FLUTE - File Delivery over Unidirectional TransportNokiaItamerenkatu 11-13Helsinki00180Finlandtoni.paila@nokia.comNokiaVisiokatu 1TampereFIN-33720Finlandrod.walsh@nokia.comDigital FountainQualcomm, Inc.3165 Kifer Rd.Santa ClaraCA95051USluby@qualcomm.comINRIA655, av. de l'EuropeInovallee; MontbonnotST ISMIER cedex38334Francevincent.roca@inria.frTeliaSoneraHatanpaan valtatie 18TampereFIN-33100Finlandrami.lehtonen@teliasonera.com
Transport
Reliable Multicast Transport (RMT)FileDeliveryMulticastUnidirectionalThis document defines FLUTE, a protocol for the unidirectional delivery of files over the Internet,
which is particularly suited to multicast networks. The specification builds on Asynchronous Layered
Coding, the base protocol designed for massively scalable multicast distribution. This document
obsoletes RFC3926.This document defines FLUTE version 1, a protocol for unidirectional delivery of files over the Internet.
The specification builds on Asynchronous Layered Coding (ALC), version 1 ,
the base protocol designed for massively scalable multicast distribution. ALC defines transport of
arbitrary binary objects. For file delivery applications mere transport of objects is not enough,
however. The end systems need to know what the objects actually represent. This document specifies
a technique called FLUTE - a mechanism for signaling and mapping the properties of files to concepts
of ALC in a way that allows receivers to assign those parameters for received objects. Consequently,
throughout this document the term 'file' relates to an 'object' as discussed in ALC. Although this
specification frequently makes use of multicast addressing as an example, the techniques are similarly
applicable for use with unicast addressing.This document defines a specific transport application of ALC, adding the following specifications:
Definition of a file delivery session built on top of ALC, including transport details
and timing constraints.In-band signalling of the transport parameters of the ALC session.In-band signalling of the properties of delivered files.Details associated with the multiplexing of multiple files within a session.This specification is structured as follows. Section 3 begins by defining the concept of the file delivery
session. Following that it introduces the File Delivery Table that forms the core part of this specification.
Further, it discusses multiplexing issues of transmission objects within a file delivery session. Section 4
describes the use of congestion control and channels with FLUTE. Section 5 defines how the Forward Error
Correction (FEC) Object Transmission Information is to be delivered within a file delivery session. Section 6
defines the required parameters for describing file delivery sessions in a general case. Section 7 outlines
security considerations regarding file delivery with FLUTE. Last, there are two informative appendices. The
first appendix describes an envisioned receiver operation for the receiver of the file delivery session. The
second appendix gives an example of File Delivery Table.This specification contains part of the definitions necessary to fully specify a Reliable Multicast Transport
protocol in accordance with RFC2357.This document obsoletes RFC3926 which contained a previous version of this specification and was
published in the "Experimental" category.
This Proposed Standard specification is thus based on RFC3926 updated according to accumulated experience
and growing protocol maturity since the publication of RFC3926. Said experience applies both to this
specification itself and to congestion control strategies related to the use of this specification.The differences between RFC3926 and this document listed in .FLUTE is applicable to the delivery of large and small files to many hosts, using delivery
sessions of several seconds or more. For instance, FLUTE could be used for the delivery of large
software updates to many hosts simultaneously. It could also be used for continuous, but segmented,
data such as time-lined text for subtitling - potentially leveraging its layering inheritance from
ALC and LCT to scale the richness of the session to the congestion status of the network. It is also
suitable for the basic transport of metadata, for example SDP files which
enable user applications to access multimedia sessions.Massive scalability is a primary design goal for FLUTE. IP multicast is inherently massively
scalable, but the best effort service that it provides does not provide session management
functionality, congestion control or reliability. FLUTE provides all of this using ALC and IP
multicast without sacrificing any of the inherent scalability of IP multicast.All of the environmental requirements and considerations that apply to the ALC building block
and to any additional building blocks that FLUTE uses also apply to
FLUTE.FLUTE can be used with both multicast and unicast delivery, but it's primary application is for
unidirectional multicast file delivery. FLUTE requires connectivity between a sender and receivers
but does not require connectivity from receivers to a sender. FLUTE inherently works with all types
of networks, including LANs, WANs, Intranets, the Internet, asymmetric networks, wireless networks,
and satellite networks.FLUTE is compatible with both IPv4 or IPv6 as no part of the packet is IP version specific. FLUTE
works with both multicast models: Any-Source Multicast (ASM) and the
Source-Specific Multicast (SSM) .FLUTE is applicable for both Internet use, with a suitable congestion control building block,
and provisioned/controlled systems, such as delivery over wireless broadcast radio systems.Some networks are not amenable to some congestion control protocols that could be used with FLUTE.
In particular, for a satellite or wireless network, there may be no mechanism for receivers to
effectively reduce their reception rate since there may be a fixed transmission rate allocated to
the session.FLUTE can also be used for point-to-point (unicast) communications.
At a minimum, implementions of ALC MUST support the WEBRC multiple rate
congestion control scheme .
However, since WEBRC has been designed for massively scalable multicast flows,
it is not clear how appropriate it is to the particular case of unicast flows.
Using a separate point-to-point congestion control scheme is another alternative.
How to do do that is outside the scope of the present document.FLUTE provides reliability using the FEC building block. This will reduce the error rate as seen
by applications. However, FLUTE does not provide a method for senders to verify the reception
success of receivers, and the specification of such a method is outside the scope of this document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119
.The terms "object" and "transmission object" are consistent with the definitions in ALC
and LCT . The terms "file" and "source object"
are pseudonyms for "object".Asynchronous Layered Coding is a protocol designed for delivery of arbitrary binary
objects. It is especially suitable for massively scalable, unidirectional, multicast distribution. ALC provides
the basic transport for FLUTE, and thus FLUTE inherits the requirements of ALC.This specification is designed for the delivery of files. The core of this specification is to define how the
properties of the files are carried in-band together with the delivered files.As an example, let us consider a 5200 byte file referred to by "http://www.example.com/docs/file.txt".
Using the example, the following properties describe the properties that need to be conveyed by the file
delivery protocol.Identifier of the file, expressed as a URI. This identifier may be globally unique. The
identifier may also provide a location for the file. In the above example:
"http://www.example.com/docs/file.txt".File name (usually, this can be concluded from the URI). In the above example: "file.txt".File type, expressed as MIME media type (usually, this can also be concluded from the extension
of the file name). In the above example: "text/plain". If an explicit value for the MIME type
is provided separately from the file extension and does not match the MIME type of the file
extension then the explicitly provided value MUST be used as the MIME type.File size, expressed in bytes. In the above example: "5200". If the file is content encoded then
this is the file size before content encoding.Content encoding of the file, within transport. In the above example, the file could be encoded
using ZLIB . In this case the size of the transmission object carrying the
file would probably differ from the file size. The transmission object size is delivered to receivers
as part of the FLUTE protocol.Security properties of the file such as digital signatures, message digests, etc. For example,
one could use S/MIME as the content encoding type for files with this
authentication wrapper, and one could use XML-DSIG to digitally
sign an FDT Instance. XML-DSIG can also be used to provide tamper prevention e.g. on the
Content-Location field.ALC is a protocol instantiation of Layered Coding Transport building block (LCT) .
Thus ALC inherits the session concept of LCT. In this document we will use the concept ALC/LCT session to
collectively denote the interchangeable terms ALC session and LCT session.An ALC/LCT session consists of a set of logically grouped ALC/LCT channels associated with a single sender
sending packets with ALC/LCT headers for one or more objects. An ALC/LCT channel is defined by the
combination of a sender and an address associated with the channel by the sender. A receiver joins a channel
to start receiving the data packets sent to the channel by the sender, and a receiver leaves a channel to
stop receiving data packets from the channel.One of the fields carried in the ALC/LCT header is the Transport Session Identifier (TSI). The TSI is
scoped by the source IP address, and the (source IP address, TSI) pair uniquely identifies a session,
i.e., the receiver uses this pair carried in each packet to uniquely identify from which session the
packet was received. In case multiple objects are carried within a session, the Transmission Object
Identifier (TOI) field within the ALC/LCT header identifies from which object the data in the packet was
generated. Note that each object is associated with a unique TOI within the scope of a session.If the sender is not assigned a permanent IP address accessible to receivers, but instead, packets that
can be received by receivers containing a temporary IP address for packets sent by the sender, then the TSI
is scoped by this temporary IP address of the sender for the duration of the session. As an example,
the sender may be behind a Network Address Translation (NAT) device that temporarily assigns an IP address
for the sender that is accessible to receivers, and in this case the TSI is scoped by the temporary IP
address assigned by the NAT that will appear in packets received by the receiver. As another example,
the sender may send its original packets using IPv6, but some portions of the network may not be IPv6
capable and thus there may be an IPv6 to IPv4 translator that changes the IP address of the packets to a
different IPv4 address. In this case, receivers in the IPv4 portion of the network will receive packets
containing the IPv4 address, and thus the TSI for them is scoped by the IPv4 address. How the IP address
of the sender to be used to scope the session by receivers is delivered to receivers, whether it is a
permanent IP address or a temporary IP address, is outside the scope of this document.When FLUTE is used for file delivery over ALC the following rules apply:
The ALC/LCT session is called file delivery session.The ALC/LCT concept of 'object' denotes either a 'file' or a 'File Delivery Table Instance'
(section 3.2)The TOI field MUST be included in ALC packets sent within a FLUTE session, with the
exception that ALC packets sent in a FLUTE session with the Close Session (A) flag set to 1 (signaling
the end of the session) and that contain no payload (carrying no information for any file or FDT)
SHALL NOT carry the TOI. See Section 5.1 of RFC 3451 for the LCT definition
of the Close Session flag, and see Section 4.2 of RFC 3450 for an example of
its use within an ALC packet.The TOI value '0' is reserved for delivery of File Delivery Table Instances. Each non expired
File Delivery Table Instance is uniquely identified by an FDT Instance ID.Each file in a file delivery session MUST be associated with a TOI (>0) in the scope of
that session.Information carried in the headers and the payload of a packet is scoped by the source
IP address and the TSI. Information particular to the object carried in the headers and
the payload of a packet is further scoped by the TOI for file objects, and is further scoped
by both the TOI and the FDT Instance ID for FDT Instance objects.The File Delivery Table (FDT) provides a means to describe various attributes associated with files that are
to be delivered within the file delivery session. The following lists are examples of such attributes, and are
not intended to be mutually exclusive nor exhaustive.Attributes related to the delivery of file:
TOI value that represents the fileFEC Object Transmission Information (including the FEC Encoding ID and, if relevant,
the FEC Instance ID)Size of the transmission object carrying the fileAggregate rate of sending packets to all channelsAttributes related to the file itself:
Name, Identification and Location of file (specified by the URI)MIME media type of fileSize of fileEncoding of fileMessage digest of fileSome of these attributes MUST be included in the file description entry for a file, others are optional, as
defined in section 3.4.2.Logically, the FDT is a set of file description entries for files to be delivered in the session. Each file
description entry MUST include the TOI for the file that it describes and the URI identifying the file. The
TOI is included in each ALC/LCT data packet during the delivery of the file, and thus the TOI carried in the
file description entry is how the receiver determines which ALC/LCT data packets contain information about
which file. Each file description entry may also contain one or more descriptors that map the above-mentioned
attributes to the file.Each file delivery session MUST have an FDT that is local to the given session. The FDT MUST provide a file
description entry mapped to a TOI for each file appearing within the session. An object that is delivered
within the ALC session, but not described in the FDT, is not considered a 'file' belonging to the file
delivery session. Handling of these unmapped TOIs (TOIs that are not resolved by the FDT) is out of scope
of this specification.Within the file delivery session the FDT is delivered as FDT Instances. An FDT Instance contains one or more
file description entries of the FDT. Any FDT Instance can be equal to, a subset of, a superset of, or
complement any other FDT Instance. A certain FDT Instance may be repeated several times during a session,
even after subsequent FDT Instances (with higher FDT Instance ID numbers) have been transmitted. Each FDT
Instance contains at least a single file description entry and at most the exhaustive set of file description
entries of the files being delivered in the file delivery session.A receiver of the file delivery session keeps an FDT database for received file description entries.
The receiver maintains the database, for example, upon reception of FDT Instances. Thus, at any given
time the contents of the FDT database represent the receiver's current view of the FDT of the file delivery
session. Since each receiver behaves independently of other receivers, it SHOULD NOT be assumed that the
contents of the FDT database are the same for all the receivers of a given file delivery session.Since FDT database is an abstract concept, the structure and the maintaining of the FDT database are
left to individual implementations and are thus out of scope of this specification.The following rules define the dynamics of the FDT Instances within a file delivery session:
For every file delivered within a file delivery session there MUST be a file description entry
included in at least one FDT Instance sent within the session. A file description entry contains
at a minimum the mapping between the TOI and the URI.An FDT Instance MAY appear in any part of the file delivery session and packets for an FDT
Instance MAY be interleaved with packets for other files or other FDT Instances
within a session.The TOI value of '0' MUST be reserved for delivery of FDT Instances. The use of other TOI values
for FDT Instances is outside the scope of this specification.FDT Instance is identified by the use of a new fixed length LCT Header Extension EXT_FDT
(defined later in this section). Each non expired FDT Instance is uniquely identified within the
file delivery session by its FDT Instance ID. Any ALC/LCT packet carrying FDT Instance
(indicated by TOI = 0) MUST include EXT_FDT.It is RECOMMENDED that an FDT Instance that contains the file description entry for a file is sent
prior to the sending of the described file within a file delivery session. Within a file delivery session, any TOI > 0 MAY be described more than once. An example: previous
FDT Instance 0 describes TOI of value '3'. Now, subsequent FDT Instances can either keep
TOI '3' unmodified on the table, not include it, or complement the description. However,
subsequent FDT Instances MUST NOT change the parameters already described for a specific TOI.An FDT Instance is valid until its expiration time. The expiration time is expressed within the
FDT Instance payload as a 32 bit data field. The value of the data field represents the 32 most
significant bits of a 64 bit Network Time Protocol (NTP) time value.
These 32 bits provide an unsigned integer representing the time in seconds relative to 0
hours 1 January 1900 in case of the prime epoch (era 0) .
The handling of time wraparound (to happen in 2036) requires to consider the associated epoch.
In any case, both a sender and a receiver can easily determine to which (136 year) epoch the
FDT Instance expiration time value pertains to.The receiver SHOULD NOT use a received FDT Instance to interpret packets received beyond the
expiration time of the FDT Instance.A sender MUST use an expiry time in the future upon creation of an FDT Instance relative to
its Sender Current Time (SCT).Any FEC Encoding ID MAY be used for the sending of FDT Instances. The default is to use
FEC Encoding ID 0 for the sending of FDT Instances.
(Note that since FEC Encoding ID 0 is the
default for FLUTE, this implies that Source Block Number and Encoding Symbol ID lengths both
default to 16 bits each.)Generally, a receiver needs to receive an FDT Instance describing a file before it is able to recover
the file itself. In this sense FDT Instances are of higher priority than files.
Additionally, a FLUTE sender SHOULD assume receivers will not receive all packets pertaining to FDT Instances,
i.e., it is RECOMMENDED that FDT Instances be managed in such a way that a receiver will be able to recover at
least one FDT Instance describing a file delivered within the file delivery session with as much or greater
reliability as the receiver is able to receive enough packets containing encoding symbols to recover the file.
From this point of view, the way a given FDT Instance is transmitted has great impacts.
As an example, one way to satisfy this recommendation is to repeat FDT Instances describing the file often enough.
As another example, if an FDT Instance is longer than one packet payload in length, it is RECOMMENDED that an FEC
code that provides protection against loss be used for delivering this FDT Instance.
The way the FDT is delivered as FDT Instances has also great impacts.
As an example, a way to satisfy this recommendation is to use an FDT Instance that describes all the files
being transmitted at that time, and to transmit this FDT Instance reliably, as explained above.
If instead those files are described in separate FDT Instances, another way to satisfy this recommendation
is to transmit all the relevant FDT Instances reliably, as explained above.
In any case, how often the description of a file is sent in an FDT Instance, how often an FDT Instance is sent,
and how much FEC protection is provided for an FDT Instance (if longer than one packet payload) are dependent on
the particular application and are outside the scope of this document.FDT Instances are carried in ALC packets with TOI = 0 and with an additional REQUIRED LCT Header extension
called the FDT Instance Header. The FDT Instance Header (EXT_FDT) contains the FDT Instance ID that uniquely
identifies FDT Instances within a file delivery session. The FDT Instance Header is placed in the same way as
any other LCT extension header. There MAY be other LCT extension headers in use.The LCT extension headers are followed by the FEC Payload ID, and finally the Encoding Symbols for the
FDT Instance which contains one or more file description entries. A FDT Instance MAY span several ALC
packets - the number of ALC packets is a function of the file attributes associated with the FDT Instance.
The FDT Instance Header is carried in each ALC packet carrying the FDT Instance. The FDT Instance Header
is identical for all ALC/LCT packets for a particular FDT Instance.The overall format of ALC/LCT packets carrying an FDT Instance is depicted in the Figure 1 below.
All integer fields are carried in "big-endian" or "network order" format, that is, most significant
byte (octet) first. As defined in , all ALC/LCT packets are sent using UDP.FDT Instance Header (EXT_FDT) is a new fixed length, ALC PI specific LCT header extension
. The Header Extension Type (HET) for the extension is 192. Its
format is defined below:Version of FLUTE (V), 4 bits:This document specifies FLUTE version 1. Hence in any ALC packet that carries FDT Instance and that belongs
to the file delivery session as specified in this specification MUST set this field to '1'.FDT Instance ID, 20 bits:For each file delivery session the numbering of FDT Instances starts from '0' and is incremented by
one for each subsequent FDT Instance. After reaching the maximum value (2^20-1), the numbering
starts from the smallest FDT Instance value assigned to an expired FDT Instance. When wraparound from
a greater FDT Instance ID value to a smaller FDT Instance ID value occurs, the smaller FDT Instance ID value
is considered logically higher than the greater FDT Instance ID value. A new FDT Instance reusing a previous
FDT Instance ID number, due to wraparound, does not implicitly expire the previous FDT Instance with the same ID.
Sender behavior when all the FDT Instance IDs are used by non expired FEC Instances is outside the scope of
this specification and left to individual implementations of FLUTE.
Receiver behavior when receiving an FDT Instance that reuses an FDT Instance ID value that is currently
used by a non expired FDT Instance is outside the scope of this specification and left to individual
implementations of FLUTE.
However a receiver MUST be ready to handle FDT Instance ID wraparound and situations where
missing FDT Instance IDs result in increments larger than one.The FDT Instance contains file description entries that provide the mapping functionality described in
3.2 above.The FDT Instance is an XML structure that has a single root element "FDT-Instance". The "FDT-Instance"
element MUST contain "Expires" attribute, which tells the expiry time of the FDT Instance. In addition,
the "FDT-Instance" element MAY contain the "Complete" attribute (boolean), which, when TRUE, signals that
this "FDT Instance" includes the set of "File" entries that exhausts both the set of files delivered so far
and also the set of files to be delivered in the session. This implies that no new data will be provided in
future FDT Instances within this session (i.e., that either FDT Instances
with higher ID numbers will not be used or if they are used, will only provide identical file parameters to
those already given in this and previous FDT Instances). The "Complete" attribute is therefore used to provide
a complete list of files in an entire FLUTE session (a "complete FDT").The "FDT-Instance" element MAY contain attributes that give common parameters for all files of an FDT
Instance. These attributes MAY also be provided for individual files in the "File" element. Where the same
attribute appears in both the "FDT-Instance" and the "File" elements, the value of the attribute provided in
the "File" element takes precedence.For each file to be declared in the given FDT Instance there is a single file description entry in the FDT
Instance. Each entry is represented by element "File" which is a child element of the FDT Instance structure.The attributes of "File" element in the XML structure represent the attributes given to the file that
is delivered in the file delivery session. The value of the XML attribute name corresponds to MIME
field name and the XML attribute value corresponds to the value of the MIME field body. Each "File"
element MUST contain at least two attributes "TOI" and "Content-Location". "TOI" MUST be assigned a
valid TOI value as described in section 3.3 above. "Content-Location" MUST be assigned a valid URI as
defined in . The semantics for any two "File" elements declaring the same
"Content-Location" but differing "TOI" is that the element appearing in the FDT Instance with the greater
FDT Instance ID is considered to declare newer instance (e.g. version) of the same "File".In addition to mandatory attributes, the "FDT-Instance" element and the "File" element MAY contain other
attributes of which the following are specifically pointed out.
Where the MIME type is described, the attribute "Content-Type" MUST be used for the
purpose as defined in .Where the length is described, the attribute "Content-Length" MUST be used for the purpose
as defined in . The transfer length is defined to be the length
of the object transported in bytes. It is often important to convey the transfer length to
receivers, because the source block structure needs to be known for the FEC decoder to be
applied to recover source blocks of the file, and the transfer length is often needed to
properly determine the source block structure of the file. There generally will be a difference
between the length of the original file and the transfer length if content encoding is applied
to the file before transport, and thus the "Content-Encoding" attribute is used. If the file is
not content encoded before transport (and thus the "Content-Encoding" attribute is not used)
then the transfer length is the length of the original file, and in this case the
"Content-Length" is also the transfer length. However, if the file is content encoded before
transport (and thus the "Content-Encoding" attribute is used), e.g., if compression is applied
before transport to reduce the number of bytes that need to be transferred, then the transfer
length is generally different than the length of the original file, and in this case the
attribute "Transfer-Length" MAY be used to carry the transfer length.Where the content encoding scheme is described, the attribute "Content-Encoding" MUST be used
for the purpose as defined in .Where the MD5 message digest is described, the attribute "Content-MD5" MUST be used for the
purpose as defined in .The FEC Object Transmission Information attributes as described in section 5.2.The following specifies the XML Schema
for FDT Instance:Any valid FDT Instance must use the above XML Schema. This way FDT provides extensibility to support private
attributes within the file description entries. Those could be, for example, the attributes related to the
delivery of the file (timing, packet transmission rate, etc.).In case the basic FDT XML Schema is extended in terms of new descriptors (attributes or elements), for descriptors
applying to a single file, those MUST be placed within the element "File". For descriptors applying to
all files described by the current FDT Instance, those MUST be placed within the element "FDT-Instance".
It is RECOMMENDED that the new attributes applied in the FDT are in the format of MIME fields and are
either defined in the HTTP/1.1 specification or another well-known
specification.The FDT Instance itself MAY be content encoded, for example compressed. This specification defines FDT Instance
Content Encoding Header (EXT_CENC). EXT_CENC is a new fixed length, ALC PI specific LCT header extension
. The Header Extension Type (HET) for the extension is 193. If the FDT Instance is
content encoded, the EXT_CENC MUST be used to signal the content encoding type. In that case, EXT_CENC header
extension MUST be used in all ALC packets carrying the same FDT Instance ID. Consequently, when EXT_CENC header
is used, it MUST be used together with a proper FDT Instance Header (EXT_FDT). Within a file delivery session,
FDT Instances that are not content encoded and FDT Instances that are content encoded MAY both appear. If content
encoding is not used for a given FDT Instance, the EXT_CENC MUST NOT be used in any packet carrying the FDT
Instance. The format of EXT_CENC is defined below:Content Encoding Algorithm (CENC), 8 bits:This field signals the content encoding algorithm used in the FDT Instance payload. This subsection reserves
the Content Encoding Algorithm values 0, 1, 2 and 3 for null, ZLIB ,
DEFLATE and GZIP respectively.Reserved, 16 bits:This field MUST be set to all '0'. This field SHOULD be ignored on reception.The delivered files are carried as transmission objects (identified with TOIs) in the file delivery session.
All these objects, including the FDT Instances, MAY be multiplexed in any order and in parallel with each
other within a session, i.e., packets for one file MAY be interleaved with packets for other files or other
FDT Instances within a session.Multiple FDT Instances MAY be delivered in a single session using TOI = 0. In this case, it is RECOMMENDED
that the sending of a previous FDT Instance SHOULD end before the sending of the next FDT Instance starts.
However, due to unexpected network conditions, packets for the FDT Instances MAY be interleaved. A receiver
can determine which FDT Instance a packet contains information about since the FDT Instances are uniquely
identified by their FDT Instance ID carried in the EXT_FDT headers.ALC/LCT has a concept of channels and congestion control. There are four scenarios FLUTE is envisioned
to be applied.
Use a single channel and a single-rate congestion control protocol.Use multiple channels and a multiple-rate congestion control protocol. In this case
the FDT Instances MAY be delivered on more than one channel.Use a single channel without congestion control supplied by ALC, but only when in a
controlled network environment where flow/congestion control is being provided by
other means.Use multiple channels without congestion control supplied by ALC, but only when in a
controlled network environment where flow/congestion control is being provided by other
means. In this case the FDT Instances MAY be delivered on more than one channel.When using just one channel for a file delivery session, as in (a) and (c), the notion of 'prior' and 'after'
are intuitively defined for the delivery of objects with respect to their delivery times.However, if multiple channels are used, as in (b) and (d), it is not straightforward to state that an object
was delivered 'prior' to the other. An object may begin to be delivered on one or more of those channels
before the delivery of a second object begins. However, the use of multiple channels/layers may complete the
delivery of the second object before the first. This is not a problem when objects are delivered sequentially
using a single channel. Thus, if the application of FLUTE has a mandatory or critical requirement that the
first transmission object must complete 'prior' to the second one, it is RECOMMENDED that only a single channel
is used for the file delivery session.Furthermore, if multiple channels are used then a receiver joined to the session at a low reception rate will
only be joined to the lower layers of the session. Thus, since the reception of FDT Instances is of higher
priority than the reception of files (because the reception of files depends on the reception of an FDT Instance
describing it), the following is RECOMMENDED:
The layers to which packets for FDT Instances are sent SHOULD NOT be biased towards those
layers to which lower rate receivers are not joined. For example, it is okay to put all the packets for an FDT
Instance into the lowest layer (if this layer carries enough packets to deliver the FDT to higher rate receivers
in a reasonable amount of time), but it is not okay to put all the packets for an FDT Instance into the higher
layers that only high rate receivers will receive.If FDT Instances are generally longer than one Encoding Symbol in length and some packets
for FDT Instances are sent to layers that lower rate receivers do not receive, an FEC Encoding other than
FEC Encoding ID 0 SHOULD be used to deliver FDT Instances. This is because in this case, even when there
is no packet loss in the network, a lower rate receiver will not receive all packets sent for an FDT Instance.FLUTE inherits the use of FEC building block from ALC. When using FLUTE for file delivery
over ALC the FEC Object Transmission Information MUST be delivered in-band within the file delivery session. There are
two methods to achieve this: the use of ALC specific LCT extension header EXT_FTI
and the use of FDT. The latter method is specified in this section.The receiver of file delivery session MUST support delivery of FEC Object Transmission Information using the
EXT_FTI for the FDT Instances carried using TOI value 0. For the TOI values other than 0 the receiver MUST support
both methods: the use of EXT_FTI and the use of FDT.The FEC Object Transmission Information that needs to be delivered to receivers MUST be exactly the same whether it
is delivered using EXT_FTI or using FDT (or both). The FEC Object Transmission Information that MUST be delivered to
receivers is defined by the FEC Scheme. This section describes the
delivery using FDT.The FEC Object Transmission Information regarding a given TOI may be available from several sources. In this case,
it is RECOMMENDED that the receiver of the file delivery session prioritizes the sources in the following way (in the
order of decreasing priority).
FEC Object Transmission Information that is available in EXT_FTI.FEC Object Transmission Information that is available in the FDT.The FDT delivers FEC Object Transmission Information for each file using an appropriate attribute within the
"FDT-Instance" or the "File" element of the FDT structure.
"Transfer-Length" carries the Transfer-Length Object Transmission Information element defined in ."FEC-OTI-FEC-Encoding-ID" carries the "FEC Encoding ID" Object Transmission Information element defined in , as carried in the Codepoint field of the ALC/LCT header."FEC-OTI-FEC-Instance-ID" carries the "FEC Instance ID" Object Transmission Information element defined in for Under-specified FEC Schemes."FEC-OTI-Maximum-Source-Block-Length" carries the "Maximum Source Block Length" Object Transmission Information element defined in , if required by the FEC Scheme."FEC-OTI-Encoding-Symbol-Length" carries the "Encoding Symbol Length" Object Transmission Information element defined in , if required by the FEC Scheme."FEC-OTI-Max-Number-of-Encoding-Symbols" carries the "Maximum Number of Encoding Symbols" Object Transmission Information element defined in , if required by the FEC Scheme."FEC-OTI-Scheme-specific-information" carries the "encoded scheme-specific FEC Object Transmission Information" as defined in , if required by the FEC Scheme.In FLUTE, the FEC Encoding ID (8 bits) for a given TOI MUST be carried in the Codepoint field of the ALC/LCT
header. When the FEC Object Transmission Information for this TOI is delivered through the FDT, then the
associated "FEC-OTI-FEC-Encoding-ID" attribute and the Codepoint field of all packets for this TOI MUST
be the same.To start receiving a file delivery session, the receiver needs to know transport parameters associated
with the session. Interpreting these parameters and starting the reception therefore represents the entry point
from which thereafter the receiver operation falls into the scope of this specification. According to
, the transport parameters of an ALC/LCT session that the receiver needs to know are:
The source IP address;The number of channels in the session;The destination IP address and port number for each channel in the session;The Transport Session Identifier (TSI) of the session;An indication that the session is a FLUTE session. The need to demultiplex objects upon reception
is implicit in any use of FLUTE, and this fulfills the ALC requirement of an indication of whether or not a session
carries packets for more than one object (all FLUTE sessions carry packets for more than one object).Optionally, the following parameters MAY be associated with the session (Note, the list is not exhaustive):
The start time and end time of the session;FEC Encoding ID and FEC Instance ID when the default FEC Encoding ID 0 is not used for the delivery
of FDT;Content Encoding format if optional content encoding of FDT Instance is used, e.g., compression;Some information that tells receiver, in the first place, that the session contains files that are
of interest;Definition and configuration of congestion control mechanism for the session
;Security parameters relevant for the session.It is envisioned that these parameters would be described according to some session description syntax (such as
SDP or XML based) and held in a file which would be acquired by the receiver before the FLUTE
session begins by means of some transport protocol (such as Session Announcement Protocol ,
email, HTTP , SIP , manual pre-configuration, etc.) However, the
way in which the receiver discovers the above-mentioned parameters is out of scope of this document, as it is for LCT
and ALC. In particular, this specification does not mandate or exclude any mechanism.A content delivery system is potentially subject to attacks. Attacks may target:
the network (to compromise the routing infrastructure, e.g., by creating congestion),the Content Delivery Protocol (CDP) (e.g., to compromise the normal behaviour of FLUTE), orthe content itself (e.g., to corrupt the files being transmitted).
These attacks can be launched either:
against the data flow itself (e.g., by sending forged packets),against the session control parameters (e.g., by corrupting the session description, the FDT Instances, or the ALC/LCT control parameters) that are sent either in-band or out-of-band, oragainst some associated building blocks (e.g., the congestion control component).
In the following sections we provide more details on these possible attacks and sketch some possible counter-measures.
We finally provide recommendations in .
Let us consider attacks against the data flow first. At least, the following types of attacks exist:
attacks that are meant to give access to a confidential file (e.g., in case of a non-free content) and attacks that try to corrupt the file being transmitted (e.g., to inject malicious code within a file,
or to prevent a receiver from using a file, which is a kind of Denial of Service, DoS).Access control to the file being transmitted is typically provided by means of encryption. This encryption can be done over the whole file (e.g., by the content provider, before submitting the file to FLUTE), or be done on a packet per packet basis (e.g., when IPsec/ESP is used , see ). If confidentiality is a concern, it is RECOMMENDED that one of these solutions be used.Protection against corruptions (e.g., if an attacker sends forged packets) is achieved by means of a content integrity verification/sender authentication scheme. This service can be provided at the file level, but in that case a receiver has no way to identify which symbol(s) is(are) corrupted if the file is detected as corrupted. This service can also be provided at the packet level. In this case, after removing all corrupted packets, the file may be in some cases recovered. Several techniques can provide this source authentication/content integrity service:
at the file level, the file MAY be digitally signed, for instance by using RSASSA-PKCS1-v1_5 . This signature enables a receiver to check the file integrity, once this latter has been fully decoded. Even if digital signatures are computationally expensive, this calculation
occurs only once per file, which is usually acceptable;at the packet level, each packet can be digitally signed . A major limitation is the high computational and transmission overheads that this solution requires. To avoid this problem, the signature may span a set of symbols (instead of a single one) in order to amortize the signature calculation, but if a single symbol is missing, the integrity of the whole set cannot be checked;at the packet level, a Group Message Authentication Code (MAC) scheme can be used, for instance by using HMAC-SHA-256 with a secret key shared by all the group members, senders and receivers. This technique creates a cryptographically secured digest of a packet that is sent along with the packet. The Group MAC scheme does not create prohibitive processing load nor transmission overhead, but it has a major limitation: it only provides a group authentication/integrity service since all group members share the same secret group key, which means that each member can send a forged packet. It is therefore restricted to situations where group members are fully trusted (or in association with another technique as a pre-check);at the packet level, TESLA is an attractive solution that is robust to losses, provides a true authentication/integrity service, and does not create any prohibitive processing load or transmission overhead. Yet checking a packet requires a small delay (a second or more) after its reception;at the packet level, IPsec/ESP can be used to check the integrity and authenticate the sender of all the packets being exchanged in a session (see ).
Techniques relying on public key cryptography (digital signatures and TESLA during the bootstrap process, when used) require that public keys be securely associated to the entities. This can be achieved by a Public Key Infrastructure (PKI), or by a PGP Web of Trust, or by pre-distributing the public keys of each group member.Techniques relying on symmetric key cryptography (Group MAC) require that a secret key be shared by all group members. This can be achieved by means of a group key management protocol, or simply by pre-distributing the secret key (but this manual solution has many limitations).It is up to the developer and deployer, who know the security requirements and features of the target application area, to define which solution is the most appropriate. Nonetheless, in case there is any concern of the threat of file corruption, it is RECOMMENDED that at least one of these techniques be used. Let us now consider attacks against the session control parameters and the associated building blocks. The attacker has at least the following opportunities to launch an attack:
the attack can target the session description,the attack can target the FDT Instances,the attack can target the ALC/LCT parameters, carried within the LCT header orthe attack can target the FLUTE associated building blocks, for instance the multiple rate congestion control protocol.
The consequences of these attacks are potentially serious, since they might compromise the behavior of content delivery system itself.
A FLUTE receiver may potentially obtain an incorrect Session Description for the session. The consequence of this is that legitimate receivers with the wrong Session Description are unable to correctly receive the session content, or that receivers inadvertently try to receive at a much higher rate than they are capable of, thereby possibly disrupting other traffic in the network.To avoid these problems, it is RECOMMENDED that measures be taken to prevent receivers from accepting incorrect Session Descriptions. One such measure is source authentication to ensure that receivers only accept legitimate Session Descriptions from authorized senders. How these measures are achieved is outside the scope of this document since this session description is usually carried out-of-band.Corrupting the FDT Instances is one way to create a Denial of Service attack. For example, the attacker changes the MD5 sum associated to a file. This possibly leads a receiver to reject the files received, no matter whether the files have been correctly received or not.Corrupting the FDT Instances is also a way to make the reception process more costly than it should be. This can be achieved by changing the FEC Object Transmission Information when the FEC Object Transmission Information is included in the FDT Instance. For example, an attacker may corrupt the FDT Instance in such a way that Reed-Solomon over GF(2^^16) be used instead of GF(2^^8) with FEC Encoding ID 2. This may significantly increase the processing load while compromising FEC decoding.It is therefore RECOMMENDED that measures be taken to guarantee the integrity and to check the sender's identity of the FDT Instances. To that purpose, one of the counter-measures mentioned above () SHOULD be used. These measures will either be applied on a packet level, or globally over the whole FDT Instance object. Additionally, XML digital signatures are a way to protect the FDT Instance by digitally signing it. When there is no packet level integrity verification scheme, it is RECOMMENDED to rely on XML digital signatures of the FDT Instances.By corrupting the ALC/LCT header (or header extensions) one can execute attacks on underlying ALC/LCT implementation. For example, sending forged ALC packets with the Close Session flag (A) set to one can lead the receiver to prematurely close the session. Similarly, sending forged ALC packets with the Close Object flag (B) set to one can lead the receiver to prematurely give up the reception of an object.It is therefore RECOMMENDED that measures be taken to guarantee the integrity and to check the sender's identity of the ALC packets received. To that purpose, one of the counter-measures mentioned above () SHOULD be used.Let us first focus on the congestion control building block, that may be used in the ALC session. A receiver with an incorrect or corrupted implementation of the multiple rate congestion control building block may affect the health of the network in the path between the sender and the receiver. That may also affect the reception rates of other receivers who joined the session.When congestion control building block is applied with FLUTE, it is therefore RECOMMENDED that receivers be required to identify themselves as legitimate before they receive the Session Description needed to join the session. How receivers identify themselves as legitimate is outside the scope of this document. If authenticating a receiver does not prevent this latter to launch an attack, it will enable the network operator to identify him and to take counter-measures.When congestion control building block is applied with FLUTE, it is also RECOMMENDED that a packet level authentication scheme be used, as explained in . Some of them, like TESLA, only provide a delayed authentication service, whereas congestion control requires a rapid reaction. It is therefore RECOMMENDED that a receiver using TESLA quickly reduces its subscription level when the receiver believes that a congestion did occur, even if the packet has not yet been authenticated. Therefore TESLA will not prevent DoS attacks where an attacker makes the receiver believe that a congestion occurred. This is an issue for the receiver, but this will not compromise the network. Other authentication methods that do not feature this delayed authentication could be preferred, or a group MAC scheme could be used in parallel to TESLA to prevent attacks launched from outside of the group.Lastly, we note that the security considerations that apply to, and are described in, ALC , LCT and FEC also apply to FLUTE as FLUTE builds on those specifications. In addition, any security considerations that apply to any congestion control building block used in conjunction with FLUTE also apply to FLUTE.
We now introduce a mandatory to implement but not necessarily to use security configuration,
in the sense of .
Since FLUTE relies on ALC/LCT, it inherits the "baseline secure ALC operation" of .
More precisely, security is achieved by means of IPsec/ESP in transport mode.
explains that ESP can be used to potentially provide confidentiality, data origin
authentication, content integrity, anti-replay and (limited) traffic flow confidentiality.
specifies that the data origin authentication, content integrity and
anti-replay services SHALL be used, and that the confidentiality service is RECOMMENDED.
If a short lived session MAY rely on manual keying, it is also RECOMMENDED that an automated key management
scheme be used, especially in case of long lived sessions.
Therefore, the RECOMMENDED solution for FLUTE provides per-packet security, with data origin
authentication, integrity verification and anti-replay.
This is sufficient to prevent most of the in-band attacks listed above.
If confidentiality is required, a per-packet encryption SHOULD also be used.
This specification contains three separate items for IANA Considerations:
Registration Request for XML Schema of FDT Instance.Media-Type Registration Request for application/fdt+xml.Content Encoding Algorithm Registration Request.Document defines an IANA maintained registry of XML documents used within IETF
protocols. The following is the registration request for the FDT XML schema.Registrant Contact: Toni Paila (toni.paila (at) nokia.com)XML: The XML Schema specified in This section provides the registration request, as per , and
, to be submitted to IANA following IESG approval.Type name: applicationSubtype name: fdt+xmlRequired parameters: noneOptional parameters: noneEncoding considerations: The fdt+xml type consists of UTF-8 ASCII characters and
must be well-formed XML.Additional content and transfer encodings may be used with fdt+xml
files, with the appropriate encoding for any specific file being
entirely dependant upon the deployed application.Restrictions on usage: Only for usage with FDT Instances which are
valid according to the XML schema of section 3.4.2.Security considerations: fdt+xml data is passive, and does not
generally represent a unique or new security threat. However, there
is some risk in sharing any kind of data, in that unintentional
information may be exposed, and that risk applies to fdt+xml
data as well.Interoperability considerations: NonePublished specification: The present document including section 3.4.2. The specified
FDT Instance functions as an actual media format of use to the general Internet community
and thus media type registration under the Standards Tree is appropriate to maximize
interoperability.Applications which use this media type: Not restricted to any particular
applicationAdditional information:Person and email address to contact for further information: Toni Paila
(toni.paila (at) nokia.com)Intended usage: CommonAuthor/Change controller: IETFValues of Content Encoding Algorithms are subject to IANA registration.
The value of Content Encoding Algorithm is a numeric non-negative index.
In this document, the range of values for Content Encoding Algorithms
is 0 to 255. This specification already assigns the values 0, 1, 2 and 3
as described in section 3.4.3.This document defines a name-space called "Content Encoding Algorithms".IANA has established and manages the new registry for the
"Content Encoding Algorithm" name-space. The values that can be assigned
within this name-space are numeric indexes in
the range [0, 255], boundaries included. Assignment requests are
granted on a "Specification Required" basis as defined in RFC 2434
. Note that the values 0,
1, 2 and 3 of this registry are already assigned by this document as
described in section 3.4.3.The following persons have contributed to this specification: Brian Adamson, Mark Handley, Esa Jalonen,
Roger Kermode, Juha-Pekka Luoma, Topi Pohjolainen, Lorenzo Vicisano, and Mark Watson. The authors would like to
thank all the contributors for their valuable work in reviewing and providing feedback regarding this specification.Jani Peltotalo
Tampere University of Technology
P.O. Box 553 (Korkeakoulunkatu 1)
Tampere FIN-33101
Finland
Email: jani.peltotalo (at) tut.fiSami Peltotalo
Tampere University of Technology
P.O. Box 553 (Korkeakoulunkatu 1)
Tampere FIN-33101
Finland
Email: sami.peltotalo (at) tut.fiMagnus Westerlund
Ericsson Research
Ericsson AB
SE-164 80 Stockholm
Sweden
EMail: magnus.westerlund (at) ericsson.comThorsten Lohmar
Ericsson Research (EDD)
Ericsson Allee 1
52134 Herzogenrath, Germany
EMail: thorsten.lohmar (at) ericsson.comAdded clarification for the use of FLUTE for unicast communications in .Clarified how to reliably deliver the FDT in .Clarified how to address FDT Instance expiry time wraparound with the notion of "epoch"
of NTPv4 in .Clarified what should be considered as erroneous situations in
(definition of FDT Instance ID).
In particular a receiver MUST be ready to handle FDT Instance ID wraparounds and
missing FDT Instances.Updated the security section to define IPsec/ESP as a mandatory to implement security
solution in .Removed the 'Statement of Intent' from the . The statement
of intent was meant to clarify the "Experimental" status of RFC3926.
It does not apply to this draft that is intended for "Standard Track"
submission.Added clarification on XML-DSIG in the end of .Revised the use of word "complete" in the .Clarified WRT "Encoding Symbol(s) for FDT Instance".Clarified the FDT Instance ID wrap-around in the end of .Clarification for "Complete FDT" in the .Added semantics for the case two TOIs refer to same Content-Location. Now it is
in line how 3GPP and DVB interpret the case.In the XML Schema of FDT instance is modified to various advices.
For example, extension by element was missing but is now supported. Also namespace definition is
changed to URN format.Clarified FDT-schema extensibility in the end of .The CENC value allocation is added in the end of . is modified so that EXT_FTI and the FEC issues are replaced by a reference
to LCT specification. We count on revised LCT specification to specify the EXT_FTI.Added a clarifying paragraph on the use of Codepoint in the very end of .Reworked - IANA Considerations. Now it contains three IANA registration requests:
Registration Request for XML Schema of FDT Instance (urn:ietf:params:xml:schema:fdt)Media-Type Registration Request for application/fdt+xmlContent Encoding Algorithm Registration Request (ietf:rmt:cenc)Added - Contributors.Revised list of both Normative as well as Informative references.Added a clarification that receiver should ignore reserved bits of Header Extension type 193 upon reception.Key words for use in RFCs to Indicate Requirement LevelsAsynchronous Layered Coding (ALC) Protocol InstantiationLayered Coding Transport (LCT) Building BlockForward Error Correction (FEC) Building BlockBasic Forward Error Correction (FEC) SchemesNetwork Time Protocol (Version 3), Specification, Implementation and AnalysisHypertext Transfer Protocol -- HTTP/1.1XML Schema Part 1: StructuresXML Schema Part 2: DatatypesXML Media TypesUTF-8, a transformation format of ISO 10646Guidelines for Writing an IANA Considerations Section in RFCsZLIB Compressed Data Format Specification version 3.3DEFLATE Compressed Data Format Specification version 1.3GZIP file format specification version 4.3Session Announcement ProtocolSession Description ProtocolHost Extensions for IP MulticastingA Channel Model for Multicast, Ph.D. Dissertation, Stanford University, Department of Computer Science,
Stanford, CaliforniaNetwork Time Protocol Version 4 Protocol And Algorithms SpecificationStrong Security Requirements for Internet Engineering Task Force Standard ProtocolsSecure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification(Extensible Markup Language) XML-Signature Syntax and ProcessingMedia Type Specifications and Registration ProceduresMultipurpose Internet Mail Extensions (MIME) Part Four: Registration ProceduresSIP: session initiation protocolWave and Equation Based Rate Control (WEBRC) Building BlockThe IETF XML RegistryPublic-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1Encapsulating Security Payload (ESP)HMAC: Keyed-Hashing for Message AuthenticationTimed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform IntroductionUse of TESLA in the ALC and NORM ProtocolsSimple Authentication Schemes for the ALC and NORM ProtocolsThis section gives an example how the receiver of the file delivery session may operate. Instead of a detailed
state-by-state specification the following should be interpreted as a rough sequence of an envisioned file delivery
receiver.
The receiver obtains the description of the file delivery session identified by the pair: (source IP address,
Transport Session Identifier). The receiver also obtains the destination IP addresses and respective ports associated
with the file delivery session.The receiver joins the channels in order to receive packets associated with the file delivery session. The
receiver may schedule this join operation utilizing the timing information contained in a possible description
of the file delivery session.The receiver receives ALC/LCT packets associated with the file delivery session. The receiver checks that the
packets match the declared Transport Session Identifier. If not, packets are silently discarded.While receiving, the receiver demultiplexes packets based on their TOI and stores the relevant packet
information in an appropriate area for recovery of the corresponding file. Multiple files can be reconstructed
concurrently.Receiver recovers an object. An object can be recovered when an appropriate set of packets containing Encoding
Symbols for the transmission object have been received. An appropriate set of packets is dependent on the properties
of the FEC Encoding ID and FEC Instance ID, and on other information contained in the FEC Object Transmission
Information.If the recovered object was an FDT Instance with FDT Instance ID 'N', the receiver parses the payload of the
instance 'N' of FDT and updates its FDT database accordingly. The receiver identifies FDT Instances within a file
delivery session by the EXT_FDT header extension. Any object that is delivered using EXT_FDT header extension is
an FDT Instance, uniquely identified by the FDT Instance ID. Note that TOI '0' is exclusively reserved for FDT
delivery.If the object recovered is not an FDT Instance but a file, the receiver looks up its FDT database to get the
properties described in the database, and assigns file with the given properties. The receiver also checks that
received content length matches with the description in the database. Optionally, if MD5 checksum has been used,
the receiver checks that calculated MD5 matches with the description in the FDT database.The actions the receiver takes with imperfectly received files (missing data, mismatching digestive, etc.) is
outside the scope of this specification. When a file is recovered before the associated file description entry
is available, a possible behavior is to wait until an FDT Instance is received that includes the missing
properties.If the file delivery session end time has not been reached go back to 3. Otherwise end.