Network Working GroupInternet Engineering Task Force (IETF) B. Niven-JenkinsInternet-DraftRequest for Comments: 8006 R. MurrayIntended status:Category: Standards TrackVelocix (Alcatel-Lucent) Expires: March 1, 2017Nokia ISSN: 2070-1721 M. Caulfield Cisco Systems K. Ma EricssonAugust 28,December 2016CDNContent Delivery Network Interconnection (CDNI) Metadatadraft-ietf-cdni-metadata-21Abstract The Content DeliveryNetworksNetwork Interconnection (CDNI)metadataMetadata interface enables interconnected Content Delivery Networks (CDNs) to exchange content distribution metadata in order to enable content acquisition and delivery. The CDNImetadataMetadata associated with a piece of content provides a downstream CDN with sufficient information for the downstream CDN to service content requests on behalf of an upstream CDN. This document describes both a base set of CDNImetadataMetadata and the protocol for exchanging that metadata.Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 1, 2017.http://www.rfc-editor.org/info/rfc8006. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 4....................................................5 1.1. Terminology. . . . . . . . . . . . . . . . . . . . . . . 5................................................5 1.2. Supported Metadata Capabilities. . . . . . . . . . . . . 5............................6 2. Design Principles. . . . . . . . . . . . . . . . . . . . . . 6...............................................7 3. CDNI Metadataobject model . . . . . . . . . . . . . . . . . 7Object Model ......................................8 3.1. HostIndex, HostMatch, HostMetadata, PathMatch,PatternMatchPatternMatch, and PathMetadataobjects . . . . . . . . . . 8Objects .....................9 3.2. Generic CDNI Metadata Objects. . . . . . . . . . . . . . 10.............................11 3.3. Metadata Inheritance and Override. . . . . . . . . . . . 13.........................14 4. CDNI Metadataobjects . . . . . . . . . . . . . . . . . . . . 14Objects ..........................................15 4.1. Definitions of the CDNIstructural metadata objects . . . 15Structural Metadata Objects .......16 4.1.1. HostIndex. . . . . . . . . . . . . . . . . . . . . . 15..........................................16 4.1.2. HostMatch. . . . . . . . . . . . . . . . . . . . . . 15..........................................17 4.1.3. HostMetadata. . . . . . . . . . . . . . . . . . . . 17.......................................18 4.1.4. PathMatch. . . . . . . . . . . . . . . . . . . . . . 18..........................................19 4.1.5. PatternMatch. . . . . . . . . . . . . . . . . . . . 19.......................................20 4.1.6. PathMetadata. . . . . . . . . . . . . . . . . . . . 20.......................................21 4.1.7. GenericMetadata. . . . . . . . . . . . . . . . . . . 21....................................23 4.2. Definitions of theinitial setInitial Set of CDNIGeneric Metadata objects . . . . . . . . . . . . . . . . . . . . . . . . . 23GenericMetadata Objects ...................................24 4.2.1. SourceMetadata. . . . . . . . . . . . . . . . . . . 23.....................................24 4.2.1.1. Source. . . . . . . . . . . . . . . . . . . . . 24....................................25 4.2.2. LocationACL Metadata. . . . . . . . . . . . . . . . 25...............................26 4.2.2.1. LocationRule. . . . . . . . . . . . . . . . . . 27..............................28 4.2.2.2. Footprint. . . . . . . . . . . . . . . . . . . . 27.................................29 4.2.3. TimeWindowACL. . . . . . . . . . . . . . . . . . . . 29......................................30 4.2.3.1. TimeWindowRule. . . . . . . . . . . . . . . . . 30............................31 4.2.3.2. TimeWindow. . . . . . . . . . . . . . . . . . . 31................................32 4.2.4. ProtocolACL Metadata. . . . . . . . . . . . . . . . 31...............................33 4.2.4.1. ProtocolRule. . . . . . . . . . . . . . . . . . 32..............................34 4.2.5. DeliveryAuthorization Metadata. . . . . . . . . . . 33.....................35 4.2.6. Cache. . . . . . . . . . . . . . . . . . . . . . . . 34..............................................35 4.2.7. Auth. . . . . . . . . . . . . . . . . . . . . . . . 36...............................................37 4.2.8. Grouping. . . . . . . . . . . . . . . . . . . . . . 37...........................................38 4.3. CDNI Metadata Simple Data Type Descriptions. . . . . . . 37...............39 4.3.1. Link. . . . . . . . . . . . . . . . . . . . . . . . 37...............................................39 4.3.1.1. Link Loop Prevention. . . . . . . . . . . . . . 39......................40 4.3.2. Protocol. . . . . . . . . . . . . . . . . . . . . . 39...........................................40 4.3.3. Endpoint. . . . . . . . . . . . . . . . . . . . . . 39...........................................40 4.3.4. Time. . . . . . . . . . . . . . . . . . . . . . . . 40...............................................41 4.3.5. IPv4CIDR. . . . . . . . . . . . . . . . . . . . . . 40...........................................41 4.3.6. IPv6CIDR. . . . . . . . . . . . . . . . . . . . . . 40...........................................42 4.3.7. ASN. . . . . . . . . . . . . . . . . . . . . . . . . 41................................................42 4.3.8.CountryCode . . . . . . . . . . . . . . . . . . . . . 41Country Code .......................................42 5. CDNI Metadata Capabilities. . . . . . . . . . . . . . . . . 41.....................................42 6. CDNI Metadatainterface . . . . . . . . . . . . . . . . . . . 42Interface ........................................43 6.1. Transport. . . . . . . . . . . . . . . . . . . . . . . . 42.................................................44 6.2. Retrieval of CDNI Metadataresources . . . . . . . . . . 43Resources ......................44 6.3. Bootstrapping. . . . . . . . . . . . . . . . . . . . . . 44.............................................45 6.4. Encoding. . . . . . . . . . . . . . . . . . . . . . . . 44..................................................46 6.5. Extensibility. . . . . . . . . . . . . . . . . . . . . . 45.............................................46 6.6. Metadata Enforcement. . . . . . . . . . . . . . . . . . 46......................................47 6.7. Metadata Conflicts. . . . . . . . . . . . . . . . . . . 46........................................47 6.8. Versioning. . . . . . . . . . . . . . . . . . . . . . . 47................................................48 6.9. Media Types. . . . . . . . . . . . . . . . . . . . . . . 48...............................................49 6.10. Complete CDNI Metadata Example. . . . . . . . . . . . . 48...........................50 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . 52............................................54 7.1. CDNI Payload Types. . . . . . . . . . . . . . . . . . . 52........................................54 7.1.1. CDNI MI HostIndex Payload Type. . . . . . . . . . . 53.....................54 7.1.2. CDNI MI HostMatch Payload Type. . . . . . . . . . . 53.....................55 7.1.3. CDNI MI HostMetadata Payload Type. . . . . . . . . . 54..................55 7.1.4. CDNI MI PathMatch Payload Type. . . . . . . . . . . 54.....................55 7.1.5. CDNI MI PatternMatch Payload Type. . . . . . . . . . 54..................55 7.1.6. CDNI MI PathMetadata Payload Type. . . . . . . . . . 54..................55 7.1.7. CDNI MI SourceMetadata Payload Type. . . . . . . . . 54................56 7.1.8. CDNI MI Source Payload Type. . . . . . . . . . . . . 55........................56 7.1.9. CDNI MI LocationACL Payload Type. . . . . . . . . . 55...................56 7.1.10. CDNI MI LocationRule Payload Type. . . . . . . . . . 55.................56 7.1.11. CDNI MI Footprint Payload Type. . . . . . . . . . . 55....................56 7.1.12. CDNI MI TimeWindowACL Payload Type. . . . . . . . . 55................57 7.1.13. CDNI MI TimeWindowRule Payload Type. . . . . . . . . 56...............57 7.1.14. CDNI MI TimeWindow Payload Type. . . . . . . . . . . 56...................57 7.1.15. CDNI MI ProtocolACL Payload Type. . . . . . . . . . 56..................57 7.1.16. CDNI MI ProtocolRule Payload Type. . . . . . . . . . 56.................57 7.1.17. CDNI MI DeliveryAuthorization Payload Type. . . . . 56........58 7.1.18. CDNI MI Cache Payload Type. . . . . . . . . . . . . 57........................58 7.1.19. CDNI MI Auth Payload Type. . . . . . . . . . . . . . 57.........................58 7.1.20. CDNI MI Grouping Payload Type. . . . . . . . . . . . 57.....................58 7.2.CDNI"CDNI Metadata FootprintTypesTypes" Registry. . . . . . . . . 57..................58 7.3.CDNI"CDNI Metadata ProtocolTypesTypes" Registry. . . . . . . . . . 58...................59 8. Security Considerations. . . . . . . . . . . . . . . . . . . 58........................................60 8.1. Authentication and Integrity. . . . . . . . . . . . . . 59..............................60 8.2. Confidentiality and Privacy. . . . . . . . . . . . . . . 59...............................60 8.3. Securing the CDNI Metadatainterface . . . . . . . . . . 60Interface ......................61 9.Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 60 10. Contributing Authors . . . . . . . . . . . . . . . . . . . . 60 11.References. . . . . . . . . . . . . . . . . . . . . . . . . 61 11.1......................................................62 9.1. Normative References. . . . . . . . . . . . . . . . . . 61 11.2.......................................62 9.2. Informative References. . . . . . . . . . . . . . . . . 63....................................63 Acknowledgments ...................................................65 Contributors ......................................................65 Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . 64................................................66 1. Introduction Content DeliveryNetworksNetwork Interconnection (CDNI) [RFC6707] enables a downstream Content Delivery Network (dCDN) to service content requests on behalf of an upstream CDN (uCDN). The CDNImetadataMetadata interface (MI) is discussed in [RFC7336] along with four other interfaces that can be used to compose a CDNI solution(CDNI(the CDNI Control interface, the CDNI Request Routing Redirection interface, the CDNI Footprint & Capabilities Advertisement interface (FCI), and the CDNI Logging interface). [RFC7336] describes each interface and the relationships between them. The requirements for the CDNImetadataMetadata interface are specified in [RFC7337]. The CDNImetadataMetadata associated with a piece of content (or with a set of content) provides a dCDN with sufficient information for servicing content requests on behalf ofana uCDN, in accordance with the policies defined by the uCDN. This document definesthea CDNImetadataMetadata interfacewhichthat enables a dCDN to obtain CDNImetadataMetadata fromana uCDN so that the dCDN can properly process and respond to: o Redirection requests received over the CDNI Request Routing Redirection interface[I-D.ietf-cdni-redirection].[RFC7975]. o Content requests received directly from User Agents. Specifically, this documentspecifies:defines: o A data structure for mapping content requests and redirection requests to CDNImetadataMetadata objects(Section(Sections 3 andSection4.1). o An initial set of CDNIGeneric metadataGenericMetadata objects (Section 4.2). oAAn HTTP web service for the transfer of CDNImetadataMetadata (Section 6). 1.1. Terminology This document reuses the terminology defined in [RFC6707]. Additionally, the following terms are used throughout this document and are defined as follows: o Object - a collection of properties. o Property - a key and value pair where the key is a property name and the value is the property value or another object. This document uses the phrase "[Object] A contains [Object] B" for simplicity when a strictly accurate phrase would be "[Object] A contains or references (via a Link object) [Object] B". The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.2. Supported Metadata Capabilities Only the metadata for a small set of initial capabilities is specified in this document. This set provides the minimum amount of metadata for basic CDN interoperability while still meeting the requirements set forth by [RFC7337]. The following high-level functionality can be configured via the CDNImetadataMetadata objects specified in Section 4: o Acquisition Source: Metadata for allowing a dCDN to fetch content from a uCDN. o Delivery Access Control: Metadata for restricting (or permitting) access to content based on any of the following factors: * Location * TimeWindowwindow * DeliveryProtocolprotocol o Delivery Authorization: Metadata for authorizing dCDNuser agentUser Agent requests. o Cache Control: Metadata for controlling cache behavior of the dCDN. The metadata encoding described by this document is extensible in order to allow for future additions to this list. The set of metadata specified in this document covers the initial capabilities above. It is only intended to supportCDN interconnectionCDNI for the delivery of content by a dCDN using HTTP/1.1 [RFC7230] and for a dCDN to be able to acquire content from a uCDN using either HTTP/1.1 or HTTP/1.1 overTLSTransport Layer Security (TLS) [RFC2818]. SupportingCDN interconnectionCDNI for the delivery of content using unencrypted HTTP/2 [RFC7540] (as well as for a dCDN to acquire content using unencrypted HTTP/2 or HTTP/2 over TLS) requires the registration of these protocol names in theCDNI"CDNI Metadata ProtocolTypesTypes" registrySection 7.3.(Section 7.3). Delivery of content using HTTP/1.1 over TLS or HTTP/2 over TLS SHOULD follow the guidelines set forth in [RFC7525]. Offline configuration of TLS parameters between CDNs is beyond the scope of this document. 2. Design Principles The CDNImetadataMetadata interface was designed to achieve the following objectives: 1. Cacheability of CDNImetadataMetadata objects; 2. Deterministic mapping from redirection requests and content requests to CDNImetadataMetadata properties; 3. Support for DNS redirection as well as application-specific redirection (forexampleexample, HTTP redirection); 4. Minimal duplication of CDNImetadata;Metadata; and 5. Leveraging of existing protocols. Cacheability can decrease the latency of acquiring metadata while maintaining itsfreshness,freshness and can therefore decrease the latency of serving content requests and redirection requests, without sacrificing accuracy. The CDNImetadataMetadata interface uses HTTP and its existing caching mechanisms to achieve CDNImetadataMetadata cacheability. Deterministicmappingsmapping from content to metadata properties eliminates ambiguity and ensures that policies are applied consistently by all dCDNs. Support for both HTTP and DNS redirection ensures that the CDNImetadataMetadata meets the same design principles for bothHTTPHTTP-based andDNS basedDNS-based redirection schemes. Minimal duplication of CDNImetadataMetadata improves storage efficiency in the CDNs. Leveraging existing protocols avoids reinventing common mechanisms such as data structure encoding (by leveraging I-JSON (Internet JSON) [RFC7493]) and data transport (by leveraging HTTP [RFC7230]). 3. CDNI Metadataobject modelObject Model The CDNImetadataMetadata object model describes a data structure for mapping redirection requests and content requests to metadata properties. Metadata properties describe how to acquire content fromana uCDN, authorize access to content, and deliver content from a dCDN. The object model relies on the assumption that these metadata properties can be grouped based on the hostname of the content and subsequently on the resource path (URI) of the content. The object model associates a set of CDNImetadataMetadata properties with aHostnamehostname to form a default set of metadata properties for content delivered on behalf of thatHostname.hostname. That default set of metadata properties can be overridden by properties that apply to specific paths within a URI. DifferentHostnameshostnames and URI paths will be associated with different sets of CDNImetadataMetadata properties in order to describe the requiredbehaviourbehavior when a dCDNsurrogateSurrogate or request router is processing User Agent requests for content at thatHostnamehostname and URI path. As a result of this structure, significant commonality could exist between the CDNImetadataMetadata properties specified for differentHostnames,hostnames, different URI paths within aHostnamehostname, and different URI paths on differentHostnames.hostnames. Forexampleexample, the definition of which User Agent IP addresses should be grouped together into a single network or geographic location is likely to be common for a number of differentHostnames;hostnames; although a uCDN is likely to have several different policies configured to express geo-blocking rules, it is likely that a single geo-blocking policy could be applied to multipleHostnameshostnames delivered through the CDN. In order to enable the CDNImetadataMetadata for a givenHostnamehostname and URIPathpath to be decomposed into reusable sets of CDNImetadataMetadata properties, the CDNImetadataMetadata interface splits the CDNImetadataMetadata into separate objects. Efficiency is improved by enabling a single CDNImetadataMetadata object (that is shared acrossHostnamehostnames and/or URI paths) to be retrieved and stored by a dCDN once, even if it is referenced by the CDNImetadataMetadata for multipleHostnameshostnames and/or URI paths. Important Note: Any CDNImetadataMetadata object A that contains another CDNImetadataMetadata object B can include a Link object specifying a URI that can be used to retrieve object B, instead of embedding object B within object A. The remainder of this document uses the phrase "[Object] A contains [Object] B" for simplicity when a strictly accurate phrase would be "[Object] A contains or references (via a Link object) [Object] B". It is generally a deployment choice for the uCDN implementation to decide when to embed CDNImetadataMetadata objects and when to reference separate resources via Link objects. Section 3.1 introduces ahigh levelhigh-level description of the HostIndex, HostMatch, HostMetadata, PathMatch,PatternMatchPatternMatch, and PathMetadata objects, and describes the relationships between them. Section 3.2 introduces ahigh levelhigh-level description of the CDNI GenericMetadataobjectobject, which represents the level at which CDNImetadataMetadata override occurs between HostMetadata and PathMetadata objects. Section 4 describes in detail the specific CDNImetadataMetadata objects and properties specified by this documentwhichthat can be contained within a CDNI GenericMetadata object. 3.1. HostIndex, HostMatch, HostMetadata, PathMatch,PatternMatchPatternMatch, and PathMetadataobjectsObjects The relationships between the HostIndex, HostMatch, HostMetadata, PathMatch,PatternMatchPatternMatch, and PathMetadata objects are described in Figure 1. +---------+ +---------+ +------------+ |HostIndex+-(*)->|HostMatch+-(1)->|HostMetadata+-------(*)------+ +---------+ +---------+ +------+-----+ | | | (*) | | V --> Contains orReferencesreferences V*********************************** (1) One and only one +---------+*Generic Metadata**GenericMetadata* (*) Zero or more +--->|PathMatch| * Objects * | +----+---++*********************************** | | | ^ (*) (1) (1) +------------+ | | | +->|PatternMatch| | | V +------------+ | | +------------+ | +--+PathMetadata+-------(*)------+ +------------+ Figure 1: Relationships between CDNI Metadata Objects (Diagram Representation) A HostIndex object (see Section 4.1.1) contains an array of HostMatch objects (see Section 4.1.2) that containHostnameshostnames (and/or IP addresses) for which content requests might be delegated to the dCDN. The HostIndex is the starting point for accessing the uCDN CDNImetadataMetadata data store. It enables the dCDN to deterministically discover which CDNImetadataMetadata objects it requires in order to deliver a given piece of content. The HostIndex linksHostnameshostnames (and/or IP addresses) to HostMetadata objects (see Section 4.1.3) via HostMatch objects. A HostMatch object defines aHostnamehostname (or IP address) to match against a requested host and contains a HostMetadata object. HostMetadata objects contain the default GenericMetadata objects (see Section 4.1.7) required to serve content for that host. When looking up CDNImetadata,Metadata, the dCDN looks up the requestedHostnamehostname (or IP address) against the HostMatch entries in theHostIndex,HostIndex; fromtherethere, it can findHostMetadataHostMetadata, which describes the default metadata properties for each host as well as PathMetadata objects (see Section 4.1.6), via PathMatch objects (see Section 4.1.4). PathMatch objects define patterns, contained inside PatternMatch objects (see Section 4.1.5), to match against the requested URI path. PatternMatch objects contain the pattern strings and flags that describe the URI paththatto which a PathMatchapplies to.applies. PathMetadata objects contain the GenericMetadata objects that apply to content requests matching the defined URI path pattern. PathMetadata properties override properties previously defined in HostMetadata orless specificless-specific PathMatch paths. PathMetadata objects can contain additional PathMatch objects to recursively definemore specificmore-specific URI paths to which GenericMetadata properties might be applied. A GenericMetadata object contains individual CDNImetadataMetadata objectswhichthat define the specific policies and attributes needed to properly deliver the associated content. For example, a GenericMetadata object could describe the source from which a CDN can acquire a piece of content. The GenericMetadata object is an atomic unit that can be referenced by HostMetadata or PathMetadata objects. For example, if "example.com" is a content provider, a HostMatch object could include an entry for "example.com" with the URI of the associated HostMetadata object. The HostMetadata object for "example.com" describes the metadata propertieswhichthat apply to "example.com" and could contain PathMatches for"example.com/ movies/*""example.com/movies/*" and "example.com/music/*", which in turn reference corresponding PathMetadata objects that contain the properties for thosemore specificmore-specific URI paths. The PathMetadata object for "example.com/movies/*" describes the propertieswhichthat apply to that URI path. It could also contain a PathMatch object for"example.com/movies/hd/*""example.com/movies/hd/*", which would reference the corresponding PathMetadata object for the "example.com/movies/hd/" path prefix. The relationships in Figure 1 are also represented in tabular format in Table 1 below. +--------------+----------------------------------------------------+ | Data Object | Objects it contains or references | +--------------+----------------------------------------------------+ | HostIndex | 0 or more HostMatch objects. | | | | | HostMatch | 1 HostMetadata object. | | | | | HostMetadata | 0 or more PathMatch objects. 0 or more | | | GenericMetadata objects. | | | | | PathMatch | 1 PatternMatch object. 1 PathMetadata object. | | | | | PatternMatch | Does not contain or reference any other objects. | | | | | PathMetadata | 0 or more PathMatch objects. 0 or more | | | GenericMetadata objects. | +--------------+----------------------------------------------------+ Table 1: Relationships between CDNI Metadata Objects (Table Representation) 3.2. Generic CDNI Metadata Objects The HostMetadata and PathMetadata objects contain other CDNImetadataMetadata objects that contain propertieswhichthat describe how User Agent requests for content should beprocessed,processed -- forexampleexample, where to acquire the content from, authorization rules that should be applied, geo-blocking restrictions, and so on. Each such CDNImetadataMetadata object is a specialization of a CDNI GenericMetadata object. The GenericMetadata object abstracts the basic information required for metadata override and metadata distribution, from the specifics of any given property (i.e., property semantics, enforcement options, etc.). The GenericMetadata object defines the properties contained within it as well as whether or not the properties are "mandatory-to-enforce". If the dCDN does not understand or support a"mandatory-to-enforce"mandatory-to-enforce property, the dCDN MUST NOT serve the content. If the property is not"mandatory-to-enforce",mandatory-to-enforce, then that GenericMetadata object can be safely ignored and the content request can be processed in accordance with the rest of the CDNImetadata.Metadata. Although a CDN MUST NOT serve content to a User Agent if a"mandatory-to-enforce"mandatory-to-enforce property cannot be enforced, it could still be"safe-to-redistribute"safe to redistribute that metadata (the "safe-to-redistribute" property) to another CDN without modification. For example, in the cascaded CDN case, a transit CDN (tCDN) couldpass through "mandatory-to-enforce"convey mandatory-to-enforce metadata to a dCDN. For metadatawhichthat does not require customization or translation (i.e., metadata that is"safe-to-redistribute"),safe-to-redistribute), the data representation received off the wire MAY be stored and redistributed without being understood or supported by thetransit CDN.tCDN. However, for metadatawhichthat requires translation, transparent redistribution of the uCDN metadata values might not be appropriate. Certain metadata can be safely, though perhaps not optimally, redistributed unmodified. For example, a source acquisition address might not be optimal if transparently redistributed, but it might still work. Redistribution safety MUST be specified for each GenericMetadata property. If a CDN does not understand or support a given GenericMetadata property that is not"safe-to-redistribute",safe-to-redistribute, the CDN MUST set the "incomprehensible" flag to true for that GenericMetadata object before redistributing the metadata. The "incomprehensible" flag signals to a dCDN that the metadata was not properly transformed by thetransit CDN.tCDN. A CDN MUST NOT attempt to use metadata that has been marked as "incomprehensible" by a uCDN.Transit CDNstCDNs MUST NOT change the value of"mandatory-to-enforce"mandatory-to-enforce or"safe-to-redistribute"safe-to-redistribute when propagating metadata to a dCDN. Although atransit CDNtCDN can set the value of "incomprehensible" to true, atransit CDNtCDN MUST NOT change the value of "incomprehensible" from true to false. Table 2 describes the action to be taken by atransit CDN (tCDN)tCDN for the different combinations of"mandatory-to-enforce" (MtE)mandatory-to-enforce ("MtE") and"safe- to-redistribute" (StR) properties,safe-to-redistribute ("StR") properties when the tCDN either does or does not understand the metadata in question: +-------+-------+------------+--------------------------------------+ | MtE | StR | Metadata | Action | | | | Understood | | | | | by tCDN | | +-------+-------+------------+--------------------------------------+ | False | True | True | Can serve and redistribute. | | | | | | | False | True | False | Can serve and redistribute. | | | | | | | False | False | False | Can serve. MUST set | | | | | "incomprehensible" toTruetrue when | | | | | redistributing. | | | | | | | False | False | True | Can serve. Can redistribute after | | | | | transforming the metadata (if the | | | | | CDN knows how to do sosafely),safely); | | | | |otherwiseotherwise, MUST set | | | | | "incomprehensible" toTruetrue when | | | | | redistributing. | | | | | | | True | True | True | Can serve and redistribute. | | | | | | | True | True | False | MUST NOT serve but can redistribute. | | | | | | | True | False | True | Can serve. Can redistribute after | | | | | transforming the metadata (if the | | | | | CDN knows how to do sosafely),safely); | | | | |otherwiseotherwise, MUST set | | | | | "incomprehensible" toTruetrue when | | | | | redistributing. | | | | | | | True | False | False | MUST NOT serve. MUST set | | | | | "incomprehensible" toTruetrue when | | | | | redistributing. | +-------+-------+------------+--------------------------------------+ Table 2: Action tobe takenBe Taken by a tCDN for thedifferent combinationsDifferent Combinations of MtE and StRpropertiesProperties Table 3 describes the action to be taken by a dCDN for the different combinations of"mandatory-to-enforce" (MtE)mandatory-to-enforce and "incomprehensible" (Incomp) properties, when the dCDN either does or does not understand the metadata in question: +-------+--------+--------------+-----------------------------------+ | MtE | Incomp | Metadata | Action | | | | Understood | | | | | by dCDN | | +-------+--------+--------------+-----------------------------------+ | False | False | True | Can serve. | | | | | | | False | True | True | Can serve but MUST NOT | | | | | interpret/apply any metadata | | | | | markedincomprehensible.as "incomprehensible". | | | | | | | False | False | False | Can serve. | | | | | | | False | True | False | Can serve but MUST NOT | | | | | interpret/apply any metadata | | | | | markedincomprehensible.as "incomprehensible". | | | | | | | True | False | True | Can serve. | | | | | | | True | True | True | MUST NOT serve. | | | | | | | True | False | False | MUST NOT serve. | | | | | | | True | True | False | MUST NOT serve. | +-------+--------+--------------+-----------------------------------+ Table 3: Action tobe takenBe Taken by a dCDN for thedifferent combinationsDifferent Combinations of MtE and IncomppropertiesProperties 3.3. Metadata Inheritance and Override In the metadata object model, a HostMetadata object can contain multiple PathMetadata objects (via PathMatch objects). Each PathMetadata object can in turn contain other PathMetadata objects. HostMetadata and PathMetadata objects form an inheritance tree where each node in the tree inherits or overrides the property values set by its parent. GenericMetadata objects of a given type override all GenericMetadata objects of the same type previously defined by any parent object in the tree. GenericMetadata objects of a given type previously defined by a parent object in the tree are inherited when no object of the same type is defined by the child object. For example, if HostMetadata for the host "example.com" contains GenericMetadata objects oftypetypes LocationACL andTimeWindowACL,TimeWindowACL (where "ACL" means "Access Control List") while a PathMetadata objectwhichthat applies to "example.com/movies/*" defines an alternate GenericMetadata object of type TimeWindowACL, then: otheThe TimeWindowACL defined in the PathMetadata would override the TimeWindowACL defined in the HostMetadata for all User Agent requests for content under "example.com/movies/", and otheThe LocationACL defined in the HostMetadata would be inherited for all User Agent requests for content under "example.com/movies/". A single HostMetadata or PathMetadata object MUST NOT contain multiple GenericMetadata objects of the same type. If an array of GenericMetadata contains objects of duplicate types, the receiver MUST ignore all but the first object of each type. 4. CDNI MetadataobjectsObjects Section 4.1 provides the definitions of each metadata object type introduced in Section 3. These metadata objects are described as structural metadataobjectsobjects, as they provide the structure for host and URI path-based inheritance and identify which GenericMetadata objects apply to a given User Agent content request. Section 4.2 provides the definitions for a base set of core metadata objectswhichthat can be contained within a GenericMetadata object. These metadata objects govern how User Agent requests for content are handled. GenericMetadata objects can contain other GenericMetadata objects as properties; these can be referred to assub-objects).sub-objects. As with all CDNImetadataMetadata objects, the value of the GenericMetadata sub-objects can be either a complete serialized representation of thesub-object,sub-object or a Link object that contains a URI that can be dereferenced to retrieve the complete serialized representation of the propertysub- object.sub-object. Section 6.5 discusses the ability to extend the base set of GenericMetadata objects specified in this document with additional standards-based orvendor specificvendor-specific GenericMetadata objects that might be defined in the future in separate documents. dCDNs and tCDNs MUST support the parsing of all CDNImetadataMetadata objects specified in this document. A dCDN does not have to implement the underlying functionality represented by non-structural GenericMetadata objects (though that might restrict the content that a given dCDN will be able to serve). uCDNs as generators of CDNImetadataMetadata only need to support generating the CDNImetadataMetadata that they need in order to express the policies required by the content they are describing. See Section 6.4 for more details on the specific encoding rules for CDNImetadataMetadata objects. Note: In the following sections, the term "mandatory-to-specify" is used to convey which properties MUST be included for a given structural or GenericMetadata object. When mandatory-to-specify is specified as "Yes" for an individual property, it means that if the object containing that property is included in a metadata response, then the mandatory-to-specify property MUST also be included (directly or by reference) in theresponse, e.g.,response. For example, a HostMatch property object without a host to match against does not makesense,sense; therefore, thehost"host" property is mandatory-to-specify inside a HostMatch object. 4.1. Definitions of the CDNIstructural metadata objects Each of the sub-sectionsStructural Metadata Objects The subsections below describe the structural objects introduced in Section 3.1. 4.1.1. HostIndex The HostIndex object is the entry point into the CDNImetadataMetadata hierarchy. It contains an array of HostMatch objects. An incoming content request is checked against theHostnamehostname (or IP address) specified by each of the listed HostMatch objects to find the HostMatch objectwhichthat applies to the request. Property: hosts Description: Array of HostMatch objects. Hosts (HostMatch objects) MUST be evaluated in the order theyappearappear, and the first HostMatch object that matches the content request being processed MUST be used. Type: Array of HostMatch objects Mandatory-to-Specify: Yes. Example HostIndex object containing two HostMatch objects, where the first HostMatch object is embedded and the second HostMatch object is referenced: { "hosts": [ { <Properties of embedded HostMatch object> }, { "type": "MI.HostMatch", "href": "https://metadata.ucdn.example/hostmatch1234" } ] } 4.1.2. HostMatch The HostMatch object contains aHostnamehostname or IP address to match against content requests. The HostMatch object also contains a HostMetadata object to apply if a match is found. Property: host Description: Hostname or IP address and optional port to match against the requested host, i.e., the[RFC3986]host andport.port as described in [RFC3986]. In order for aHostnamehostname or IP address in a content request to match theHostnamehostname or IP address in thehost property"host" property, the value from the content request when converted to lowercase MUST be identical to the value of thehost"host" property when converted to lowercase. All implementations MUST support IPv4 addresses encoded as specified by the'IPv4address'"IPv4address" rule in Section 3.2.2 of [RFC3986]. IPv6 addresses MUST be encoded in one of the IPv6 address formats specified in[RFC5952][RFC5952], although receivers MUST support all IPv6 address formats specified in [RFC4291]. Hostnames MUST conform to the Domain Name System (DNS) syntax defined in [RFC1034] and [RFC1123]. Internationalized Domain Names(IDN)(IDNs) must first be transformed to thetheA-label form [RFC5890] as per [RFC5891]. Type: Endpoint Mandatory-to-Specify: Yes. Property: host-metadata Description: CDNImetadataMetadata to apply when delivering content that matches this host. Type: HostMetadata Mandatory-to-Specify: Yes. Example HostMatch object with an embedded HostMetadata object: { "host": "video.example.com","host-metadata" :"host-metadata": { <Properties of embedded HostMetadata object> } } Example HostMatch object referencing (via a Linkobject,object; see Section 4.3.1) a HostMetadata object: { "host": "video.example.com","host-metadata" :"host-metadata": { "type": "MI.HostMetadata", "href": "https://metadata.ucdn.example/host1234" } } 4.1.3. HostMetadata A HostMetadata object contains the CDNImetadataMetadata properties for content served for a particular host (defined in the HostMatch object) and possibly child PathMatch objects. Property: metadata Description: Array ofhost relatedhost-related metadata. Type: Array of GenericMetadata objects Mandatory-to-Specify: Yes. Property: paths Description:Path specificPath-specific rules. Path patterns (PathMatch objects) MUST be evaluated in the order theyappearappear, and the first (and only the first) PathMatch object that matches the content request being processed MUST be used. Type: Array of PathMatch objects Mandatory-to-Specify: No. Default is that there are no more-specific paths to evaluate (i.e., an empty list). Example HostMetadata object containing a number of embedded GenericMetadata objects that will describe the default metadata for the host and an embedded PathMatch object that contains a path for which metadata exists that overrides the default metadata for the host: { "metadata": [ { <Properties of1stfirst embedded GenericMetadata object> }, { <Properties of2ndsecond embedded GenericMetadata object> }, ... { <Properties of Nth embedded GenericMetadata object> } ], "paths": [ { <Properties of embedded PathMatch object> } ] } 4.1.4. PathMatch A PathMatch object contains a PatternMatch object with a path to match against a resource's URI path, as well as how to handle URI query parameters. The PathMatch object also contains a PathMetadata object with GenericMetadata to apply if the resource's URI matches the pattern within the PatternMatch object. Property: path-pattern Description: Pattern to match against the requested resource's URI. Type: PatternMatch Mandatory-to-Specify: Yes. Property: path-metadata Description: CDNImetadataMetadata to apply when delivering content that matches the associated PatternMatch. Type: PathMetadata Mandatory-to-Specify: Yes. Example PathMatch object referencing the PathMetadata object to use for URIs that match the case-sensitive URI path pattern "/movies/*" (contained within an embedded PatternMatch object): { "path-pattern": { "pattern": "/movies/*", "case-sensitive": true }, "path-metadata": { "type": "MI.PathMetadata", "href": "https://metadata.ucdn.example/host1234/pathDCE" } } 4.1.5. PatternMatch A PatternMatch object contains the pattern string and flags that describe the pattern expression. Property: pattern Description: A pattern for matching against the URI path, i.e., against the[RFC3986] path-absolute.path-absolute [RFC3986]. The pattern can contain the wildcards*"*" and?,"?", where*"*" matches any sequence of[RFC3986]pchar [RFC3986] or "/" characters (including the empty string) and?"?" matches exactly one[RFC3986]pchar character. The three literals$, *"$", "*", and?"?" MUST be escaped as$$, $*"$$", "$*", and$?"$?" (where$"$" is the designated escape character). All other characters are treated as literals. Type: String Mandatory-to-Specify: Yes. Property: case-sensitive Description: Flag indicating whether or not case-sensitive matching should be used. Note:Case-insensitivityCase insensitivity applies to ALPHA characters in the URI path prior to percent-decoding [RFC3986]. Type: Boolean Mandatory-to-Specify: No. Default is case-insensitivematch. Example PatternMatch object that matches the case-sensitive URI path pattern "/movies/*". All query parameters will be ignored when matching URIs requested from surrogates by content clients against this path pattern: { "pattern": "/movies/*", "case-sensitive": true }match (i.e., a value of False). Example PatternMatch object that matches the case-sensitive URI path pattern"/movies/*". Only the query parameter "sessionid" will be evaluated when matching URIs requested from surrogates by content clients against this path pattern:"/movies/*": { "pattern": "/movies/*", "case-sensitive": true } 4.1.6. PathMetadata A PathMetadata object contains the CDNImetadataMetadata properties for content requests that match against the associated URI path (defined in a PathMatch object). Note that if DNS-based redirection is employed, then a dCDN will be unable to evaluate any metadata at the PathMetadata level or below because only the hostname of the content request is available atrequest routingRequest Routing time. dCDNs SHOULD still process all PathMetadata for the host before responding to the redirection request to detect if any unsupported metadata is specified. If any metadata not supported by the dCDN is marked as"mandatory-to-enforce",mandatory-to-enforce, the dCDN SHOULD NOT accept the content redirection request, in order to avoid receiving content requests that it will not be able to satisfy/serve. Property: metadata Description: Array ofpath relatedpath-related metadata. Type: Array of GenericMetadata objects Mandatory-to-Specify: Yes. Property: paths Description:Path specificPath-specific rules. Path patterns (PathMatch objects) MUST be evaluated in the order theyappearappear, and the first (and only the first) PathMatch object that matches the content request being processed MUST be used. Type: Array of PathMatch objects Mandatory-to-Specify: No. Default is that there are no more-specific paths to evaluate (i.e., an empty list). Example PathMetadata object containing a number of embedded GenericMetadata objects that describe the metadata to apply for the URI path defined in the parent PathMatch object, as well as amore specificmore-specific PathMatch object. { "metadata": [ { <Properties of1stfirst embedded GenericMetadata object> }, { <Properties of2ndsecond embedded GenericMetadata object> }, ... { <Properties of Nth embedded GenericMetadata object> } ], "paths": [ { <Properties of embedded PathMatch object> } ] } 4.1.7. GenericMetadata A GenericMetadata object is a wrapper for managing individual CDNImetadataMetadata properties in an opaque manner. Property: generic-metadata-type Description: Case-insensitive CDNImetadataMetadata object type. Type: String containing the CDNI Payload Type [RFC7736] of the object contained in the generic-metadata-value property (see Table 4). Mandatory-to-Specify: Yes. Property: generic-metadata-value Description: CDNImetadataMetadata object. Type: Format/Type is defined by the value ofgeneric-metadata- typethe generic-metadata-type property above. Note: generic-metadata-values MUST NOT name any properties "href" (see Section 4.3.1). Mandatory-to-Specify: Yes. Property: mandatory-to-enforce Description: Flag identifying whether or not the enforcement of the property metadata is required. Type: Boolean Mandatory-to-Specify: No. Default is to treat metadata asmandatory to enforcemandatory-to-enforce (i.e., a value of True). Property: safe-to-redistribute Description: Flag identifying whether or not the property metadata can be safely redistributed without modification. Type: Boolean Mandatory-to-Specify: No. Default is to allow transparent redistribution (i.e., a value of True). Property: incomprehensible Description: Flag identifying whether or not any CDN in the chain of delegation has failed to understand and/or failed to properly transform this metadata object. Note: This flag only applies to metadata objects whose safe-to-redistribute property has a value of False. Type: Boolean Mandatory-to-Specify: No. Default is comprehensible (i.e., a value of False). Example GenericMetadata object containing a metadata object that applies to the applicable URI path and/or host (within a parent PathMetadata and/or HostMetadata object, respectively): { "mandatory-to-enforce": true, "safe-to-redistribute": true, "incomprehensible": false, "generic-metadata-type": <CDNI Payload Type of this metadata object>, "generic-metadata-value": { <Properties of this metadata object> } } 4.2. Definitions of theinitial setInitial Set of CDNIGeneric Metadata objectsGenericMetadata Objects The objects defined below are intended to be used in the GenericMetadataobjectobject's generic-metadata-value field as defined in Section4.1.74.1.7, and their generic-metadata-type property MUST be set to the appropriate CDNI Payload Type as defined in Table 4. 4.2.1. SourceMetadata Source metadata provides the dCDN with information about content acquisition, i.e., how to contactana uCDN Surrogate or anOrigin Serverorigin server to obtain the content to be served. The sources are not necessarily the actualOrigin Serversorigin servers operated by theCSPContent Service Provider (CSP) but might be a set of Surrogates in the uCDN. Property: sources Description: Sources from which the dCDN can acquire content, listed in order of preference. Type: Array of Source objects (see Section 4.2.1.1) Mandatory-to-Specify: No. Default is to use static configuration, out-of-band from themetadataCDNI Metadata interface. Example SourceMetadata object (which contains two Source objects) that describes which servers the dCDN should use for acquiring content for the applicable URI path and/or host: { "generic-metadata-type": "MI.SourceMetadata", "generic-metadata-value": { "sources": [ { "endpoints": [ "a.service123.ucdn.example", "b.service123.ucdn.example" ], "protocol": "http/1.1" }, { "endpoints": ["origin.service123.example"], "protocol": "http/1.1" } ] } } 4.2.1.1. Source A Source object describes the source to be used by the dCDN for content acquisition (e.g., a Surrogate within the uCDN or an alternateOrigin Server),origin server), the protocol to be used, and any authentication method to be used when contacting that source. Endpoints within a Source object MUST be treated as equivalent/equal. A uCDN can specify an array ofsources in preference ordersources, ordered by preference, within a SourceMetadataobject, and thenobject. Then, for eachpreference rankedSourceobject,object ranked by preference, a uCDN can specify an array of endpoints that are equivalent (e.g., a pool of servers that are not behind a load balancer). Property: acquisition-auth Description: Authentication method to use when requesting content from this source. Type: Auth (see Section 4.2.7) Mandatory-to-Specify: No. Default is no authentication required. Property: endpoints Description: Origins from which the dCDN can acquire content. If multiple endpoints arespecifiedspecified, they are all equal, i.e., the list is notin preference order (e.g., a pool of servers behind a load balancer).ordered by preference. Type: Array of Endpoint objects(See(see Section 4.3.3) Mandatory-to-Specify: Yes. Property: protocol Description: Network retrieval protocol to use when requesting content from this source. Type: Protocol (see Section 4.3.2) Mandatory-to-Specify: Yes. Example Source object that describes a pair of endpoints (servers) the dCDN can use for acquiring content for the applicable host and/or URI path: { "endpoints": [ "a.service123.ucdn.example", "b.service123.ucdn.example" ], "protocol": "http/1.1" } 4.2.2. LocationACL Metadata LocationACL metadata defines which locations a User Agent needs to be in, in order to be able to receive the associated content. A LocationACLwhichthat does not include alocations"locations" property results in an action ofallow all,"allow all", meaning that delivery can be performed regardless of the User Agent'slocation, otherwiselocation; otherwise, a CDN MUST take the action from the first footprint to match against the User Agent's location. If two or more footprints overlap, the first footprint that matches against the User Agent's location determines the action a CDN MUST take. If thelocations"locations" property is included but isempty,empty or if none of the listed footprintsmatchesmatch the User Agent's location, then the result is an action ofdeny."deny". Although the LocationACL, TimeWindowACL (see Section 4.2.3), and ProtocolACL (see Section 4.2.4) are independent GenericMetadata objects, they can provide conflicting information to a dCDN, e.g., a content requestwhichthat is simultaneously allowed based on the LocationACL and denied based on the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs (where'allow'"allow" is true and'deny'"deny" is false) to determine whether or not a request should be allowed. Property: locations Description:Access control list whichACL that allows or denies (blocks) delivery based on the User Agent's location. Type: Array of LocationRule objects (see Section 4.2.2.1) Mandatory-to-Specify: No. Default is to allow all locations. Example LocationACL object that allows the dCDN to deliver content to anylocation/IPlocation / IP address: { "generic-metadata-type": "MI.LocationACL", "generic-metadata-value": { } } Example LocationACL object (which contains a LocationRule objectwhich itselfthat in turn contains a Footprint object) that only allows the dCDN to deliver content to User Agents in the USA: { "generic-metadata-type": "MI.LocationACL", "generic-metadata-value": { "locations": [ { "action": "allow", "footprints": [ { "footprint-type": "countrycode", "footprint-value": ["us"] } ] } ] } } 4.2.2.1. LocationRule A LocationRule contains or references an array of Footprint objects and the corresponding action. Property: footprints Description: Array of footprints to which the rule applies. Type: Array of Footprint objects (see Section 4.2.2.2) Mandatory-to-Specify: Yes. Property: action Description: Defines whether the rule specifies locations to allow or deny. Type: Enumeration [allow|deny] encoded as a lowercase string Mandatory-to-Specify: No. Default isdeny."deny". Example LocationRule object (which contains a Footprint object) that allows the dCDN to deliver content to clients in the USA: { "action": "allow", "footprints": [ { "footprint-type": "countrycode", "footprint-value": ["us"] } ] } 4.2.2.2. Footprint A Footprint object describes the footprint to which a LocationRule can beapplied to,applied, e.g., an IPv4 address range or a geographic location. Property: footprint-type Description: Registered footprint type (see Section 7.2). The footprint types specified by this documentare:are "ipv4cidr"(IPv4CIDR,(IPv4CIDR; see Section 4.3.5), "ipv6cidr"(IPv6CIDR,(IPv6CIDR; see Section 4.3.6), "asn" (Autonomous SystemNumber,Number; see Section4.3.7)4.3.7), and "countrycode" (CountryCode,Code; see Section 4.3.8). Type: LowercaseStringstring Mandatory-to-Specify: Yes. Property: footprint-value Description: Array of footprint values conforming to the specification associated with the registered footprint type. Footprint values can be simple strings (e.g., IPv4CIDR, IPv6CIDR, ASN, andCountryCode),Country Code); however, other Footprint objects can be defined in the future, along with a more complex encoding (e.g., GPS coordinate tuples). Type: Array of footprints Mandatory-to-Specify: Yes. Example Footprint object describing a footprint covering the USA: { "footprint-type": "countrycode", "footprint-value": ["us"] } Example Footprint object describing a footprint covering the IP address ranges 192.0.2.0/24 and 198.51.100.0/24: { "footprint-type": "ipv4cidr", "footprint-value": ["192.0.2.0/24", "198.51.100.0/24"] } Example Footprint object describing a footprint covering the IP address ranges 2001:db8::/32: { "footprint-type": "ipv6cidr", "footprint-value": ["2001:db8::/32"] } Example Footprint object describing a footprint covering the autonomous system 64496: { "footprint-type": "asn", "footprint-value": ["as64496"] } 4.2.3. TimeWindowACL TimeWindowACL metadata defines time-based restrictions. A TimeWindowACLwhichthat does not include atimes"times" property results in an action ofallow all,"allow all", meaning that delivery can be performed regardless of the time of the User Agent'srequest, otherwiserequest; otherwise, a CDN MUST take the action from the first window to match against the current time. If two or more windows overlap, the first window that matches against the current time determines the action a CDN MUST take. If thetimes"times" property is included but isempty,empty or if none of the listed windowsmatchesmatch the current time, then the result is an action ofdeny."deny". Although the LocationACL (see Section 4.2.2), TimeWindowACL, and ProtocolACL (see Section 4.2.4) are independent GenericMetadata objects, they can provide conflicting information to a dCDN, e.g., a content requestwhichthat is simultaneously allowed based on the LocationACL and denied based on the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs (where'allow'"allow" is true and'deny'"deny" is false) to determine whether or not a request should be allowed. Property: times Description:Access control list whichACL that allows or denies (blocks) delivery based on the time of a User Agent's request. Type: Array of TimeWindowRule objects (see Section 4.2.3.1) Mandatory-to-Specify: No. Default is to allow all time windows. ExampleTimeWIndowACLTimeWindowACL object (which contains a TimeWindowRule objectwhich itselfthat in turn contains aTimeWIndowTimeWindow object) that only allows the dCDN to deliver content to clients between 09:00 01/01/2000 UTC and 17:00 01/01/2000 UTC: { "generic-metadata-type": "MI.TimeWindowACL", "generic-metadata-value": { "times": [ { "action": "allow", "windows": [ { "start": 946717200, "end": 946746000 } ] } ] } } 4.2.3.1. TimeWindowRule A TimeWindowRule contains or references an array of TimeWindow objects and the corresponding action. Property: windows Description: Array of time windows to which the rule applies. Type: Array of TimeWindow objects (see Section 4.2.3.2) Mandatory-to-Specify: Yes. Property: action Description: Defines whether the rule specifies time windows to allow or deny. Type: Enumeration [allow|deny] encoded as a lowercase string Mandatory-to-Specify: No. Default isdeny."deny". ExampleTimeWIndowRuleTimeWindowRule object (which contains aTimeWIndowTimeWindow object) that only allows the dCDN to deliver content to clients between 09:00 01/01/2000 UTC and 17:00 01/01/2000 UTC: { "action": "allow", "windows": [ { "start": 946717200, "end": 946746000 } ] } 4.2.3.2. TimeWindow A TimeWindow object describes a time rangewhichthat can be applied byana TimeWindowACL, e.g., start 946717200 (i.e., 09:00 01/01/2000 UTC), end: 946746000 (i.e., 17:00 01/01/2000 UTC). Property: start Description: The start time of the window. Type: Time (see Section 4.3.4) Mandatory-to-Specify: Yes. Property: end Description: The end time of the window. Type: Time (see Section 4.3.4) Mandatory-to-Specify: Yes. ExampleTimeWIndowTimeWindow object that describes a time window from 09:00 01/01/2000 UTC to 17:00 01/01/2000 UTC: { "start": 946717200, "end": 946746000 } 4.2.4. ProtocolACL Metadata ProtocolACL metadata defines delivery protocol restrictions. A ProtocolACLwhichthat does not include a protocol-acl property results in an action ofallow all,"allow all", meaning that delivery can be performed regardless of the protocol in the User Agent'srequest, otherwiserequest; otherwise, a CDN MUST take the action from the first protocol to match against the request protocol. If two or more request protocols overlap, the first protocol that matches the request protocol determines the action a CDN MUST take. If the protocol-acl property is included but isempty,empty or if none of the listedprotocol matchesprotocols match the request protocol, then the result is an action ofdeny."deny". Although theLocationACL, TimeWindowACL,LocationACL (see Section 4.2.2), TimeWindowACL (see Section 4.2.3), and ProtocolACL are independent GenericMetadata objects, they can provide conflicting information to a dCDN, e.g., a content requestwhichthat is simultaneously allowed based on the ProtocolACL and denied based on the TimeWindowACL. The dCDN MUST use the logical AND of all ACLs (where'allow'"allow" is true and'deny'"deny" is false) to determine whether or not a request should be allowed. Property: protocol-acl Description:Description: Access control list whichACL that allows or denies (blocks) delivery based on delivery protocol. Type: Array of ProtocolRule objects (see Section 4.2.4.1) Mandatory-to-Specify: No. Default is to allow all protocols. Example ProtocolACL object (which contains a ProtocolRule object) that only allows the dCDN to deliver content using HTTP/1.1: { "generic-metadata-type": "MI.ProtocolACL", "generic-metadata-value": { "protocol-acl": [ { "action": "allow", "protocols": ["http/1.1"] } ] } } 4.2.4.1. ProtocolRule A ProtocolRule contains or references an array of Protocol objects and the corresponding action. Property: protocols Description: Array of protocols to which the rule applies. Type: Array ofProtocolsProtocol objects (see Section 4.3.2) Mandatory-to-Specify: Yes. Property: action Description: Defines whether the rule specifies protocols to allow or deny. Type: Enumeration [allow|deny] encoded as a lowercase string Mandatory-to-Specify: No. Default isdeny."deny". Example ProtocolRule object (which contains aProtocolRuleProtocol object) that allows the dCDN to deliver content using HTTP/1.1: { "action": "allow", "protocols": ["http/1.1"] } 4.2.5. DeliveryAuthorization Metadata DeliveryAuthorizationauthorization defines authorization methods for the delivery of content to User Agents. Property: delivery-auth-methods Description: Options for authorizing content requests. Delivery for a content request is authorized if any one of the authorization methods in the list is satisfied for that request. Type: Array of Auth objects (see Section 4.2.7) Mandatory-to-Specify: No. Default is no authorization required. Example DeliveryAuthorization object (which contains an Auth object): { "generic-metadata-type": "MI.DeliveryAuthorization", "generic-metadata-value": { "delivery-auth-methods": [ { "auth-type": <CDNI Payload Type of this Auth object>, "auth-value": { <Properties of this Auth object> } } ] } } 4.2.6. Cache A Cache object describes the cache control parameters to be applied to the content by intermediate caches. Cache keys are generated from the URI of the content request [RFC7234]. In some cases, a CDN or content provider might want certain path segments or query parameters to be excluded from the cache key generation. The Cache object provides guidance on what parts of the path and query string to include. Property: exclude-path-pattern Description: A pattern for matching against the URI path, i.e., against the[RFC3986] path-absolute.path-absolute [RFC3986]. The pattern can contain the wildcards*"*" and?,"?", where*"*" matches any sequence of[RFC3986]pchar [RFC3986] or "/" characters (including the empty string) and?"?" matches exactly one[RFC3986]pchar character. The three literals$, *"$", "*", and?"?" MUST be escaped as$$, $*"$$", "$*", and$?"$?" (where$"$" is the designated escape character). All other characters are treated as literals. Cache key generation MUST only include the portion of the path-absolute that matches the wildcard portions of the pattern. Note: Inconsistency between the PatternMatch patternSection 4.1.5(Section 4.1.5) and the exclude-path-pattern can result in inefficient caching. Type: String Mandatory-to-Specify: No. Default is to use the full URIpath- absolutepath-absolute to generate the cache key. Property: include-query-strings Description: Allows a Surrogate to specify the URI query string parameters [RFC3986] to include when comparing the requested URI against the URIs in its cache for equivalence. Matching query parameters MUST becase-insensitive.case insensitive. If all query parameters should be ignored, then the list MUST be specified and MUST be empty. If a query parameter appears multiple times in the query string, each instance value MUST be aggregated prior to comparison. For consistent cache key generation, query parameters SHOULD be evaluated in the order specified in this array. Type: Array ofStringstrings Mandatory-to-Specify: No. Default is to consider all query string parameters when comparing URIs. Example Cache object that instructs the dCDN to use the full URI path and ignore all query parameters: { "generic-metadata-type": "MI.Cache", "generic-metadata-value": { "include-query-strings": [] } } Example Cache object that instructs the dCDN to exclude the "CDNX" path prefix and only include the (case-insensitive) query parameters named "mediaid" and "providerid": { "generic-metadata-type": "MI.Cache", "generic-metadata-value": { "exclude-path-pattern": "/CDNX/*", "include-query-strings": ["mediaid", "providerid"] } } Example Cache object that instructs the dCDN to exclude the "CDNX" pathprefix,prefix but includes all query parameters: { "generic-metadata-type": "MI.Cache", "generic-metadata-value": { "exclude-path-pattern": "/CDNX/*" } } 4.2.7. Auth An Auth object defines authentication and authorization methods to be used during content acquisition and content delivery, respectively. Note: This document does not define any Auth methods. Individual Auth methods are being defined separately (e.g., URI Signing[I-D.ietf-cdni-uri-signing]).[CDNI-URI-SIGNING]). The GenericMetadatawhich containobject that contains Auth objects is defined herein for convenience and so as not to be specific to any particular Auth method. Property: auth-type Description: Auth type (The CDNI Payload Type [RFC7736] of the GenericMetadata object contained in the auth-value property). Type: String Mandatory-to-Specify: Yes. Property: auth-value Description: An object conforming to the specification associated with the Auth type. Type: GenericMetadataObjectobject Mandatory-to-Specify: Yes. Example Auth object: { "generic-metadata-type": "MI.Auth", "generic-metadata-value": { "auth-type": <CDNI Payload Type of this Auth object>, "auth-value": { <Properties of this Auth object> } } } 4.2.8. Grouping A Grouping object identifies a group of content to which a given asset belongs. Property: ccid Description: Content CollectionidentifierIDentifier for an application- specific purpose such as logging aggregation. Type: String Mandatory-to-Specify: No. Default isan empty string.not to apply any grouping. Example Grouping object that specifies a Content CollectionIdentifierIDentifier for the content associated with the Grouping object's parent HostMetadata and PathMetadata: { "generic-metadata-type": "MI.Grouping", "generic-metadata-value": { "ccid": "ABCD" } } 4.3. CDNI Metadata Simple Data Type Descriptions This section describes the simple data types that are used for properties of CDNImetadataMetadata objects. 4.3.1. Link A Link object can be used in place of any of the objectsor propertiesdescribed above. Link objects can be used to avoid duplication if the same metadata information is repeated within the metadata tree. When a Link object replaces another object, itshref"href" property is set to the URI of the resource and itstype"type" property is set to the CDNI Payload Type of the object it is replacing. dCDNs can detect the presence of a Link object by detecting the presence of a property named "href" within the object. This means that GenericMetadata types MUST NOT contain a property named "href" because doing so would conflict with the ability for dCDNs to detect Link objects being used to reference a GenericMetadata object. Property: href Description: The URI of the addressable object being referenced. Type: String Mandatory-to-Specify: Yes. Property: type Description: The CDNI PayloadtypeType of the object being referenced. Type: String Mandatory-to-Specify: No. If the container specifies the type (e.g., the HostIndex object contains an array of HostMatch objects, so a Link object in the list of HostMatch objects must reference a HostMatch), then it is not necessary to explicitly specify a type. Example Link object referencing a HostMatch object: { "type": "MI.HostMatch", "href": "https://metadata.ucdn.example/hostmatch1234" } Example Link object referencing a HostMatch object, without an explicit type, inside a HostIndex object: { "hosts": [ { <Properties of embedded HostMatch object> }, { "href": "https://metadata.ucdn.example/hostmatch1234" } ] } 4.3.1.1. Link Loop Prevention When following aLink,link, CDNImetadataMetadata clients SHOULD verify that the CDNI Payload Type of the object retrieved matches the expected CDNI Payload Type, as indicated by thelink object.Link object or containing property. For GenericMetadata objects, type checks will preventselfself- references; however, incorrect linking can result in circular references for structuralmetadtatametadata objects,specifically,specifically PathMatch and PathMetadata objectsFigure 1.(Figure 1). To preventthecircular references, CDNImetadataMetadata clients SHOULD verify that no duplicateLinkslinks occur for PathMatch or PathMetadata objects. 4.3.2. Protocol Protocol objects are used to specifyregisteredprotocols (from the "CDNI Metadata Protocol Types" registry; see Section 7.3) for content acquisition ordelivery (see Section 7.3).delivery. Type: String Example: "http/1.1" 4.3.3. Endpoint AHostnamehostname (with optional port) or an IP address (with optional port). All implementations MUST support IPv4 addresses encoded as specified by the'IPv4address'"IPv4address" rule in Section 3.2.2 of [RFC3986]. IPv6 addresses MUST be encoded in one of the IPv6 address formats specified in[RFC5952][RFC5952], although receivers MUST support all IPv6 address formats specified in [RFC4291]. Hostnames MUST conform to the Domain Name System (DNS) syntax defined in [RFC1034] and [RFC1123]. Internationalized Domain Names(IDN)(IDNs) must first be transformed to the A-label form [RFC5890] as per [RFC5891]. Type: String ExampleHostname:hostname: "metadata.ucdn.example" Example IPv4 address: "192.0.2.1" Example IPv6 address (with port number): "[2001:db8::1]:81" 4.3.4. Time A time value expressed in seconds since theUnixUNIX epoch (i.e., zero hours, zero minutes, zero seconds, on January 1, 1970) Coordinated Universal Time (UTC) [POSIX]. Type: Integer ExampleTimetime representing 09:00:00 01/01/2000 UTC: 946717200 4.3.5. IPv4CIDR An IPv4addressCIDRClassless Inter-Domain Routing (CIDR) block encoded as specified by the'IPv4address'"IPv4address" rule in Section 3.2.2 of [RFC3986] followed by a/"/" followed by an unsigned integer representing the leading bits of the routing prefix (i.e., IPv4 CIDR notation). Single IP addresses can be expressed as /32. Type: String ExampleIPv4 CIDR:IPv4CIDR: "192.0.2.0/24" 4.3.6. IPv6CIDR An IPv6address CIDR block encoded in one of the IPv6 address formats specified in [RFC5952] followed by a/"/" followed by an unsigned integer representing the leading bits of the routing prefix (i.e., IPv6 CIDR notation). Single IP addresses can be expressed as /128. Type: String ExampleIPv6 CIDR:IPv6CIDR: "2001:db8::/32" 4.3.7. ASN AnAutonomous System NumberASN value encoded as a string consisting of the characters "as" (in lowercase) followed by theAutonomous System numberASN [RFC6793]. Type: String Example ASN: "as64496" 4.3.8.CountryCodeCountry Code An ISO 3166-1 alpha-2 code [ISO3166-1] in lowercase. Type: String Example Country Code representing the USA: "us" 5. CDNI Metadata Capabilities CDNImetadataMetadata is used to convey information pertaining to content delivery from the uCDN to the dCDN. For optional metadata, it can be useful for the uCDN toknowknow, prior to delegating any content requests to a given dCDN, ifthethat dCDN supports the underlying functionality described by themetadata, prior to delegating any content requests to the dCDN.metadata. If some metadata is"mandatory-to- enforce",mandatory-to-enforce and the dCDN does not support it, any delegated requests for content that requires that metadata will fail. The uCDN will likely want to avoid delegating those requests to that dCDN. Likewise, for any metadatawhichthat might be assigned optional values, it could be useful for the uCDN toknow which values a dCDN supports,know, prior to delegating any content requests to a given dCDN, which values thatdCDN.dCDN supports. If the optional value assigned to a given piece of content's metadata is not supported by the dCDN, any delegated requests for that content can fail, so again the uCDN is likely to want to avoid delegating those requests to that dCDN. The CDNI Footprintand& CapabilitiesInterfaceAdvertisement interface (FCI) provides a means of advertising capabilities from the dCDN to the uCDN[RFC7336].[RFC8008]. Support for optional metadata types and values can be advertised using the FCI. 6. CDNI MetadatainterfaceInterface This section specifies an interface to enable a dCDN to retrieve CDNImetadataMetadata objects from a uCDN. The interface can be used by a dCDN to retrieve CDNImetadataMetadata objectseither:in either of two ways: oDynamicallyDynamically, as required by the dCDN to process receivedrequests. For examplerequests -- for example, in response to a query fromana uCDN over the CDNI Request Routing Redirection interface (RI)[I-D.ietf-cdni-redirection][RFC7975] or in response to receiving a request for content from a User Agent.Or;o In advance of beingrequired. For examplerequired -- for example, in the case ofpre- positionedpre-positioned CDNImetadataMetadata acquisition, initiated through the "CDNI Control interface / Triggers" (CI/T) interface[I-D.ietf-cdni-control-triggers].[RFC8007]. The CDNImetadataMetadata interface is built on the principles of HTTP web services. In particular, this means that requests and responses over the interface arebuilt around the transfer of representations of hyperlinked resources. A resource in the context of the CDNI metadata interface is any object in the object model (as described in Section 3 and Section 4). To retrieve CDNI metadata, a CDNI metadata client (i.e., a client in the dCDN) first makes a HTTP GET request for the URI of the HostIndex which providesbuilt around theCDNI metadata client with an arraytransfer ofHostnames for whichrepresentations of hyperlinked resources. A resource in theuCDN can delegate content delivery tocontext of thedCDN. The CDNI metadata client can then obtain any otherCDNImetadata objects by making a HTTP GET requests forMetadata interface is anylinked metadata objects it requires.object in the object model (as described in Sections 3 and 4). CDNImetadataMetadata servers (i.e., servers in the uCDN) are free to assign whatever structure they desire to the URIs for CDNImetadata objectsMetadata objects, and CDNImetadataMetadata clients MUST NOT make any assumptions regarding the structure of CDNImetadataMetadata URIs or the mapping between CDNImetadataMetadata objects and their associated URIs.Therefore anyAny URIs present in the examples in this document are purely illustrative and are not intended to impose a definitive structure on CDNImetadataMetadata interface implementations. 6.1. Transport The CDNImetadataMetadata interface uses HTTP as the underlying protocol transport [RFC7230]. The HTTPMethodmethod in the request defines the operation the request would like to perform. A server implementation of the CDNImetadataMetadata interface MUST support the HTTP GET and HEAD methods. The corresponding HTTPResponseresponse returns the status of the operation in the HTTPStatus Codestatus code and returns the current representation of the resource (if appropriate) in theResponse Body.response body. HTTPResponsesresponses that contain a response body SHOULD include anETagentity-tag (ETag) to enable validation of cached versions of returned resources. As the CDNImetadataMetadata interface builds on top of HTTP, CDNImetadataMetadata server implementations MAY make use of any HTTP feature when implementing the CDNImetadata interface,Metadata interface; for example, a CDNImetadataMetadata server MAY make use of HTTP's caching mechanisms to indicate that the returned response/representation can be reused withoutre- contactingre-contacting the CDNImetadataMetadata server. 6.2. Retrieval of CDNI MetadataresourcesResources In the general case, a CDNImetadataMetadata server makes CDNImetadataMetadata objects available viaauniqueURIs andURIs; thus, in order to retrieve CDNImetadata,Metadata, a CDNImetadataMetadata client (i.e., a client in the dCDN) first makesaan HTTP GET request for the URI of theHostIndexHostIndex, which provides an array ofHostnameshostnames for which the uCDN can delegate content delivery to the dCDN. In order to retrieve the CDNImetadataMetadata for a particularrequestrequest, the CDNImetadataMetadata client processes the received HostIndex object and finds the corresponding HostMetadata entry (by matching the hostname in the request against the hostnames listed in the HostMatch objects). If the HostMetadata is linked (rather than embedded), the CDNImetadataMetadata client then makesaan HTTP GET request for the URI specified in thehref"href" property of the Linkobjectobject, which points to the HostMetadata object itself. In order to retrieve the most specific metadata for a particular request, the CDNImetadataMetadata client inspects the HostMetadata for references tomore specificmore-specific PathMetadata objects (by matching the URI path in the request against thepath-patternspath-pattern property items in any PathMatch objects listed in the HostMetadata object). Ifanya PathMetadataareobject is found to match (andareis linked rather than embedded), the CDNImetadataMetadata client makes another HTTP GET request for the PathMetadata. Each PathMetadata object can also include references toyet more specificadditional more-specific metadata. If this is the case, the CDNImetadataMetadata client continues requesting PathMatch and PathMetadata objects recursively. The CDNImetadataMetadata client repeats this approach of processing metadata objects and retrieving (via HTTP GETs) any linked objects until it has all the metadata objects it requires in order to process the redirection request fromanthe uCDN or the content request from a User Agent. In cases where a dCDN is not able to retrieve the entire set of CDNImetadataMetadata associated with a User Agent request, or it has retrieved that metadata but it is stale according to standard HTTP caching rules and cannot berevalidated,revalidated -- forexampleexample, because the uCDN is unreachable or returnsaan HTTP 4xx or 5xx status in response to some or all of the dCDN's CDNImetadata requests,Metadata requests -- the dCDN MUST NOT serve the requested content. Where a dCDN is interconnected with multiple uCDNs, the dCDN needs to determine which uCDN's CDNImetadataMetadata interface should be used to handle a particular User Agent request. Whenapplication levelHTTP redirection (e.g., HTTP 302 redirects) is being used between CDNs, it is expected that the dCDN will be able to determine the uCDN that redirected a particular request from information contained in the received request (e.g., via the URI). With knowledge of which uCDN routed the request, the dCDN can choose the correct uCDN from which to obtain the HostIndex. Note that the HostIndexes served by each uCDN can be unique. In the case of DNSredirectionredirection, there is not always sufficient information carried in the DNS request from User Agents to determine the uCDN that redirected a particular request (e.g., when content from a given host is redirected to a given dCDN by more than oneuCDN) and thereforeuCDN); therefore, dCDNs will have to apply local policy when deciding which uCDN'smetadataCDNI Metadata interface toapply.use. 6.3. Bootstrapping The URI for the HostIndex object of a given uCDN needs to be configured in the dCDN. All other objects/resources are then discoverable from the HostIndex object by following any links in the HostIndexobjectobject, and through the referenced HostMetadata and PathMetadata objects and their GenericMetadata sub-objects. Manual configuration of the URI for the HostIndex object is outside the scope of this document. 6.4. Encoding CDNImetadataMetadata objects MUST be encoded as I-JSON objects [RFC7493] containing a dictionary of (key,value) pairs where the keys are the property names and the values are the associated property values. The keys of the dictionary are the names of the properties associated with the object and are therefore dependent on the specific object being encoded (i.e., dependent on the CDNI Payload Type of the returned resource). Likewise, the values associated with each property (dictionary key) are dependent on the specific object being encoded (i.e., dependent on the CDNI Payload Type of the returned resource). Dictionary keys (properties) in I-JSON are case sensitive. By convention, any dictionary key (property) defined by this document (for example, the names of CDNImetadataMetadata object properties) MUST be lowercase. 6.5. Extensibility The set of GenericMetadata objects can be extended with additional(standards based(standards-based orvendor specific)vendor-specific) metadata objects through the specification of new GenericMetadata objects. The GenericMetadata object defined in Section 4.1.7 specifies a type field and a type- specific value field thatallowsallow any metadata to be included in either the HostMetadata or PathMetadata arrays. As with the initial GenericMetadata types defined in Section 4.2, future GenericMetadata types MUST specify the information necessary for constructing and decoding the GenericMetadata object. Any documentwhichthat defines a new GenericMetadata type MUST: 1.Specify and registerRegister the CDNI Payload Type [RFC7736] used to identify the new GenericMetadata type being specified. 2. Define the set of properties associated with the new GenericMetadata object. GenericMetadata MUST NOT contain a property named "href" because doing so would conflict with the ability to detect Link objects (see Section 4.3.1). 3.DefineFor each property, define a name, description, type, and whether or not the property is mandatory-to-specify. 4. Describe the semantics of the newtypetype, including itspurposepurpose, andexample ofprovide a use case to which itappliesapplies, including an example encoded in I-JSON. 5. Describe the security and privacy consequences, for both theuser-agentUser Agent and theCDN,CDNs, of the new GenericMetadata object. 6. Describe any relation to, conflict with, or obsolescence of other existing CDNImetadataMetadata objects. Note: In the case ofvendor specificvendor-specific extensions, vendor-identifying CDNI Payload Type names will decrease the possibility of GenericMetadata type collisions. It is RECOMMENDED that any vendor-specific extensions use vendor-identifying CDNI Payload Type names. 6.6. Metadata Enforcement At any given time, the set of GenericMetadata types supported by the uCDN might not match the set of GenericMetadata types supported by the dCDN. In cases where a uCDN sends metadata containing a GenericMetadata type that a dCDN does not support, the dCDN MUST enforce the semantics of the"mandatory-to-enforce"mandatory-to-enforce property. If a dCDN does not understand or is unable to perform the functions associated with any"mandatory-to-enforce"mandatory-to-enforce metadata, the dCDN MUST NOT service any requests for the corresponding content. Note: Ideally, uCDNs would not delegate content requests to a dCDN that does not support the"mandatory-to-enforce"mandatory-to-enforce metadata associated with the content being requested. However, even if the uCDN has a priori knowledge of the metadata supported by the dCDN (e.g., via the FCI or through out-of-band negotiation between CDN operators), metadata support can fluctuate or be inconsistent (e.g., due tomis- communication, mis-configuration,miscommunication, misconfiguration, or temporary outage). Thus, the dCDN MUST always evaluate all metadata associated with redirection and content requests and reject any requests where"mandatory-to- enforce"mandatory-to-enforce metadata associated with the content cannot be enforced. 6.7. Metadata Conflicts It is possible that new metadata definitions will obsolete or conflict with existing GenericMetadata (e.g., a future revision of the CDNImetadataMetadata interface could redefine the Auth GenericMetadata object or a custom vendor extension could implement an alternate Auth metadata option). If multiple metadata (e.g., MI.Auth.v2, vendor1.Auth, and vendor2.Auth) all conflict with an existing GenericMetadata object (i.e., MI.Auth) and all are marked as"mandatory-to-enforce",mandatory-to-enforce, it could be ambiguous as to which metadata should be applied, especiallyifin thefunctionalitycase ofthe metadata overlap.overlapping functionality. As described in Section 3.3, metadata override only applies to metadata objects of the same exact type found in HostMetadata and nested PathMetadata structures. The CDNImetadataMetadata interface does not support enforcement of dependencies between differentmetadataGenericMetadata types. It is the responsibility of the CSP and the CDN operators to ensure that metadata assigned to a given piece of content do not conflict. Note: Because metadata is inherently ordered in HostMetadata and PathMetadata arrays, as well as in the PathMatch hierarchy, multiple conflicting metadata types MAY beused,used; however, metadata hierarchies SHOULD ensure that independent PathMatch root objects are used to prevent ambiguous or conflicting metadata definitions. 6.8. Versioning The version of CDNImetadataMetadata objects is conveyed inside the CDNI Payload Type that is included in either (1) the HTTP Content-Typeheader, for example:header (for example, "Content-Type: application/cdni;ptype=MI.HostIndex",ptype=MI.HostIndex" when retrieved via alink,link) or (2) in the link type (Section 4.3.1), generic-metadata-type (Section 4.1.7), or auth-type (Section 4.2.7) properties in the JSON payload. The CDNI Payload Type uniquely identifies the specification defining that object, including any relation to, conflicts with, or obsolescence of other metadata. There is no explicit version mappingrequirement,requirement; however, for ease of understanding, metadata creators SHOULD make new versions of metadata easily visible via the CDNI Payload Type, e.g., by appending a version string. Note: A version string is optional on the firstversion, e.g., MI.HostIndex,version (e.g., MI.HostIndex) but could be added for subsequentversions, e.g., MI.HostIndex.v2,versions (MI.HostIndex.v2, MI.HostIndex.v3,etc.etc.). Except when referenced by a Link object, nested metadata objects (i.e., structural metadata below the HostIndex;Source objects; Location, TimeWindow,andProtocol Rule objects; and FootprintSource, LocationRule, TimeWindowRule, ProtocolRule, Footprint, and TimeWindow objects) can be serialized into a JSON payload without explicit CDNI Payload Type information. The type is inferred from the outer structural metadata,generic metadata,GenericMetadata, orauthAuth object CDNI Payload Type. To avoid ambiguity when revising nestable metadata objects, any outer metadata object(s) MUST be reversioned and allocated new CDNI Payload Type(s) at the same time. For example, the MI.HostIndex object defined in this document contains an array of MI.HostMatch objects,whicheach of which in turn contains a MI.HostMetadata object. If a new MI.HostMetadata.v2 object were required, the outer MI.HostIndex and MI.HostMatch objects would need to be revised, e.g., to MI.HostIndex.v2 and MI.HostMatch.v2, respectively. Similarly, if a new MI.TimeWindowRule.v2 objectwaswere required, the outer MI.TimeWindowACL object would need to be revised, e.g., to MI.TimeWindowACL.v2; however, the MI.TimeWindowRule.v2object, though,object could still contain MI.TimeWindow objects, if so specified. HTTP requests sent to a metadata server SHOULD include an Accept header with the CDNI Payload Type of the expected object. Metadata clients can specify multiple CDNI Payload Types in the Acceptheader,header; for example, if a metadata client is capable of processing two different versions of the same type of object (defined by different CDNI PayloadTypes)Types), it might decide to include both in the Accept header. 6.9. Media Types All CDNImetadataMetadata objects use theMedia Typemedia type "application/cdni". The CDNI Payload Type for each object then contains the object name of that object as defined by this document, prefixed with "MI.". Table 4 lists the CDNI PayloadTypeTypes for the metadata objects (resources) specified in this document. +-----------------------+--------------------------+ | Data Object | CDNI Payload Type | +-----------------------+--------------------------+ | HostIndex | MI.HostIndex | | HostMatch | MI.HostMatch | | HostMetadata | MI.HostMetadata | | PathMatch | MI.PathMatch | | PatternMatch | MI.PatternMatch | | PathMetadata | MI.PathMetadata | | SourceMetadata | MI.SourceMetadata | | Source | MI.Source | | LocationACL | MI.LocationACL | | LocationRule | MI.LocationRule | | Footprint | MI.Footprint | | TimeWindowACL | MI.TimeWindowACL | | TimeWindowRule | MI.TimeWindowRule | | TimeWindow | MI.TimeWindow | | ProtocolACL | MI.ProtocolACL | | ProtocolRule | MI.ProtocolRule | | DeliveryAuthorization | MI.DeliveryAuthorization | | Cache | MI.Cache | | Auth | MI.Auth | | Grouping | MI.Grouping | +-----------------------+--------------------------+ Table 4: CDNI Payload Types for CDNI MetadataobjectsObjects 6.10. Complete CDNI Metadata Example A dCDN requests the HostIndex andreceivereceives the following object with a CDNIpayload typePayload Type of "MI.HostIndex": { "hosts": [ { "host": "video.example.com","host-metadata" :"host-metadata": { "type": "MI.HostMetadata", "href": "https://metadata.ucdn.example/host1234" } }, { "host": "images.example.com","host-metadata" :"host-metadata": { "type": "MI.HostMetadata", "href": "https://metadata.ucdn.example/host5678" } } ] } If the incoming request has a Host header with"video.example.com""video.example.com", then the dCDN would fetch the HostMetadata object from "https://metadata.ucdn.example/host1234" expecting a CDNIpayload typePayload Type of "MI.HostMetadata": { "metadata": [ { "generic-metadata-type": "MI.SourceMetadata", "generic-metadata-value": { "sources": [ { "endpoint": ["acq1.ucdn.example"], "protocol": "http/1.1" }, { "endpoint": ["acq2.ucdn.example"], "protocol": "http/1.1" } ] } }, { "generic-metadata-type": "MI.LocationACL", "generic-metadata-value": { "locations": [ { "footprints": [ { "footprint-type": "ipv4cidr", "footprint-value": ["192.0.2.0/24"] }, { "footprint-type": "ipv6cidr", "footprint-value": ["2001:db8::/32"] }, { "footprint-type": "countrycode", "footprint-value": ["us"] }, { "footprint-type": "asn", "footprint-value": ["as64496"] } ], "action": "deny" } ] } }, { "generic-metadata-type": "MI.ProtocolACL", "generic-metadata-value": { "protocol-acl": [ { "protocols": [ "http/1.1" ], "action": "allow" } ] } } ], "paths": [ { "path-pattern": { "pattern":"/video/trailers/*""/videos/trailers/*" }, "path-metadata": { "type": "MI.PathMetadata", "href": "https://metadata.ucdn.example/host1234/pathABC" } }, { "path-pattern": { "pattern":"/video/movies/*""/videos/movies/*" }, "path-metadata": { "type": "MI.PathMetadata", "href": "https://metadata.ucdn.example/host1234/pathDEF" } } ] } Suppose that the path of the requested resource matches the"/video/ movies/*" pattern,"/videos/movies/*" pattern; the next metadata requested would be for"https://metadata.ucdn.example/host1234/pathDCE""https://metadata.ucdn.example/host1234/pathDEF" with an expected CDNIpayload typePayload Type of "MI.PathMetadata": { "metadata": [], "paths": [ { "path-pattern": { "pattern": "/videos/movies/hd/*" }, "path-metadata": { "type": "MI.PathMetadata", "href": "https://metadata.ucdn.example/host1234/pathDEF/path123" } } ] } Finally, if the path of the requested resource also matches the "/videos/movies/hd/*" pattern, the dCDN would also fetch the following object from "https://metadata.ucdn.example/host1234/pathDEF/path123" with a CDNIpayload typePayload Type of "MI.PathMetadata": { "metadata": [ { "generic-metadata-type": "MI.TimeWindowACL", "generic-metadata-value": { "times": [ "windows": [ { "start": "1213948800", "end":"1327393200""1478047392" } ], "action": "allow" ] } } ] } The final set of metadatawhichthat applies to the requested resource includes a SourceMetadata, a LocationACL, a ProtocolACL, and a TimeWindowACL. 7. IANA Considerations 7.1. CDNI Payload Types This document requests the registration of the followingCDNI Payload Typesentries under theIANA CDNI"CDNI PayloadType registry:Types" registry hosted by IANA: +--------------------------+---------------+ | Payload Type | Specification | +--------------------------+---------------+ | MI.HostIndex |RFCthisRFC 8006 | | MI.HostMatch |RFCthisRFC 8006 | | MI.HostMetadata |RFCthisRFC 8006 | | MI.PathMatch |RFCthisRFC 8006 | | MI.PatternMatch |RFCthisRFC 8006 | | MI.PathMetadata |RFCthisRFC 8006 | | MI.SourceMetadata |RFCthisRFC 8006 | | MI.Source |RFCthisRFC 8006 | | MI.LocationACL |RFCthisRFC 8006 | | MI.LocationRule |RFCthisRFC 8006 | | MI.Footprint |RFCthisRFC 8006 | | MI.TimeWindowACL |RFCthisRFC 8006 | | MI.TimeWindowRule |RFCthisRFC 8006 | | MI.TimeWindow |RFCthisRFC 8006 | | MI.ProtocolACL |RFCthisRFC 8006 | | MI.ProtocolRule |RFCthisRFC 8006 | | MI.DeliveryAuthorization |RFCthisRFC 8006 | | MI.Cache |RFCthisRFC 8006 | | MI.Auth |RFCthisRFC 8006 | | MI.Grouping |RFCthisRFC 8006 | +--------------------------+---------------+[RFC Editor: Please replace RFCthis with the published RFC number for this document.]7.1.1. CDNI MI HostIndex Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish HostIndex MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.1.1 7.1.2. CDNI MI HostMatch Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish HostMatch MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.1.2 7.1.3. CDNI MI HostMetadata Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish HostMetadata MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.1.3 7.1.4. CDNI MI PathMatch Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish PathMatch MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.1.4 7.1.5. CDNI MI PatternMatch Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish PatternMatch MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.1.5 7.1.6. CDNI MI PathMetadata Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish PathMetadata MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.1.6 7.1.7. CDNI MI SourceMetadata Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish SourceMetadata MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.1 7.1.8. CDNI MI Source Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish Source MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.1.1 7.1.9. CDNI MI LocationACL Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish LocationACL MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.2 7.1.10. CDNI MI LocationRule Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish LocationRule MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.2.1 7.1.11. CDNI MI Footprint Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish Footprint MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.2.2 7.1.12. CDNI MI TimeWindowACL Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish TimeWindowACL MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.3 7.1.13. CDNI MI TimeWindowRule Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish TimeWindowRule MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.3.1 7.1.14. CDNI MI TimeWindow Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish TimeWindow MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.3.2 7.1.15. CDNI MI ProtocolACL Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish ProtocolACL MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.4 7.1.16. CDNI MI ProtocolRule Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish ProtocolRule MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.4.1 7.1.17. CDNI MI DeliveryAuthorization Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish DeliveryAuthorization MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.5 7.1.18. CDNI MI Cache Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish Cache MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.6 7.1.19. CDNI MI Auth Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish Auth MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.7 7.1.20. CDNI MI Grouping Payload Type Purpose: The purpose of thispayload typePayload Type is to distinguish Grouping MI objects (and any associated capability advertisement) Interface: MI/FCI Encoding: see Section 4.2.8 7.2.CDNI"CDNI Metadata FootprintTypesTypes" RegistryTheIANAis requested to createhas created a new "CDNI Metadata Footprint Types" subregistry in the "Content DeliveryNetworksNetwork Interconnection (CDNI) Parameters" registry. The "CDNI Metadata Footprint Types" namespace defines the valid Footprint object type values used by the Footprint object described in Section 4.2.2.2. Additions to the "CDNI Metadata FootprinttypeTypes" namespace conform to the"Specification Required"Specification Required policy as defined in [RFC5226]. Thedesignated expertDesignated Expert will verify that new type definitions do not duplicate existing type definitions and prevent gratuitous additions to the namespace. New registrations are required to provide a clear description of how to interpret new footprint types. The following table defines the initial values for the "CDNI Metadata FootprintRegistry values: +----------------+-------------------------------+---------------+Types" registry: +----------------+--------------------------------+---------------+ | Footprint Type | Description | Specification |+----------------+-------------------------------+---------------++----------------+--------------------------------+---------------+ | ipv4cidr | IPv4 CIDR address block |RFCthisRFC 8006 | | ipv6cidr | IPv6 CIDR address block |RFCthisRFC 8006 | | asn | Autonomous System(AS)Number (ASN) |RFCthisRFC 8006 | | countrycode | ISO 3166-1 alpha-2 code |RFCthis | +----------------+-------------------------------+---------------+ [RFC Editor: Please replace RFCthis with the publishedRFCnumber for this document.]8006 | +----------------+--------------------------------+---------------+ 7.3.CDNI"CDNI Metadata ProtocolTypesTypes" RegistryTheIANAis requested to createhas created a new "CDNI Metadata Protocol Types" subregistry in the "Content DeliveryNetworksNetwork Interconnection (CDNI) Parameters" registry. The "CDNI Metadata Protocol Types" namespace defines the valid Protocol object valuesin Section 4.3.2,(Section 4.3.2) used by the SourceMetadata and ProtocolACL objects. Additions to the Protocol namespace conform to the"Specification Required"Specification Required policy as defined in [RFC5226], where the specification defines the Protocol Type and the protocol to which it is associated. Thedesignated expertDesignated Expert will verify that new protocol definitions do not duplicate existing protocol definitions and prevent gratuitous additions to the namespace. The following table defines the initial Protocol values corresponding to the HTTP and HTTPS protocols: +-----------+----------------------+---------------+----------------+ | Protocol | Description | Type | Protocol | | Type | | Specification | Specifications | +-----------+----------------------+---------------+----------------+ | http/1.1 | Hypertext Transfer |RFCthisRFC 8006 |RFC7230RFC 7230 | | | Protocol -- HTTP/1.1 | | | | | | | | | https/1.1 | HTTP/1.1Overover TLS |RFCthisRFC 8006 |RFC7230,RFC 7230, | | | | |RFC2818RFC 2818 | +-----------+----------------------+---------------+----------------+[RFC Editor: Please replace RFCthis with the published RFC number for this document.]8. Security Considerations 8.1. Authentication and Integrity A malicious metadata server, proxy server, orattacker,attacker impersonating an authentic uCDNmetadataCDNI Metadata interface without beingdetected,detected could provide false metadata to a dCDN that either: o Denies service for one or more pieces of content to one or more User Agents; o Directs dCDNs to contact malicious origin servers instead of the actual origin servers,and substitute legitimate content withso that malware or slanderous alternate content may be substituted for legitimate content; or o Removes delivery restrictions (e.g., LocationACL, TimeWindowACL, ProtocolACL, or Auth metadata), allowing access to content that would otherwise bedenied,denied and thus possibly violating license restrictions and incurring unwarranted delivery costs. Unauthorized access to metadata could also enable a malicious metadata client to continuously issue metadata requests in order to overload a uCDN's metadataserver(s).server or servers. Unauthorized access to metadata could further result in leakage of private information. A malicious metadata client could request metadata in order to gain access to origin servers, as well as information pertaining to content restrictions. An implementation of the CDNImetadataMetadata interface MUST use mutual authentication and message authentication codes to prevent unauthorized accesstoto, and undetected modificationofof, metadata (see Section 8.3). 8.2. Confidentiality and Privacy Unauthorized viewing of metadata could result in leakage of private information. Content provider origin and policy information is conveyed through the CDNImetadataMetadata interface. A third party could intercept metadata transactions in order to gain access to origin servers, as well as information pertaining to content restrictions and usage patterns. Note: The distribution of metadata by a uCDN to dCDNs could introduce privacy concerns for some content providers, e.g., dCDNs accepting content requests for a content provider's content might be able to obtain additional information and usage patterns relating to the users of a content provider's services. Content providers with concerns about divulging information to dCDNs can instruct their uCDN partners not to use CDNI when delivering their content. An implementation of the CDNImetadataMetadata interface MUST use strong encryption to prevent unauthorized interception or monitoring of metadata (see Section 8.3). 8.3. Securing the CDNI MetadatainterfaceInterface An implementation of the CDNImetadataMetadata interface MUST support TLS transport as per [RFC2818] and [RFC7230]. TLS MUST be used by theserver-side (dCDN)server side (uCDN) and theclient-side (uCDN)client side (dCDN) of the CDNImetadataMetadata interface, including authentication of the remote end, unless alternate methods are used for ensuring the security of the information in the CDNImetadataMetadata interface requests and responses (such as setting up an IPsec tunnel between the two CDNs or using a physically secured internal network between two CDNs that are owned by the same corporate entity). The use of TLS for transport of the CDNImetadataMetadata interface messagesallows: o Theallows the dCDN and uCDN to authenticate each other.and, once theyOnce the dCDN and uCDN have mutually authenticated each other,itTLS allows: o The dCDN and uCDN to authorize each other (to ensure that they are transmitting/receiving CDNImetadataMetadata requests and responses from an authorized CDN); o CDNImetadataMetadata interface requests and responses to be transmitted with confidentiality; and o The integrity of the CDNImetadataMetadata interface requests and responses to be protected during the exchange. When TLS is used, the general TLS usage guidance in [RFC7525] MUST be followed. 9.Acknowledgements The authors would like to thank David Ferguson, Francois Le Faucheur, Jan Seedorf and Matt Miller for their valuable comments and input to this document. 10. Contributing Authors [RFC Editor Note: Please move the contents of this section to the Authors' Addresses section prior to publication as an RFC.] Grant Watson Velocix (Alcatel-Lucent) 3 Ely Road Milton, Cambridge CB24 6AA UK Email: gwatson@velocix.com Kent Leung Cisco Systems 3625 Cisco Way San Jose, 95134 USA Email: kleung@cisco.com 11.References11.1.9.1. Normative References [ISO3166-1] The International Organization for Standardization, "Codes for the representation of names of countries and their subdivisions -- Part 1: Country codes", ISO 3166-1:2013, 2013. [POSIX] Institute of Electrical and Electronics Engineers, "Information Technology Portable Operating System Interface (POSIX) Part 1: System Application Program Interface (API) [C Language]", IEEE P1003.1, 1990. [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, <http://www.rfc-editor.org/info/rfc1034>. [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, DOI 10.17487/RFC1123, October 1989, <http://www.rfc-editor.org/info/rfc1123>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006, <http://www.rfc-editor.org/info/rfc4291>. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>. [RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010, <http://www.rfc-editor.org/info/rfc5890>. [RFC5891] Klensin, J., "Internationalized Domain Names in Applications (IDNA): Protocol", RFC 5891, DOI 10.17487/RFC5891, August 2010, <http://www.rfc-editor.org/info/rfc5891>. [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010, <http://www.rfc-editor.org/info/rfc5952>. [RFC6707] Niven-Jenkins, B., Le Faucheur, F., and N. Bitar, "Content Distribution Network Interconnection (CDNI) Problem Statement", RFC 6707, DOI 10.17487/RFC6707, September 2012, <http://www.rfc-editor.org/info/rfc6707>. [RFC7230] Fielding, R.,Ed.Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <http://www.rfc-editor.org/info/rfc7230>. [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, DOI 10.17487/RFC7493, March 2015, <http://www.rfc-editor.org/info/rfc7493>. [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015, <http://www.rfc-editor.org/info/rfc7525>.11.2.9.2. Informative References[I-D.ietf-cdni-control-triggers] Murray, R. and B. Niven-Jenkins, "CDNI Control Interface / Triggers", draft-ietf-cdni-control-triggers-15 (work in progress), May 2016. [I-D.ietf-cdni-redirection] Niven-Jenkins, B. and R.[CDNI-URI-SIGNING] van Brandenburg,"Request Routing Redirection interface for CDN Interconnection", draft- ietf-cdni-redirection-20 (work in progress), August 2016. [I-D.ietf-cdni-uri-signing]R., Leung, K.,Faucheur, F., Brandenburg, R., Downey, B.,Sorber, P., and M.Fisher,Miller, "URI Signing for CDN Interconnection (CDNI)",draft-ietf-cdni-uri-signing-09 (workWork inprogress), JuneProgress, draft-ietf-cdni-uri-signing-10, October 2016. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/RFC2818, May 2000, <http://www.rfc-editor.org/info/rfc2818>. [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet Autonomous System (AS) Number Space", RFC 6793, DOI 10.17487/RFC6793, December 2012, <http://www.rfc-editor.org/info/rfc6793>. [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", RFC 7234, DOI 10.17487/RFC7234, June 2014, <http://www.rfc-editor.org/info/rfc7234>. [RFC7336] Peterson, L., Davie, B., and R. van Brandenburg, Ed., "Framework for Content Distribution Network Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336, August 2014, <http://www.rfc-editor.org/info/rfc7336>. [RFC7337] Leung, K.,Ed.Ed., and Y. Lee, Ed., "Content Distribution Network Interconnection (CDNI) Requirements", RFC 7337, DOI 10.17487/RFC7337, August 2014, <http://www.rfc-editor.org/info/rfc7337>. [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext Transfer Protocol Version 2 (HTTP/2)", RFC 7540, DOI 10.17487/RFC7540, May 2015, <http://www.rfc-editor.org/info/rfc7540>. [RFC7736] Ma, K., "Content Delivery Network Interconnection (CDNI) Media Type Registration", RFC 7736, DOI 10.17487/RFC7736, December 2015, <http://www.rfc-editor.org/info/rfc7736>. [RFC7975] Niven-Jenkins, B., Ed., and R. van Brandenburg, Ed., "Request Routing Redirection Interface for Content Delivery Network (CDN) Interconnection", RFC 7975, DOI 10.17487/RFC7975, October 2016, <http://www.rfc-editor.org/info/rfc7975>. [RFC8007] Murray, R. and B. Niven-Jenkins, "Content Delivery Network Interconnection (CDNI) Control Interface / Triggers", RFC 8007, DOI 10.17487/RFC8007, December 2016, <http://www.rfc-editor.org/info/rfc8007>. [RFC8008] Seedorf, J., Peterson, J., Previdi, S., van Brandenburg, R., and K. Ma, "Content Delivery Network Interconnection (CDNI) Request Routing: Footprint and Capabilities Semantics", RFC 8008, DOI 10.17487/RFC8008, December 2016, <http://www.rfc-editor.org/info/rfc8008>. Acknowledgments The authors would like to thank David Ferguson, Francois Le Faucheur, Jan Seedorf, and Matt Miller for their valuable comments and input to this document. Contributors The authors would also like to thank Grant Watson and Kent Leung for their contributions to this document. Authors' Addresses Ben Niven-JenkinsVelocix (Alcatel-Lucent)Nokia 3 Ely Road Milton, Cambridge CB246AA UK6DD United Kingdom Email:ben@velocix.comben.niven-jenkins@nokia.com Rob MurrayVelocix (Alcatel-Lucent)Nokia 3 Ely Road Milton, Cambridge CB246AA UK6DD United Kingdom Email:rmurray@velocix.comrob.murray@nokia.com Matt Caulfield Cisco Systems 1414 Massachusetts Avenue Boxborough, MA 01719USAUnited States of America Phone:+1 978 936 9307+1-978-936-9307 Email: mcaulfie@cisco.com Kevin J. Ma Ericsson 43 Nagog Park Acton, MA 01720USAUnited States of America Phone: +1 978-844-5100 Email: kevin.j.ma@ericsson.com