From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3238.txt | 955 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 955 insertions(+) create mode 100644 doc/rfc/rfc3238.txt (limited to 'doc/rfc/rfc3238.txt') diff --git a/doc/rfc/rfc3238.txt b/doc/rfc/rfc3238.txt new file mode 100644 index 0000000..a45a265 --- /dev/null +++ b/doc/rfc/rfc3238.txt @@ -0,0 +1,955 @@ + + + + + + +Network Working Group Internet Architecture Board (IAB) +Request for Comments: 3238 S. Floyd +Category: Informational L. Daigle + January 2002 + + + IAB Architectural and Policy Considerations for + Open Pluggable Edge Services + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2002). All Rights Reserved. + +Abstract + + This document includes comments and recommendations by the IAB on + some architectural and policy issues related to the chartering of + Open Pluggable Edge Services (OPES) in the IETF. OPES are services + that would be deployed at application-level intermediaries in the + network, for example, at a web proxy cache between the origin server + and the client. These intermediaries would transform or filter + content, with the explicit consent of either the content provider or + the end user. + +1. Introduction + + Open Pluggable Edge Services (OPES) are services that would be + deployed in the network, for example, at a web proxy cache between + the origin server and the client, that would transform or filter + content. Examples of proposed OPES services include assembling + personalized web pages, adding user-specific regional information to + web pages, virus scanning, content adaptation for clients with + limited bandwidth, language translation, and the like [OPES]. + + The question of chartering OPES in the IETF ([OPESBOF1], [OPESBOF2], + [OPESBOF3]) and the related controversy in the IETF community + ([Carr01], [CDT01], [Morris01], [Orman01], [Routson01]) have raised + to the fore several architectural and policy issues about robustness + and the end-to-end integrity of data (in terms of the disparities + between what the "origin server" makes available and what the client + receives). In particular, questions have been raised about the + possible requirements, for a protocol to be developed and + + + +IAB Informational [Page 1] + +RFC 3238 IAB Considerations for OPES January 2002 + + + standardized in the IETF, for that protocol to protect the end-to-end + privacy and integrity of data. This document attempts to address + some of the architectural and policy issues that have been unresolved + in the chartering of OPES, and to come to some common recommendations + from the IAB regarding these issues. + + The purpose of this document is not to recommend specific solutions + for OPES, or even to mandate specific functional requirements. This + is also not a recommendation to the IESG about whether or not OPES + should be chartered. Instead, these are recommendations on issues + that any OPES solutions standardized in the IETF should be required + to address, similar to the "Security Considerations" currently + required in IETF documents [RFC2316]. As an example, one way to + address security issues is to show that appropriate security + mechanisms have been provided in the protocol, and another way to + address security issues is to demonstrate that no security issues + apply to this particular protocol. (Note however that a blanket + sentence that "no security issues are involved" is never considered + sufficient to address security concerns in a protocol with known + security issues.) + + This document will try to make our concerns underlying integrity, + privacy, and security as clear as possible. We recommend that the + IESG require that OPES documents address integrity, privacy, and + security concerns in one way or another, either directly by + demonstrating appropriate mechanisms, or by making a convincing case + that there are no integrity or privacy concerns relevant to a + particular document. + + In particular, it seems unavoidable that at some point in the future + some OPES service will perform inappropriately (e.g., a virus scanner + rejecting content that does not include a virus), and some OPES + intermediary will be compromised either inadvertently or with + malicious intent. Given this, it seems necessary for the overall + architecture to help protect end-to-end data integrity by addressing, + from the beginning of the design process, the requirement of helping + end hosts to detect and respond to inappropriate behavior by OPES + intermediaries. + + One of the goals of the OPES architecture must be to maintain the + robustness long cited as one of the overriding goals of the Internet + architecture [Clark88]. Given this, we recommend that the IESG + require that the OPES architecture protect end-to-end data integrity + by supporting end-host detection and response to inappropriate + behavior by OPES intermediaries. We note that in this case by + "supporting end-host detection", we are referring to supporting + detection by the humans responsible for the end hosts at the content + provider and client. We would note that many of these concerns about + + + +IAB Informational [Page 2] + +RFC 3238 IAB Considerations for OPES January 2002 + + + the ability of end hosts to detect and respond to the inappropriate + behavior of intermediaries could be applied to the architectures for + web caches and content distribution infrastructures even without the + additional complication of OPES. + + Each section of the document contains a set of IAB Considerations + that we would recommend be addressed by the OPES architecture. + Section 6 summarizes by listing all of these considerations in one + place. + + In this document we try to use terminology consistent with RFC 3040 + [RFC 3040] and with OPES works in progress. + +2. Some history of the controversy about chartering OPES + + One view on OPES has been that "OPES is deeply evil and the IETF + should stay far, far away from this hideous abomination" [ODell01]. + Others have suggested that "OPES would reduce both the integrity, and + the perception of integrity, of communications over the Internet, and + would significantly increase uncertainly about what might have been + done to content as it moved through the network", and that therefore + the risks of OPES outweigh the benefits [CDT01]. This view of the + risks of OPES was revised in later email, based on the proposals from + [Carr01], "assuming that certain privacy and integrity protections + can be incorporated into the goals of the working group" [Morris01]. + + One issue concerns the one-party consent model. In the one-party + consent model, one of the end-nodes (that is, either the content + provider or the end user) is required to explicitly authorize the + OPES service, but authorization is not required from both parties. + [CDT01] comments that relying only on a one-party consent model in + the OPES charter "could facilitate third-party or state-sponsored + censorship of Internet content without the knowledge or consent of + end users", among other undesirable scenarios. + + A natural first question is whether there is any architectural + benefit to putting specific services inside the network (e.g., at the + application-level web cache) instead of positioning all services + either at the content provider or the end user. (Note that we are + asking here whether there is architectural benefit, which is not the + same as asking if there is a business model.) Client-centric + services suggested for OPES include virus scanning, language + translation, limited client bandwidth adaptation, request filtering, + and adaptation of streaming media, and suggested server-centric + services include location-based services and personalized web pages. + + + + + + +IAB Informational [Page 3] + +RFC 3238 IAB Considerations for OPES January 2002 + + + It seems clear that there can indeed be significant architectural + benefit in providing some OPES services inside the network at the + application-level OPES intermediary. For example, if some content is + already available from a local or regional web cache, and the end + user requires some transformation (such as adaptation to a limited- + bandwidth path) applied to that data, providing that service at the + web cache itself can prevent the wasted bandwidth of having to + retrieve more data from the content provider, and at the same time + avoid unnecessary delays in providing the service to the end user. + + A second question is whether the architectural benefits of providing + services in the middle of the network outweigh the architectural + costs, such as the potential costs concerning data integrity. This + is similar to the issues considered in RFC 3135 [RFC 3135] of the + relative costs and benefits of placing performance-enhancing proxies + (PEPs) in the middle of a network to address link-related + degradations. In the case of PEPs, the potential costs include + disabling the end-to-end use of IP layer security mechanisms; + introducing a new possible point of failure that is not under the + control of the end systems; adding increased difficulty in diagnosing + and dealing with failures; and introducing possible complications + with asymmetric routing or mobile hosts. RFC 3135 carefully + considers these possible costs, the mitigations that can be + introduced, and the cases when the benefits of performance-enhancing + proxies to the user are likely to outweigh the costs. A similar + approach could be applied to OPES services (though we do not attempt + that here). + + A third question is whether an OPES service, designed primarily for a + single retrieval action, has an impact on the application layer + addressing architecture. This is related to the integrity issue + above, but is independent of whether these services are applied in + the middle of the network or at either end. + + Most of this document deals with the specific issue of data integrity + with OPES services, including the goal of enabling end hosts to + detect and respond to inappropriate behavior from broken or + compromised OPES intermediaries. + + We agree that one-party consent, with one of the end-hosts explicitly + authorizing the OPES service, must be a requirement for OPES to be + standardized in the IETF. + + However, as we discuss in the next section of this document, we agree + with [CDT01] that the one-party consent model by itself (e.g., with + one of the end-hosts authorizing the OPES service, and the other + end-host perhaps being unaware of the OPES service) is insufficient + for protecting data integrity in the network. We also agree with + + + +IAB Informational [Page 4] + +RFC 3238 IAB Considerations for OPES January 2002 + + + [CDT01] that, regardless of the security and authorization mechanisms + standardized for OPES in the IETF, OPES implementations could + probably be modified to circumvent these mechanisms, resulting in the + unauthorized modification of content. Many of the protocols in the + IETF could be modified for anti-social purposes - transport protocols + could be modified to evade end-to-end congestion control, routing + protocols could be modified to inject invalid routes, web proxy + caches could be used for the unauthorized modification of content + even without OPES, and so on. None of these seem like compelling + reasons not to standardize transport protocols, routing protocols, + web caching protocols, or OPES itself. In our view, it means instead + that the infrastructure needs, as much as possible, to be designed to + detect and defend itself against compromised implementations, and + misuses of protocols need to be addressed directly, each in the + appropriate venue. + + Mechanisms such as digital signatures, which help users to verify for + themselves that content has not been altered, are a first step + towards the detection of the unauthorized modification of content in + the network. However, in the case of OPES, additional protection to + ensure the end-to-end integrity of data is desirable as well, for + example, to help end-users to detect cases where OPES intermediaries + were authorized to modify content, but perform inappropriate + modifications. We would note that mechanisms can *help* end-users to + detect compromised OPES intermediaries in some cases even if they do + not *guarantee* that end-users will be able to detect compromised + OPES intermediaries in all cases. + + If OPES is chartered, the OPES working group will also have to + explicitly decide and document whether the OPES architecture must be + compatible with the use of end-to-end encryption by one or more ends + of an OPES-involved session. If OPES was compatible with end-to-end + encryption, this would effectively ensure that OPES boxes would be + restricted to ones that are known, trusted, explicitly addressed at + the IP layer, and authorized (by the provision of decryption keys) by + at least one of the ends. Compatibility with end-to-end encryption + would also help to prevent the widespread deployment of yet another + set of services that, to benefit from, require one to keep one's + packet contents in the clear for all to snoop. + + IAB Considerations: + + (2.1) One-party consent: An OPES framework standardized in the IETF + must require that the use of any OPES service be explicitly + authorized by one of the application-layer end-hosts (that is, either + the content provider or the client). + + + + + +IAB Informational [Page 5] + +RFC 3238 IAB Considerations for OPES January 2002 + + + (2.2) IP-layer communications: For an OPES framework standardized in + the IETF, the OPES intermediary must be explicitly addressed at the + IP layer by the end user. + + We note that (2.2) is not intended to preclude a chain of + intermediaries, with the first intermediary in the chain explicitly + addressed at the IP layer by the end user. + +3. End-to-end Integrity + + The proposed OPES services have several possible forms, including + server-centric services, such as the dynamic assembling of web pages, + explicitly authorized by the content provider; client-centric + services such as virus scanning or language translation explicitly + authorized by the end user to act on the response from the content + provider; and client-centric services such as privacy-based services + or content-filtering explicitly authorized by the end user to act on + the request from the end user to the content provider. We consider + the issue of the end-to-end integrity of data separately for these + different classes of services. + + For each specific service, the question arises of whether it is + necessary for both the content provider and the end user to be able + to detect and respond to inappropriate behavior by OPES + intermediaries, or if it is sufficient for just one of the two end- + hosts to have this ability. We don't attempt a general answer, but + we do discuss the issues further in the sections below. + +3.1. Data integrity with client-centric OPES services on responses + + Why is there any concern about the end-to-end integrity of data in a + client-centric OPES service acting on a response from a content + provider? If the client requests a service such as virus scanning or + language translation, why is that of any concern to the content + provider one way or another? One answer is that one of the proper + concerns of the IETF is to design architectures that enable end-hosts + to detect and respond to inappropriate actions in the network. This + seems of particular importance for powerful devices in the network + such as OPES intermediaries, which are authorized by one of the end- + nodes to act on or transform data in the network, but other than that + are not under the direct control of that end-node. + + Consider as an example the services of virus scanning or language + translation. The end user has reasonable power in detecting and + dealing with imperfect or corrupted virus scanners or language + translators that are under her direct control (e.g., on her own + machine). The end user knows exactly what program is installed, and + has direct access to the content before and after the service is + + + +IAB Informational [Page 6] + +RFC 3238 IAB Considerations for OPES January 2002 + + + applied. The end user would have less control over similar services + offered by OPES in the network itself, where the end user's only + control might be the binary one of authorizing or not authorizing the + service. (We also note that services deployed on the end host in a + self-contained fashion, such as a local virus scanning program, are + not a service in the network, and therefore are not in the province + of the IETF one way or another.) + + For a OPES service such as virus scanning or language translation, + the end user could detect a corrupted intermediary, but only through + a "black-box" approach of comparing the input with the output. This + is also imprecise and requires some effort, compared to the effort + required to detect a corrupted virus scanner installed on one's own + machine. For example, the user could retrieve the "non-OPES" version + of the content directly from the content provider, if there is a + "non-OPES" version, and compare this with the "OPES" version of the + content available from the OPES intermediary. However, in the case + of dynamic content, the "non-OPES" version of the content retrieved + by the user directly from the content provider might not necessarily + be the same as the "non-OPES" version of the content considered by + the OPES intermediary. This limited control by the end user of the + OPES service, and the limited ability of the end user to detect + imperfect or corrupted intermediaries, argues for an architecture + that helps the content provider to detect and respond to imperfect or + corrupted OPES intermediaries as well. + + We consider the specific example of virus scanning, authorized by the + end user as an OPES service. One could imagine virus scanning as a + widely deployed OPES service, augmenting the virus scanning done on + the end host itself. If I ask for, say, a paper by Steve Bellovin on + security and viruses in the network, and am informed by my authorized + OPES virus-scanning service that this content does not pass the + virus-scan, there are a number of possibilities: + + (1) Unknown to Steve, the content (that is, Steve's paper) contains a + harmful virus. + + (2) Steve inserted a harmful virus in the content on purpose, with + playful or malicious intent. + + (3) The OPES virus scanner can't distinguish between a true harmful + virus, and Steve's paper about harmful viruses. + + (4) My local OPES virus scanner has been hacked, with malicious + intent, to reject all content from Steve Bellovin. + + + + + + +IAB Informational [Page 7] + +RFC 3238 IAB Considerations for OPES January 2002 + + + At some point, for some content, some widely-deployed implementation + of some OPES virus scanner is likely to result in problem (3), and + some OPES implementation is likely to be corrupted to result in + problem (4). Because the end user has limited control over the OPES + virus scanner, the end user also is limited in its ability to detect + problems (3) or (4) in the OPES virus scanner. In addition, the + content provider is probably the one with the strongest incentive to + detect problems (3) or (4) in the OPES virus scanner. (The content + provider generally has a strong incentive to detect problem (1) as + well.) In this case, it seems prudent that the overall OPES + architecture should be carefully designed to prevent the OPES service + of virus scanning, as authorized by the client, from unnecessarily + preventing the distribution of content that in fact does not have + viruses. + + Obviously, it is not viable to propose that content providers simply + indicate that some content should be passed to the end user without + virus scanning - the point of virus scanning is for the end user to + exercise control in this regard. However, if some form of end-system + notification allows the content provider to find out that the content + is being rejected by a virus scanning service instead of being + delivered to the end user, then the content provider (Steve, in this + case) might want to inform end users that this content is known by + the content provider not to pass some OPES virus scanning services. + End users could then make their own decisions about whether or not to + retrieve that content bypassing the OPES virus scanning service, + relying on their own virus scanner or an alternate virus scanning + service for this particular content. Such end-system notification to + the content provider, if requested, cannot be enforced, and cannot be + relied upon from corrupted intermediaries, but it seems important + nevertheless. + + Of course, malicious users can also use their awareness of the virus + scanning service to perfect their ability to construct malicious + viruses that can evade the virus scanning service. This will be done + anyway, with any virus scanning service, and seems like an acceptable + cost to allow content providers some protection against the vagaries + of imperfect or corrupted OPES services in the network. + + Thus, for client-requested services such as virus scanning and + language translation, it is clearly desirable for the origin server + to have notification, if it requests it, that these services are + being performed on its content before the content is sent to the + client. Any such end-system notification might be accompanied by + reduced performance (in terms of overhead, delays, etc.) for the OPES + service applied to that content. But some form of end-system + + + + + +IAB Informational [Page 8] + +RFC 3238 IAB Considerations for OPES January 2002 + + + notification is clearly necessary if content providers are to be able + to detect and respond to actions by OPES intermediaries that are + deemed inappropriate by the content provider. + + Similarly for a client-based OPES service of language translation, it + is clearly desirable for content providers to be able to inform end + users when some content is deemed by the content provider to be + incompatible with language translation. In this case, the important + issue is not to prevent the OPES language translation from being + performed on the content, but instead to give the content provider + some mechanism to discover the language translation, and to inform + the end user (or more precisely, to inform the end user's host + computer) if the content provider believes that this language + translation is incompatible with this particular content. + + IAB Considerations: + + (3.1) Notification: The overall OPES framework needs to assist + content providers in detecting and responding to client-centric + actions by OPES intermediaries that are deemed inappropriate by the + content provider. + +3.2. Data integrity with server-centric OPES services + + What are the concerns, if any, with the end-to-end integrity of data + in a server-centric OPES service such as location-based services? + For example, CNN could authorize a location-based OPES service, where + the OPES intermediary inserts the weather report or news headline of + regional interest into the requested web page. The same issue of the + detection and response to broken or modified OPES intermediaries + occurs with server-centric OPES as with client-centric OPES services. + We only consider server-centric services on responses, as we are not + aware of any proposals for server-centric OPES services on requests + from the client to the content provider. + + How are the end-nodes to detect inappropriate actions from OPES + services authorized by the content provider? The OPES service is + being performed at an OPES intermediary in the network itself, and + not under the direct control of the content provider; in particular, + the content provider might not have the ability to monitor directly + the output of the OPES intermediary. One could argue that the + content provider and server-centric OPES intermediary are part of a + single distributed application, and can be responsible on their own + for detecting and dealing with broken or modified OPES + intermediaries, without involving the end user. But this is + unconvincing, basically arguing that standardizing protocols for + performing OPES services is a network issue properly in the domain of + the IETF, but the ensuring the overall integrity of the service is a + + + +IAB Informational [Page 9] + +RFC 3238 IAB Considerations for OPES January 2002 + + + distributed application matter, and not in the province of the IETF + at all. It would seem to us that you can't have it both ways. + Simply labeling the content provider and the OPES intermediary as + part of the same distributed application does not give the content + provider the ability to monitor the actions of the OPES intermediary. + + However, if the end user receives some form of notification that + these OPES services have been provided, and has some mechanism for + receiving the "non-OPES" content from the content provider without + the OPES intermediary's modifications (if there is such a thing as a + non-OPES version of the content), then the end user is in a better + position to detect and react to inappropriate actions from + compromised or poorly-designed OPES intermediaries. Thus, it is + clear that some form of end-system notification is required to allow + the end user to detect and respond to broken or modified OPES + intermediaries. If the end user has notification of action by OPES + intermediaries, it could "veto" an OPES service simply by throwing + the OPES-modified content away. And if the client wants to talk + directly to the origin server to receive the "non-OPES" version, and + the origin server is configured to allow this, then the OPES + intermediary must be designed to permit this end-to-end + communication. + + In addition to concerns about detecting and responding to faulty or + compromised OPES intermediaries, there are purely policy-based + concerns about the integrity of data. If the content provider looks + at the source IP address from the HTTP request, or tosses a coin, in + order to decide what content to provide, then that is the content + provider's business. But if there exists a "non-OPES" version of + some content available from the content provider, and also modified + versions available from OPES intermediaries, then it is important + that end users would be able to discover that they are receiving a + modified version from the network, and not the "non-OPES" version + that is also available from the content provider directly. + + IAB Considerations: + + (3.2) Notification: The overall OPES framework should assist end + users in detecting the behavior of OPES intermediaries, potentially + allowing them to identify imperfect or compromised intermediaries. + + (3.3) Non-blocking: If there exists a "non-OPES" version of content + available from the content provider, the OPES architecture must not + prevent users from retrieving this "non-OPES" version from the + content provider. + + + + + + +IAB Informational [Page 10] + +RFC 3238 IAB Considerations for OPES January 2002 + + +3.3. Data integrity with client-centric OPES services on requests + + There have also been proposals for OPES services authorized by the + client on requests from the client to the content provider. Examples + include services that remove fields from the HTTP header for added + privacy, and content-filtering services that filter requests based on + the requested URL. For such services, there is still a need for end + hosts to be assisted in detecting and responding to imperfect or + corrupted intermediaries, but it seems less clear to what extent this + applies to the content provider, and to what extent it applies to the + end user that authorized the service. The requirements will probably + have to be determined by the OPES and wider IETF communities on a + case-by-case basis for each specific service. + +4. Application Layer Addresses + + Most application layer addressing revolves around URIs, which, for + the most part, give a structured method to refer to a single data + entity on a remote server. URIs are universal in that, in principle, + the same result is obtained irrespective of the location of the + client performing the resolution. + + Practice often differs from this theory -- ad-strippers remove data + from pages at the client end; web server farms redirect clients to + one of several potential target machines for load-balancing or to + give the user "localized" content. + + However, from an architectural standpoint, it is important to be + clear about what is being done here. In all cases, URI resolution + standards (as defined for individual URI schemes, such as HTTP) apply + unchanged between the client and the OPES intermediary. What the + intermediary does to fulfill the request is not material to the + discussion, and must produce a result that is compliant with the + applicable URI scheme definition. In this sense, the OPES + intermediary is the "endpoint" of URI resolution. + + In client-centric OPES, the intermediary is resolving the URI on + behalf of the client, and then applying client-requested services to + provide a data response to the client. The client gets the data it + wanted, but it did not carry out the URI resolution. + + In server-centric OPES, the "origin server" cedes its authority to + the intermediary to determine what is the "appropriate" content to + supply for a given URI. The client may well perform standard URI + resolution, but that reaches no further than the intermediary. + + With those distinctions firmly in mind, there are two particular + areas of concern for OPES-like services. + + + +IAB Informational [Page 11] + +RFC 3238 IAB Considerations for OPES January 2002 + + + The first is the consideration of the effect of a series of + interactions, over time and location (i.e., not just one document + retrieval). Potential problems include inconsistencies in intra- + and inter-document references -- depending on what content is + changed, references from one version of a document might not exist in + a modified target, etc. + + The other concern is whether this leads to the creation of content + that is exclusively accessible through the use of an intermediary. + That is, there is no "non-OPES" version. Either this should not be + allowed, or this would argue for an extension to the Internet + application layer addressing architecture. + + IAB Considerations: + + (4.1) URI resolution: OPES documentation must be clear in describing + these services as being applied to the result of URI resolution, not + as URI resolution itself. + + (4.2) Reference validity: All proposed services must define their + impact on inter- and intra-document reference validity. + + (4.3) Any services that cannot be achieved while respecting the above + two considerations may be reviewed as potential requirements for + Internet application addressing architecture extensions, but must not + be undertaken as ad hoc fixes. + +5. Privacy + + Intermediaries in the middle of the network increase the number of + locations where the privacy of an end-to-end transaction could be + compromised. Some of these privacy concerns apply to web caches and + CDNs in general as well as specifically to OPES intermediaries. It + seems a reasonable requirement, for OPES to be chartered in the IETF, + that the issue of providing mechanisms for end users to determine the + privacy policies of OPES intermediaries should be addressed. These + mechanisms could be quite different for client-centric and server- + centric OPES services. + + For a complex issue such as an OPES architecture, which interacts + with protocols from other standards bodies as well as from other IETF + working groups, it seems necessary to keep in mind the overall + picture while, at the same time, breaking out specific parts of the + problem to be standardized in particular working groups. Thus, a + requirement that the overall OPES architecture address privacy + concerns does not necessarily mean that the mechanisms for this need + to be developed in the IETF, or in the OPES working group (if it is + chartered). + + + +IAB Informational [Page 12] + +RFC 3238 IAB Considerations for OPES January 2002 + + + IAB Considerations: + + (5.1) Privacy: The overall OPES framework must provide for mechanisms + for end users to determine the privacy policies of OPES + intermediaries. + +6. Summary of IAB Considerations + + (2.1) One-party consent: An OPES framework standardized in the IETF + must require that the use of any OPES service be explicitly + authorized by one of the application-layer end-hosts (that is, either + the content provider or the client). + + (2.2) IP-layer communications: For an OPES framework standardized in + the IETF, the OPES intermediary must be explicitly addressed at the + IP layer by the end user. + + (3.1) Notification: The overall OPES framework needs to assist + content providers in detecting and responding to client-centric + actions by OPES intermediaries that are deemed inappropriate by the + content provider. + + (3.2) Notification: The overall OPES framework should assist end + users in detecting the behavior of OPES intermediaries, potentially + allowing them to identify imperfect or compromised intermediaries. + + (3.3) Non-blocking: If there exists a "non-OPES" version of content + available from the content provider, the OPES architecture must not + prevent users from retrieving this "non-OPES" version from the + content provider. + + (4.1) URI resolution: OPES documentation must be clear in describing + these services as being applied to the result of URI resolution, not + as URI resolution itself. + + (4.2) Reference validity: All proposed services must define their + impact on inter- and intra-document reference validity. + + (4.3) Any services that cannot be achieved while respecting the above + two considerations may be reviewed as potential requirements for + Internet application addressing architecture extensions, but must not + be undertaken as ad hoc fixes. + + (5.1) Privacy: The overall OPES framework must provide for mechanisms + for end users to determine the privacy policies of OPES + intermediaries. + + + + + +IAB Informational [Page 13] + +RFC 3238 IAB Considerations for OPES January 2002 + + +7. Conclusions + + This document includes comments and recommendations by the IAB on + some architectural and policy issues related to the chartering of + OPES in the IETF. + +8. Acknowledgements + + This document has benefited from discussions with members of the IAB + and the IESG, contributors to OPES, John Wroclawski, and others. + However, this is a document of the IAB, and we do not claim that the + other people listed above agree with the contents. + +9. References + + [Carr01] Wayne Carr, "Suggested OPES Requirements for Integrity, + Privacy and Security", email to ietf-openproxy@imc.org, + August 16, 2001. URL "http://www.imc.org/ietf- + openproxy/mail-archive/msg00869.html". + + [CDT01] Policy Concerns Raised by Proposed OPES Working Group + Efforts, email to the IESG, from the Center for Democracy + & Technology, August 3, 2001. URL + "http://www.imc.org/ietf-openproxy/mail- + archive/msg00828.html". + + [Clark88] David D. Clark, The Design Philosophy of the DARPA + Internet Protocols, SIGCOMM 1988. + + [Morris01] John Morris, "Re: corrected - Suggested OPES + Requirements for Integrity, Privacy and Security", + September 28, 2001. Email to ietf-openproxy@imc.org, URL + "http://www.imc.org/ietf-openproxy/mail- + archive/msg00935.html". + + [ODell01] Mike O'Dell, "OPES continuing froth...", Message-Id: + <200107101341.JAA30276@ccr.org>, July 10, 2001, email to + ietf@ietf.org. URL "http://www1.ietf.org/mail- + archive/ietf/Current/msg12650.html". + + [OPES] Open Pluggable Edge Services (OPES) Web Page, + "http://www.ietf-opes.org/". + + [OPESBOF1] OPES BOF, 49th IETF, December 12, 2000. Agenda: + "http://www.ietf.org/ietf/00dec/opes-agenda.txt". + Minutes: "http://www.ietf.cnri.reston.va.us/ + proceedings/00dec/toc.htm#P25_256". + + + + +IAB Informational [Page 14] + +RFC 3238 IAB Considerations for OPES January 2002 + + + [OPESBOF2] OPES BOF, 50th IETF, March 9, 2001. Minutes: + "http://www.ietf.org/proceedings/01mar/ietf50-40.htm". + + [OPESBOF3] OPES BOF, 51st IETF, August 2001. Agenda: + "http://www.ietf.org/ietf/01aug/opes.txt". Minutes: + "http://www.ietf.org/proceedings/01aug/minutes/OPES.HTM". + + [Orman01] Hilarie Orman, "Data Integrity for Open Pluggable + Services", email to ietf-openproxy@imc.org, August 15, + 2001. URL "http://www.imc.org/ietf-openproxy/mail- + archive/msg00865.html". + + [RFC 2316] Bellovin, S., "Report of the IAB Security Architecture + Workshop", RFC 2316, April 1998. + + [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the + Internet Protocol", RFC 2401, November 1998. + + [RFC 3040] Cooper, I., Melve, I. and G. Tomlinson, "Internet Web + Replication and Caching Taxonomy", RFC 3040, January + 2001. + + [RFC 3135] Border, J., Kojo, M., Griner, J., Montenegro, G. and Z. + Shelby, "Performance Enhancing Proxies Intended to + Mitigate Link-Related Degradations", RFC 3135, June 2001. + + [Routson01] Joyce Routson, IETF's Edge Standards Controversy, July + 11, 2001, Stardust CDN Week. URL + "http://www.stardust.com/cdnweek/articles/2001/07/09/ + opes.htm". + +10. Security Considerations + + This document does not propose any new protocols, and therefore does + not involve any security considerations in that sense. However, + throughout this document there are discussions of the privacy and + integrity issues of OPES services and the architectural requirements + created by those issues. + +11. IANA Considerations + + There are no IANA considerations regarding this document. + + + + + + + + + +IAB Informational [Page 15] + +RFC 3238 IAB Considerations for OPES January 2002 + + +Authors' Addresses + + Internet Architecture Board + EMail: iab@iab.org + + Membership at time this document was completed: + + Harald Alvestrand + Ran Atkinson + Rob Austein + Fred Baker + Steve Bellovin + Brian Carpenter + Jon Crowcroft + Leslie Daigle + Steve Deering + Sally Floyd + Geoff Huston + John Klensin + Henning Schulzrinne + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +IAB Informational [Page 16] + +RFC 3238 IAB Considerations for OPES January 2002 + + +12. Full Copyright Statement + + Copyright (C) The Internet Society (2002). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +IAB Informational [Page 17] + -- cgit v1.2.3