Rfc | 2872 |
Title | Application and Sub Application Identity Policy Element for Use with
RSVP |
Author | Y. Bernet, R. Pabbati |
Date | June 2000 |
Format: | TXT, HTML |
Status: | PROPOSED STANDARD |
|
Network Working Group Y. Bernet
Request for Comments: 2872 R. Pabbati
Category: Standards Track Microsoft
June 2000
Application and Sub Application Identity Policy Element for
Use with RSVP
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Abstract
RSVP [RFC 2205] signaling messages typically include policy data
objects, which in turn contain policy elements. Policy elements may
describe user and/or application information, which may be used by
RSVP aware network elements to apply appropriate policy decisions to
a traffic flow. This memo details the usage of policy elements that
provide application information.
1. Overview
RSVP aware network elements may act as policy enforcement points
(PEPs). These work together with policy decision points (PDPs) to
enforce QoS policy. Briefly, PEPs extract policy information from
RSVP signaling requests and compare the information against
information stored by a PDP in a (possibly remotely located) policy
database or directory. A policy decision is made based on the results
of the comparison.
One type of policy information describes the application on behalf of
which an RSVP signaling request is generated. When application policy
information is available, network administrators are able to manage
QoS based on application type. So, for example, a network
administrator may establish a policy that prioritizes known mission-
critical applications over games.
This memo describes a structure for a policy element that can be used
to identify application traffic flows. The policy element includes a
number of attributes, one of which is a policy locator. This policy
locator includes the following hierarchically ordered sub-elements
(in descending levels of hierarchy):
1. identifier that uniquely identifies the application vendor
2. identifier of the application
3. version number of the application
4. sub-application identifier
An arbitrary number of sub-application identifiers may be included in
the policy locator. An example of such an identifier is 'print
transaction'.
This memo specifies the structure of the application policy element
and proposes keywords for the sub-elements at each level of the
hierarchy. It does not enumerate specific values for the sub-
elements: such an enumeration is beyond the scope of this memo.
2. Simple Application Identity Policy Element Structure
General application identity policy elements are defined in
[RFC2752]. These are policy elements with a P-type of AUTH_APP.
Following the policy element header is a list of authentication
attributes.
The first authentication attribute is of the A-type POLICY_LOCATOR.
The sub-type of the POLICY_LOCATOR attribute is of type ASCII_DN
[RFC1779] or UNICODE_DN. The actual attribute data is formatted as an
X.500 distinguished name (DN), representing a globally unique
identifier, the application, version number and sub-application in a
hierarchical structure. The POLICY_LOCATOR attribute contains
keywords as described in section 2. For further details on the format
of the POLICY_LOCATOR attribute, see [RFC2752].
The second authentication attribute is of the A-type CREDENTIAL. The
sub-type of the CREDENTIAL attribute is of type ASCII_ID or
UNICODE_ID. The actual attribute data is an ASCII or Unicode string
representing the application name. This structure is illustrated in
the following diagram:
0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PE Length (8) | P-type = AUTH_APP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute Length | A-type = | Sub-type = |
| | POLICY_LOCATOR| ASCII_DN |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Application policy locator attribute data in X.500 DN format |
| (see below) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute Length | A-type = | Sub-type = |
| | CREDENTIAL | ASCII_ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Application name as ASCII string |
| (e.g. SAP.EXE) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The following keywords are recommended although others MAY be used:
Key Attribute
--------------
GUID Globally Unique Identifier (optional)
APP Application Name
VER Application Version Number
SAPP Sub Application (optional)
The following are examples of conformant policy locators:
"APP=SAP, VER=1.1, SAPP=Print"
"GUID=http://www.microsoft.com/apps, APP=MyApplication, VER=1.2.3"
The APP, VER and SAPP attributes SHOULD describe the application to a
human reader in as unique and unambiguous a way as possible. The GUID
attribute MAY be used when absolute uniqueness of application
identification is required and its contents MUST be an identifier
from a globally-unique source (e.g. domain names as assigned by the
corresponding registration authorities). Note that publication of the
chosen identifiers in a suitable format is strongly encouraged.
3. Security Considerations
The proposed simple policy element does not guarantee that element is
indeed associated with the application it claims to be associated
with. In order to provide such guarantees, it is necessary to sign
applications. Signed application policy elements may be proposed at a
future date. Note that, typically, the application policy element
will be included in an RSVP message with an encrypted and
authenticated user policy element. A level of security is provided by
trusting the application policy element only if the user policy
element is trusted.
All RSVP integrity considerations apply to the message containing the
application policy element.
4. References
[RFC2205] Braden, R., Zhang, L., Berson, L., Herzog, S. and S. Jamin,
"Resource Reservation Protocol (RSVP) - Version 1
Functional Specification", RFC 2205, September 1997.
[RFC1779] Kille, S., "A String Representation of Distinguished
Names", RFC 1779, March 1995.
[RFC2752] Yadav, S., Yavatkar, R., Pabbati, R,. Ford, P., Moore, T.
and S. Herzog, "Identity Representation for RSVP", RFC
2752, January 2000.
[ASCII] Coded Character Set -- 7-Bit American Standard Code for
Information Interchange, ANSI X3.4-1986.
[UNICODE] The Unicode Consortium, "The Unicode Standard, Version
2.0", Addison-Wesley, Reading, MA, 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
5. Acknowledgments
Thanks to Tim Moore, Shai Mohaban, Andrew Smith, Ulrich Homann and
other contributors to the IETF's RAP WG for their input.
6. Authors' Addresses
Yoram Bernet
Microsoft
One Microsoft Way
Redmond, WA 98052
Phone: (425) 936-9568
EMail: yoramb@microsoft.com
Ramesh Pabbati
One Microsoft Way
Redmond, WA 98052
EMail: rameshpa@microsoft.com
7. Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.