Network Working Group                                         P. Rzewski
Request for Comments: 3570                         Media Publisher, Inc.
Category: Informational                                           M. Day
                                                                   Cisco
                                                             D. Gilletti
                                                               July 2003


                Content Internetworking (CDI) Scenarios

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   In describing content internetworking as a technology targeted for
   use in production networks, it is useful to provide examples of the
   sequence of events that may occur when two content networks decide to
   interconnect.  The scenarios presented here seek to provide some
   concrete examples of what content internetworking is, and also to
   provide a basis for evaluating content internetworking proposals.

Table of Contents

   1.  Introduction...................................................2
       1.1.  Terminology..............................................3
   2.  Special Cases of Content Networks..............................3
       2.1.  Publishing Content Network...............................3
       2.2.  Brokering Content Network................................3
       2.3.  Local Request-Routing Content Network....................4
   3.  Content Internetworking Arrangements...........................5
   4.  Content Internetworking Scenarios..............................5
       4.1.  General Content Internetworking..........................6
       4.2.  BCN providing ACCOUNTING INTERNETWORKING and
             REQUEST-ROUTING INTERNETWORKING..........................9
       4.3.  BCN providing ACCOUNTING INTERNETWORKING................11
       4.4.  PCN ENLISTS multiple CNs................................12
       4.5.  Multiple CNs ENLIST LCN.................................13
   5.  Security Considerations.......................................15
       5.1.  Threats to Content Internetworking......................15
           5.1.1.  Threats to the CLIENT.............................15



Rzewski, et al.              Informational                      [Page 1]

RFC 3570                     CDI Scenarios                     July 2003


           5.1.2.  Threats to the PUBLISHER..........................17
           5.1.3.  Threats to a CN...................................17
   6.  Acknowledgements..............................................18
   7.  References....................................................18
   8.  Authors' Addresses............................................19
   9.  Full Copyright Statement......................................20

1.  Introduction

   In [1], the concept of a "content network" is introduced and
   described.  In addition to describing some general types of content
   networks, it also describes motivations for allowing content networks
   to interconnect (defined as "content internetworking").

   In describing content internetworking as a technology targeted for
   use in production networks, it's useful to provide examples of the
   sequence of events that may occur when two content networks decide to
   interconnect.  Naturally, different types of content networks may be
   created due to different business motivations, and so many
   combinations are likely.

   This document first provides detailed examples of special cases of
   content networks that are specifically designed to participate in
   content internetworking (Section 2).  We then discuss the steps that
   would be taken in order to "bring up" or "tear down" a content
   internetworking arrangement (Section 3).  Next we provide some
   detailed examples of how content networks (such as those from Section
   2) could interconnect (Section 4).  Finally, we describe any security
   considerations that arise specifically from the examples presented
   here (Section 5).

   The scenarios presented here answer two distinct needs:

   1. To provide some concrete examples of what content internetworking
      is, and

   2. To provide a basis for evaluating content internetworking
      proposals.

   A number of content internetworking systems have been implemented,
   but there are few published descriptions. One such description is
   [2].

1.1.  Terminology

   Terms in ALL CAPS are defined in [1] except for the following terms
   defined below in this document: PCN, BCN, and LCN.  Additionally, the
   term SLA is used as an abbreviation for Service Level Agreement.



Rzewski, et al.              Informational                      [Page 2]

RFC 3570                     CDI Scenarios                     July 2003


2.  Special Cases of Content Networks

   A CN may have REQUEST-ROUTING, DISTRIBUTION, and ACCOUNTING
   interfaces.  However, some participating networks may gravitate
   toward particular subsets of the CONTENT INTERNETWORKING interfaces.
   Others may be seen differently in terms of how they relate to their
   CLIENT bases.  This section describes these refined cases of the
   general CN case so they may be available for easier reference in the
   further development of CONTENT INTERNETWORKING scenarios.  The
   special cases described are the Publishing Content Network, the
   Brokering Content Network, and the Local Request-Routing Content
   Network.

2.1.  Publishing Content Network

   A Publishing Content Network (PCN), maintained by a PUBLISHER,
   contains an ORIGIN and has a NEGOTIATED RELATIONSHIP with two or more
   CNs.  A PCN may contain SURROGATES for the benefit of serving some
   CONTENT REQUESTS locally, but does not intend to allow its SURROGATES
   to serve CONTENT on behalf of other PUBLISHERS.

   Several implications follow from knowing that a particular CN is a
   PCN.  First, the PCN contains the AUTHORITATIVE REQUEST-ROUTING
   SYSTEM for the PUBLISHER's CONTENT.  This arrangement allows the
   PUBLISHER to determine the distribution of CONTENT REQUESTS among
   ENLISTED CNs.  Second, it implies that the PCN need only participate
   in a subset of CONTENT INTERNETWORKING.  For example, a PCN's
   DISTRIBUTION INTERNETWORKING SYSTEM need only be able to receive
   DISTRIBUTION ADVERTISEMENTS, it need not send them.  Similarly, a
   PCN's REQUEST-ROUTING INTERNETWORKING SYSTEM has no reason to send
   AREA ADVERTISEMENTS.  Finally, a PCN's ACCOUNTING INTERNETWORKING
   SYSTEM need only be able to receive ACCOUNTING data, it need not send
   it.

2.2.  Brokering Content Network

   A Brokering Content Network (BCN) is a network that does not operate
   its own SURROGATES.  Instead, a BCN operates only CIGs as a service
   on behalf other CNs.  A BCN may therefore be regarded as a
   "clearinghouse" for CONTENT INTERNETWORKING information.

   For example, a BCN may choose to participate in DISTRIBUTION
   INTERNETWORKING and/or REQUEST-ROUTING INTERNETWORKING in order to
   aggregate ADVERTISEMENTS from one set of CNs into a single update
   stream for the benefit of other CNs.  To name a single specific
   example, a BCN could aggregate CONTENT SIGNALS from CNs that
   represent PUBLISHERS into a single update stream for the benefit of
   CNs that contain SURROGATES.  A BCN may also choose to participate in



Rzewski, et al.              Informational                      [Page 3]

RFC 3570                     CDI Scenarios                     July 2003


   ACCOUNTING INTERNETWORKING in order to aggregate utilization data
   from several CNs into combined reports for CNs that represent
   PUBLISHERS.

   This definition of a BCN implies that a BCN's CIGs would implement
   the sending and/or receiving of any combination of ADVERTISEMENTS and
   ACCOUNTING data as is necessary to provide desired services to other
   CONTENT NETWORKS.  For example, if a BCN is only interested in
   aggregating ACCOUNTING data on behalf of other CNs, it would only
   need to have an ACCOUNTING INTERNETWORKING interface on its CIGs.

2.3.  Local Request-Routing Content Network

   Another type of CN is the Local Request-Routing CONTENT NETWORK
   (LCN).  An LCN is defined as a type of network where CLIENTS' CONTENT
   REQUESTS are always handled by some local SERVER (such as a caching
   proxy [1]).  In this context, "local" is taken to mean that both the
   CLIENT and SERVER are within the same administrative domain, and
   there is an administrative motivation for forcing the local mapping.
   This type of arrangement is common in enterprises where all CONTENT
   REQUESTS must be directed through a local SERVER for access control
   purposes.

   As implied by the name, the LCN creates an exception to the rule that
   there is a single AUTHORITATIVE REQUEST-ROUTING SYSTEM for a
   particular item of CONTENT.  By directing CONTENT REQUESTS through
   the local SERVER, CONTENT RESPONSES may be given to CLIENTS without
   first referring to the AUTHORITATIVE REQUEST-ROUTING SYSTEM.  Knowing
   this to be true, other CNs may seek a NEGOTIATED RELATIONSHIP with an
   LCN in order to perform DISTRIBUTION into the LCN and receive
   ACCOUNTING data from it.  Note that once SERVERS participate in
   DISTRIBUTION INTERNETWORKING and ACCOUNTING INTERNETWORKING, they
   effectively take on the role of SURROGATES.  However, an LCN would
   not intend to allow its SURROGATES to be accessed by non-local
   CLIENTS.

   This set of assumptions implies multiple things about the LCN's
   CONTENT INTERNETWORKING relationships.  First, it is implied that the
   LCN's DISTRIBUTION INTERNETWORKING SYSTEM need only be able to send
   DISTRIBUTION ADVERTISEMENTS, it need not receive them.  Second, it is
   implied that an LCN's ACCOUNTING INTERNETWORKING SYSTEM need only be
   able to send ACCOUNTING data, it need not receive it.  Finally, due
   to the locally defined REQUEST-ROUTING, the LCN would not participate
   in REQUEST-ROUTING INTERNETWORKING.







Rzewski, et al.              Informational                      [Page 4]

RFC 3570                     CDI Scenarios                     July 2003


3.  Content Internetworking Arrangements

   When the controlling interests of two CNs decide to interconnect
   their respective networks (such as for business reasons), it is
   expected that multiple steps would need to occur.

   The first step would be the creation of a NEGOTIATED RELATIONSHIP.
   This relationship would most likely take the form of a legal document
   that describes the services to be provided, cost of services, SLAs,
   and other stipulations.  For example, if an ORIGINATING CN wished to
   leverage another CN's reach into a particular country, this would be
   laid out in the NEGOTIATED RELATIONSHIP.

   The next step would be to configure CONTENT INTERNETWORKING protocols
   on the CIGs of the respective CNs in order to technically support the
   terms of the NEGOTIATED RELATIONSHIP.  To follow our previous
   example, this could include the configuration of the ENLISTED CN's
   CIGs in a particular country to send DISTRIBUTION ADVERTISEMENTS to
   the CIGs of the ORIGINATING CN.  In order to configure these
   protocols, technical details (such as CIG addresses/hostnames and
   authentication information) would be exchanged by administrators of
   the respective CNs.

   Note also that some terms of the NEGOTIATED RELATIONSHIP would be
   upheld through means outside the scope of CDI protocols.  These could
   include non-technical terms (such as financial settlement) or other
   technical terms (such as SLAs).

   In the event that the controlling interests of two CNs no longer wish
   to have their networks interconnected, it is expected that these
   tasks would be undone.  That is, the protocol configurations would be
   changed to cease the movement of ADVERTISEMENTS and/or ACCOUNTING
   data between the networks, and the NEGOTIATED RELATIONSHIP would be
   legally terminated.

4.  Content Internetworking Scenarios

   This section provides several scenarios that may arise in CONTENT
   INTERNETWORKING implementations.

   Note that we obviously cannot examine every single permutation.
   Specifically, it should be noted that:

   o  Any one of the interconnected CNs may have other CONTENT
      INTERNETWORKING arrangements that may or may not be transitive to
      the relationships being described in the diagram.





Rzewski, et al.              Informational                      [Page 5]

RFC 3570                     CDI Scenarios                     July 2003


   o  The graphical figures do not illustrate the CONTENT REQUEST paths.
      It is assumed that a REQUEST-ROUTING SYSTEM eventually returns to
      the CLIENT the IP address of the SURROGATE deemed appropriate to
      honor the CLIENT's CONTENT REQUEST.

   The scenarios described include a general case, two cases in which
   BCNs provide limited interfaces, a case in which a PCN enlists the
   services of multiple CNs, and a case in which multiple CNs enlist the
   services of an LCN.

4.1.  General Content Internetworking

   This scenario considers the general case where two or more existing
   CNs wish to establish a CONTENT INTERNETWORKING relationship in order
   to provide increased scale and reach for their existing customers.
   It assumes that all of these CNs already provide REQUEST-ROUTING,
   DISTRIBUTION, and ACCOUNTING services and that they will continue to
   provide these services to existing customers as well as offering them
   to other CNs.

   In this scenario, these CNs would interconnect with others via a CIG
   that provides a REQUEST-ROUTING INTERNETWORKING SYSTEM, a
   DISTRIBUTION INTERNETWORKING SYSTEM, and an ACCOUNTING
   INTERNETWORKING SYSTEM.  The net result of this interconnection would
   be that a larger set of SURROGATES will now be available to the
   CLIENTS.

   Figure 1 shows three CNs which have interconnected to provide greater
   scale and reach to their existing customers.  They are all
   participating in DISTRIBUTION INTERNETWORKING, REQUEST-ROUTING
   INTERNETWORKING, and ACCOUNTING INTERNETWORKING.

   As a result of the NEGOTIATED RELATIONSHIPS it is assumed that:

   1. CONTENT that has been INJECTED into any one of these ORIGINATING
      CNs may be distributed into any other ENLISTED CN.

   2. Commands affecting the DISTRIBUTION of CONTENT may be issued
      within the ORIGINATING CN, or may also be issued within the
      ENLISTED CN.  The latter case allows local decisions to be made
      about DISTRIBUTION within the ENLISTED CN, but such commands would
      not control DISTRIBUTION within the ORIGINATING CN.

   3. ACCOUNTING information regarding CLIENT access and/or DISTRIBUTION
      actions will be made available to the ORIGINATING CN by the
      ENLISTED CN.





Rzewski, et al.              Informational                      [Page 6]

RFC 3570                     CDI Scenarios                     July 2003


   4. The ORIGINATING CN would provide this ACCOUNTING information to
      the PUBLISHER based on existing Service Level Agreements (SLAs).

   5. CONTENT REQUESTS by CLIENTS may be directed to SURROGATES within
      any of the ENLISTED CNs.

   The decision of where to direct an individual CONTENT REQUEST may be
   dependent upon the DISTRIBUTION and REQUEST-ROUTING policies
   associated with the CONTENT being requested as well as the specific
   algorithms and methods used for directing these requests.  For
   example, a REQUEST-ROUTING policy for a piece of CONTENT may indicate
   multiple versions exist based on the spoken language of a CLIENT.
   Therefore, the REQUEST-ROUTING SYSTEM of an ENLISTED CN would likely
   direct a CONTENT REQUEST to a SURROGATE known to be holding a version
   of CONTENT of a language that matches that of a CLIENT.




































Rzewski, et al.              Informational                      [Page 7]

RFC 3570                     CDI Scenarios                     July 2003


              Figure 1 - General CONTENT INTERNETWORKING

   +--------------+                               +--------------+
   |     CN A     |                               |     CN B     |
   |..............|   +---------+   +---------+   |..............+
   | REQ-ROUTING  |<=>|         |<=>|         |<=>| REQ-ROUTING  |
   |..............|   | CONTENT |   | CONTENT |   |..............|
   | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION |
   |..............|   | GATEWAY |   | GATEWAY |   |..............|
   |  ACCOUNTING  |<=>|         |<=>|         |<=>|  ACCOUNTING  |
   +--------------+   +---------+   +---------+   +--------------+
         | ^           \^ \ \       ^/ ^/ ^/           | ^
         v |            \\ \\ \\     // // //            v |
   +--------------+      \\ \\ \\   // // //      +--------------+
   |  SURROGATES  |       \\ v\ v\ /v /v //       |  SURROGATES  |
   +--------------+        \\+---------+//        +--------------+
          ^ |               v|         |v                ^ |
          | |                | CONTENT |                 | |
          | |                |INTWRKING|                 | |
          | |                | GATEWAY |                 | |
          | |                |         |                 | |
          | |                +---------+                 | |
          | |                  ^| ^| ^|                  | |
          | |                  || || ||                  | |
          | |                  |v |v |v                  | |
          | |              +--------------+              | |
          | |              |     CN C     |              | |
          | |              |..............|              | |
          | |              | REQ-ROUTING  |              | |
          | |              |..............|              | |
          \ \              | DISTRIBUTION |             / /
           \ \             |..............|            / /
            \ \            |  ACCOUNTING  |           / /
             \ \           |--------------|          / /
              \ \                | ^                / /
               \ \               v |               / /
                \ \        +--------------+       / /
                 \ \       |  SURROGATES  |      / /
                  \ \      +--------------+     / /
                   \ \           | ^           / /
                    \ \          | |          / /
                     \ \         v |         / /
                      \ \    +---------+    / /
                       \ \-->| CLIENTS |---/ /
                        \----|         |<---/
                             +---------+





Rzewski, et al.              Informational                      [Page 8]

RFC 3570                     CDI Scenarios                     July 2003


4.2.  BCN providing ACCOUNTING INTERNETWORKING and REQUEST-ROUTING
      INTERNETWORKING

   This scenario describes the case where a single entity (BCN A)
   performs ACCOUNTING INTERNETWORKING and REQUEST-ROUTING
   INTERNETWORKING functions, but has no inherent DISTRIBUTION or
   DELIVERY capabilities.  A potential configuration which illustrates
   this concept is given in Figure 2.

   In the scenario shown in Figure 2, BCN A is responsible for
   collecting ACCOUNTING information from multiple CONTENT NETWORKS (CN
   A and CN B) to provide a clearinghouse/settlement function, as well
   as providing a REQUEST-ROUTING service for CN A and CN B.

   In this scenario, CONTENT is injected into either CN A or CN B and
   its DISTRIBUTION between these CNs is controlled via the DISTRIBUTION
   INTERNETWORKING SYSTEMS within the CIGs.  The REQUEST-ROUTING SYSTEM
   provided by BCN A is informed of the ability to serve a piece of
   CONTENT from a particular CONTENT NETWORK by the REQUEST-ROUTING
   SYSTEMS within the interconnected CIGs.

   BCN A collects statistics and usage information via the ACCOUNTING
   INTERNETWORKING SYSTEM and disseminates that information to CN A and
   CN B as appropriate.

   As illustrated in Figure 2, there are separate REQUEST-ROUTING
   SYSTEMS employed within CN A and CN B.  If the REQUEST-ROUTING SYSTEM
   provided by BCN A is the AUTHORITATIVE REQUEST-ROUTING SYSTEM for a
   given piece of CONTENT this is not a problem.  However, each
   individual CN may also provide the AUTHORITATIVE REQUEST-ROUTING
   SYSTEM for some portion of its PUBLISHER customers.  In this case
   care must be taken to ensure that the there is one and only one
   AUTHORITATIVE REQUEST-ROUTING SYSTEM identified for each given
   CONTENT object.

















Rzewski, et al.              Informational                      [Page 9]

RFC 3570                     CDI Scenarios                     July 2003


          Figure 2 - BCN providing ACCOUNTING INTERNETWORKING and
                        REQUEST-ROUTING INTERNETWORKING

       +--------------+
       |    BCN A     |
       |..............|     +-----------+
       | REQ-ROUTING  |<===>|           |
       |..............|     |  CONTENT  |
       |  ACCOUNTING  |<===>| INTWRKING |
       +--------------+     |  GATEWAY  |
                            |           |
                            +-----------+
                             ^| ^| ^| ^|
   +--------------+         // //   \\ \\         +--------------+
   |     CN A     |        |v |v     |v |v        |     CN B     |
   |..............|   +---------+   +---------+   |..............|
   | REQ-ROUTING  |<=>|         |   |         |<=>| REQ-ROUTING  |
   |..............|   | CONTENT |   | CONTENT |   |..............|
   | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION |
   |..............|   | GATEWAY |   | GATEWAY |   |..............|
   |  ACCOUNTING  |<=>|         |   |         |<=>|  ACCOUNTING  |
   +--------------+   +---------+   +---------+   +--------------+
         | ^                                             | ^
         v |                                             v |
   +--------------+                               +--------------+
   |  SURROGATES  |                               |  SURROGATES  |
   +--------------+                               +--------------+
                ^ \                               ^ /
                 \ \                             / /
                  \ \                           / /
                   \ \                         / /
                    \ \      +---------+      / /
                     \ \---->| CLIENTS |-----/ /
                      \------|         |<-----/
                             +---------+
















Rzewski, et al.              Informational                     [Page 10]

RFC 3570                     CDI Scenarios                     July 2003


4.3.  BCN providing ACCOUNTING INTERNETWORKING

   This scenario describes the case where a single entity (BCN A)
   performs ACCOUNTING INTERNETWORKING to provide a clearinghouse/
   settlement function only.  In this scenario, BCN A would enter into
   NEGOTIATED RELATIONSHIPS with multiple CNs that each perform their
   own DISTRIBUTION INTERNETOWRKING and REQUEST-ROUTING INTERNETWORKING
   as shown in FIGURE 3.

        Figure 3 - BCN providing ACCOUNTING INTERNETWORKING

       +--------------+
       |    BCN A     |
       |..............|     +-----------+
       |  ACCOUNTING  |<===>|           |
       +--------------+     |  CONTENT  |
                            | INTWRKING |
                            |  GATEWAY  |
                            |           |
                            +-----------+
                                ^| ^|
   +--------------+            //   \\            +--------------+
   |     CN A     |           |v     |v           |     CN B     |
   |..............|   +---------+   +---------+   |..............|
   | REQ-ROUTING  |<=>|         |<=>|         |<=>| REQ-ROUTING  |
   |..............|   | CONTENT |   | CONTENT |   |..............|
   | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION |
   |..............|   | GATEWAY |   | GATEWAY |   |..............|
   |  ACCOUNTING  |<=>|         |   |         |<=>|  ACCOUNTING  |
   +--------------+   +---------+   +---------+   +--------------+
         | ^                                             | ^
         v |                                             v |
   +--------------+                               +--------------+
   |  SURROGATES  |                               |  SURROGATES  |
   +--------------+                               +--------------+
                ^ \                               ^ /
                 \ \                             / /
                  \ \                           / /
                   \ \                         / /
                    \ \      +---------+      / /
                     \ \---->| CLIENTS |-----/ /
                      \------|         |<-----/
                             +---------+








Rzewski, et al.              Informational                     [Page 11]

RFC 3570                     CDI Scenarios                     July 2003


4.4.  PCN ENLISTS multiple CNs

   In the previously enumerated scenarios, PUBLISHERS have not been
   discussed.  Much of the time, it is assumed that the PUBLISHERS will
   allow CNs to act on their behalf.  For example, a PUBLISHER may
   designate a particular CN to be the AUTHORITATIVE REQUEST-ROUTING
   SYSTEM for its CONTENT.  Similarly, a PUBLISHER may rely on a
   particular CN to aggregate all its ACCOUNTING data, even though that
   data may originate at SURROGATES in multiple distant CNs.  Finally, a
   PUBLISHER may INJECT content only into a single CN and rely on that
   CN to ENLIST other CNs to obtain scale and reach.

   However, a PUBLISHER may wish to maintain more control and take on
   the task of ENLISTING CNs itself, therefore acting as a PCN (Section
   2.1).  This scenario, shown in Figure 4, describes the case where a
   PCN wishes to directly enter into NEGOTIATED RELATIONSHIPS with
   multiple CNs.  In this scenario, the PCN would operate its own CIG
   and enter into DISTRIBUTION INTERNETWORKING, ACCOUNTING
   INTERNETWORKING, and REQUEST-ROUTING INTERNETWORKING relationships
   with two or more CNs.































Rzewski, et al.              Informational                     [Page 12]

RFC 3570                     CDI Scenarios                     July 2003


                    Figure 4 - PCN ENLISTS multiple CNs

   +--------------+
   |     PCN      |
   |..............|   +-----------+
   | REQ-ROUTING  |<=>|           |<---\
   |..............|   |  CONTENT  |----\\
   | DISTRIBUTION |<=>| INTWRKING |     \\
   |..............|   |  GATEWAY  |--\   \\
   |  ACCOUNTING  |<=>|           |<-\\   \\
   +--------------+   +-----------+   \\   \\
                        ^| ^| ^|  ^|   \\   ||
   +--------------+     || || ||   \\   ||  ||    +--------------+
   |     CN A     |     |v |v |v    \v  |v  |v    |     CN B     |
   |..............|   +---------+   +---------+   |..............|
   | REQ-ROUTING  |<=>|         |   |         |<=>| REQ-ROUTING  |
   |..............|   | CONTENT |   | CONTENT |   |..............|
   | DISTRIBUTION |<=>|INTWRKING|   |INTWRKING|<=>| DISTRIBUTION |
   |..............|   | GATEWAY |   | GATEWAY |   |..............|
   |  ACCOUNTING  |<=>|         |   |         |<=>|  ACCOUNTING  |
   +--------------+   +---------+   +---------+   +--------------+
         | ^                                             | ^
         v |                                             v |
   +--------------+                               +--------------+
   |  SURROGATES  |                               |  SURROGATES  |
   +--------------+                               +--------------+
                ^ \                               ^ /
                 \ \                             / /
                  \ \                           / /
                   \ \                         / /
                    \ \      +---------+      / /
                     \ \---->| CLIENTS |-----/ /
                      \------|         |<-----/
                             +---------+

4.5.  Multiple CNs ENLIST LCN

   A type of CN described in Section 2.3 is the LCN.  In this scenario,
   we imagine a tightly administered CN (such as within an enterprise)
   has determined that all CONTENT REQUESTS from CLIENTS must be
   serviced locally.  Likely due to a large CLIENT base in the LCN,
   multiple CNs determine they would like to engage in DISTRIBUTION
   INTERNETWORKING with the LCN in order to extend control over CONTENT
   objects held in the LCN's SURROGATES.  Similarly, the CNs would like
   to engage in ACCOUNTING INTERNETWORKING with the LCN in order to
   receive ACCOUNTING data regarding the usage of the content in the
   local SURROGATES.  This scenario is shown in Figure 5.  Although this
   diagram shows a DISTRIBUTION INTERNETWORKING connection between CN A



Rzewski, et al.              Informational                     [Page 13]

RFC 3570                     CDI Scenarios                     July 2003


   and CN B, it should be recognized that this connection is optional
   and not a requirement in this scenario.

                    Figure 5 - Multiple CNs ENLIST LCN

   +--------------+                               +--------------+
   |     CN A     |                               |     CN B     |
   +..............|   +---------+   +---------+   |..............+
   | REQ-ROUTING  |<=>|         |<=>|         |<=>| REQ-ROUTING  |
   |..............|   | CONTENT |   | CONTENT |   |..............|
   | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION |
   |..............|   | GATEWAY |   | GATEWAY |   |..............|
   |  ACCOUNTING  |<=>|         |<=>|         |<=>|  ACCOUNTING  |
   +--------------+   +---------+   +---------+   +--------------+
         | ^              \^ \^       ^/ ^/              | ^
         v |               \\ \\     // //               v |
   +--------------+         \\ \\   // //         +--------------+
   |  SURROGATES  |          v\ v\ /v /v          |  SURROGATES  |
   +--------------+          +---------+          +--------------+
                             |         |
                             | CONTENT |
                             |INTWRKING|
                             | GATEWAY |
                             |         |
                             +---------+
                                ^| ^|
                                || ||
                                |v |v
                           +--------------+
                           |    LCN A     |
                           |..............|
                           | DISTRIBUTION |
                           |..............|
                           |  ACCOUNTING  |
                           |--------------|
                                 | ^
                                 v |
                           +--------------+
                           |  SURROGATES  |
                           +--------------+
                                 | ^
                                 | |
                                 v |
                             +---------+
                             | CLIENTS |
                             |         |
                             +---------+




Rzewski, et al.              Informational                     [Page 14]

RFC 3570                     CDI Scenarios                     July 2003


5.  Security Considerations

   Security concerns with respect to Content Internetworking can be
   generally categorized into trust within the system and protection of
   the system from threats.  The trust model utilized with Content
   Internetworking is predicated largely on transitive trust between the
   ORIGIN, REQUEST-ROUTING INTERNETWORKING SYSTEM, DISTRIBUTION
   INTERNETWORKING SYSTEM, ACCOUNTING INTERNETWORING SYSTEM, and
   SURROGATES.  Network elements within the Content Internetworking
   system are considered to be "insiders" and therefore trusted.

5.1.  Threats to Content Internetworking

   The following sections document key threats to CLIENTs, PUBLISHERs,
   and CNs.  The threats are classified according to the party that they
   most directly harm, but, of course, a threat to any party is
   ultimately a threat to all.  (For example, having a credit card
   number stolen may most directly affect a CLIENT; however, the
   resulting dissatisfaction and publicity will almost certainly cause
   some harm to the PUBLISHER and CN, even if the harm is only to those
   organizations' reputations.)

5.1.1.  Threats to the CLIENT

5.1.1.1.  Defeat of CLIENT's Security Settings

   Because the SURROGATE's location may differ from that of the ORIGIN,
   the use of a SURROGATE may inadvertently or maliciously defeat any
   location-based security settings employed by the CLIENT.  And since
   the SURROGATE's location is generally transparent to the CLIENT, the
   CLIENT may be unaware that its protections are no longer in force.
   For example, a CN may relocate CONTENT from a Internet Explorer
   user's "Internet Web Content Zone" to that user's "Local Intranet Web
   Content Zone".  If the relocation is visible to the Internet Explorer
   browser but otherwise invisible to the user, the browser may be
   employing less stringent security protections than the user is
   expecting for that CONTENT.  (Note that this threat differs, at least
   in degree, from the substitution of security parameters threat below,
   as Web Content Zones can control whether or not, for example, the
   browser executes unsigned active content.)

5.1.1.2.  Delivery of Bad Accounting Information

   In the case of CONTENT with value, CLIENTs may be inappropriately
   charged for viewing content that they did not successfully access.
   Conversely, some PUBLISHERs may reward CLIENTs for viewing certain





Rzewski, et al.              Informational                     [Page 15]

RFC 3570                     CDI Scenarios                     July 2003


   CONTENT (e.g., programs that "pay" users to surf the Web).  Should a
   CN fail to deliver appropriate accounting information, the CLIENT may
   not receive appropriate credit for viewing the required CONTENT.

5.1.1.3.  Delivery of Bad CONTENT

   A CN that does not deliver the appropriate CONTENT may provide the
   user misleading information (either maliciously or inadvertently).
   This threat can be manifested as a failure of either the DISTRIBUTION
   SYSTEM (inappropriate content delivered to appropriate SURROGATEs) or
   REQUEST-ROUTING SYSTEM (request routing to inappropriate SURROGATEs,
   even though they may have appropriate CONTENT), or both.  A REQUEST-
   ROUTING SYSTEM may also fail by forwarding the CLIENT request when no
   forwarding is appropriate, or by failing to forward the CLIENT
   request when forwarding is appropriate.

5.1.1.4.  Denial of Service

   A CN that does not forward the CLIENT appropriately may deny the
   CLIENT access to CONTENT.

5.1.1.5.  Exposure of Private Information

   CNs may inadvertently or maliciously expose private information
   (passwords, buying patterns, page views, credit card numbers) as it
   transmits from SURROGATEs to ORIGINs and/or PUBLISHERs.

5.1.1.6.  Substitution of Security Parameters

   If a SURROGATE does not duplicate completely the security facilities
   of the ORIGIN (e.g., encryption algorithms, key lengths, certificate
   authorities) CONTENT delivered through the SURROGATE may be less
   secure than the CLIENT expects.

5.1.1.7.  Substitution of Security Policies

   If a SURROGATE does not employ the same security policies and
   procedures as the ORIGIN, the CLIENT's private information may be
   treated with less care than the CLIENT expects.  For example, the
   operator of a SURROGATE may not have as rigorous protection for the
   CLIENT's password as does the operator of the ORIGIN server.  This
   threat may also manifest itself if the legal jurisdiction of the
   SURROGATE differs from that of the ORIGIN, should, for example, legal
   differences between the jurisdictions require or permit different
   treatment of the CLIENT's private information.






Rzewski, et al.              Informational                     [Page 16]

RFC 3570                     CDI Scenarios                     July 2003


5.1.2.  Threats to the PUBLISHER

5.1.2.1.  Delivery of Bad Accounting Information

   If a CN does not deliver accurate accounting information, the
   PUBLISHER may be unable to charge CLIENTs for accessing CONTENT or it
   may reward CLIENTs inappropriately.  Inaccurate accounting
   information may also cause a PUBLISHER to pay for services (e.g.,
   content distribution) that were not actually rendered.  Invalid
   accounting information may also effect PUBLISHERs indirectly by, for
   example, undercounting the number of site visitors (and, thus,
   reducing the PUBLISHER's advertising revenue).

5.1.2.2.  Denial of Service

   A CN that does not distribute CONTENT appropriately may deny CLIENTs
   access to CONTENT.

5.1.2.3.  Substitution of Security Parameters

   If a SURROGATE does not duplicate completely the security services of
   the ORIGIN (e.g., encryption algorithms, key lengths, certificate
   authorities, client authentication) CONTENT stored on the SURROGATE
   may be less secure than the PUBLISHER prefers.

5.1.2.4.  Substitution of Security Policies

   If a SURROGATE does not employ the same security policies and
   procedures as the ORIGIN, the CONTENT may be treated with less care
   than the PUBLISHER expects.  This threat may also manifest itself if
   the legal jurisdiction of the SURROGATE differs from that of the
   ORIGIN, should, for example, legal differences between the
   jurisdictions require or permit different treatment of the CONTENT.

5.1.3.  Threats to a CN

5.1.3.1.  Bad Accounting Information

   If a CN is unable to collect or receive accurate accounting
   information, it may be unable to collect compensation for its
   services from PUBLISHERs.










Rzewski, et al.              Informational                     [Page 17]

RFC 3570                     CDI Scenarios                     July 2003


5.1.3.2.  Denial of Service

   Misuse of a CN may make that CN's facilities unavailable, or
   available only at reduced functionality, to legitimate customers or
   the CN provider itself.  Denial of service attacks can be targeted at
   a CN's ACCOUNTING SYSTEM, DISTRIBUTION SYSTEM, or REQUEST-ROUTING
   SYSTEM.

5.1.3.3.  Transitive Threats

   To the extent that a CN acts as either a CLIENT or a PUBLISHER (such
   as, for example, in transitive implementations) such a CN may be
   exposed to any or all of the threats described above for both roles.

6.  Acknowledgements

   The authors acknowledge the contributions and comments of Fred
   Douglis (AT&T), Raj Nair (Cisco), Gary Tomlinson (CacheFlow), John
   Scharber (CacheFlow), Nalin Mistry (Nortel), Steve Rudkin (BT),
   Christian Hoertnagl (IBM), Christian Langkamp (Oxford University),
   and Don Estberg (Activate).

7.  References

   [1]  Day, M., Cain, B., Tomlinson, G. and P. Rzewski, "A Model for
        Content Internetworking (CDI)", RFC 3466, February 2003.

   [2]  Biliris, A., Cranor, C., Douglis, F., Rabinovich, M., Sibal, S.,
        Spatscheck, O. and W. Sturm, "CDN Brokering", Proceedings of the
        6th International Workshop on Web Caching and Content
        Distribution, Boston, MA, June 2001.




















Rzewski, et al.              Informational                     [Page 18]

RFC 3570                     CDI Scenarios                     July 2003


8.  Authors' Addresses

   Mark S. Day
   Cisco Systems
   1414 Massachusetts Avenue
   Boxborough, MA 01719
   US

   Phone: +1 978 936 1089
   EMail: mday@alum.mit.edu


   Don Gilletti
   21 22nd Ave.
   San Mateo, CA 94403
   US

   Phone +1 408 569 6813
   EMail: dgilletti@yahoo.com


   Phil Rzewski
   30 Jennifer Place
   San Francisco, CA  94107
   US

   Phone: +1 650 303 3790
   EMail: philrz@yahoo.com























Rzewski, et al.              Informational                     [Page 19]

RFC 3570                     CDI Scenarios                     July 2003


9.  Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Rzewski, et al.              Informational                     [Page 20]