Framework for Content Distribution Network Interconnection (CDNI)
RFC 7336

Note: This ballot was opened for revision 10 and is now closed.

Spencer Dawkins Yes

(Martin Stiemerling) Yes

(Jari Arkko) No Objection

(Alia Atlas) No Objection

Alissa Cooper (was Discuss) No Objection

Comment (2014-05-28 for -12)
No email
send info
Thanks for addressing my DISCUSS points.

Original comments:

(1) Section 3.2 says:

"These problems are generally soluble, but the
   solutions complicate the example, so we do not discuss them further
   in this version of the draft."

Was there an intention to discuss these solutions in this draft (assuming at some point soon we will hit its final version)?

(2) During IETF LC, Ray said that the reference to the (expired) draft-vandergaast-edns-client-subnet would be removed. Is that still the plan? I think removing it is appropriate. 

(3) I'm confused about this text in Section 4.6:

"Fine-grain control over how the downstream CDN delivers content on
   behalf of the upstream CDN is also possible.  For example, by
   including the Forwarded HTTP header [I-D.ietf-appsawg-http-forwarded]
   with the conditional GET request, the downstream CDN can report the
   end-user's IP address to the upstream CDN, giving it an opportunity
   to control whether the downstream CDN should serve the content to
   this particular end-user.  The upstream CDN would communicate its
   directive through its response to the conditional GET."

This is characterized as an in-band mechanism. But how does the dCDN know whether to include the Forwarded header, other than by some out-of-band arrangement with the uCDN? Or is the assumption that the dCDN includes it with every conditional GET request?

(Adrian Farrel) No Objection

(Stephen Farrell) (was Discuss) No Objection

Comment (2014-05-28 for -12)
No email
send info
Thanks for addressing my discuss points. There was one that
is not addressed in -12, but which I'll make a comment since
it'd not be correct to block on this, but I'd encourage fixing
it if possible. The discuss point said:

"
(3) section 6: Am I right in thinking that this is the
first time we're standardising protocols related to CDNs?
(That is, we have not prevously standardised any CDNi or
CSP/CDN protocols.) If so, then I question whether the
"main trust issue" is transitive trust. That is an issue
certainly, but we are also here standardising the logging
that has until now been handled in proprietary ways by CSPs
and CDNs, which arguably means that the associated privacy
issues for the end user need to be considered as in scope
and it is not sufficient to simply say "do what CDNs do."
"

I think s/main trust issue/a trust issue/ would be a good
change, since (I hope) we're not only dealing with the 
perspectives of content holders and CDNs.


-- Original comments below, I've not checked how they 
were all handled, but feel free to ping me if chatting 
more would be useful.

- 1.1: Does the CDN-Domain include or exclude a default or
non-default port number? Saying exactly which part of the
RFC 3986 ABNF you mean might help here. Or if that's for
later, maybe say that now here so folks don't get confused.

- 1.1: Also on CDN-Domain - how does this play with the SOP
and/or CORS or does it and what if the URL is not an HTTP
URL? I'd be fine if you want to punt until later on other
URI schemes btw, not asking that you boil an ocean now, but
better to be a bit more precise on this I think.

- 1.1: I think it might help to define (or reference a
definition for) "footprint" - for me at least its not clear
what combination(s) of topological, geographic or other
information is intended here.  I'm not asking that you
provide the data model in 1.1 though but I think a
definition could help.

- 2.1.1: You don't say why DNAME might be preferable to
CNAME. I wondered:-) And btw, I assume mention of wildcards
in DNS zone files isn't needed here as relevant DNS servers
maybe don't tend to do that?

- 2.1.2: The client IP will only be known if there's no
proxy or the proxy passes on the client IP via XFF or
similar though. Worth noting?

- 4.8: I could imagine CDNs serving up frequently loaded
static content that's not tiny, like maybe JS libraries
that are widely used. W3C have an early piece of work
that's related [1] so just noting that and wondering if it
might be wise to take it into account here at some stage.
(It *might* be a problem if that's not considered, but that
might be ok for now since the W3C stuff is drafty. Maybe
worth a look if the WG didn't already.)

   [1] http://www.w3.org/TR/SRI/

- section 8: As with section 6, I think the "just consider
the delta between CDN and CDNi" is not the right approach
here as that could result in CDNi making e.g. HTTPS less
easy to deploy. There is a significiant enough history of
that approach to security going wrong, e.g. when IEEE did
Wired *Equivalent* Privacy (WEP) they ended up addressing
the wrong target and had to go back and substantially re-do
stuff a number of times. I would suggest that simply
referring to [2] here would be a better approach.  This is
not a discuss because I assume that CDNi protocol documents
will in any case have to deal with how they meet those
requirements and will not be able to point here and say
"same as CDN, nothing to see here." If that last was the
WG's plan, then maybe we should chat more about that now
too. (Since we will later otherwise:-)

   [2] https://tools.ietf.org/html/draft-ietf-cdni-requirements-17#section-9

- Section 8: Requirement SEC-2 (DoS resistance) is not
mentioned at all. Did the WG consider whether or not that
requirement ought result in text here? I could buy an
argument that this requirement won't really be discussed
in any detail until later, but wanted to check.

(Brian Haberman) No Objection

Comment (2014-04-07 for -10)
No email
send info
1. Section 1.2 references the CDNI WG, but that reference could be re-worded to point at this document.

2. Should the discussion of HTTP redirection in section 2.1.2 mention as a limitation that this approach won't work for non-HTTP traffic?  It is obvious, but if DNS redirection is not feasible, what other option would a CDN operator use?

(Joel Jaeggli) No Objection

(Barry Leiba) (was Discuss) No Objection

Comment (2014-04-09 for -10)
No email
send info
As noted in my discussion response, I'm moving this to a non-blocking comment, and I'm happy to accept what Spencer and the authors think is best.  Thanks for the discussion.

-------------------------------------------------

This is a fine document, and I quite approve of its publication.

I'd like to discuss a small point on the obsolescence of 3466:
It's my sense that it isn't this document alone that obsoletes 3466, but the combination of this document and RFC 6707.  6707 replaced the problem statement part, and this nukes the rest.  Is that correct?  If not, whack me in the snout with a rolled-up newspaper and I'll clear this DISCUSS forthwith.  But if so, I suggest a tweak that will make that clear:

OLD (Abstract)
It obsoletes RFC 3466.
NEW
This document, in combination with RFC 6707, obsoletes RFC 3466.
END

OLD (Introduction)
To avoid confusion, this document obsoletes [RFC3466].
NEW
To avoid confusion, this document and [RFC6707] together obsolete
[RFC3466].
END

(Ted Lemon) (was Discuss) No Objection

Comment (2014-05-26 for -12)
No email
send info
Some non-binding suggestions:

In section 1.1, this is really unclear:
   Recursive CDNI Request Redirection: When an upstream CDN elects to
   redirect a request towards a downstream CDN, the upstream CDN can
   query the downstream CDN Request Routing system via the CDNI Request
   Routing Redirection Interface (or use information cached from earlier
   similar queries) to find out how the downstream CDN wants the request
   to be redirected, which allows the upstream CDN to factor in the
   downstream CDN response when redirecting the user agent.  This
   approach is referred to as "Recursive" CDNI Request Redirection.
   Note that the downstream CDN may elect to have the request redirected
   directly to a Surrogate inside the downstream CDN, to the Request
   Routing System of the downstream CDN, to another CDN, or to whatever
   system is necessary to handle the redirected request appropriately.

I think this means that the uCDN gets a query from a user agent, queries the dCDN to find out what URL will reach the desired delivery node, and then sends a redirect to the UA with that URL.   But it might mean something else.   Maybe I will learn what it means later on in the document, but if this is to be helpful, it needs to make sense _before_ I've read the document! :)   So it would be good if it could be rephrased, and I would be happy to help iterate on that if it's useful.

Ah.   In fact, there's some much clearer text about this at the end of section 3.2.   I suggest adapting that text for the terminology section.   It might be better to explain iterative request redirection first and then explain recursive redirection in terms of how it differs, which I guess is why I like the text at the end of 3.2 so much...
 
Also in section 1.1, CSP is never expanded, and probably should be:
OLD:
   Trigger Interface: a subset of the CDNI Control interface that
   includes operations to pre-position, revalidate, and purge both
   metadata and content.  These operations are typically called in
   response to some action (Trigger) by the CSP on the upstream CDN.
NEW:
   Trigger Interface: a subset of the CDNI Control interface that
   includes operations to pre-position, revalidate, and purge both
   metadata and content.  These operations are typically called in
   response to some action (Trigger) by the Content Service
   Provider (CSP) on the upstream CDN.

Or just add an entry in this section for Content Service Provider.   This would be a win for me, but possibly not for a reader with more knowledge of the subject matter.

Also:
OLD:
   We also sometimes use uCDN and dCDN as shorthand for upstream CDN and
   downstream CDN, respectively.
NEW:
   uCDN: Upstream Content Delivery Network
   dCDN: Downstream Content Delivery Network

I think this is useful additional emphasis, but won't be offended if you ignore this suggestion. :)

Section 3.4, paragraph 2:
   As before, Operator A has to learn the set of requests that dCDN is
   willing or able to serve (e.g. which client IP address prefixes or
   geographic regions are part of the dCDN footprint).  We assume
   Operator has and makes known to operator A some unique identifier
            ^
You are missing (I suspect) a B here.

In section 3.5:
   This example differs from the one in Figure 5 only in the addition of
   a FCI request (step 2) and corresponding response (step 3).

The diagram shows an RI request and response, not an FCI request and response.   Is there a disagreement between the text and the diagram, or am I just misunderstanding something?

In 3.6, has the uCDN remembered that the dCDN might have cached a particular bit of content?   This seems like a really heavyweight solution.   What happens if this information is lost?

Former DISCUSS:
This DISCUSS is just because I am not clear on what is being done, so to address the DISCUSS all that's necessary is to answer the question and possibly engage in further discussion.   It may be that there's an issue here, in which case that would need to be corrected, but that's not clear to me at the moment.

In 3.4:
       The Request Router returns a DNS CNAME response by "stacking" the
       distinguished identifier for Operator B onto the original CDN-
       Domain (e.g., b.cdn.csp.example), plus an NS record that maps
       b.cdn.csp.example to B's Request Router.

   2.  The end-user does a DNS lookup using the modified CDN-Domain
       (i.e., b.cdn.csp.example).  This causes B's Request Router to
       respond with a suitable delivery node.

What's up with the NS record here?   Are you relying on glue to make sure that the query goes to the right nameserver?

(Kathleen Moriarty) No Objection

Comment (2014-04-09 for -10)
No email
send info
I just have a few comments/questions, but otherwise the document looks good.

Section 6. Trust Model:  In practice, do the trust relationships described rely on contracts or other agreements that are enforceable?  I would think so and if that's the case, should they be mentioned (Security Levels of Service, etc.)?

In either the Trust Model or Security Considerations sections, I expected to see a discussion on fraud concerns in CDNI.  Could you add in mention of fraud and some of the explicit concerns/risks?

Additionally, I support Stephen's positions.  For the privacy concerns he raises, there are several points in the draft that discuss which of the parties have access to what types of data (what users access, just metrics, monitoring capabilities, etc.).  It would be very helpful to call this out in a privacy section and enumerate on the limits/restrictions to assist with privacy concerns.  The draft does have some of this detailed, but it does not call out privacy as a concern and is not organized around privacy in a section of the document.

(Pete Resnick) No Objection

Comment (2014-04-10 for -10)
No email
send info
It's not really clear to me that Informational is the appropriate status for this document. Aside from the "people would have reviewed it more carefully" argument (which I'm not sure actually holds water), this document does define the message flow between end users and operators, which really is part and parcel of the protocol. Take a look at the nature of the ballot comments from others; they sure read like protocol reviews. Just because this document doesn't define all of the message formats and particular HTTP exchanges doesn't means it's not a protocol document; it's just one *piece* of a protocol, and I'm guessing that this document will be normative upon any future protocol documents coming out of this group.

That said, I'm not going to stand in the way of publication if we decide that Informational is OK. But if we think that the WG did a diligent job of producing this thing, and that future protocol documents are going to conform to it, an additional 2-week LC and a raise in status doesn't seem like all that bad a thing to do.