1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
|
Independent Submission C. Chung
Request for Comments: 6108 A. Kasyanov
Category: Informational J. Livingood
ISSN: 2070-1721 N. Mody
Comcast
B. Van Lieu
Unaffiliated
February 2011
Comcast's Web Notification System Design
Abstract
The objective of this document is to describe a method of providing
critical end-user notifications to web browsers, which has been
deployed by Comcast, an Internet Service Provider (ISP). Such a
notification system is being used to provide near-immediate
notifications to customers, such as to warn them that their traffic
exhibits patterns that are indicative of malware or virus infection.
There are other proprietary systems that can perform such
notifications, but those systems utilize Deep Packet Inspection (DPI)
technology. In contrast to DPI, this document describes a system
that does not rely upon DPI, and is instead based in open IETF
standards and open source applications.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6108.
Chung, et al. Informational [Page 1]
^L
RFC 6108 Comcast's Web Notification System February 2011
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction ....................................................3
2. High-Level Design of the System .................................3
3. Design Requirements .............................................3
3.1. General Requirements .......................................4
3.2. Web Proxy Requirements .....................................6
3.3. ICAP Server Requirements ...................................7
3.4. Messaging Service Requirements .............................8
4. Implementation Details ..........................................8
4.1. Functional Components Described, as Implemented ............9
4.2. Functional Diagram, as Implemented ........................10
5. High-Level Communication Flow, as Implemented ..................11
6. Communication between Web Proxy and ICAP Server, as
Implemented ....................................................12
7. End-to-End Web Notification Flow, as Implemented ...............13
7.1. Step-by-Step Description of the End-to-End Web
Notification Flow .........................................14
7.2. Diagram of the End-to-End Web Notification Flow ...........15
8. Example HTTP Headers and JavaScript for a Web Notification .....16
9. Deployment Considerations ......................................18
10. Security Considerations .......................................19
11. Debating the Necessity of Such a Critical Notification
System ........................................................19
12. Suggesting a Walled Garden as an Alternative ..................20
13. Intended Next Steps ...........................................21
14. Acknowledgements ..............................................21
15. References ....................................................21
15.1. Normative References .....................................21
15.2. Informative References ...................................23
Chung, et al. Informational [Page 2]
^L
RFC 6108 Comcast's Web Notification System February 2011
1. Introduction
Internet Service Providers (ISPs) have a need for a system that is
capable of communicating with customers in a nearly immediate manner,
to convey critical service notices such as warnings concerning likely
malware infection. Given the prevalence of the web browser as the
predominant client software in use by Internet users, the web browser
is an ideal vehicle for providing these notifications. This document
describes a system that has been deployed by Comcast, a broadband
ISP, to provide near-immediate notifications to web browsers.
In the course of evaluating potential solutions, the authors
discovered that the large majority of commercially available systems
utilized Deep Packet Inspection (DPI) technology. While a DPI-based
system would certainly work, Comcast and other ISPs are trying to
avoid widespread deployment and use of DPI, and are searching for
alternatives. Thus, Comcast desired to use a system that is based on
open standards and non-proprietary software, and that did not require
the use of DPI. While the system described herein is specific to the
Data-Over-Cable Service Interface Specifications (DOCSIS,
[CableLabs_DOCSIS]) networks used by most cable-based broadband ISPs,
concepts described in this document can generally be applied to many
different types of networks should those ISPs be interested in
alternatives to DPI.
2. High-Level Design of the System
The web notification system design is based on the use of the
Internet Content Adaptation Protocol (ICAP) [RFC3507]. The design
uses open source applications, which are the Squid web proxy,
GreasySpoon ICAP server, and Apache Tomcat. ICAP, an existing IETF
protocol, allows for message transformation or adaptation. An ICAP
client passes a HyperText Transport Protocol (HTTP, [RFC2616])
response to an ICAP server for content adaption. The ICAP server in
turn responds back to the client with the HTTP response containing
the notification message by using the "respmod" method defined in
Section 3.2 of [RFC3507].
3. Design Requirements
This section describes all of the key requirements taken into
consideration by Comcast for the design of this system. This
information is provided in order to convey important design choices
that were made in order to avoid the use of DPI, among other things.
An "Additional Background" paragraph is included with each
requirement to provide additional information, context, or other
useful explanation.
Chung, et al. Informational [Page 3]
^L
RFC 6108 Comcast's Web Notification System February 2011
3.1. General Requirements
R3.1.1. Must Only Be Used for Critical Service Notifications
Additional Background: The system must only provide
critical notifications, rather than trivial notifications.
An example of a critical, non-trivial notification, which
is also the primary motivation of this system, is to advise
the user that their computer is infected with malware, that
their security is at severe risk and/or has already been
compromised, and that it is recommended that they take
immediate, corrective action NOW.
R3.1.2. Must Use TCP Port 80
Additional Background: The system must provide
notifications via TCP port 80, the well-known port for HTTP
traffic. Since the large majority of customers use a web
browser as their primary application, this was deemed the
best method to provide them with an immediate, critical
notification.
R3.1.3. Must Support Block Listing
Additional Background: While unlikely, it is possible that
the HyperText Markup Language (HTML, [RFC2854]) or
JavaScript [RFC4329] used for notifications may cause
problems while accessing a particular website. Therefore,
such a system must be capable of using a block list of
website Uniform Resource Identifiers (URIs, [RFC3986]) or
Fully Qualified Domain Names (FQDNs, Section 5.1 of
[RFC1035]) that conflict with the system, so that the
system does not provide notifications in these cases, in
order to minimize any errors or unexpected results. Also,
while extensive development and testing has been performed
to ensure that this system does not behave in unexpected
ways, and standard ICAP (which has been in use for many
years) is utilized, it is critical that if it does behave
in such a way, there must be a method to rapidly exempt
specific URIs or FQDNs.
R3.1.4. Must Not Cause Problems with Instant Messaging (IM) Clients
Using TCP Port 80
Additional Background: Some IM clients use TCP port 80 in
their communications, often as an alternate port when
standard, well-known ports do not work. Other IM clients
may in fact use TCP port 80 by default, in some cases even
being based in a web browser. Therefore, this system must
not conflict with or cause unexpected results for IM
clients (or any other client types) that use TCP port 80.
Chung, et al. Informational [Page 4]
^L
RFC 6108 Comcast's Web Notification System February 2011
R3.1.5. Must Handle Pre-Existing Active TCP Sessions Gracefully
Additional Background: Since the web notification system
may temporarily re-route TCP port 80 traffic in order to
provide a critical notification, previously established TCP
port 80 sessions must not be disrupted while being routed
to the proxy layer. Also, since the critical web
notification occurs at a well-defined point in time, it is
logical to conclude that an end user may well have an
active TCP port 80 session in progress before the
notification is sent, and which is still active at the time
of the notification. It is therefore important that any
such connections must not be reset, and that they instead
must be handled gracefully.
R3.1.6. Must Not Use TCP Resets
Additional Background: The use of TCP resets has been
widely criticized, both in the Internet community generally
and in [RFC3360]. In Comcast's recent history, for
example, the company was criticized for using TCP resets in
the course of operating a DPI-based network management
system. As such, TCP resets as a function of the system
must not be used.
R3.1.7. Must Be Non-Disruptive
Additional Background: The web notification system must not
disrupt the end-user experience, for example by causing
significant client errors.
R3.1.8. User Notification Acknowledgement Must Stop Further
Immediate Notifications
Additional Background: Once a user acknowledges a critical
notification, the notification should immediately stop.
Otherwise, the user may believe the system is stuck in an
error state and may not believe that the critical
notification is valid. In addition, it is quite possible
that the user will be annoyed that the system did not react
to his acknowledgement.
R3.1.9. Non-Modification of Content Should Be Maintained
Additional Background: The system should not significantly
alter the content of the HTTP response from any website the
user is accessing.
R3.1.10. Must Handle Unexpected Content Gracefully
Additional Background: Sometimes, developers and/or
implementers of software systems assume that a narrow range
of inputs to a system will occur, all of which have been
thought of beforehand by the designers. The authors
Chung, et al. Informational [Page 5]
^L
RFC 6108 Comcast's Web Notification System February 2011
believe this is a poor assumption to make in the design and
implementation of a system and, in contrast, that
unexpected or even malformed inputs should be assumed. As
a result, the system must gracefully and transparently
handle traffic that is unexpected, even though there will
be cases when the system cannot provide a critical web
notification as a result of this. Thus, widely varying
content should be expected, and all such unexpected traffic
must be handled by the system without generating user-
perceived errors or unexpected results.
R3.1.11. Web Content Must Not Be Cached
Additional Background: Maintaining the privacy of users is
important. As such, content flowing through or
incidentally observed by the system must not be cached.
R3.1.12. Advertising Replacement or Insertion Must Not Be Performed
Under ANY Circumstances
Additional Background: The system must not be used to
replace any advertising provided by a website, or to insert
advertising into websites. This therefore includes cases
where a web page already has space for advertising, as well
as cases where a web page does not have any advertising.
This is a critical area of concern for end users, privacy
advocates, and other members of the Internet community.
Therefore, it must be made abundantly clear that this
system will not be used for such purposes.
3.2. Web Proxy Requirements
R3.2.1. Open Source Software Must Be Used
Additional Background: The system must use an open source
web proxy server. (As noted in Section 2 and Section 4.1,
Squid has been chosen.) While it is possible to use any web
proxy, the use of open source enables others to easily
access openly available documentation for the software,
among the other benefits commonly attributed to the use of
open source software.
R3.2.2. ICAP Client Should Be Integrated
Additional Background: The web proxy server should have an
integrated ICAP client, which simplifies the design and
implementation of the system.
Chung, et al. Informational [Page 6]
^L
RFC 6108 Comcast's Web Notification System February 2011
R3.2.3. Access Control Must Be Implemented
Additional Background: Access to the proxy must be limited
exclusively to the IP addresses of users for which
notifications are intended, and only for limited periods of
time. Furthermore, since a Session Management Broker (SMB)
is utilized, as described in Section 4.1 below, then the
proxy must restrict access only to the address of the SMB.
3.3. ICAP Server Requirements
R3.3.1. Must Provide ICAP Response Support
Additional Background: The system must support response
adaptation, in accordance with [RFC3507]. An ICAP client
passes a HyperText Transport Protocol (HTTP, [RFC2616])
response to an ICAP server for content adaption. The ICAP
server in turn responds back to the client with the HTTP
response containing the notification message by using the
"respmod" method defined in Section 3.2 of [RFC3507].
R3.3.2. Must Provide Consistency of Critical Notifications
Additional Background: The system must be able to
consistently provide a specific notification. For example,
if a critical alert to notify a user that they are infected
with malware is desired, then that notification should
consistently look the same for all users and not vary.
R3.3.3. Must Support Multiple Notification Types
Additional Background: While the initial and sole critical
notification sent by the system is intended to alert users
of a malware infection, malware is a rapidly and
continuously evolving threat. As a result of this reality,
the system must be able to evolve to provide different types
of critical notifications. For example, if malware begins
to diverge into several different categories with
substantially different implications for end users, then it
may become desirable to provide a notification that has been
narrowly tailored to each category of malware.
R3.3.4. Must Support Notification to Multiple Users Simultaneously
Additional Background: The system must be able to
simultaneously serve notifications to different users. For
example, if 100 users have been infected with malware and
critically need to be notified about this security problem,
then the system must be capable of providing the
notification to several users at a time, or all of the users
at the same time, rather than to just one user at a time.
Chung, et al. Informational [Page 7]
^L
RFC 6108 Comcast's Web Notification System February 2011
3.4. Messaging Service Requirements
R3.4.1. A Messaging Service Must Be Used
Additional Background: The Messaging Service, as described
in Section 4.1 below, caches the notifications for each
specific user. Thus, the notification messages are cached
by the system and do not have to be retrieved each time a
notification is needed. As a result, the system can be more
easily scaled to provide notification to multiple users
simultaneously, as noted in an earlier requirement ("Must
Support Notification to Multiple Users Simultaneously").
R3.4.2. Must Process Acknowledgements on a Timely Basis
Additional Background: The Messaging Service must quickly
process notification acknowledgements by end users, as noted
in an earlier requirement ("User Notification
Acknowledgement Must Stop Further Immediate Notifications").
R3.4.3. Must Ensure Notification Targeting Accuracy
Additional Background: The Messaging Service must ensure
that notifications are presented to the intended users. For
example, if the system intends to provide a critical
notification to User A and User B, but not User C, then
User C must not be sent a notification.
R3.4.4. Should Keep Notification Records for Customer Support
Purposes
Additional Background: The Messaging Service should maintain
some type of record that a notification has been sent to a
user, in case that user inquires with customer support
personnel. For example, when a user is presented with the
critical notification advising them of a malware infection,
that user may choose to call Comcast's Customer Security
Assurance team, in the customer service organization. As a
result, a Customer Security Assurance representative should
be able to confirm that the user did in fact receive a
notification concerning malware infection in the course of
providing assistance to the end user in remediating the
malware infection.
4. Implementation Details
This section defines and documents the various core functional
components of the system, as they are implemented. These components
are then shown in a diagram to describe how the various components
are linked and relate to one another.
Chung, et al. Informational [Page 8]
^L
RFC 6108 Comcast's Web Notification System February 2011
4.1. Functional Components Described, as Implemented
This section accurately and transparently describes the software (S)
packages used by the system described herein, as well as all of the
details of how the system functions. The authors acknowledge that
there may be multiple alternative software choices for each
component; the purpose of this section is to describe those
selections that have been made and deployed.
S4.1.1. Web Proxy: The system uses Squid Proxy, an open source web
proxy application in wide use, which supports an integrated
ICAP client.
S4.1.2. ICAP Server: The system uses GreasySpoon, an open source
application. The ICAP server retrieves the notifications
from the Messaging Service cache when content adaption is
needed.
S4.1.3. Customer Database: The Customer Database holds the relevant
information that the system needs to provide a critical
notification to a given user. The database may also hold
the status of which users were notified and which users are
pending notification.
S4.1.4. Messaging Service: The system uses Apache Tomcat, an open
source application. This is a process engine that retrieves
specific web notification messages from a catalog of
possible notifications. While only one notification is
currently used, concerning malware infection, as noted in
Section 3.3 the system may eventually need to provide
multiple notifications (the specific requirement is "Must
Support Multiple Notification Types"). When a notification
for a specific user is not in the cache, the process
retrieves this information from the Customer Database and
populates the cache for a specific period of time.
S4.1.5. Session Management Broker (SMB): A Load Balancer (LB) with a
customized layer 7 inspection policy is used to
differentiate between HTTP and non-HTTP traffic on TCP
port 80, in order to meet the requirements documented in
Section 3 above. The system uses a LB from A10 Networks.
The SMB functions as a full stateful TCP proxy with the
ability to forward packets from existing TCP sessions that
do not exist in the internal session table (to meet the
specific requirement "Must Handle Pre-Existing Active TCP
Sessions Gracefully"). New HTTP sessions are load balanced
to the web proxy layer either transparently or using source
Network Address Translation (NAT [RFC3022]) from the SMB.
Chung, et al. Informational [Page 9]
^L
RFC 6108 Comcast's Web Notification System February 2011
Non-HTTP traffic for established TCP sessions not in the SMB
session table is simply forwarded to the destination
transparently via the TCP proxy layer (again, to meet the
specific requirement "Must Handle Pre-Existing Active TCP
Sessions Gracefully").
4.2. Functional Diagram, as Implemented
+--------+ +------------+ +----------+
| ICAP | <----> | Messaging | <----> | Customer |
| Server | | Service | | Database |
+--------+ +------------+ +----------+
^
| +----------+
| | |
| +-------> | Internet | <-------+
| | | | |
| | +----------+ |
| | ^ |
v v | |
+----------+ v v
|+--------+| +-------+ +--------+
|| ICAP || <----> | SMB | <---> | Access |
|| Client || +-------+ | Router |
|+--------+| +--------+
|| SQUID || ^
|| Proxy || |
|+--------+| v
+----------+ +----------+
| CMTS* |
+----------+
^
|
v
+------+
| PC |
+------+
* A Cable Modem Termination System (CMTS)
is an access network element.
Figure 1: Web Notification System - Functional Components
Chung, et al. Informational [Page 10]
^L
RFC 6108 Comcast's Web Notification System February 2011
5. High-Level Communication Flow, as Implemented
In Section 4, the functional components of the system were described,
and then shown in relation to one another in Figure 1 above. This
section describes the high-level communication (C) flow of a
transaction in the system, in order to explain the general way that
the functions work together in action. This will be further
explained in much more detail in later sections of this document.
C5.1. Setup of Differentiated Services (Diffserv): Using Diffserv
[RFC2474] [RFC2475] [RFC2597] [RFC3140] [RFC3246] [RFC3260]
[RFC4594], set a policy to direct TCP port 80 traffic to the
web notification system's web proxy.
C5.2. Session Management: TCP port 80 packets are routed to a
Session Management Broker (SMB) that distinguishes between
HTTP or non-HTTP traffic and between new and existing
sessions. HTTP packets are forwarded to the web proxy by the
SMB. Non-HTTP packets such as instant messaging (IM) traffic
are forwarded to a TCP proxy layer for routing to their
destination, or the SMB operates as a full TCP proxy and
forwards the non-HTTP packets to the destination.
Pre-established TCP sessions on port 80 are identified by the
SMB and forwarded with no impact.
C5.3. Web Proxy Forwards Request: The web proxy forwards the HTTP
request on to the destination site, a web server, as a web
proxy normally would do.
C5.4. On Response, Send Message to ICAP Server: When the HTTP
response is received from the destination server, the web
proxy sends a message to the ICAP server for the web
notification.
C5.5. Messaging Service: The Messaging Service should respond with
appropriate notification content or null response if no
notification is cached.
C5.6. ICAP Server Responds: The ICAP server responds and furnishes
the appropriate content for the web notification to the web
proxy.
C5.7. Web Proxy Sends Response: The web proxy then forwards the
HTTP response containing the web notification to the client
web browser.
Chung, et al. Informational [Page 11]
^L
RFC 6108 Comcast's Web Notification System February 2011
C5.8. User Response: The user observes the critical web
notification, and clicks an appropriate option, such as: OK/
acknowledged, snooze/remind me later, etc.
C5.9. More Information: Depending upon the notification, the user
may be provided with more information. For example, as noted
previously, the system was designed to provide critical
notifications concerning malware infection. Thus, in the
case of malware infection, the user may be advised to go to a
malware remediation web page that provides directions on how
to attempt to remove the malware and attempt to secure hosts
against future malware infection.
C5.10. Turn Down Diffserv: Once the notification transaction has
completed, remove any special Diffserv settings.
6. Communication between Web Proxy and ICAP Server, as Implemented
The web proxy and ICAP server are critical components of the system.
This section shows the communication that occurs between these two
components.
Chung, et al. Informational [Page 12]
^L
RFC 6108 Comcast's Web Notification System February 2011
+------------+
| www URI |
+------------+
^ |
(2)| |(3)
| v
+--------+ (4) +--------+ (4) +--------+
| |------------>| |------------>| |
| | (5) | | (5) | |
| Proxy |<------------| ICAP |<------------| ICAP |
| Module | (6) | Client | (6) | Server |
| |------------>| |------------>| |
| | (7) | | (7) | |
| |<------------| |<------------| |
+--------+ +--------+ +--------+
^ |
(1)| |(8)
| v
+------------+ (9) +------------+
| |----------------------------->| |
| Browser | (10) | Web Server |
| |<-----------------------------| |
+------------+ +------------+
(1) - HTTP GET (TCP 80)
(2) - Proxy HTTP GET (TCP 80)
(3) - HTTP 200 OK w/ Response
(4) - ICAP RESPMOD
(5) - ICAP 200 OK
(6) - TCP Stream - Encapsulate Header
(7) - ICAP 200 OK Insert Message
(8) - HTTP 200 OK w/ Response + Message Frame
(9) - HTTP GET for Message
(10) - HTTP 200 w/ Message Content
Figure 2: Communication between Web Proxy and ICAP Server
7. End-to-End Web Notification Flow, as Implemented
This section describes the exact flow of an end-to-end notification,
in order to show in detail how the system functions.
Chung, et al. Informational [Page 13]
^L
RFC 6108 Comcast's Web Notification System February 2011
7.1. Step-by-Step Description of the End-to-End Web Notification Flow
Policy-Based Routing
1. TCP port 80 packets from the user that needs to be notified are
routed to the web proxy via policy-based routing.
2. Packets are forwarded to the Session Management Broker, which
establishes a session with the web proxy and routes the packets
to the web proxy.
Web Proxy
1. The user's HTTP request is directed to the web proxy.
2. The web proxy receives HTTP traffic and retrieves content from
the requested website.
3. The web proxy receives the response and forwards it to the ICAP
server for response adaptation.
4. The ICAP server checks the HTTP content in order to determine
whether the notification message can be inserted.
5. The ICAP server initiates a request to the Messaging Service
cache process with the IP address of the user.
6. If a notification message for the user exists, then the
appropriate notification is cached on the Messaging Service.
The Messaging Service then returns the appropriate notification
content to the ICAP server.
7. Once the notification message is retrieved from the Messaging
Service cache, the ICAP server may insert the notification
message in the HTTP response body without altering or modifying
the original content of the HTTP response.
8. The ICAP server then sends the response back to the web proxy,
which in turn forwards the HTTP response back to the browser.
9. If the user's IP address is not found or provisioned for a
notification message, then the ICAP server should return a "204
No modifications needed" response to the ICAP client as defined
in Section 4.3.3 of [RFC3507]. As a result, the user will not
receive any web notification message.
Chung, et al. Informational [Page 14]
^L
RFC 6108 Comcast's Web Notification System February 2011
10. The user observes the web notification, and clicks an
appropriate option, such as: OK/acknowledged, snooze/remind me
later, etc.
7.2. Diagram of the End-to-End Web Notification Flow
The two figures below show the communications flow from the web
browser, through the web notification system.
Figure 3 illustrates what occurs when a notification request cannot
be inserted because the notification type for the user's IP address
is not cached in the Messaging Service.
ICAP ICAP Message Customer
Browser Proxy Client Server Service Internet DB
| HTTP | | | | | |
| GET | Proxy | | | | |
+------->| Request | | | | |
| +---------|---------|--------|------->| |
| | | | | 200 OK | |
| |<--------|---------|--------|--------+ |
| | ICAP | | | | |
| | RESPMOD | ICAP | | | |
| +-------->| RESPMOD | Check | | |
| | +-------->| Cache | | |
| | | | for IP | | |
| | | | Match | | |
| | | +------->| | |
| | | | Cache | | |
| | | | Miss | | |
| | | |<-------+ Request| |
| | | 204 No | | Type | |
| | | Modif. | +--------|------->|
| | | Needed | | | |
| | No |<--------+ | | Type |
| | Insert | | | |Returned|
| 200 OK |<--------+ | |<-------|--------+
| w/o | | | | | |
| Insert | | | | | |
|<-------+ | | | | |
| | | | | | |
Figure 3: End-to-End Web Notification Flow - with Cache Miss
Chung, et al. Informational [Page 15]
^L
RFC 6108 Comcast's Web Notification System February 2011
Figure 4 illustrates what occurs when a notification request for the
user's IP address is cached in the Messaging Service.
ICAP ICAP Message Customer
Browser Proxy Client Server Service Internet DB
| HTTP | | | | | |
| GET | Proxy | | | | |
+------->| Request | | | | |
| +---------|---------|--------|------->| |
| | | | | 200 OK | |
| |<--------|---------|--------|--------+ |
| | ICAP | | | | |
| | RESPMOD | ICAP | | | |
| +-------->| RESPMOD | Check | | |
| | +-------->| Cache | | |
| | | | for IP | | |
| | | | Match | | |
| | | +------->| | |
| | | | Cache | | |
| | | | Hit | | |
| | | Insert |<-------+ | |
| | Return | Type | | | |
| | 200 OK |<--------+ | | |
| | with | | | | |
| | Insert | | | | |
| 200 OK |<--------+ | | | |
| w/ | | | | | |
| Notify | | | | | |
|<-------+ | | | | |
| | | | | | |
Figure 4: End-to-End Web Notification Flow - with Cache Hit
8. Example HTTP Headers and JavaScript for a Web Notification
The figure below shows an example of a normal HTTP GET request from
the user's web browser to www.example.com, a web server on the
Internet.
Chung, et al. Informational [Page 16]
^L
RFC 6108 Comcast's Web Notification System February 2011
------------------------------------------------------------------------
1. HTTP GET Request to www.example.com
------------------------------------------------------------------------
http://www.example.com/
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Pragma: no-cache
------------------------------------------------------------------------
Figure 5: Example HTTP Headers for a Web Notification - HTTP GET
In the figure below, the traffic is routed via the web proxy, which
communicates with the ICAP server and returns the response from
www.example.com. In this case, that response is a 200 OK, with the
desired notification message inserted.
------------------------------------------------------------------------
2. Response from www.example.com via PROXY
------------------------------------------------------------------------
HTTP/1.x 200 OK
Date: Thu, 08 May 2008 16:26:29 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 15 Nov 2005 13:24:10 GMT
Etag: "b80f4-1b6-80bfd280"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
Age: 18
X-Cache: HIT from localhost.localdomain
Via: 1.0 localhost.localdomain (squid/3.0.STABLE5)
Proxy-Connection: keep-alive
------------------------------------------------------------------------
Figure 6: Example HTTP Headers for a Web Notification - HTTP Response
Chung, et al. Informational [Page 17]
^L
RFC 6108 Comcast's Web Notification System February 2011
The figure below shows an example of the web notification content
inserted in the 200 OK response, in this example JavaScript code.
------------------------------------------------------------------------
3. Example of JavaScript containing Notification Insertion
------------------------------------------------------------------------
<!--all elements used in a notification should have cascading style
sheet (css) properties defined to avoid unwanted inheritance from
parent page-->
<style type="text/css">
#example {
position: absolute; left: 100px; top: 50px;
z-index: 9999999; height: auto; width: 550px;
padding: 10px;
border: solid 2px black;
background-color:#FDD017;
opacity: 0.8; filter: alpha(opacity = 80);
}
</style>
<script language="javascript" type="text/javascript">
// ensure that content is not part of an iframe
if (self.location == top.location) {
// this is a floating div with 80% transparency
document.write('<div id="example" name="example">');
document.write('<h2>IMPORTANT MESSAGE</h2>');
document.write('<p>Lorem ipsum dolor sit amet, consecteteur ');
document.write('adipisicing elit, sed do eiusmod tempor ');
document.write('incididunt ut labore et dolore magna aliqua. ');
document.write('Ut enim ad minim veniam, quis nostrud ');
document.write('exercitation ullamco laboris nisi ut aliquip ex ');
document.write('ea commodo consequat.');
document.write('</div>');
}</script>
------------------------------------------------------------------------
Figure 7: Example JavaScript Used in a Web Notification
9. Deployment Considerations
The components of the web notification system should be distributed
throughout the network and close to end users. This ensures that the
routing performance and the user's web browsing experience remain
excellent. In addition, a HTTP-aware load balancer should be used in
each datacenter where servers are located, so that traffic can be
spread across N+1 servers and the system can be easily scaled.
Chung, et al. Informational [Page 18]
^L
RFC 6108 Comcast's Web Notification System February 2011
10. Security Considerations
This critical web notification system was conceived in order to
provide an additional method of notifying end user customers that
their computer has been infected with malware. Depending upon the
specific text of the notification, users could fear that it is some
kind of phishing attack. As a result, care has been taken with the
text and any links contained in the web notification itself. For
example, should the notification text change over time, it may be
best to provide a general URI or a telephone number. In contrast to
that, the notification must not ask for login credentials, and must
not ask a user to follow a link in order to change their password,
since these are common phishing techniques. Finally, care should be
taken to provide confidence that the web notification is valid and
from a trusted party, and/or that the user has an alternate method of
checking the validity of the web notification. One alternate method
of validating the notification may be to call customer support (in
this example, Comcast's Customer Security Assurance team); this
explains a key requirement (specifically, "Should Keep Notification
Records for Customer Support Purposes") in Section 3.4.
11. Debating the Necessity of Such a Critical Notification System
Some members of the community may question whether it is ever, under
any circumstances, acceptable to modify Internet content in order to
provide critical service notification concerning malware infection -
even in the smallest of ways, even if openly and transparently
documented, even if thoroughly tested, and even if for the best of
motivations. It is important that anyone with such concerns
recognize that this document is by no means the first to propose
this, particularly as a tactic to combat a security problem, and in
fact simply leverages previous work in the IETF, such as [RFC3507].
Such concerned parties should also study the many organizations using
ICAP and the many software systems that have implemented ICAP.
In addition, concerned members of the community should review
Section 1, which describes the fact that this is a common feature of
DPI systems, made by DPI vendors and many, if not most, major
networking equipment vendors. As described herein, the authors of
this document are motivated to AVOID the need for widespread,
ubiquitous deployment of DPI, via the use of both open source
software and open protocols, and are further motivated to
transparently describe the details of how such a system functions,
what it IS intended to do, what it IS NOT intended to do, and
purposes for which it WILL NOT be used.
Chung, et al. Informational [Page 19]
^L
RFC 6108 Comcast's Web Notification System February 2011
The authors also believe it is important for ISPs to transparently
disclose network management techniques and systems, and to have a
venue to do so, as has been done here. In addition, the authors
believe it is important for the IETF and other members of the
Internet community to encourage and positively reinforce such
disclosures. In the publishing of such a document for reference and
comment by the Internet community, this may serve to motivate other
ISPs to be similarly open and to engage the IETF and other
organizations that are part of the Internet community. Not
publishing such documents could motivate less disclosure on the part
of ISPs and other members of the Internet community, increase the use
of DPI, and decrease ISP participation in the critical technical
bodies that make up parts of the Internet community.
In addition, it is critical that members of the community recognize
the good motivations of ISPs like Comcast to combat the massive and
continuing proliferation of malware, which is a huge threat to the
security of average Internet users and now represents a multi-
billion-dollar underground economy engaged in identity theft,
financial fraud, transmission of spam, and other criminal activity.
Such a critical notification system in fact is only necessary due to
the failure of host-based security at defending against and
preventing malware infection. As such, ISPs such as Comcast are
being urged by their customers and by other parties such as security
and/or privacy organizations, as well as governmental organizations,
to take action to help solve this massive problem, since so many
other tactics have been unsuccessful. For example, as Howard
Schmidt, the Special Advisory for Cyber Security to President Obama,
of the United States of America, said in 2005: "As attacks on home-
based and unsecured networks become as prevalent as those against
large organizations, the need for ISPs to do everything they can to
make security easier for their subscribers is critical for the
preservation of our nation's information backbone. Additionally,
there is tremendous potential to grow further the use of broadband
around the world; and making safety and security part of an ISP's
core offering will enable the end user to fully experience the rich
and robust benefits broadband provides".
12. Suggesting a Walled Garden as an Alternative
A "walled garden" refers to an environment that controls the
information and services that a subscriber is allowed to utilize and
what network access permissions are granted. Placing a user in a
walled garden is therefore another approach that ISPs may take to
notify users, and this method is being explored as a possible
alternative in other documents and community efforts. As such, web
notifications should be considered one of many possible notification
methods that merit documentation.
Chung, et al. Informational [Page 20]
^L
RFC 6108 Comcast's Web Notification System February 2011
However, a walled-garden approach can pose challenges and may in some
cases be considered disruptive to end users. For example, a user
could be playing a game online, via the use of a dedicated, Internet-
connected game console, which would likely stop working when the user
was placed in the walled garden. In another example, the user may be
in the course of a telephone conversation, using a Voice Over IP
(VoIP) device of some type, which would also likely stop working when
the user was placed in the walled garden. In both cases, the user is
not using a web browser and would not have a way to determine the
reason why their service seemingly stopped working.
13. Intended Next Steps
Unfortunately, at the time of this writing, no existing working group
of the IETF is focused on issues of malware infection and related
issues. As a result, there was not a definite venue for this
document, so it was submitted to the Independent Submissions Editor
as an independent submission. While documentation and disclosure of
this system are beneficial for the Internet community in and of
itself, there are other benefits to having this document published.
One of those reasons is that members of the community, including
members of the IETF, have a stable document to refer to in the case
of any potential new work that the community may undertake in the
area of malware, security, and critical notification to end users.
It is also hoped that, in the tradition of a Request for Comment,
other members of the community may be motivated to propose
alternative systems or other improvements.
14. Acknowledgements
The authors wish to thank Alissa Cooper for her review of and
comments on the document, and Nevil Brownlee for his excellent
feedback, as well as others who reviewed the document.
15. References
15.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black,
"Definition of the Differentiated Services Field (DS
Field) in the IPv4 and IPv6 Headers", RFC 2474,
December 1998.
Chung, et al. Informational [Page 21]
^L
RFC 6108 Comcast's Web Notification System February 2011
[RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z.,
and W. Weiss, "An Architecture for Differentiated
Services", RFC 2475, December 1998.
[RFC2597] Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski,
"Assured Forwarding PHB Group", RFC 2597, June 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2854] Connolly, D. and L. Masinter, "The 'text/html' Media
Type", RFC 2854, June 2000.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022,
January 2001.
[RFC3140] Black, D., Brim, S., Carpenter, B., and F. Le Faucheur,
"Per Hop Behavior Identification Codes", RFC 3140,
June 2001.
[RFC3246] Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec,
J., Courtney, W., Davari, S., Firoiu, V., and D.
Stiliadis, "An Expedited Forwarding PHB (Per-Hop
Behavior)", RFC 3246, March 2002.
[RFC3260] Grossman, D., "New Terminology and Clarifications for
Diffserv", RFC 3260, April 2002.
[RFC3507] Elson, J. and A. Cerpa, "Internet Content Adaptation
Protocol (ICAP)", RFC 3507, April 2003.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC4329] Hoehrmann, B., "Scripting Media Types", RFC 4329,
April 2006.
[RFC4594] Babiarz, J., Chan, K., and F. Baker, "Configuration
Guidelines for DiffServ Service Classes", RFC 4594,
August 2006.
Chung, et al. Informational [Page 22]
^L
RFC 6108 Comcast's Web Notification System February 2011
15.2. Informative References
[CableLabs_DOCSIS]
CableLabs, "Data-Over-Cable Service Interface
Specifications", CableLabs Specifications, Various DOCSIS
Reference Documents, <http://www.cablelabs.com/
specifications/archives/docsis.html>.
[RFC3360] Floyd, S., "Inappropriate TCP Resets Considered Harmful",
BCP 60, RFC 3360, August 2002.
Chung, et al. Informational [Page 23]
^L
RFC 6108 Comcast's Web Notification System February 2011
Authors' Addresses
Chae Chung
Comcast Cable Communications
One Comcast Center
1701 John F. Kennedy Boulevard
Philadelphia, PA 19103
US
EMail: chae_chung@cable.comcast.com
URI: http://www.comcast.com
Alex Kasyanov
Comcast Cable Communications
One Comcast Center
1701 John F. Kennedy Boulevard
Philadelphia, PA 19103
US
EMail: alexander_kasyanov@cable.comcast.com
URI: http://www.comcast.com
Jason Livingood
Comcast Cable Communications
One Comcast Center
1701 John F. Kennedy Boulevard
Philadelphia, PA 19103
US
EMail: jason_livingood@cable.comcast.com
URI: http://www.comcast.com
Nirmal Mody
Comcast Cable Communications
One Comcast Center
1701 John F. Kennedy Boulevard
Philadelphia, PA 19103
US
EMail: nirmal_mody@cable.comcast.com
URI: http://www.comcast.com
Brian Van Lieu
Unaffiliated
Bethlehem, PA 18018
US
EMail: brian@vanlieu.net
Chung, et al. Informational [Page 24]
^L
|
