the change just + made. Otherwise, the ENRP server MUST NOT inform its peers. + +3.3. Handle Resolution + + At any time, a PE or PU may wish to resolve a handle. This usually + will occur when an ASAP Endpoint sends a Pool Handle (Section 6.5.1) + to its Home ENRP server or requests a cache population (Section 6.3). + It may also occur for other reasons (e.g., the internal ASAP PE + wishes to know its peers to send a message to all of them). When an + ASAP Endpoint (PE or PU) wishes to resolve a pool handle to a list of + accessible transport addresses of the member PEs of the pool, it MUST + take the following actions: + + NR1) Fill in an ASAP_HANDLE_RESOLUTION message (Section 2.2.5) with + the Pool Handle to be resolved. + + NR2) If the endpoint does not have a Home ENRP server, start the + ENRP Server Hunt procedures specified in Section 3.6 to obtain + one. Otherwise, proceed to step NR3. + + NR3) If a PE, send the ASAP_HANDLE_RESOLUTION message to the Home + ENRP server using SCTP; if a PU, send the ASAP_HANDLE_RESOLUTION + message to the Home ENRP server using either TCP or SCTP. If sent + from a PE, the SCTP association used for registration SHOULD be + used. + + NR4) Start a T1-ENRPrequest timer. + + If the T1-ENRPrequest timer expires before receiving a response + message, the ASAP Endpoint SHOULD take the steps described in + Section 3.7.2. If a SEND.FAILURE notification is received from the + SCTP or TCP layer, the ASAP Endpoint SHOULD start the Server Hunt + procedure (see Section 3.6) in an attempt to get service from a + different ENRP server. After establishing a new Home ENRP server, + the ASAP Endpoint SHOULD restart the handle resolution procedure. + + At the reception of the ASAP_HANDLE_RESOLUTION_RESPONSE message, the + ASAP Endpoint MUST stop its T1-ENRPrequest timer. After stopping the + T1-ENRPrequest timer, the ASAP Endpoint SHOULD process the message as + appropriate (e.g., populate a local cache, give the response to the + ASAP User, and/or use the response to send the ASAP User's message). + + + + +Stewart, et al. Experimental [Page 23] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Note that some ASAP Endpoints MAY use a cache to minimize the number + of handle resolutions sent. If a cache is used, it SHOULD: + + C1) Be consulted before sending a handle resolution. + + C2) Have a stale timeout timer associated with each cache entry. If + the cache entry is determined to be stale upon a cache hit, a + handle resolution message SHOULD be sent so the cache can be + updated. + + C3) In the case of a stale cache entry, the implementation may, in + parallel, update the cache and answer the request, or it may block + the user and wait for an updated cache before proceeding with the + users request. + + C4) If the cache entry is NOT stale, the endpoint SHOULD NOT send a + handle resolution request but instead SHOULD use the entry from + the cache. + + It should be noted that the impact of using a cache depends on the + policy and the requirements of the application. For some + applications, cache-usage can increase the performance of the system; + for some, it can decrease it. + + An ENRP server SHOULD be prepared to receive ASAP_HANDLE_RESOLUTION + requests from PUs, either over an SCTP association on the well-known + SCTP port, or over a TCP connection on the well-known TCP port. + + Upon reception of the ASAP_HANDLE_RESOLUTION message, the ENRP server + MUST first look up the pool handle in its handlespace. If the pool + exists, the Home ENRP server MUST compose and send back an + ASAP_HANDLE_RESOLUTION_RESPONSE message to the requesting PU. + + In the response message, the ENRP server SHOULD list all the PEs + currently registered in this pool, in a list of PE parameters. The + ENRP server MUST also include a pool member selection policy + parameter to indicate the overall member selection policy for the + pool, if the current pool member selection policy is not Round-Robin. + + If the named pool does not exist in the handlespace, the ENRP server + MUST reject the handle resolution request by responding with an + ASAP_HANDLE_RESOLUTION_RESPONSE message carrying an Unknown Pool + Handle error. + + + + + + + + +Stewart, et al. Experimental [Page 24] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +3.4. Endpoint Keep Alive + + The ASAP_ENDPOINT_KEEP_ALIVE message is sent by an ENRP server to a + PE in order to verify it is reachable. If the transport level + heartbeat mechanism is insufficient, this message can be used in a + heartbeat mechanism for the ASAP level whose goal is determining the + health status of the ASAP level in a timely fashion. (The transport + level heartbeat mechanism may be insufficient due to either the + timeouts or the heartbeat interval being set too long, or, that the + transport level heartbeat mechanism's coverage is limited only to the + transport level at the two ends.) Additionally, the + ASAP_ENDPOINT_KEEP_ALIVE message has value in the reliability of + fault detection if the SCTP stack is in the kernel. In such a case, + while the SCTP-level heartbeat monitors the end-to-end connectivity + between the two SCTP stacks, the ASAP-level heartbeat monitors the + end-to-end liveliness of the ASAP layer above it. + + The use of the ASAP_ENDPOINT_KEEP_ALIVE message (Section 2.2.7) and + the ASAP_ENDPOINT_KEEP_ALIVE_ACK (Section 2.2.8) is described below. + Upon reception of an ASAP_ENDPOINT_KEEP_ALIVE message, the following + actions MUST be taken: + + KA1) The PE must verify that the Pool Handle is correct and matches + the Pool Handle sent in its earlier ASAP_REGISTRATION message. If + the Pool Handle does not match, the PE MUST silently discard the + message. + + KA2) Send an ASAP_ENDPOINT_KEEP_ALIVE_ACK (Section 2.2.8) as + follows: + + KA2.1) Fill in the Pool Handle parameter with the PE's Pool + Handle. + + KA2.2) Fill in the PE Identifier parameter using the PE + identifier used by this PE for registration. + + KA2.3) Send the ASAP_ENDPOINT_KEEP_ALIVE_ACK message via the + appropriate SCTP association for the ENRP server that sent the + ASAP_ENDPOINT_KEEP_ALIVE message. + + KA2.4) If the H flag in the received ASAP_ENDPOINT_KEEP_ALIVE + message is set, and the Server Identifier in the message is NOT + the identity of your Home ENRP server (or it is not set, e.g., + you have a no Home ENRP server) adopt the sender of the + ASAP_ENDPOINT_KEEP_ALIVE message as the new Home ENRP server. + + + + + + +Stewart, et al. Experimental [Page 25] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +3.5. Unreachable Endpoints + + Occasionally, an ASAP Endpoint may realize a PE is unreachable. This + may occur by a specific SCTP error realized by the ASAP endpoint or + via an ASAP User report via the Transport.Failure Primitive + (Section 6.9.2). In either case, the ASAP Endpoint SHOULD report the + unavailability of the PE by sending an ASAP_ENDPOINT_UNREACHABLE + message to any ENRP server. Before sending the + ASAP_ENDPOINT_UNREACHABLE message, the ASAP Endpoint should fill in + the Pool Handle parameter and PE Identifier parameter of the + unreachable endpoint. If the sender is a PE, the message MUST be + sent via SCTP. It should be noted that an ASAP Endpoint MUST report + no more than once each time it encounters such an event. + Additionally, when processing a Transport.Failure Primitive + (Section 6.9.2), the ASAP Endpoint MUST NOT send an + ASAP_ENDPOINT_UNREACHABLE message unless the user has made a previous + request to send data to the PE specified by the primitive. + + Upon the reception of an ASAP_ENDPOINT_UNREACHABLE message, an ENRP + server MUST immediately send a point-to-point + ASAP_ENDPOINT_KEEP_ALIVE message to the PE in question (the H flag in + the message SHOULD be set to '0', in this case). If this + ASAP_ENDPOINT_KEEP_ALIVE fails (e.g., it results in an SCTP + SEND.FAILURE notification), the ENRP server MUST consider the PE as + truly unreachable and MUST remove the PE from its handlespace. + + If the ASAP_ENDPOINT_KEEP_ALIVE message is transmitted successfully + to the PE, the ENRP server MUST retain the PE in its handlespace. + Moreover, the server SHOULD keep a counter to record how many + ASAP_ENDPOINT_UNREACHABLE messages it has received reporting + reachability problem relating to this PE. If the counter exceeds the + protocol threshold MAX-BAD-PE-REPORT, the ENRP server SHOULD remove + the PE from its handlespace. + + Optionally, an ENRP server may also periodically send point-to-point + ASAP_ENDPOINT_KEEP_ALIVE (with the H flag set to '0') messages to + each of the PEs owned by the ENRP server in order to check their + reachability status. If the sending of ASAP_ENDPOINT_KEEP_ALIVE to a + PE fails, the ENRP server MUST consider the PE as unreachable and + MUST remove the PE from its handlespace. Note, if an ENRP server + owns a large number of PEs, the implementation should pay attention + not to flood the network with bursts of ASAP_ENDPOINT_KEEP_ALIVE + messages. Instead, the implementation MUST distribute the + ASAP_ENDPOINT_KEEP_ALIVE message traffic over a time period. This + can be achieved by varying the time between two + ASAP_ENDPOINT_KEEP_ALIVE messages to the same PE randomly by plus/ + minus 50 percent. + + + + +Stewart, et al. Experimental [Page 26] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +3.6. ENRP Server Hunt Procedures + + Each PU and PE manages a list of transport addresses of ENRP servers + it knows about. + + If multicast capabilities are used within the operational scope, an + ENRP server MUST send periodically every (N+1)*T6-Serverannounce an + ASAP_SERVER_ANNOUNCE message (Section 2.2.10), which includes all the + transport addresses available for ASAP communication on the multicast + ENRP client channel, where N is the number of ENRP servers the server + has found via receiving ASAP_SERVER_ANNOUNCE messages. This should + result in a message rate of approximately 1 ASAP_SERVER_ANNOUNCE per + T6-Serverannounce. + + If an ASAP_SERVER_ANNOUNCE message is received by a PU or PE, it + SHOULD insert all new included transport addresses into its list of + ENRP server addresses and start a T7-ENRPoutdate timer for each + address. For all already-known, included transport addresses, the + T7-ENRPoutdate timer MUST be restarted for each address. If no + transport parameters are included in the ASAP_SERVER_ANNOUNCE + message, the SCTP transport protocol is assumed to be used and the + source IP address and the IANA-registered ASAP port number is used + for communication with the ENRP server. If a T7-ENRPoutdate timer + for a transport address expires, the corresponding address is deleted + from the managed list of transport addresses of the PU or PE. + + If multicast capabilities are not used within the operational scope, + each PU and PE MUST have a configured list of transport addresses of + ENRP servers. + + At its startup, or when it fails to communicate with its Home ENRP + server (i.e., timed out on an ENRP request), a PE or PU MUST + establish a new Home ENRP server (i.e., set up a TCP connection or + SCTP association with a different ENRP server). + + To establish a Home ENRP server, the following rules MUST be + followed: + + SH1) The PE or PU SHOULD try to establish an association or + connection, with no more than three ENRP servers. An ASAP + Endpoint MUST NOT establish more than three associations or + connections. + + SH2) The ASAP Endpoint shall start a T5-Serverhunt timer. + + + + + + + +Stewart, et al. Experimental [Page 27] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + SH3) If the ASAP Endpoint establishes an association or connection + it MUST stop its T5-Serverhunt timer. The ASAP Endpoint SHOULD + also reset the T5-Serverhunt timer to its initial value and then + proceed to step SH6. + + SH4) If an association or connection establishment fails, the ASAP + Endpoint SHOULD try to establish an association or connection + using a different transport address. + + SH5) If the T5-Serverhunt timer expires, the following should be + performed: + + SH5.1) The ASAP Endpoint MUST double the value of the T5- + Serverhunt timer. Note that this doubling is capped at the + value RETRAN.max. + + SH5.2) The ASAP Endpoint SHOULD stop the establishment of + associations and connections with the transport addresses + selected in step SH1. + + SH5.2) The ASAP Endpoint SHOULD repeat trying to establish an + association or connection by proceeding to step SH1. It SHOULD + attempt to select a different set of transport addresses with + which to connect. + + SH6) The PE or PU shall pick one of the ENRP servers with which it + was able to establish an association or connection, and send all + subsequent ENRP request messages to this new Home ENRP server. + +3.7. Handling ASAP Endpoint to ENRP Server Communication Failures + + Three types of failure may occur when the ASAP Endpoint at either the + PE or PU tries to communicate with an ENRP server: + + A) SCTP send failure + + B) T1-ENRPrequest timer expiration + + C) Registration failure + +3.7.1. SCTP Send Failure + + This communication failure indicates that the SCTP layer was unable + to deliver a message sent to an ENRP server. In other words, the + ENRP server is unreachable. + + + + + + +Stewart, et al. Experimental [Page 28] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + In such a case, the ASAP Endpoint MUST NOT re-send the undeliverable + message. Instead, it SHOULD discard the message and start the ENRP + Server Hunt procedure as described in Section 3.6. After finding a + new Home ENRP server, the ASAP Endpoint should re-send the request. + + Note that an ASAP Endpoint MAY also choose to NOT discard the + message, but to queue it for retransmission after a new Home ENRP + server is found. If an ASAP Endpoint does choose to discard the + message, after a new Home ENRP server is found, the ASAP Endpoint + MUST be capable of reconstructing the original request. + +3.7.2. T1-ENRPrequest Timer Expiration + + When the T1-ENRPrequest timer expires, the ASAP Endpoint should re- + send the original request to the ENRP server and restart the T1- + ENRPrequest timer. In parallel, the ASAP Endpoint should begin the + ENRP server hunt procedures described in Section 3.6. + + This should be repeated up to MAX-REQUEST-RETRANSMIT times. After + that, an Error.Report notification should be generated to inform the + ASAP User, and the ENRP request message associated with the T1- + ENRPrequest timer should be discarded. It should be noted that if an + alternate ENRP server responds, the ASAP Endpoint SHOULD adopt the + responding ENRP server as its new Home ENRP server and re-send the + request to the new Home ENRP server. + +3.7.3. Registration Failure + + Registration failure is discussed in Section 3.1. + +3.8. Cookie Handling Procedures + + Whenever a PE wants, and a control channel exists, it can send an + ASAP_COOKIE message to a PU via the control channel. The PU's ASAP + endpoint stores the Cookie parameter and discards an older cookie if + it is previously stored. + + Note: A control channel is a communication channel between a PU and + PE that does not carry data passed to the user. This is accomplished + with SCTP by using a PPID to separate the ASAP messages (Cookie and + Business Card) from normal data messages. + + If the PU's ASAP Endpoint detects a failure and initiates a failover + to a different PE, it SHOULD send the latest received cookie + parameter in an ASAP_COOKIE_ECHO message to the new PE as the first + message on the control channel. Upper layers may be involved in the + failover procedure. + + + + +Stewart, et al. Experimental [Page 29] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + The cookie handling procedure can be used for state sharing. + Therefore, a cookie should be signed by the sending PE ASAP Endpoint + and the cookie should be verified by the receiving PE's ASAP + Endpoint. The details of the verification procedure are out of scope + for this document. It is only important that the PU always stores + the last received Cookie parameter and sends that back unmodified in + case of a PE failure. + +3.9. Business Card Handling Procedures + + When communication begins between a PU and a PE, either of which + could be part of a PU/PE combination (i.e., a message is sent between + the entities), a PE should always send an ASAP_BUSINESS_CARD message + to a PU. A PU should send an ASAP_BUSINESS_CARD message to a PE only + if it is part of a PU/PE combination. An ASAP_BUSINESS_CARD message + MUST ONLY be sent if a control channel exists between a PU and PE. + After communication has been established between a PE and PU, a new + ASAP_BUSINESS_CARD message may be sent at any time by either entity + to update its failover order. + + The ASAP_BUSINESS_CARD message serves two purposes. First, it lists + the pool handle. For a PU that is part of a PU/PE combination that + is contacting a PE, this is essential so that the PE learns the pool + handle of the PU/PE combination requesting service. Secondly, the + ASAP_BUSINESS_CARD message tells the receiving entity a failover + order that is recommended to follow. This should facilitate + rendezvous between entities that have been working together, as well + as to control the load redistribution upon the failure of any PE. + + Upon receipt of an ASAP_BUSINESS_CARD message (see Section 2.2.13), + the receiving ASAP Endpoint SHOULD: + + BC1) Unpack the message, and if no entry exists in the translation + cache of the receiving ASAP Endpoint for the pool handle listed + within the ASAP_BUSINESS_CARD message, perform an + ASAP_HANDLE_RESOLUTION for that pool handle. If the translation + cache does hold an entry for the pool handle, then it may be + necessary to update the peer endpoint. + + BC2) Unpack the message and populate a preferred list for failover + order. If the peer's PE should fail, this preferred list will be + used to guide the ASAP Endpoint in the selection of an alternate + PE. + + + + + + + + +Stewart, et al. Experimental [Page 30] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +4. Roles of Endpoints + + A PU MUST implement the handling of ASAP_HANDLE_RESOLUTION and + ASAP_HANDLE_RESOLUTION_RESPONSE messages. Furthermore, it MUST + support the handling of ASAP_ERROR messages. It MAY implement the + handling of ASAP_COOKIE, ASAP_COOKIE_ECHO, and ASAP_BUSINESS_CARD + messages. It MAY also implement the handling of ASAP_SERVER_ANNOUNCE + messages. + + A PE MUST implement the handling of ASAP_REGISTRATION, + ASAP_DEREGISTRATION, ASAP_REGISTRATION_RESPONSE, and + ASAP_DEREGISTRATION_RESPONSE messages. Furthermore, it MUST support + the handling of ASAP_ENDPOINT_KEEP_ALIVE, + ASAP_ENDPOINT_KEEP_ALIVE_ACK, ASAP_ENDPOINT_UNREACHABLE, and + ASAP_ERROR messages. It SHOULD support the handling of ASAP_COOKIE, + ASAP_COOKIE_ECHO, and ASAP_BUSINESS_CARD messages. Furthermore, it + MAY support the handling of ASAP_SERVER_ANNOUNCE messages. + + An ENRP server MUST implement the handling of ASAP_REGISTRATION, + ASAP_DEREGISTRATION, ASAP_REGISTRATION_RESPONSE, and + ASAP_DEREGISTRATION_RESPONSE messages. Furthermore, it MUST support + the handling of ASAP_ENDPOINT_KEEP_ALIVE, + ASAP_ENDPOINT_KEEP_ALIVE_ACK, ASAP_ENDPOINT_UNREACHABLE, and + ASAP_ERROR messages. Furthermore, it MAY support the handling of + ASAP_SERVER_ANNOUNCE messages. + + If a node acts as a PU and a PE, it MUST fulfill both roles. + +5. SCTP Considerations + + Each ASAP message is considered as an SCTP user message. The PPID + registered for ASAP SHOULD be used. The SCTP port used at the ENRP + server might be preconfigured or announced in the + ASAP_SERVER_ANNOUNCE message or the well-known ASAP port. + + ASAP messages belonging to the control channel MUST be sent using the + PPID registered for ASAP. Messages belonging to the data channel + MUST NOT use the PPID registered for ASAP. + +6. The ASAP Interfaces + + This chapter will focus primarily on the primitives and notifications + that form the interface between the ASAP User and ASAP and that + between ASAP and its lower-layer transport protocol (e.g., SCTP). + + + + + + + +Stewart, et al. Experimental [Page 31] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Note, the following primitive and notification descriptions are shown + for illustrative purposes. We believe that including these + descriptions in this document is important to the understanding of + the operation of many aspects of ASAP; but an ASAP implementation is + not required to use the exact syntax described in this section. + + An ASAP User passes primitives to the ASAP sub-layer to request + certain actions. Upon the completion of those actions or upon the + detection of certain events, the ASAP layer will notify the ASAP + User. + +6.1. Registration.Request Primitive + + Format: registration.request(Pool Handle, + User Transport parameter(s)) + + The Pool Handle parameter contains a NULL terminated ASCII string of + fixed length. The optional User Transport parameter(s) indicates + specific transport parameters and types with which to register. If + this optional parameter is left off, then the SCTP endpoint used to + communicate with the ENRP server is used as the default User + Transport parameter. Note that any IP address contained within a + User Transport parameter MUST be a bound IP address in the SCTP + endpoint used to communicate with the ENRP server. + + The ASAP User invokes this primitive to add itself to the + handlespace, thus becoming a Pool Element of a pool. The ASAP User + must register itself with the ENRP server by using this primitive + before other ASAP Users using the handlespace can send message(s) to + this ASAP User by Pool Handle or by PE handle (see Sections 6.5.1 and + 6.5.3). + + In response to the registration primitive, the ASAP Endpoint will + send an ASAP_REGISTRATION message to the Home ENRP server (see + Sections 2.2.1 and 3.1), and start a T2-registration timer. + +6.2. Deregistration.Request Primitive + + Format: deregistration.request(Pool Handle) + + The ASAP PE invokes this primitive to remove itself from the Server + Pool. This should be used as a part of the graceful shutdown process + by the application. + + An ASAP_DEREGISTRATION message will be sent by the ASAP Endpoint to + the Home ENRP server (see Sections 2.2.2 and 3.2). + + + + + +Stewart, et al. Experimental [Page 32] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +6.3. CachePopulateRequest Primitive + + Format: cache_populate_request([Pool-Handle | + Pool-Element-Handle]) + + If the address type is a Pool Handle and a local handle translation + cache exists, the ASAP Endpoint should initiate a mapping information + query by sending an ASAP_HANDLE_RESOLUTION message on the Pool handle + and updating its local cache when the response comes back from the + ENRP server. + + If a Pool-Element-Handle is passed, then the Pool Handle is unpacked + from the Pool-Element-Handle and the ASAP_HANDLE_RESOLUTION message + is sent to the ENRP server for resolution. When the response message + returns from the ENRP server, the local cache is updated. + + Note that if the ASAP service does NOT support a local cache, this + primitive performs NO action. + +6.4. CachePurgeRequest Primitive + + Format: cache_purge_request([Pool-Handle | Pool-Element-Handle]) + + If the user passes a Pool Handle and local handle translation cache + exists, the ASAP Endpoint should remove the mapping information on + the Pool Handle from its local cache. If the user passes a Pool- + Element-Handle, then the Pool Handle within is used for the + cache_purge_request. + + Note that if the ASAP service does NOT support a local cache, this + primitive performs NO action. + +6.5. DataSendRequest Primitive + + Format: data_send_request(destinationAddress, typeOfAddress, + message, sizeOfMessage, Options); + + This primitive requests ASAP to send a message to some specified Pool + or Pool Element within the current Operational scope. + + Depending on the address type used for the send request, the sender's + ASAP Endpoint may perform address translation and Pool Element + selection before sending the message out. This MAY also dictate the + creation of a local transport endpoint in order to meet the required + transport type. + + The data_send_request primitive can take different forms of address + types, as described in the following sections. + + + +Stewart, et al. Experimental [Page 33] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +6.5.1. Sending to a Pool Handle + + In this case, the destinationAddress and typeOfAddress together + indicate a pool handle. + + This is the simplest form of send_data_request primitive. By + default, this directs ASAP to send the message to one of the Pool + Elements in the specified pool. + + Before sending the message out to the pool, the sender's ASAP + endpoint MUST first perform a pool handle to address translation. It + may also need to perform Pool Element selection if multiple Pool + Elements exist in the pool. + + If the sender's ASAP implementation does not support a local cache of + the mapping information, or if it does not have the mapping + information on the pool in its local cache, it will transmit an + ASAP_HANDLE_RESOLUTION message (see Sections 2.2.5 and 3.3) to the + current Home ENRP server and MUST hold the outbound message in queue + while awaiting the response from the ENRP server (any further send + request to this pool before the ENRP server responds SHOULD also be + queued). + + Once the necessary mapping information arrives from the ENRP server, + the sender's ASAP will: + + A) map the pool handle into a list of transport addresses of the + destination PE(s); + + B) if multiple PEs exist in the pool, choose one of them and transmit + the message to it. In that case, the choice of the PE is made by + the ASAP Endpoint of the sender based on the server pooling + policy, as discussed in Section 6.5.2; + + C) optionally create any transport endpoint that may be needed to + communicate with the PE selected; + + D) if no transport association or connection exists towards the + destination PE, establish any needed transport state; + + E) send out the queued message(s) to the appropriate transport + connection using the appropriate send mechanism (e.g., for SCTP, + the SEND primitive in [RFC4960] would be used); and, + + F) if the local cache is implemented, append/update the local cache + with the mapping information received in the ENRP server's + response. Also, record the local transport information (e.g., the + SCTP association id) if any new transport state was created. + + + +Stewart, et al. Experimental [Page 34] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + For more on the ENRP server request procedures see [RFC5353]. + + Optionally, the ASAP Endpoint of the sender may return a Pool Element + handle of the selected PE to the application after sending the + message. This PE handle can then be used for future transmissions to + that same PE (see Section 6.5.3). + + Section 3.7 defines the failover procedures for cases where the + selected PE is found unreachable. + +6.5.2. Pool Element Selection + + Each time an ASAP User sends a message to a pool that contains more + than one PE, the sender's ASAP Endpoint must select one of the PEs in + the pool as the receiver of the current message. The selection is + made according to the current server pooling policy of the pool to + which the message is sent. + + Note, no selection is needed if the ASAP_SEND_TOALL option is set + (see Section 6.5.5). + + Together with the server pooling policy, each PE can also specify a + Policy Value for itself at the registration time. The meaning of the + Policy Value depends on the current server pooling policy of the + group. A PE can also change its Policy Value whenever it desires, by + re-registering itself with the handlespace with a new Policy Value. + Re-registration shall be done by simply sending another + ASAP_REGISTRATION to its Home ENRP server (see Section 2.2.1). + + One basic policy is defined in this document; others can be found in + [RFC5356] + +6.5.2.1. Round-Robin Policy + + When an ASAP Endpoint sends messages by Pool Handle and Round-Robin + is the current policy of that Pool, the ASAP Endpoint of the sender + will select the receiver for each outbound message by Round-Robining + through all the registered PEs in that Pool, in an attempt to achieve + an even distribution of outbound messages. Note that in a large + server pool, the ENRP server might not send back all PEs to the ASAP + client. In this case, the client or PU will be performing a Round- + Robin policy on a subset of the entire Pool. + +6.5.3. Sending to a Pool Element Handle + + In this case, the destinationAddress and typeOfAddress together + indicate an ASAP Pool Element handle. + + + + +Stewart, et al. Experimental [Page 35] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + This requests that the ASAP Endpoint deliver the message to the PE + identified by the Pool Element handle. + + The Pool Element handle should contain the Pool Handle and a + destination transport address of the destination PE or the Pool + Handle and the transport type. Other implementation dependent + elements may also be cached in a Pool Element handle. + + The ASAP Endpoint shall use the transport address and transport type + to identify the endpoint with which to communicate. If no + communication state exists with the peer endpoint (and is required by + the transport protocol), the ASAP Endpoint MAY set up the needed + state and then invoke the SEND primitive for the particular transport + protocol to send the message to the PE. + + In addition, if a local translation cache is supported, the endpoint + will: + + A) send out the message to the transport address (or association id) + designated by the PE handle. + + B) determine if the Pool Handle is in the local cache. + + If it is *not*, the endpoint will: + + + i) ask the Home ENRP server for handle resolution on the pool + handle by sending an ASAP_HANDLE_RESOLUTION message (see + Section 2.2.5), and + + ii) use the response to update the local cache. + + If the pool handle is in the cache, the endpoint will only + update the pool handle if the cache is stale. A stale cache is + indicated by it being older than the protocol parameter + 'stale.cache.value' (see Section 7.2). + + Sections 3.5 and 6.9 define the failover procedures for cases where + the PE pointed to by the Pool Element handle is found to be + unreachable. + + Optionally, the ASAP Endpoint may return the actual Pool Element + handle to which the message was sent (this may be different from the + Pool Element handle specified when the primitive is invoked, due to + the possibility of automatic failover). + + + + + + +Stewart, et al. Experimental [Page 36] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +6.5.4. Send by Transport Address + + In this case, the destinationAddress and typeOfAddress together + indicate a transport address and transport type. + + This directs the sender's ASAP Endpoint to send the message out to + the specified transport address. + + No endpoint failover is supported when this form of send request is + used. This form of send request effectively bypasses the ASAP + endpoint. + +6.5.5. Message Delivery Options + + The Options parameter passed in the various forms of the above + data_send_request primitive gives directions to the sender's ASAP + endpoint on special handling of the message delivery. + + The value of the Options parameter is generated by bit-wise "OR"ing + of the following pre-defined constants: + + ASAP_USE_DEFAULT: 0x0000 Use default setting. + + ASAP_SEND_FAILOVER: 0x0001 Enables PE failover on this message. In + the case where the first selected PE or the PE pointed to by the + PE handle is found unreachable, the sender's ASAP Endpoint SHOULD + re-select an alternate PE from the same pool if one exists, and + silently re-send the message to this newly selected endpoint. + + Note that this is a best-effort service. Applications should be + aware that messages can be lost during the failover process, even + if the underlying transport supports retrieval of unacknowledged + data (e.g., SCTP). (Example: messages acknowledged by the SCTP + layer at a PE, but not yet read by the PE when a PE failure + occurs.) In the case where the underlying transport does not + support such retrieval (e.g., TCP), any data already submitted by + ASAP to the transport layer may be lost upon failover. + + ASAP_SEND_NO_FAILOVER: 0x0002 This option prohibits the sender's + ASAP Endpoint from re-sending the message to any alternate PE in + case that the first selected PE, or the PE pointed to by the PE + handle, is found to be unreachable. Instead, the sender's ASAP + Endpoint shall notify its upper layer about the unreachability + with an Error.Report and return any unsent data. + + ASAP_SEND_TO_LAST: 0x0004 This option requests that the sender's + ASAP Endpoint send the message to the same PE in the pool to which + the previous message destined to this pool was sent. + + + +Stewart, et al. Experimental [Page 37] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + ASAP_SEND_TO_ALL: 0x0008 When sending by Pool Handle, this option + directs the sender's ASAP endpoint to send a copy of the message + to all the PEs, except for the sender itself if the sender is a PE + in that pool. + + ASAP_SEND_TO_SELF: 0x0010 This option only applies in combination + with the ASAP_SEND_TO_ALL option. It permits the sender's ASAP + Endpoint to also deliver a copy of the message to itself if the + sender is a PE of the pool (i.e., loop-back). + + ASAP_SCTP_UNORDER: 0x1000 This option requests that the transport + layer send the current message using un-ordered delivery (note the + underlying transport must support un-ordered delivery for this + option to be effective). + +6.6. Data.Received Notification + + Format: data.received(messageReceived, sizeOfMessage, + senderAddress, typeOfAddress) + + When a new user message is received, the ASAP Endpoint of the + receiver uses this notification to pass the message to its upper + layer. + + Along with the message being passed, the ASAP Endpoint of the + receiver should also indicate to its upper layer the message senders + address. The sender's address can be in the form of either an SCTP + association id, TCP transport address, UDP transport address, or an + ASAP Pool Element handle. + + A) If the handle translation local cache is implemented at the + receiver's ASAP Endpoint, a reverse mapping from the sender's IP + address to the pool handle should be performed, and if the mapping + is successful, the sender's ASAP Pool Element handle should be + constructed and passed in the senderAddress field. + + B) If there is no local cache or the reverse mapping is not + successful, the SCTP association id or other transport specific + identification (if SCTP is not being used) should be passed in the + senderAddress field. + + + + + + + + + + + +Stewart, et al. Experimental [Page 38] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +6.7. Error.Report Notification + + Format: error.report(destinationAddress, typeOfAddress, + failedMessage, sizeOfMessage) + + An error.report should be generated to notify the ASAP User about + failed message delivery as well as other abnormalities. + + The destinationAddress and typeOfAddress together indicate to whom + the message was originally sent. The address type can be either an + ASAP Pool Element handle, association id, or a transport address. + + The original message (or the first portion of it if the message is + too big) and its size should be passed in the failedMessage and + sizeOfMessage fields, respectively. + +6.8. Examples + + These examples assume an underlying SCTP transport between the PE and + PU. Other transports are possible, but SCTP is utilized in the + examples for illustrative purposes. Note that all communication + between the PU and ENRP server and the PE and ENRP servers would be + using SCTP. + +6.8.1. Send to a New Pool + + This example shows the event sequence when a Pool User sends the + message "hello" to a pool that is not in the local translation cache + (assuming local caching is supported). + + ENRP Server PU new-handle:PEx + + | | | + | +---+ | + | | 1 | | + |2. ASAP_HANDLE_RESOLUTION +---+ | + |<-------------------------------| | + | +---+ | + | | 3 | | + |4. ASAP_HANDLE_RESOLUTION_RSP +---+ | + |------------------------------->| | + | +---+ | + | | 5 | | + | +---+ 6. "hello1" | + | |---------------->| + | | | + + + + + +Stewart, et al. Experimental [Page 39] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + 1) The user at PU invokes: + + data_send_request("new-handle", handle-type, "hello1", 6, 0); + + The ASAP Endpoint, in response, looks up the pool "new-handle" in + its local cache, but fails to find it. + + + 2) The ASAP Endpoint of the PU queues the message and sends an + ASAP_HANDLE_RESOLUTION request to the ENRP server asking for all + information about pool "new-handle". + + 3) A T1-ENRPrequest timer is started while the ASAP Endpoint is + waiting for the response from the ENRP server. + + 4) The ENRP server responds to the query with an + ASAP_HANDLE_RESOLUTION_RESPONSE message that contains all the + information about pool "new-handle". + + 5) ASAP at PU cancels the T1-ENRPrequest timer and populate its local + cache with information on pool "new-handle". + + 6) Based on the server pooling policy of pool "new-handle", ASAP at + PU selects the destination PE (PEx), sets up, if necessary, an + SCTP association towards PEx (explicitly or implicitly), and sends + out the queued "hello1" user message. + +6.8.2. Send to a Cached Pool Handle + + This shows the event sequence when the ASAP User PU sends another + message to the pool "new-handle" after what happened in + Section 6.8.1. + + + ENRP Server PU new-handle:PEx + + | | | + | +---+ | + | | 1 | | + | +---+ 2. "hello2" | + | |---------------->| + | | | + + + + + + + + + +Stewart, et al. Experimental [Page 40] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + 1) The user at PU invokes: + + data_send_request("new-handle", handle-type, "hello2", 6, 0); + + The ASAP Endpoint, in response, looks up the pool "new-handle" in + its local cache and finds the mapping information. + + 2) Based on the server pooling policy of "new-handle", ASAP at PU + selects the PE (assuming EPx is selected again), and sends out + "hello2" message (assuming the SCTP association is already set + up). + +6.9. PE Send Failure + + When the ASAP Endpoint in a PE or PU attempts to send a message to a + PE and fails, the failed sender will report the event as described in + Section 3.5. + + Additional primitives are also defined in this section to support + those user applications that do not wish to use ASAP as the actual + transport. + +6.9.1. Translation.Request Primitive + + Format: translation.request(Pool-Handle) + + If the address type is a Pool Handle and a local handle translation + cache exists, the ASAP Endpoint should look within its translation + cache and return the current known transport types, ports, and + addresses to the caller. + + If the Pool Handle does not exist in the local handle cache or no + handle cache exists, the ASAP Endpoint will send an + ASAP_HANDLE_RESOLUTION request using the Pool Handle. Upon + completion of the handle resolution, the ASAP Endpoint should + populate the local handle cache (if a local handle cache is + supported) and return the transport types, ports, and addresses to + the caller. + + + + + + + + + + + + + +Stewart, et al. Experimental [Page 41] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +6.9.2. Transport.Failure Primitive + + Format: transport.failure(Pool-Handle, Transport-address) + + If an external user encounters a failure in sending to a PE and is + *not* using ASAP, it can use this primitive to report the failure to + the ASAP endpoint. ASAP will send an ASAP_ENDPOINT_UNREACHABLE to + the "Home" ENRP server in response to this primitive. Note ASAP + SHOULD NOT send an ASAP_ENDPOINT_UNREACHABLE *unless* the user has + actually made a previous request to send data to the PE. + +7. Timers, Variables, and Thresholds + + The following is a summary of the timers, variables, and pre-set + protocol constants used in ASAP. + +7.1. Timers + + T1-ENRPrequest - A timer started when a request is sent by ASAP to + the ENRP server (providing application information is queued). + Normally set to 15 seconds. + + T2-registration - A timer started when sending an ASAP_REGISTRATION + request to the Home ENRP server, normally set to 30 seconds. + + T3-deregistration - A timer started when sending a de-registration + request to the Home ENRP server, normally set to 30 seconds. + + T4-reregistration - This timer is started after successful + registration into the ENRP handlespace and is used to cause a re- + registration at a periodic interval. This timer is normally set + to 10 minutes or 20 seconds less than the Lifetime parameter used + in the registration request (whichever is less). + + T5-Serverhunt - This timer is used during the ENRP Server Hunt + procedure and is normally set to 10 seconds. + + T6-Serverannounce - This timer gives the time between the sending of + consecutive ASAP_SERVER_ANNOUNCE messages. It is normally set to + 1 second. + + T7-ENRPoutdate - This timer gives the time a server announcement is + valid. It is normally set to 5 seconds. + +7.2. Variables + + stale_cache_value - A threshold variable that indicates how long a + cache entry is valid for. + + + +Stewart, et al. Experimental [Page 42] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +7.3. Thresholds + + MAX-REG-ATTEMPT - The maximum number of registration attempts to be + made before a server hunt is issued. The default value of this is + set to 2. + + MAX-REQUEST-RETRANSMIT - The maximum number of attempts to be made + when requesting information from the local ENRP server before a + server hunt is issued. The default value for this is 2. + + RETRAN-MAX - This value represents the maximum time between + registration attempts and puts a ceiling on how far the + registration timer will back off. The default value for this is + normally set to 60 seconds. + +8. IANA Considerations + + This document (RFC 5352) is the reference for all registrations + described in this section. All registrations have been listed on the + Reliable Server Pooling (RSerPool) Parameters page. + +8.1. A New Table for ASAP Message Types + + ASAP Message Types are maintained by IANA. Fourteen initial values + have been assigned by IANA as described in Figure 1. IANA created a + new table, "ASAP Message Types": + + Type Message Name Reference + ----- ------------------------- --------- + 0x00 (Reserved by IETF) RFC 5352 + 0x01 ASAP_REGISTRATION RFC 5352 + 0x02 ASAP_DEREGISTRATION RFC 5352 + 0x03 ASAP_REGISTRATION_RESPONSE RFC 5352 + 0x04 ASAP_DEREGISTRATION_RESPONSE RFC 5352 + 0x05 ASAP_HANDLE_RESOLUTION RFC 5352 + 0x06 ASAP_HANDLE_RESOLUTION_RESPONSE RFC 5352 + 0x07 ASAP_ENDPOINT_KEEP_ALIVE RFC 5352 + 0x08 ASAP_ENDPOINT_KEEP_ALIVE_ACK RFC 5352 + 0x09 ASAP_ENDPOINT_UNREACHABLE RFC 5352 + 0x0a ASAP_SERVER_ANNOUNCE RFC 5352 + 0x0b ASAP_COOKIE RFC 5352 + 0x0c ASAP_COOKIE_ECHO RFC 5352 + 0x0d ASAP_BUSINESS_CARD RFC 5352 + 0x0e ASAP_ERROR RFC 5352 + 0x0b-0xff (Available for Assignment) RFC 5352 + + + + + + +Stewart, et al. Experimental [Page 43] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Requests to register an ASAP Message Type in this table should be + sent to IANA. The number must be unique. The "Specification + Required" policy of [RFC5226] MUST be applied. + +8.2. Port Numbers + + The references for the already assigned port numbers + + asap-tcp 3863/tcp + + asap-udp 3863/udp + + asap-sctp 3863/sctp + + asap-tcp-tls 3864/tcp + + asap-sctp-tls 3864/sctp + + have been updated to RFC 5352. + +8.3. SCTP Payload Protocol Identifier + + The reference for the already assigned ASAP payload protocol + identifier 11 has been updated to RFC 5352. + +8.4. Multicast Addresses + + IANA has assigned an IPv4 multicast address (224.0.1.185) and an IPv6 + multicast address (FF0X:0:0:0:0:0:0:133). The IPv4 address is part + of the Internetwork Control Block (224.0.1/24). + +9. Security Considerations + + We present a summary of the of the threats to the RSerPool + architecture and describe security requirements in response in order + to mitigate the threats. Next, we present the security mechanisms, + based on TLS, that are implementation requirements in response to the + threats. Finally, we present a chain-of-trust argument that examines + critical data paths in RSerPool and shows how these paths are + protected by the TLS implementation. + + + + + + + + + + + +Stewart, et al. Experimental [Page 44] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +9.1. Summary of RSerPool Security Threats + + "Threats Introduced by Reliable Server Pooling (RSerPool) and + Requirements for Security in Response to Threats" [RFC5355] describes + the threats to the RSerPool architecture in detail and lists the + security requirements in response to each threat. From the threats + described in this document, the security services required for the + RSerPool protocol are enumerated below. + + Threat 1) PE registration/de-registration flooding or spoofing. + ----------- + Security mechanism in response: ENRP server authenticates the PE. + + Threat 2) PE registers with a malicious ENRP server. + ----------- + Security mechanism in response: PE authenticates the ENRP server. + + Threats 1 and 2, taken together, result in mutual authentication of + the ENRP server and the PE. + + Threat 3) Malicious ENRP server joins the ENRP server pool. + ----------- + Security mechanism in response: ENRP servers mutually authenticate. + + Threat 4) A PU communicates with a malicious ENRP server for handle + resolution. + ----------- + Security mechanism in response: The PU authenticates the ENRP server. + + Threat 5) Replay attack. + ----------- + Security mechanism in response: Security protocol that has protection + from replay attacks. + + Threat 6) Corrupted data that causes a PU to have misinformation + concerning a pool handle resolution. + ----------- + Security mechanism in response: Security protocol that supports + integrity protection. + + Threat 7) Eavesdropper snooping on handlespace information. + ----------- + Security mechanism in response: Security protocol that supports data + confidentiality. + + + + + + + +Stewart, et al. Experimental [Page 45] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Threat 8) Flood of ASAP_ENDPOINT_UNREACHABLE messages from the PU to + ENRP server. + ----------- + Security mechanism in response: ASAP must control the number of ASAP + Endpoint unreachable messages transmitted from the PU to the ENRP + server. + + Threat 9) Flood of ASAP_ENDPOINT_KEEP_ALIVE messages to the PE from + the ENRP server. + ----------- + Security mechanism in response: ENRP server must control the number + of ASAP_ENDPOINT_KEEP_ALIVE messages to the PE. + + To summarize, the threats 1-7 require security mechanisms that + support authentication, integrity, data confidentiality, and + protection from replay attacks. + + For RSerPool we need to authenticate the following: + + PU <---- ENRP server (PU authenticates the ENRP server) + PE <----> ENRP server (mutual authentication) + ENRP server <-----> ENRP server (mutual authentication) + +9.2. Implementing Security Mechanisms + + We do not define any new security mechanisms specifically for + responding to threats 1-7. Rather, we use an existing IETF security + protocol, specifically [RFC3237], to provide the security services + required. TLS supports all these requirements and MUST be + implemented. The TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite MUST be + supported, at a minimum, by implementers of TLS for RSerPool. For + purposes of backwards compatibility, ENRP SHOULD support + TLS_RSA_WITH_3DES_EDE_CBC_SHA. Implementers MAY also support any + other IETF-approved ciphersuites. + + ENRP servers, PEs, and PUs MUST implement TLS. ENRP servers and PEs + MUST support mutual authentication using PSK (pre-shared-key). ENRP + servers MUST support mutual authentication among themselves using + PSK. PUs MUST authenticate ENRP servers using certificates. + + TLS with PSK is mandatory to implement as the authentication + mechanism for ENRP to ENRP authentication and PE to ENRP + authentication. For PSK, having a pre-shared-key constitutes + authorization. The network administrators of a pool need to decide + which nodes are authorized to participate in the pool. The + justification for PSK is that we assume that one administrative + domain will control and manage the server pool. This allows for PSK + to be implemented and managed by a central security administrator. + + + +Stewart, et al. Experimental [Page 46] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + TLS with certificates is mandatory to implement as the authentication + mechanism for PUs to the ENRP server. PUs MUST authenticate ENRP + servers using certificates. ENRP servers MUST possess a site + certificate whose subject corresponds to their canonical hostname. + PUs MAY have certificates of their own for mutual authentication with + TLS, but no provisions are set forth in this document for their use. + All RSerPool Elements that support TLS MUST have a mechanism for + validating certificates received during TLS negotiation; this entails + possession of one or more root certificates issued by certificate + authorities (preferably, well-known distributors of site certificates + comparable to those that issue root certificates for web browsers). + + In order to prevent man-in-the-middle attacks, the client MUST verify + the server's identity (as presented in the server's Certificate + message). The client's understanding of the server's identity + (typically, the identity used to establish the transport connection) + is called the "reference identity". The client determines the type + (e.g., DNS name or IP address) of the reference identity and performs + a comparison between the reference identity and each subjectAltName + value of the corresponding type until a match is produced. Once a + match is produced, the server's identity has been verified, and the + server identity check is complete. Different subjectAltName types + are matched in different ways. The client may map the reference + identity to a different type prior to performing a comparison. + Mappings may be performed for all available subjectAltName types to + which the reference identity can be mapped; however, the reference + identity should only be mapped to types for which the mapping is + either inherently secure (e.g., extracting the DNS name from a URI to + compare with a subjectAltName of type dNSName) or for which the + mapping is performed in a secure manner (e.g., using DNS Security + (DNSSEC), or using user- or admin-configured host-to-address/ + address-to-host lookup tables). + + If the server identity check fails, user-oriented clients SHOULD + either notify the user or close the transport connection and indicate + that the server's identity is suspect. Automated clients SHOULD + close the transport connection and then return or log an error + indicating that the server's identity is suspect, or both. Beyond + the server identity check described in this section, clients should + be prepared to do further checking to ensure that the server is + authorized to provide the service it is requested to provide. The + client may need to make use of local policy information in making + this determination. + + If the reference identity is an internationalized domain name, + conforming implementations MUST convert it to the ASCII Compatible + Encoding (ACE) format, as specified in Section 4 of [RFC3490], before + comparison with subjectAltName values of type dNSName. Specifically, + + + +Stewart, et al. Experimental [Page 47] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + conforming implementations MUST perform the conversion operation + specified in Section 4 of [RFC3490] as follows: * in step 1, the + domain name SHALL be considered a "stored string"; * in step 3, set + the flag called "UseSTD3ASCIIRules"; * in step 4, process each label + with the "ToASCII" operation; and * in step 5, change all label + separators to U+002E (full stop). + + After performing the "to-ASCII" conversion, the DNS labels and names + MUST be compared for equality, according to the rules specified in + Section 3 of RFC 3490. The '*' (ASCII 42) wildcard character is + allowed in subjectAltName values of type dNSName, and then, only as + the left-most (least significant) DNS label in that value. This + wildcard matches any left-most DNS label in the server name. That + is, the subject *.example.com matches the server names a.example.com + and b.example.com, but does not match example.com or a.b.example.com. + + When the reference identity is an IP address, the identity MUST be + converted to the "network byte order" octet string representation in + [RFC0791] and [RFC2460]. For IP version 4, as specified in RFC 791, + the octet string will contain exactly four octets. For IP version 6, + as specified in RFC 2460, the octet string will contain exactly + sixteen octets. This octet string is then compared against + subjectAltName values of type iPAddress. A match occurs if the + reference identity octet string and value octet strings are + identical. + + After a TLS layer is established in a session, both parties are to + independently decide whether or not to continue based on local policy + and the security level achieved. If either party decides that the + security level is inadequate for it to continue, it SHOULD remove the + TLS layer immediately after the TLS (re)negotiation has completed + (see RFC 4511)[RFC4511]. Implementations may re-evaluate the + security level at any time and, upon finding it inadequate, should + remove the TLS layer. + + Implementations MUST support TLS with SCTP, as described in [RFC3436] + or TLS over TCP, as described in [RFC5246]. When using TLS/SCTP we + must ensure that RSerPool does not use any features of SCTP that are + not available to a TLS/SCTP user. This is not a difficult technical + problem, but simply a requirement. When describing an API of the + RSerPool lower layer, we also have to take into account the + differences between TLS and SCTP. + + Threat 8 requires the ASAP protocol to limit the number of + ASAP_ENDPOINT_UNREACHABLE messages (see Section 3.5) to the ENRP + server. + + + + + +Stewart, et al. Experimental [Page 48] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Threat 9 requires the ENRP protocol to limit the number of + ASAP_ENDPOINT_KEEP_ALIVE messages from the ENRP server to the PE (see + [RFC5353]). + + There is no security mechanism defined for the multicast + announcements. Therefore, a receiver of such an announcement cannot + consider the source address of such a message to be a trustworthy + address of an ENRP server. A receiver must also be prepared to + receive a large number of multicast announcements from attackers. + +9.3. Chain of Trust + + Security is mandatory to implement in RSerPool and is based on TLS + implementation in all three architecture components that comprise + RSerPool -- namely PU, PE, and ENRP server. We define an ENRP server + that uses TLS for all communication and authenticates ENRP peers and + PE registrants to be a secured ENRP server. + + Here is a description of all possible data paths and a description of + the security. + + PU <---> secured ENRP server (authentication of ENRP server; + queries over TLS) + PE <---> secured ENRP server (mutual authentication; + registration/de-registration over TLS) + secured ENRP server <---> secured ENRP server (mutual authentication; + database updates using TLS) + + If all components of the system authenticate and communicate using + TLS, the chain of trust is sound. The root of the trust chain is the + ENRP server. If that is secured using TLS, then security will be + enforced for all ENRP and PE components that try to connect to it. + + Summary of interaction between secured and unsecured components: If + the PE does not use TLS and tries to register with a secure ENRP + server, it will receive an error message response indicated as an + error due to security considerations and the registration will be + rejected. If an ENRP server that does not use TLS tries to update + the database of a secure ENRP server, then the update will be + rejected. If a PU does not use TLS and communicates with a secure + ENRP server, it will get a response with the understanding that the + response is not secure, as the response can be tampered with in + transit even if the ENRP database is secured. + + The final case is the PU sending a secure request to ENRP. It might + be that ENRP and PEs are not secured and this is an allowable + configuration. The intent is to secure the communication over the + Internet between the PU and the ENRP server. + + + +Stewart, et al. Experimental [Page 49] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + Summary: + + RSerPool architecture components can communicate with each other to + establish a chain of trust. Secured PE and ENRP servers reject any + communications with unsecured ENRP or PE servers. + + If the above is enforced, then a chain of trust is established for + the RSerPool user. + +10. Acknowledgments + + The authors wish to thank John Loughney, Lyndon Ong, Walter Johnson, + Thomas Dreibholz, and many others for their invaluable comments and + feedback. + +11. References + +11.1. Normative References + + [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, December 1998. + + [RFC3237] Tuexen, M., Xie, Q., Stewart, R., Shore, M., Ong, L., + Loughney, J., and M. Stillman, "Requirements for Reliable + Server Pooling", RFC 3237, January 2002. + + [RFC3436] Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport + Layer Security over Stream Control Transmission Protocol", + RFC 3436, December 2002. + + [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, + "Internationalizing Domain Names in Applications (IDNA)", + RFC 3490, March 2003. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.2", RFC 5246, August 2008. + + [RFC4511] Sermersheim, J., "Lightweight Directory Access Protocol + (LDAP): The Protocol", RFC 4511, June 2006. + + [RFC4960] Stewart, R., "Stream Control Transmission Protocol", + RFC 4960, September 2007. + + + +Stewart, et al. Experimental [Page 50] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + May 2008. + + [RFC5356] Dreibholz, T. and M. Tuexen, "Reliable Server Pooling + Policies", RFC 5356, September 2008. + + [RFC5354] Stewart, R., Xie, Q., Stillman, M., and M. Tuexen, + "Aggregate Server Access Protocol (ASAP) and Endpoint + Handlespace Redundancy Protocol (ENRP) Parameters", + RFC 5354, September 2008. + + [RFC5353] Xie, Q., Stewart, R., Stillman, M., Tuexen, M., and A. + Silverton, "Endpoint Handlespace Redundancy Protocol + (ENRP)", RFC 5353, September 2008. + + [RFC5355] Stillman, M., Ed., Gopal, R., Guttman, E., Holdrege, M., + and S. Sengodan, "Threats Introduced by Reliable Server + Pooling (RSerPool) and Requirements for Security in + Response to Threats", RFC 5355, September 2008. + +11.2. Informative References + + [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + + + + + + + + + + + + + + + + + + + + + + + + + +Stewart, et al. Experimental [Page 51] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +Authors' Addresses + + Randall R. Stewart + The Resource Group + 1700 Pennsylvania Ave NW + Suite 560 + Washington, D.C., 20006 + USA + + EMail: randall@lakerest.net + + Qiaobing Xie + The Resource Group + 1700 Pennsylvania Ave NW + Suite 560 + Washington, D.C., 20006 + USA + + Phone: +1 224-465-5954 + EMail: Qiaobing.Xie@gmail.com + + + Maureen Stillman + Nokia + 1167 Peachtree Ct. + Naperville, IL 60540 + USA + + EMail: maureen.stillman@nokia.com + + + Michael Tuexen + Muenster Univ. of Applied Sciences + Stegerwaldstr. 39 + 48565 Steinfurt + Germany + + EMail: tuexen@fh-muenster.de + + + + + + + + + + + + + +Stewart, et al. Experimental [Page 52] + +RFC 5352 Aggregate Server Access Protocol September 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Stewart, et al. Experimental [Page 53] + |