wdiff rfc8313.original rfc8313.txt

MBONED Working Group
Internet Engineering Task Force (IETF) P. Tarapore, Ed.
Internet-Draft
Request for Comments: 8313 R. Sayko
Intended status:
BCP: 213 AT&T
Category: Best Current Practice AT&T
Expires: May 3, 2018 G. Shepherd
ISSN: 2070-1721 Cisco
T. Eckert, Ed.
Huawei
R. Krishnan
SupportVectors
October 30, 2017
January 2018

Use of Multicast Across Inter-Domain across Inter-domain Peering Points
draft-ietf-mboned-interdomain-peering-bcp-14

Abstract

This document examines the use of Source Specific Source-Specific Multicast (SSM)
across inter-domain peering points for a specified set of deployment
scenarios. The objective is objectives are to (1) describe the setup process for
multicast-based delivery across administrative domains for these
scenarios and (2) document supporting functionality to enable this
process.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working memo documents an Internet Best Current Practice.

This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
BCPs is available in Section 2 of RFC 7841.

Information about the current status of six months this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 3, 2018.
https://www.rfc-editor.org/info/rfc8313.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 ....................................................4
2. Overview of Inter-domain Multicast Application Transport . . 5 ........6
3. Inter-domain Peering Point Requirements for Multicast . . . . 6 ...........7
3.1. Native Multicast . . . . . . . . . . . . . . . . . . . . 7 ...........................................8
3.2. Peering Point Enabled with GRE Tunnel . . . . . . . . . . 8 .....................10
3.3. Peering Point Enabled with an AMT - Both Domains
Multicast Enabled . . . . . . . . . . . . . . . . . . . . 10 .........................................12
3.4. Peering Point Enabled with an AMT - AD-2 Not
Multicast Enabled . . . . . . . . . . . . . . . . . . . . . . . . . 12 .........................................14
3.5. AD-2 Not Multicast Enabled - Multiple AMT Tunnels Through
through AD-2 . . . . . . . . . . . . . . . . . . . . . . . . . . 14 ..............................................16
4. Functional Guidelines . . . . . . . . . . . . . . . . . . . . 16 ..........................................18
4.1. Network Interconnection Transport Guidelines . . . . . . 16 ..............18
4.1.1. Bandwidth Management . . . . . . . . . . . . . . . . 16 ...............................19
4.2. Routing Aspects and Related Guidelines . . . . . . . . . 18 ....................20
4.2.1. Native Multicast Routing Aspects . . . . . . . . . . 19 ...................21
4.2.2. GRE Tunnel over Interconnecting Peering Point . . . . 19 ......22
4.2.3. Routing Aspects with AMT Tunnels . . . . . . . . . . 20 ...................22
4.2.4. Public Peering Routing Aspects . . . . . . . . . . . 22 .....................24
4.3. Back Office Back-Office Functions - Provisioning and Logging
Guidelines . . . . . . . . . . . . . . . . . . . . . . . 23 ................................................26
4.3.1. Provisioning Guidelines . . . . . . . . . . . . . . . 24 ............................26
4.3.2. Interdomain Inter-domain Authentication Guidelines . . . . . . . . 25 .............28
4.3.3. Log Management Log-Management Guidelines . . . . . . . . . . . . . . 26 ..........................28
4.4. Operations - Service Performance and Monitoring
Guidelines . . . . . . . . . . . . . . . . . . . . . . . 27 ................................................30
4.5. Client Reliability Models/Service Models / Service Assurance Guidelines . 29 ..32
4.6. Application Accounting Guidelines . . . . . . . . . . . . 29 .........................32
5. Troubleshooting and Diagnostics . . . . . . . . . . . . . . . 29 ................................32
6. Security Considerations . . . . . . . . . . . . . . . . . . . 30 ........................................33
6.1. DoS attacks Attacks (against state State and bandwidth) . . . . . . . . 30 Bandwidth) .................33
6.2. Content Security . . . . . . . . . . . . . . . . . . . . 32 ..........................................35
6.3. Peering Encryption . . . . . . . . . . . . . . . . . . . 34 ........................................37
6.4. Operational Aspects . . . . . . . . . . . . . . . . . . . 34 .......................................37
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 35 .........................................39
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 ............................................40
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37
10. Change log [RFC Editor: Please remove] . . . . . . . . . . . 37
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 39
11.1. .....................................................40
9.1. Normative References . . . . . . . . . . . . . . . . . . 39
11.2. ......................................40
9.2. Informative References . . . . . . . . . . . . . . . . . 40 ....................................42
Acknowledgments ...................................................43
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41 ................................................44

1. Introduction

Content and data from several types of applications (e.g., live video
streaming, software downloads) are well suited for delivery via
multicast means. The use of multicast for delivering such content or
other data offers significant savings in terms of utilization of
resources in any given administrative domain. End user User (EU) demand
for such content or other data is growing. Often, this requires
transporting the content or other data across administrative domains
via inter-domain peering points.

The objective objectives of this Best Current Practices document is are twofold:

o Describe the technical process and establish guidelines for
setting up multicast-based delivery of application content or
other data across inter-domain peering points via a set of
use
cases. cases (where "Use Case 3.1" corresponds to Section 3.1,
"Use Case 3.2" corresponds to Section 3.2, etc.).

o Catalog all required exchanges of information exchange between the
administrative domains to support multicast-based delivery. This
enables operators to initiate necessary processes to support
inter-domain peering with multicast.

The scope and assumptions for this document are as follows:

o Administrative Domain 1 (AD-1) sources content to one or more End
Users (EUs) EUs
in one or more Administrative Domain 2 (AD-2). (AD-2) entities. AD-1 and
AD-2 want to use IP multicast to allow supporting support for large and
growing EU populations populations, with a minimum amount of duplicated
traffic to send across network links.

* This document does not detail the case where EUs are
originating content. To support that additional service, it is
recommended to use that some method (outside the scope of this
document) be used by which the content from EUs is transmitted
to the application in AD-1 that this document refers to as the
multicast source and let it AD-1 can send out the traffic as
IP multicast. From that point on, the descriptions in this
document apply, except that they are not complete because they
do not cover the transport or operational aspects of the leg
from the EU to AD-1.

* This document does not detail the case where AD-1 and AD-2 are
not directly connected to each other but only and are instead connected
via one or more
AD-3 (transit providers). other ADs (as opposed to a peering point) that
serve as transit providers. The cases described in this
document where tunnels are used between AD-1 and AD-2 can be
applied to such scenarios, but SLA ("Service Level Agreement") control
control, for
example example, would be different. Other additional Additional issues
will likely exist as well in such scenarios. This topic is
left for further study.

o For the purpose purposes of this document, the term "peering point" refers
to a network connection ("link") between two administrative
network domains over which traffic is exchanged between them.
This is also referred to as a Network-to-Network Interface (NNI).
Unless otherwise noted, it is assumed that the peering point is assumed to be a
private peering point, where the network connection is a
physically or virtually isolated network connection solely between
AD-1 and AD-2. The other case is that of a broadcast peering
point
point, which is a common option in public Internet Exchange Points
(IXP).
(IXPs). See Section 4.2.2 4.2.4 for more details about that option. details.

o Administrative Domain 1 (AD-1) AD-1 is enabled with native multicast. A peering point exists
between AD-1 and AD-2.

o It is understood that several protocols are available for this
purpose
purpose, including PIM-SM Protocol-Independent Multicast - Sparse Mode
(PIM-SM) and Protocol Independent Protocol-Independent Multicast -
Source Specific Source-Specific
Multicast (PIM-SSM) [RFC7761], the Internet Group Management
Protocol (IGMP) [RFC3376], and Multicast Listener Discovery (MLD)
[RFC3810].

o As described in Section 2, the source IP address of the (so-called
"(S,G)") multicast stream in the originating AD (AD-1) is known.
Under this condition, using PIM-SSM use is beneficial beneficial, as it allows
the receiver's upstream router to directly send a JOIN join message directly to
the source without the need of invoking to invoke an intermediate Rendezvous
Point (RP). Use The use of SSM also presents an improved threat
mitigation profile against attack, as described in [RFC4609].
Hence, in the case of inter-domain peering, it is recommended to use that
only SSM
protocols; protocols be used; the setup of inter- domain inter-domain peering for
ASM (Any-Source Multicast) is not in out of scope for this document.

o The rest of the this document assumes that PIM-SSM and BGP are used
across the peering point point, plus AMT Automatic Multicast Tunneling (AMT)
[RFC7450] and/or GRE Generic Routing Encapsulation (GRE), according to
scenario.
the scenario in question. The use of other protocols is beyond
the scope of this document.

o An Automatic Multicast Tunnel (AMT) [RFC7450] AMT is setup set up at the peering point if either the peering point or
AD-2 is not multicast enabled. It is assumed that an AMT Relay relay
will be available to a client for multicast delivery. The
selection of an optimal AMT relay by a client is out of scope for
this document. Note that using AMT use is necessary only when native
multicast is unavailable in the peering point (Use Case 3.3) or in
the downstream administrative domain (Use Cases 3.4, 3.4 and 3.5).

o The It is assumed that the collection of billing data is assumed to be done at the
application level and is not considered to be a networking issue.
The settlements process for end user EU billing and/or inter-provider
billing is out of scope for this document.

o Inter-domain network connectivity troubleshooting is only
considered within the context of a cooperative process between the
two domains.

This document also attempts to identify ways by which the peering
process can be improved. Development of new methods for improvement
is beyond the scope of this document.

2. Overview of Inter-domain Multicast Application Transport

A multicast-based application delivery scenario is as follows:

o Two independent administrative domains are interconnected via a
peering point.

o The peering point is either multicast enabled (end-to-end native
multicast across the two domains) or it is connected by one of two
possible tunnel types:

* A Generic Routing Encapsulation (GRE) Tunnel GRE tunnel [RFC2784] allowing multicast tunneling across the
peering point, or

o An Automatic Multicast Tunnel (AMT)

* AMT [RFC7450].

o A service provider controls one or more application sources in
AD-1 which that will send multicast IP packets via one or more (S,G)s
(multicast traffic flows, flows; see Section 4.2.1 if you are unfamiliar
with IP multicast). It is assumed that the service being provided
is suitable for delivery via multicast (e.g. (e.g., live video streaming
of popular events, software downloads to many devices, etc.), devices) and that
the packet streams will be carried by a suitable multicast
transport protocol.

o An End User (EU) EU controls a device connected to AD-2, which runs an
application client compatible with the service provider's
application source.

o The application client joins appropriate (S,G)s in order to
receive the data necessary to provide the service to the EU. The
mechanisms by which the application client learns the appropriate
(S,G)s are an implementation detail of the application, application and are out
of scope for this document.

The assumption here is that AD-1 has ultimate responsibility for
delivering the multicast based multicast-based service on behalf of the content
source(s). All relevant interactions between the two domains
described in this document are based on this assumption.

Note that domain 2 AD-2 may be an independent network domain (e.g.: (e.g., a Tier 1
network operator domain). Alternately, domain 2 AD-2 could also be an
Enterprise
enterprise network domain operated by a single customer of AD-1. The
peering point architecture and requirements may have some unique
aspects associated with the Enterprise case.

The Use Cases describing various architectural configurations for the
multicast distribution along with associated requirements is
described in section 3. Unique aspects related to the Enterprise
network possibility will be described in this section. enterprise networks; see Section 4
contains a comprehensive list of pertinent information that needs to
be exchanged between the two domains in order to support functions to
enable the application transport.

Note that domain 2 may be an independent network domain (e.g., Tier 1
network operator domain). Alternately, domain 2 could also be an
Enterprise network domain operated by a single customer. 3.

The Use Cases use cases describing various architectural configurations for the
multicast distribution distribution, along with associated requirements is
described in Section 3. The peering point architecture and
requirements may have some unique aspects associated with the
Enterprise case. These unique aspects will also be requirements, are
described in Section 3. Section 4 contains a comprehensive list of
pertinent information that needs to be exchanged between the two
domains in order to support functions to enable the application
transport.

3. Inter-domain Peering Point Requirements for Multicast

The transport of applications using multicast requires that the
inter-domain peering point is be enabled to support such a process.
There are
This section presents five Use Cases use cases for consideration in this document. consideration.

3.1. Native Multicast

This Use Case use case involves end-to-end Native Multicast native multicast between the two
administrative domains domains, and the peering point is also native
multicast
enabled - see enabled. See Figure 1.

------------------- -------------------
/ AD-1 \ / AD-2 \
/ (Multicast Enabled) \ / (Multicast Enabled) \
/ \ / \
| +----+ | | |
| | | +------+ | | +------+ | +----+
| | AS |------>| BR |-|---------|->| BR |-------------|-->| EU |
| | | +------+ | I1 | +------+ |I2 +----+
\ +----+ / \ /
\ / \ /
\ / \ /
------------------- -------------------

AD = Administrative Domain (Independent Autonomous System) (independent autonomous system)
AS = Application multicast (e.g., Content) Multicast content) Application Source
BR = Border Router
I1 = AD-1 and AD-2 Multicast Interconnection multicast interconnection (e.g., MBGP) MP-BGP)
I2 = AD-2 and EU Multicast Connection multicast connection

Figure 1: Content Distribution via End to End End-to-End Native Multicast

Advantages of this configuration are: configuration:

o Most efficient use of bandwidth in both domains.

o Fewer devices in the path traversed by the multicast stream when
compared to an AMT enabled AMT-enabled peering point.

From the perspective of AD-1, the one disadvantage associated with
native multicast into to AD-2 instead of individual unicast to every EU in
AD-2 is that it does not have the ability to count the number of
End Users EUs
as well as the transmitted bytes delivered to them. This information
is relevant from the perspective of customer billing and operational
logs. It is assumed that such data will be collected by the
application layer. The application layer application-layer mechanisms for generating
this information need to be robust enough such so that all pertinent
requirements for the source provider and the AD operator are
satisfactorily met. The specifics of these methods are beyond the
scope of this document.

Architectural guidelines for this configuration are as follows:

a. Dual homing for peering points between domains is recommended as
a way to ensure reliability with full BGP table visibility.

b. If the peering point between AD-1 and AD-2 is a controlled
network environment, then bandwidth can be allocated accordingly
by the two domains to permit the transit of non- rate adaptive non-rate-adaptive
multicast traffic. If this is not the case, then the multicast
traffic must support rate-adaption (see [BCP145]). congestion control via any of the mechanisms
described in Section 4.1 of [BCP145].

c. The sending and receiving of multicast traffic between two
domains is typically determined by local policies associated with
each domain. For example, if AD-1 is a service provider and AD-2
is an enterprise, then AD-1 may support local policies for
traffic delivery to, but not traffic reception from, AD-2.
Another example is the use of a policy by which AD-1 delivers
specified content to AD-2 only if such delivery has been accepted
by contract.

d. Relevant It is assumed that relevant information on multicast streams
delivered to End Users EUs in AD-2 is assumed to be collected by available capabilities
in the application layer. The precise nature and formats of the
collected information will be determined by directives from the
source owner and the domain operators.

3.2. Peering Point Enabled with GRE Tunnel

The peering point is not native multicast enabled in this Use Case. use case.
There is a Generic Routing Encapsulation Tunnel GRE tunnel provisioned over the peering point. See
Figure 2.

------------------- -------------------
/ AD-1 \ / AD-2 \
/ (Multicast Enabled) \ / (Multicast Enabled) \
/ \ / \
| +----+ +---+ | (I1) | +---+ |
| | | +--+ |uBR|-|--------|-|uBR| +--+ | +----+
| | AS |-->|BR| +---+-| | +---+ |BR| -------->|-->| EU |
| | | +--+ <.......|........|........>+--+ +--+<........|........|........>+--+ |I2 +----+
\ +----+ / I1 \ /
\ / GRE \ /
\ / Tunnel \ /
------------------- -------------------

AD = Administrative Domain (Independent Autonomous System) (independent autonomous system)
AS = Application multicast (e.g., Content) Multicast content) Application Source
uBR = unicast Border Router - not necessarily multicast enabled enabled;
may be the same router as BR
BR = Border Router - for multicast
I1 = AD-1 and AD-2 Multicast Interconnection multicast interconnection (e.g., MBGP) MP-BGP)
I2 = AD-2 and EU Multicast Connection multicast connection

Figure 2: Content Distribution via GRE Tunnel

In this case, the interconnection I1 between AD-1 and AD-2 in Figure 2 is
multicast enabled via a Generic Routing Encapsulation
Tunnel (GRE) GRE tunnel [RFC2784] between the two BR BRs and
encapsulating the multicast protocols across it.

Normally, this approach is choosen chosen if the uBR physcially physically connected to
the peering link can cannot or should not be enabled for IP multicast.
This approach may also be beneficial if the BR and uBR are the same device,
device but the peering link is a broadcast domain (IXP), (IXP); see Figure 6.
Section 4.2.4.

The routing configuration is basically unchanged: Instead instead of running
BGP
(SAFI2) (SAFI-2) ("SAFI" stands for "Subsequent Address Family
Identifier") across the native IP multicast link between AD-1 and
AD-2, BGP (SAFI2) (SAFI-2) is now run across the GRE tunnel.

Advantages of this configuration:

o Highly efficient use of bandwidth in both domains, although not as
efficient as the fully native multicast Use Case. use case (Section 3.1).

o Fewer devices in the path traversed by the multicast stream when
compared to an AMT enabled AMT-enabled peering point.

o Ability to support partial and/or incremental IP multicast
deployments in AD- 1 AD-1 and/or AD-2: Only only the path(s) path or paths between
the AS/BR (AD-1) and the BR/EU (AD-2) need to be multicast
enabled. The uBRs may not support IP multicast or enabling it
could be seen as operationally risky on that important edge node node,
whereas dedicated BR nodes for IP multicast may (at least
initially) be more acceptable at least
initially. acceptable. The BR can also be located such
that only parts of the domain may need to support native IP
multicast (e.g.: (e.g., only the core in AD-1 but not edge networks
towards the uBR).

o GRE is an existing technology and is relatively simple to
implement.

Disadvantages of this configuration:

o Per Use Case 3.1, current router technology cannot count the
number of end users EUs or the number of bytes transmitted.

o The GRE tunnel requires manual configuration.

o The GRE tunnel must be established prior to stream starting. starting the stream.

o The GRE tunnel is often left pinned up.

Architectural guidelines for this configuration include the
following:

Guidelines (a) through (d) are the same as those described in
Use Case 3.1. Two additional guidelines are as follows:

e. GRE tunnels are typically configured manually between peering
points to support multicast delivery between domains.

f. It is recommended that the GRE tunnel (tunnel server)
configuration in the source network is be such that it only
advertises the routes to the application sources and not to the
entire network. This practice will prevent unauthorized delivery
of applications through the tunnel (e.g., (for example, if the
application - e.g.,
content - (e.g., content) is not part of an agreed agreed-upon
inter-domain partnership).

3.3. Peering Point Enabled with an AMT - Both Domains Multicast Enabled

Both

It is assumed that both administrative domains in this Use Case use case are assumed to be
native multicast enabled here; however, the peering point is not.

The peering point is enabled with an Automatic Multicast Tunnel. AMT. The basic configuration is
depicted in Figure 2. 3.

------------------- -------------------
/ AD-1 \ / AD-2 \
/ (Multicast Enabled) \ / (Multicast Enabled) \
/ \ / \
| +----+ +---+ | I1 | +---+ |
| | | +--+ |uBR|-|--------|-|uBR| +--+ | +----+
| | AS |-->|AR| +---+-| | +---+ |AG| -------->|-->| EU |
| | | +--+ <.......|........|........>+--+ +--+<........|........|........>+--+ |I2 +----+
\ +----+ / AMT \ /
\ / Tunnel \ /
\ / \ /
------------------- -------------------

AD = Administrative Domain (Independent Autonomous System) (independent autonomous system)
AS = Application multicast (e.g., Content) Multicast content) Application Source
AR = AMT Relay
AG = AMT Gateway
uBR = unicast Border Router - not multicast enabled
otherwise AR=uBR (AD-1), uBR=AG enabled;
also, either AR = uBR (AD-1) or uBR = AG (AD-2)
I1 = AMT Interconnection interconnection between AD-1 and AD-2
I2 = AD-2 and EU Multicast Connection multicast connection

Figure 3: - AMT Interconnection between AD-1 and AD-2

Advantages of this configuration:

o Highly efficient use of bandwidth in AD-1.

o AMT is an existing technology and is relatively simple to
implement. Attractive properties of AMT include the following:

* Dynamic interconnection between Gateway-Relay the gateway-relay pair across
the peering point.

* Ability to serve clients and servers with differing policies.

Disadvantages of this configuration:

o Per Use Case 3.1 (AD-2 is native multicast), current router
technology cannot count the number of end users EUs or the number of bytes
transmitted to all end users. EUs.

o Additional devices (AMT Gateway gateway and Relay relay pairs) may be introduced
into the path if these services are not incorporated in into the
existing routing nodes.

o Currently undefined mechanisms for the AG to automatically select
the optimal AR.

Architectural guidelines for this configuration are as follows:

Guidelines (a) through (d) are the same as those described in
Use Case 3.1. In addition,

e. It is recommended that AMT Relay relay and Gateway gateway pairs be configured
at the peering points to support multicast delivery between
domains. AMT tunnels will then configure dynamically across the
peering points once the Gateway gateway in AD-2 receives the (S, G) (S,G)
information from the EU.

3.4. Peering Point Enabled with an AMT - AD-2 Not Multicast Enabled

In this AMT Use Case, the second administrative domain use case, AD-2 is not multicast enabled. Hence, the
interconnection between AD-2 and the
End User EU is also not multicast
enabled. This Use Case use case is depicted in Figure 3. 4.

------------------- -------------------
/ AD-1 \ / AD-2 \
/ (Multicast Enabled) \ / (Non (Not Multicast \
/ \ / Enabled) \ N(large)
| +----+ +---+ | | +---+ | #EU # EUs
| | | +--+ |uBR|-|--------|-|uBR| | +----+
| | AS |-->|AR| +---+-| | +---+ ................>|EU/G|
| | | +--+ <.......|........|........... +--+<........|........|........... |I2 +----+
\ +----+ / N x AMT\ /
\ / Tunnel \ /
\ / \ /
------------------- -------------------

AS = multicast (e.g., content) Application Multicast Source
uBR = unicast Border Router - not multicast enabled,
otherwise enabled;
otherwise, AR = uBR (in AD-1). AD-1)
AR = AMT Relay
EU/G = Gateway client embedded in EU device
I2 = AMT Tunnel Connecting tunnel connecting EU/G to AR in AD-1 through Non-Multicast
Enabled AD-2.
non-multicast-enabled AD-2

Figure 4: AMT Tunnel Connecting AD-1 AMT Relay and EU Gateway

This Use Case use case is equivalent to having unicast distribution of the
application through AD-2. The total number of AMT tunnels would be
equal to the total number of End Users EUs requesting the application. The
peering point thus needs to accommodate the total number of AMT
tunnels between the two domains. Each AMT tunnel can provide the
data usage associated with each End User. EU.

Advantages of this configuration:

o Efficient use of bandwidth in AD-1 (The (the closer the AR is to the
uBR, the more efficient).

o Ability for of AD-1 to introduce IP multicast based content delivery based on IP
multicast, without any support by network devices in AD-2: Only only
the application side in the EU device needs to perform AMT gateway
library functionality to receive traffic from the AMT relay.

o Allows for AD-2 to "upgrade" to Use Case 3.5 (see below) Section 3.5) at a
later time time, without any change in AD-1 at that time.

o AMT is an existing technology and is relatively simple to
implement. Attractive properties of AMT include the following:

* Dynamic interconnection between Gateway-Relay the AMT gateway-relay pair
across the peering point.

* Ability to serve clients and servers with differing policies.

o Each AMT tunnel serves as a count for each End User EU and is also able to
track data usage (bytes) delivered to the EU.

Disadvantages of this configuration:

o Additional devices (AMT Gateway gateway and Relay relay pairs) are introduced
into the transport path.

o Assuming multiple peering points between the domains, the EU
Gateway
gateway needs to be able to find the "correct" AMT Relay relay in AD-1.

Architectural guidelines for this configuration are as follows:

Guidelines (a) through (c) are the same as those described in
Use Case 3.1. In addition,

d. It is necessary that proper procedures are be implemented such that
the AMT Gateway gateway at the End User EU device is able to find the correct AMT Relay
relay for each (S,G) content stream. Standard mechanisms for
that selection are still subject to ongoing work. This includes
the use of anycast gateway addresses, anycast DNS names, or
explicit configuration that is mapping maps (S,G) to a relay address address; or
letting the application in the EU/G provide the relay address to
the embedded AMT gateway function.

e. The AMT tunnel tunnel's capabilities are expected to be sufficient for
the purpose of collecting relevant information on the multicast
streams delivered to End Users EUs in AD-2.

3.5. AD-2 Not Multicast Enabled - Multiple AMT Tunnels Through through AD-2

This is

Figure 5 illustrates a variation of Use Case 3.4 as follows: 3.4:

------------------- -------------------
/ AD-1 \ / AD-2 \
/ (Multicast Enabled) \ / (Non (Not Multicast \
/ +---+ \ (I1) / +---+ Enabled) \
| +----+ |uBR|-|--------|-|uBR| |
| | | +--+ +---+ | | +---+ +---+ | +----+
| | AS |-->|AR|<........|.... | +---+ |AG/|....>|EU/G|
| | | +--+ | ......|.|AG/|..........>|AR2| |I3 +----+
\ +----+ / I1 \ |AR1| I2 +---+ /
\ / single Single \+---+ /
\ / AMT Tunnel \ /
------------------- -------------------

uBR = unicast Border Router - not multicast enabled
otherwise AR=uBR enabled;
also, either AR = uBR (AD-1) or ubr=AGAR1 uBR = AGAR1 (AD-2)
AS = multicast (e.g., content) Application Source
AR = AMT Relay in AD-1
AGAR1 = AMT Gateway/Relay node in AD-2 across Peering Point peering point
I1 = AMT Tunnel Connecting tunnel connecting AR in AD-1 to GW gateway in AGAR1 in AD-2
AGAR2 = AMT Gateway/Relay node at AD-2 Network Edge network edge
I2 = AMT Tunnel Connecting Relay tunnel connecting relay in AGAR1 to GW gateway in AGAR2
EU/G = Gateway client embedded in EU device
I3 = AMT Tunnel Connecting tunnel connecting EU/G to AR in AGAR2

Figure 5: AMT Tunnel Connecting AMT Relay Gateways and Relays

Use Case 3.4 results in several long AMT tunnels crossing the entire
network of AD-2 linking the EU device and the AMT Relay relay in AD-1
through the peering point. Depending on the number of End Users, EUs, there is
a likelihood of an unacceptably high amount of traffic due to the
large number of AMT tunnels - -- and unicast streams - -- through the
peering point. This situation can be alleviated as follows:

o Provisioning of strategically located AMT nodes in AD-2 AD-2. An
AMT node comprises co-location of an AMT Gateway gateway and an AMT Relay. relay.
No change is required by AD-1 AD-1, as compared to Use Case 3.4. This
can be done whenever AD-2 seems sees fit (too (e.g., too much traffic across
the peering point. point).

o One such node is at on the AD-2 side of the peering point (node (AMT node
AGAR1 in above Figure). Figure 5).

o Single A single AMT tunnel established across the peering point linking
the AMT
Relay relay in AD-1 to the AMT Gateway gateway in the AMT node AGAR1
in AD-2.

o AMT tunnels linking AMT node AGAR1 at the peering point in AD-2 to
other AMT nodes located at the edges of AD-2: e.g., AMT tunnel I2
linking the AMT Relay relay in AGAR1 to the AMT Gateway gateway in AMT
node AGAR2 in
Figure 4. (Figure 5).

o AMT tunnels linking an EU device (via Gateway a gateway client embedded in
the device) and an AMT Relay relay in an appropriate AMT node at the
edge of AD-2: e.g., I3 linking the EU Gateway gateway in the device to the
AMT Relay relay in AMT node AGAR2.

o In the most simple simplest option (not shown), AD-2 only deploys a single
AGAR1 node and lets the EU/G build AMT tunnels directly to it.
This setup already solves the problem of replicated traffic across
the peering point. As soon as there is a need to support more AMT
tunnels to the EU/G, then additional AGAR2 nodes can be deployed
by AD-2.

The advantage for of such a chained set of AMT tunnels is that the total
number of unicast streams across AD-2 is significantly reduced, thus
freeing up bandwidth. Additionally, there will be a single unicast
stream across the peering point instead of of, possibly, an unacceptably
large number of such streams per Use Case 3.4. However, this implies
that several AMT tunnels will need to be dynamically configured by
the various AMT Gateways gateways, based solely on the (S,G) information
received from the application client at the EU device. A suitable
mechanism for such dynamic configurations is therefore critical.

Architectural guidelines for this configuration are as follows:

Guidelines (a) through (c) are the same as those described in
Use Case 3.1. In addition,

d. It is necessary that proper procedures are be implemented such that
the various AMT Gateways gateways (at the End User EU devices and the AMT nodes in
AD-2) are able to find the correct AMT Relay relay in other AMT nodes
as appropriate. Standard mechanisms for that selection are still
subject to ongoing work. This includes the use of anycast
gateway addresses, anycast DNS names, or explicit configuration
that is mapping maps (S,G) to a relay address. On the EU/G, this mapping
information may come from the application.

e. The AMT tunnel tunnel's capabilities are expected to be sufficient for
the purpose of collecting relevant information on the multicast
streams delivered to End Users EUs in AD-2.

4. Functional Guidelines

Supporting functions and related interfaces over the peering point
that enable the multicast transport of the application are listed in
this section. Critical information parameters that need to be
exchanged in support of these functions are enumerated, along with
guidelines as appropriate. Specific interface functions for
consideration are as follows.

4.1. Network Interconnection Transport Guidelines

The term "Network Interconnection Transport" "network interconnection transport" refers to the
interconnection points between the two Administrative Domains. administrative domains. The
following is a representative set of attributes that will need to be
agreed to between the two
administrative domains will need to agree on to support multicast
delivery.

o Number of Peering Points. peering points.

o Peering Point Addresses point addresses and Locations. locations.

o Connection Type type - Dedicated for Multicast multicast delivery or shared with
other services.

o Connection Mode mode - Direct connectivity between the two AD's ADs or via
another ISP.

o Peering Point Protocol Support point protocol support - Multicast protocols that will be
used for multicast delivery will need to be supported at these
points. Examples of such protocols include eBGP External BGP (EBGP)
[RFC4760] and MBGP peering via MP-BGP (Multiprotocol BGP) SAFI-2 [RFC4760].

o Bandwidth Allocation allocation - If shared with other services, then there
needs to be a determination of the share of bandwidth reserved for
multicast delivery. See section Section 4.1.1 below for more details.

o QoS Requirements requirements - Delay and/or latency specifications that need
to be specified in an SLA.

o AD Roles roles and Responsibilities responsibilities - the The role played by each AD for
provisioning and maintaining the set of peering points to support
multicast delivery.

4.1.1. Bandwidth Management

Like IP unicast traffic, IP multicast traffic carried across non-
controlled
non-controlled networks must comply to Congestion Control Principles with congestion control
principles as described in [BCP41] and as explained in detail for UDP
IP multicast in [BCP145].

Non-controlled networks (such as the Internet) are those networks where
there is no policy for managing bandwidth other than best effort with
a fair share of bandwidth under congestion. As a simplified rule of
thumb, complying to with congestion control principles means to reduce reducing
bandwidth under congestion in a way that is fair to competing competing
(typically TCP) flow flows ("rate adaptive").

In many instances, multicast content delivery evolves from intra-
domain
intra-domain deployments where it is handled as a controlled network
service and of does not complyng to comply with congestion control principles. It
was given a reserved amount of bandwidth and admitted to the network
so that congestion never occurs. Therefore Therefore, the congestion control
issue should be given specific attention when evolving to an interdomain
inter-domain peering deployment.

In the case where end-to-end IP multicast traffic passes across the
network of two ADs (and their subsidiaries/customers), both ADs must
agree on a consistent traffic management traffic-management policy. If If, for example example,
AD-1 sources non congestion aware non-congestion-aware IP multicast traffic and AD-2
carries it as best effort best-effort traffic across links shared with other
Internet traffic and subject (subject to congestion, congestion), this will not work: Under under
congestion, some amount of that traffic will be dropped, often
rendering the remaining packets often as undecodeable undecodable garbage clogging up
the network in AD-2 and AD-2; because this traffic is not congestion aware,
the loss does not reduce this rate. Competing traffic will not get
their fair share under congestion, and EUs will be frusted frustrated by the
extremely bad quality of both their IP multicast traffic and other (e.g.:
(e.g., TCP) traffic. Note that this is not an IP multicast
technology issue, issue but is solely a
transport/application layer transport-layer / application-layer
issue: The the problem would equally just as likely happen if AD-1 would were to send non-rate adaptive
non-rate-adaptive unicast traffic,, traffic -- for example example, legacy IPTV
video-on-demand traffic traffic, which typically is typically also non
congestion non-congestion
aware. Because Note that because rate adaption adaptation in IP unicast video is
commonplace today because due to the availability of ABR (Adaptive Bitrate Video), Bitrate)
video, it is very unlikely for that this to will happen though in reality with IP
unicast.

While the rules for traffic management apply whether or not IP multicast is
tunneled or not, the one feature that can make AMT tunnels more
difficult is the unpredictability of bandwidth requirements across
underlying links because of the way they can be used: With with native IP
multicast or GRE tunnels, the amount of bandwidth depends on the
amount of content, content -- not the number of EUs - -- and is therefore easier
to plan for. AMT tunnels terminating in EU/G the EU/G, on the other hand hand,
scale with the number of EUs. In the vicinity of the AMT relay relay, they
can introduce a very large amount of replicated
traffic traffic, and it is
not always feasible to provision enough bandwidth for all possible EU
EUs to get the highest quality for all their content during peak
utilization in such setups - -- unless the AMT relays are very close to
the EU edge. Therefore Therefore, it is also recommended to use that IP multicast
rate adaptation be used, even inside controlled networks networks, when using
AMT tunnels directly to the EU/G.

Note that rate-adaptive IP multicast traffic in general does not mean
that the sender is reducing the bitrate, bitrate but rather that the EUs that
experience congestion are joining to a lower bitrate lower-bitrate (S,G) stream of
the content, similar to adaptive bitrate ABR streaming over TCP.
Migration Therefore, migration
from non rate-adaptive a non-rate-adaptive bitrate to rate adaptive a rate-adaptive bitrate in IP
multicast does therefore will also change the dynamic (S,G) join behavior in the network
network, resulting in potentially higher performance
requirement requirements for
IP multicast protocols (IGMP/PIM), especially on the last hops where
dynamic changes occur (including AMT gateway/relays):
In non rate-adaptive gateways/relays): in non-rate-
adaptive IP multicast, only "channel change" causes state change, but
in rate-adaptive also the multicast, congestion situation also causes state change.

Even though not fully specified in this document, peerings that rely
on GRE/AMT tunnels may be across one or more transit ADs instead of
an exclusive (non-shared, L1/L2) path. Unless those transit ADs are
explicitly contracted to provide other than "best effort" transit for
the tunneled traffic, the tunneled IP multicast traffic tunneled must be
rate adaptive in order to not violate BCP41 BCP 41 across those
transit ADs.

4.2. Routing Aspects and Related Guidelines

The main objective for multicast delivery routing is to ensure that
the End User EU receives the multicast stream from the "most optimal" source [INF_ATIS_10]
[INF_ATIS_10], which typically:

o Maximizes the multicast portion of the transport and minimizes any
unicast portion of the delivery, and

o Minimizes the overall combined network(s) route distance. distance of the network(s).

This routing objective applies to both Native native multicast and AMT; the
actual methodology of the solution will be different for each.
Regardless, the routing solution is expected: expected to:

o To be Be scalable,

o To avoid Avoid or minimize new protocol development or modifications, and

o To be Be robust enough to achieve high reliability and to automatically
adjust to changes and problems in the multicast infrastructure.

For both Native native and AMT environments, having a source as close as
possible to the EU network is most desirable; therefore, in some
cases, an AD may prefer to have multiple sources near different
peering points. However, that is entirely an implementation issue.

4.2.1. Native Multicast Routing Aspects

Native multicast simply requires that the Administrative Domains administrative domains
coordinate and advertise the correct source address(es) at their
network interconnection peering points(i.e., border routers). points (i.e., BRs). An example of
multicast delivery via a Native Multicast native multicast process across two Administrative Domains
administrative domains is as follows follows, assuming that the
interconnecting peering points are also multicast enabled:

o Appropriate information is obtained by the EU client client, who is a
subscriber to AD-2 (see Use Case 3.1). This information is in the
form of metadata metadata, and it contains instructions directing the EU
client to launch an appropriate application if necessary, as well
as additional information for the application about the source
location and the group (or stream) id ID in the form of the "S,G" (S,G) data.
The "S" portion provides the name or IP address of the source of
the multicast stream. The metadata may also contain alternate
delivery information information, such as specifying the unicast address of
the stream.

o The client uses the join message with S,G (S,G) to join the multicast
stream [RFC4604]. To facilitate this process, the two AD's ADs need to
do the following:

* Advertise the source id(s) ID(s) over the Peering Points.

o peering points.

* Exchange such relevant Peering Point peering point information such as Capacity capacity
and Utilization.

o utilization.

* Implement compatible multicast protocols to ensure proper
multicast delivery across the peering points.

4.2.2. GRE Tunnel over Interconnecting Peering Point

If the interconnecting peering point is not multicast enabled and
both AD's ADs are multicast enabled, then a simple solution is to
provision a GRE tunnel between the two AD's - ADs; see Use Case 3.2.2. 3.2
(Section 3.2). The termination points of the tunnel will usually be
a network engineering decision, decision but generally will be between the border
routers BRs
or even between the AD 2 border router AD-2 BR and the AD 1 AD-1 source (or source access
router). The GRE tunnel would allow end-to-end native multicast or
AMT multicast to traverse the interface. Coordination and
advertisement of the source IP is are still required.

The two AD's ADs need to follow the same process as the process described
in Section 4.2.1 to facilitate multicast delivery across the Peering Points. peering
points.

4.2.3. Routing Aspects with AMT Tunnels

Unlike Native Multicast native multicast (with or without GRE), an AMT Multicast multicast
environment is more complex. It presents a dual layered two-layered problem
because
in that there are two criteria that should be simultaneously met:

o Find the closest AMT relay to the end-user EU that also has multicast
connectivity to the content source, and

o Minimize the AMT unicast tunnel distance.

There are essentially two components to in the AMT specification specification:

AMT Relays: relays: These serve the purpose of tunneling UDP multicast
traffic to the receivers (i.e., End-Points). endpoints). The AMT Relay relay will
receive the traffic natively from the multicast media source and
will replicate the stream on behalf of the downstream AMT
Gateways,
gateways, encapsulating the multicast packets into unicast packets
and sending them over the tunnel toward the AMT Gateway. gateways. In
addition, the AMT Relay relay may perform collect various usage and activity
statistics collection.
statistics. This results in moving the replication point closer
to the end user, EU and cuts down on traffic across the network. Thus, the
linear costs of adding unicast subscribers can be avoided.
However, unicast replication is still required for each requesting End-Point
endpoint within the unicast-only network.

AMT Gateway (GW): gateway: The Gateway gateway will reside on an End-Point - endpoint; this could be
any type of IP host host, such as a Personal Computer (PC), mobile
phone, Set Top Set-Top Box (STB) (STB), or appliances. The AMT Gateway gateway receives
join and leave requests from the Application application via an Application
Programming Interface (API). In this manner, the
Gateway gateway allows
the End-Point endpoint to conduct itself as a true Multicast
End-Point. multicast endpoint. The
AMT Gateway gateway will encapsulate AMT messages into UDP packets and
send them through a tunnel (across the unicast-only
infrastructure) to the AMT Relay. relay.

The simplest AMT Use Case (section use case (Section 3.3) involves peering points that
are not multicast enabled between two multicast enabled AD's. multicast-enabled ADs. An
AMT tunnel is deployed between an AMT Relay relay on the AD 1 AD-1 side of the
peering point and an AMT Gateway gateway on the AD 2 AD-2 side of the peering
point. One advantage to of this arrangement is that the tunnel is
established on an as needed as-needed basis and need not be a provisioned
element. The two AD's ADs can coordinate and advertise special AMT Relay
Anycast relay
anycast addresses with with, and to, each other. Alternately, they may
decide to simply provision Relay relay addresses, though this would not be
an optimal solution in terms of scalability.

Use Cases 3.4 and 3.5 describe more complicated AMT situations that are more
complicated, as AD-2 is not multicast enabled. For enabled in these two cases.
For these cases, the End User EU device needs to be able to setup set up an AMT
tunnel in the most optimal manner. There are many methods by which
relay selection can be done done, including the use of DNS based DNS-based queries
and static lookup tables [RFC7450]. The choice of the method is
implementation dependent and is up to the network operators.
Comparison of various methods is out of scope for this document; it document and
is left for further study.

An illustrative example of a relay selection based on DNS queries and
Anycast as
part of an anycast IP addresses address process is described here for Use
Cases 3.4 and 3.5 is described
here. (Sections 3.4 and 3.5). Using an Anycast anycast
IP address for AMT Relays relays allows for all AMT
Gateways gateways to find the
"closest" AMT Relay - relay -- the nearest edge of the multicast topology of
the source. Note that this is strictly illustrative; the choice of
the method is up to the network operators. The basic process is as
follows:

o Appropriate metadata is obtained by the EU client application.
The metadata contains instructions directing the EU client to an
ordered list of particular destinations to seek the requested
stream and, for multicast, specifies the source location and the
group (or stream) ID in the form of the "S,G" (S,G) data. The "S" portion
provides the URI (name or IP address) of the source of the
multicast stream stream, and the "G" identifies the particular stream
originated by that source. The metadata may also contain
alternate delivery information such as the address of the unicast
form of the content to be used, used -- for example, if the multicast
stream becomes unavailable.

o Using the information from the metadata, and possibly metadata and, possibly, information
provisioned directly in the EU client, a DNS query is initiated in
order to connect the EU client/AMT Gateway client / AMT gateway to an AMT Relay. relay.

o Query results are obtained, obtained and may return an Anycast anycast address or a
specific unicast address of a relay. Multiple relays will
typically exist. The Anycast anycast address is a routable "pseudo-
address"
"pseudo-address" shared among the relays that can gain multicast
access to the source.

o If a specific IP address unique to a relay was not obtained, the
AMT Gateway gateway then sends a message (e.g., the discovery message) to
the Anycast anycast address such that the network is making the routing
choice of a particular relay - relay, e.g., closest the relay that is closest to
the EU. Details are outside the scope for of this document. See
[RFC4786].

o The contacted AMT Relay relay then returns its specific unicast IP
address (after which the Anycast anycast address is no longer required).
Variations may exist as well.

o The AMT Gateway gateway uses that unicast IP address to initiate a three-
way
three-way handshake with the AMT Relay. relay.

o The AMT Gateway gateway provides "S,G" the (S,G) information to the AMT Relay relay
(embedded in AMT protocol messages).

o The AMT Relay relay receives the "S,G" (S,G) information and uses the S,G it to join
the appropriate multicast stream, if it has not already subscribed
to that stream.

o The AMT Relay relay encapsulates the multicast stream into the tunnel
between the Relay relay and the Gateway, gateway, providing the requested content
to the EU.

4.2.4. Public Peering Routing Aspects

Figure 6 shows an example of a broadcast peering point.

AD-1a AD-1b
BR BR
| |
--+-+---------------+-+-- broadcast peering point LAN
| |
BR BR
AD-2a AD-2b

Figure 6: Broadcast Peering Point
A broadcast peering point is an L2 subnet connecting 3 three or more
ADs. It is common in IXPs and usually consists of ethernet Ethernet
switch(es) operated by the IXP connecting to BRs operated by the ADs.

In an example setup domain domain, AD-2a peers with AD-1a and wants to
receive IP multicast from it. Likewise Likewise, AD-2b peers with AD-1b and
wants to receive IP multicast from it.

Assume that one or more IP multicast (S,G) traffic streams can be
served by both AD-1a and AD-1b, AD-1b -- for example example, because both AD-1a and
AD-1b do
contract contact this content from the same content source.

In this case, AD-2a and AD-2b can not no longer control anymore which upstream
domain,
domain -- AD-1a or AD-1b -- will forward this (S,G) into the LAN.
The AD-2a BR requests the (S,G) from the AD-1a BR BR, and the AD-2b BR
requests the same (S,G) from the AD-1b BR. To avoid duplicate
packets, an (S,G) can be forwarded by only one router onto the LAN, and PIM-SM/PIM-SSM LAN;
PIM-SM / PIM-SSM detects requests for duplicate transmission transmissions and resolve it
resolves them via the so-called "assert" protocol operation operation, which
results in only one BR forwarding the traffic. Assume that this is
the AD-1a BR. AD-2b will then receive the unexpected multicast traffic unexpectedly
from a provider with whom it does not have a mutual agreement for the
that traffic. Quality issues in EUs behind AD-2b caused by AD-1a
will cause a lot of responsiblity issues related to responsibility and
troubleshooting issues.
troubleshooting.

In face light of this these technical issues, we describe describe, via the following options
options, how IP multicast can be carried across broadcast peering
point LANs:

1. IP multicast is tunneled across the LAN. Any of the GRE/AMT
tunneling solutions mentioned in this document are applicable.
This is the one case where specifically a GRE tunnel between the upstream BR (e.g.:
(e.g., AD-1a) and downstream BR (e.g.: (e.g., AD-2a) is
recommended specifically
recommended, as opposed to tunneling across uBRs which (which are not
the actual BRs. BRs).

2. The LAN has only one upstream AD that is sourcing IP multicast multicast,
and native IP multicast is used. This is an efficient way to
distribute the same IP multicast content to multiple downstream
ADs. Misbehaving downstream BRs can still disrupt the delivery
of IP multicast from the upstream BR to other downstream BRs,
therefore BRs;
therefore, strict rules must be follow followed to prohibit that such a case.
The downstream BRs must ensure that they will always consider
only the upstream BR as a source for multicast traffic: e.g.: e.g., no
BGP SAFI-2 peerings between the downstream ADs across the peering
point LAN, so that only the upstream BR is the only possible
next-hop next hop
reachable across this LAN. And Also, routing policies can be
configured to avoid fall falling back to the use of using SAFI-1 (unicast) routes
for IP multicast if unicast BGP peering is not limited in the
same way.

3. The LAN has multiple upstreams, upstream ADs, but they are federated and
agree on a consistent policy for IP multicast traffic across the
LAN. One policy is that each possible source is only announced
by one upstream BR. Another policy is that sources are
redundantly announced (problematic (the problematic case mentioned in above example), the
example in Figure 6 above), but the upstream domains also provide
mutual operational insight to help with troubleshooting (outside
the scope of this document).

4.3. Back Office Back-Office Functions - Provisioning and Logging Guidelines

Back Office

"Back office" refers to the following:

o Servers and Content Management content-management systems that support the delivery
of applications via multicast and interactions between AD's. ADs.

o Functionality associated with logging, reporting, ordering,
provisioning, maintenance, service assurance, settlement, etc.

4.3.1. Provisioning Guidelines

Resources for basic connectivity between AD's Providers ADs' providers need to be
provisioned as follows:

o Sufficient capacity must be provisioned to support multicast-based
delivery across AD's. ADs.

o Sufficient capacity must be provisioned for connectivity between
all supporting back-offices back offices of the AD's ADs as appropriate. This
includes activating proper security treatment for these back-
office
back-office connections (gateways, firewalls, etc) etc.) as
appropriate.

o Routing protocols as needed, e.g. configuring routers to support
these.

Provisioning aspects related to Multicast-Based multicast-based inter-domain delivery
are as follows.

The ability to receive a requested application via multicast is
triggered via receipt of the necessary metadata. Hence, this
metadata must be provided to the EU regarding the multicast URL - --
and unicast fallback if applicable. AD-2 must enable the delivery of
this metadata to the EU and provision appropriate resources for this
purpose.

Native

It is assumed that native multicast functionality is assumed to be available across
many ISP backbones, peering points, and access networks. If,
however, native multicast is not an option (Use Cases 3.4 and 3.5),
then:

o The EU must have a multicast client to use AMT multicast obtained either
from Application Source either (1) the application source (per agreement with AD-1)
or from (2) AD-1 or AD-2 (if delegated by the Application Source). application source).

o If provided by AD-1/AD-2, AD-1 or AD-2, then the EU could be redirected to a
client download site (note: this site. (Note: This could be an Application Source
site). application source
site.) If provided by the Application Source, application source, then this Source source
would have to coordinate with AD-1 to ensure that the proper
client is provided (assuming multiple possible clients).

o Where AMT Gateways gateways support different application sets, all AD-2
AMT Relays relays need to be provisioned with all source & and group
addresses for streams it is allowed to join.

o DNS across each AD must be provisioned to enable a client GW gateway
to locate the optimal AMT Relay (i.e. relay (i.e., longest multicast path and
shortest unicast tunnel) with connectivity to the content's
multicast source.

Provisioning Aspects Related aspects related to Operations operations and Customer Care customer care are
stated as
follows.

Each AD provider

It is assumed to that each AD provider will provision operations and
customer care access to their own systems.

AD-1's operations and customer care functions must have visibility be able to see
enough of what is happening in AD-2's network or to in the service
provided by AD-
2, sufficient AD-2 to verify their mutual goals and operations, e.g. e.g.,
to know how the EU's EUs are being served. This can be done in two ways:

o Automated interfaces are built between AD-1 and AD-2 such that
operations and customer care continue using their own systems.
This requires coordination between the two AD's ADs, with appropriate
provisioning of necessary resources.

o AD-1's operations and customer care personnel are provided direct
access
directly to AD-2's system. systems. In this scenario, additional
provisioning in these systems will be needed to provide necessary
access. Additional provisioning must be agreed to by the The two AD's ADs must agree on additional provisioning to
support this option.

4.3.2. Interdomain Inter-domain Authentication Guidelines

All interactions between pairs of AD's ADs can be discovered and/or be
associated with the account(s) utilized for delivered applications.
Supporting guidelines are as follows:

o A unique identifier is recommended to designate each master
account.

o AD-2 is expected to set up "accounts" (logical (a logical facility
generally protected by credentials such as login passwords) for
use by AD-1. Multiple accounts accounts, and multiple types or partitions
of accounts accounts, can apply, e.g. e.g., customer accounts, security accounts, etc.
accounts.

The reason to specifically mention the need for AD-1 to initiate
interactions with AD-2 (and use some account for that), as opposed to
the opposite direction opposite, is based on the recommended workflow initiated by
customers (see Section 4.4): The the customer contacts the content source
(part
source, which is part of AD-1), when AD-1. Consequently, if AD-1 sees the need
to propagate escalate the issue, issue to AD-2, it will interact with AD-2 using the
aforementioned guidelines.

4.3.3. Log Management Log-Management Guidelines

Successful delivery (in terms of user experience) of applications or
content via multicast between pairs of interconnecting AD's ADs can be
improved through the ability to exchange appropriate logs for various
workflows - -- troubleshooting, accounting and billing, optimization of
traffic and content transmission optimization, transmission, optimization of content and
application
development optimization development, and so on.

The basic model as explained in before is that the content source and
on its behalf

Specifically, AD-1 take over primary responsibility for customer
experience and on behalf of the AD-2's content source, with support this. from AD-2 as
needed. The application/content owner is the only participant who has
has, and needs needs, full insight into the application level and can map
the customer application experience to the network traffic flows - which it then --
which, with the help of AD-2 or logs from AD-2 AD-2, it can then analyze
and interpret.

The main difference between unicast delivery and multicast delivery
is that the content source can infer a lot more about downstream
network problems from a unicasted unicast stream than from a multicasted multicast stream: The multicasted
the multicast stream is not per-EU per EU, except after the last
replication, which is in most cases not in AD-1. Logs from the
application, including the receiver side at the EU, can provide
insight,
insight but can not cannot help to fully isolate network problems because of
the IP multicast per-application operational state built across AD-1
and AD-2 (aka: (aka the (S,G) state and any other feature operational
state operational-state
features, such as DiffServ Diffserv QoS).

See Section 7 for more discussions about discussion regarding the privacy
considerations of the model described here.

Different type types of logs are known to help support operations in AD-1
when provided by AD-2. This could be done as part of AD-1/AD-2
contracts. Note that except for implied multicast specific multicast-specific elements,
the options listed here are not unique or novel for IP multicast, but
they are more important for services novel to the operators than for
operationally well established well-established services (such as unicast). Therefore
we We
therefore detail them as follows:

o Usage information logs at an aggregate level.

o Usage failure instances at an aggregate level.

o Grouped or sequenced application access. access: performance, behavior behavior,
and failure at an aggregate level to support potential Application
Provider-driven
application-provider-driven strategies. Examples of aggregate
levels include grouped video clips, web pages, and sets of software download. software-
download sets.

o Security logs, aggregated or summarized according to agreement
(with additional detail potentially provided during security
events, by agreement).

o Access logs (EU), when needed for troubleshooting.

o Application logs (what ("What is the application doing), doing?"), when needed
for shared troubleshooting.

o Syslogs (network management), when needed for shared
troubleshooting.

The two AD's ADs may supply additional security logs to each other other, as
agreed to by upon in contract(s). Examples include the following:

o Information related to general security-relevant activity activity, which
may be of use from a protective protection or response perspective, such as perspective: types and
counts of attacks detected, related source information, related
target information, etc.

o Aggregated or summarized logs according to agreement (with
additional detail potentially provided during security events, by
agreement).

4.4. Operations - Service Performance and Monitoring Guidelines

Service Performance

"Service performance" refers to monitoring metrics related to
multicast delivery via probes. The focus is on the service provided
by AD-2 to AD-1 on behalf of all multicast application sources
(metrics may be specified for SLA use or otherwise). Associated
guidelines are as follows:

o Both AD's ADs are expected to monitor, collect, and analyze service
performance metrics for multicast applications. AD-2 provides
relevant performance information to AD-1; this enables AD-1 to
create an end-to-end performance view on behalf of the multicast
application source.

o Both AD's ADs are expected to agree on the type types of probes to be used
to monitor multicast delivery performance. For example, AD-2 may
permit AD-1's probes to be utilized in the AD-2 multicast service
footprint. Alternately, AD-2 may deploy its own probes and relay
performance information back to AD-1.

Service Monitoring

"Service monitoring" generally refers to a service (as a whole)
provided on behalf of a particular multicast application source
provider. It thus involves complaints from End Users EUs when service problems
occur. EUs direct their complaints to the source provider;
in turn the
source provider in turn submits these complaints to AD-1. The
responsibility for service delivery lies with AD-1; as such such, AD-1
will need to determine where the service problem is occurring - -- in
its own network or in AD-2. It is expected that each AD will have
tools to monitor multicast service status in its own network.

o Both AD's ADs will determine how best to deploy multicast service
monitoring tools. Typically, each AD will deploy its own set of
monitoring tools; tools, in which case, case both AD's ADs are expected to inform
each other when multicast delivery problems are detected.

o AD-2 may experience some problems in its network. For example,
for the AMT Use Cases, use cases (Sections 3.3, 3.4, and 3.5), one or more
AMT Relays relays may be experiencing difficulties. AD-2 may be able to
fix the problem by rerouting the multicast streams via alternate
AMT Relays. relays. If the fix is not successful and multicast service
delivery degrades, then AD-2 needs to report the issue to AD-1.

o When a problem notification is received from a multicast
application source, AD-1 determines whether the cause of the
problem is within its own network or within the AD-2 domain. AD-2. If the cause is
within
the AD-2 domain, AD-2, then AD-1 supplies all necessary information to AD-2.
Examples of supporting information include the following:

o Kind

* Kind(s) of problem(s).

* Starting point & and duration of problem(s).

* Conditions in which problem(s) one or more problems occur.

* IP address blocks of affected users.

* ISPs of affected users.

* Type of access access, e.g., mobile versus desktop.

* Network locations of affected EUs.

o Both AD's ADs conduct some form of root cause root-cause analysis for multicast
service delivery problems. Examples of various factors for
consideration include:

* Verification that the service configuration matches the product
features.

* Correlation and consolidation of the various customer problems
and resource troubles into a single root service root-service problem.

* Prioritization of currently open service problems, giving
consideration to problem impact, service level agreement, impacts, SLAs, etc.

o Conduction of

* Conducting service tests, including one time tests performed once or a
series of tests over a period of time.

* Analysis of test results.

* Analysis of relevant network fault or performance data.

* Analysis of the problem information provided by the customer
(CP). customer.

o Once the cause of the problem has been determined and the problem
has been fixed, both AD's ADs need to work jointly to verify and
validate the success of the fix.

4.5. Client Reliability Models/Service Models / Service Assurance Guidelines

There are multiple options for instituting reliability architectures,
most architectures.
Most are at the application level. Both AD's ADs should work those these
options out
with per their contract or agreement and also with the
multicast application source providers.

Network reliability can also be enhanced by the two AD's by
provisioning ADs if they
provision alternate delivery mechanisms via unicast means.

4.6. Application Accounting Guidelines

Application level

Application-level accounting needs to be handled differently in the
application than in IP unicast unicast, because the source side does not
directly deliver packets to individual receivers. Instead, this
needs to be signalled signaled back by the receiver to the source.

For network transport diagnostics, AD-1 and AD-2 should have
mechanisms in place to ensure proper accounting for the volume of
bytes delivered through the peering point and separately and, separately, the number
of bytes delivered to EUs.

5. Troubleshooting and Diagnostics

Any service provider supporting multicast delivery of content should
have the capability
be able to collect diagnostics as part of multicast troubleshooting
practices and resolve network issues accordingly. Issues may become
apparent or identified either identifiable through either (1) network monitoring
functions or by customer reported (2) problems reported by customers, as described in
section
Section 4.4.

It is recommended that multicast diagnostics will be performed performed, leveraging
established operational practices such as those documented in [MDH-04].
[MDH-05]. However, given that inter-domain multicast creates a
significant interdependence of proper networking functionality
between providers providers, there does exist exists a need for providers to be able to
signal (or otherwise alert) each other if there are any issues noted
by either one.

Service

For troubleshooting purposes, service providers may also wish to
allow limited read-only administrative access to their routers to
their AD peers for
troubleshooting. Of specific interest are access peers. Access to active troubleshooting tools -- especially
[Traceroute] and
[I-D.ietf-mboned-mtrace-v2]. the tools discussed in [Mtrace-v2] -- is of specific
interest.

Another option is to include this functionality into in the IP multicast
receiver application on the EU device and allow for these diagnostics to
be remotely used by support operations. Note though Note, though, that AMT
does not allow to pass the passing of traceroute or mtrace requests, therefore requests;
therefore, troubleshooting in the presence of AMT does not work as
well end-to- end to end as it can with native (or even GRE encapsulated) GRE-encapsulated) IP
multicast, especially wrt. with regard to traceroute and mtrace. Instead,
troubleshooting directly on the actual network devices is then more
likely necessary.

The specifics of the notification notifications and alerts are beyond the scope of
this document, but general guidelines are similar to those described
in section 4.4 (Service Performance and Monitoring). Section 4.4. Some general communications issues are stated as follows.

o Appropriate communications channels will be established between
the customer service and operations groups from both AD's ADs to
facilitate information sharing information-sharing related to diagnostic
troubleshooting.

o A default resolution period may be considered to resolve open
issues. Alternately, mutually acceptable resolution periods could
be established established, depending on the severity of the identified
trouble.

6. Security Considerations

6.1. DoS attacks Attacks (against state State and bandwidth) Bandwidth)

Reliable operations of IP multicast requires operations require some basic protection
against DoS (Denial of Service) attacks.

SSM IP multicast is self protecting self-protecting against attacks from illicit
sources. Their
sources; such traffic will not be forwarded beyond the first hop
router first-hop
router, because that would require (S,G) memership membership reports from the
receiver. Traffic Only valid traffic from sources will only be forwarded from the valid
source forwarded, because
RPF ("Reverse Path Forwarding") is part of the protocols. One can
say that [BCP38] style protection against spoofed source traffic performed in the
style of [BCP38] is therefore built into PIM-SM/PIM-SSM. PIM-SM / PIM-SSM.

Receivers can attack SSM IP multicast by originating such (S,G)
membership reports. This can result in a DoS attack against state
through the creation of a large number of (S,G) states that create
high control plane control-plane load or even inhibit the later creation of a valid
(S,G). In conjunction with collaborating illicit sources sources, it can
also result in illicit sources the forwarding of traffic being forwarded. from illicit sources.

Today, these type types of attacks are usually mitigated by explicitly
defining the set of permissible (S,G) on e.g.: on, for example, the last hop last-hop
routers in replicating IP multicast to EUs; For example EUs (e.g., via (S,G) Access
Control Lists access
control lists applied to IGMP/MLD membership state creation. creation). Each
AD (say, "ADi") is expected to prohibit (S,G) state creation for invalid know what sources
inside located in ADi are
permitted to send and what their own valid (S,G)s are. ADi can therefore
also filter invalid (S,G)s for any "S" located inside ADi, but not
sources located in another AD.

In the peering case, AD-2 is without further information information, AD-2 is not aware
of the set of valid (S,G) from AD-1, so this set needs to be
communicated via operational procedures from AD-1 to AD-2 to provide
protection against this type of DoS attacks. attack. Future work could signal
this information in an automated way: BGP extensions, DNS
Resource Records resource
records, or backend automation between AD-1 and AD-2. Backend
automation is is, in the short term term, the most viable solution because it solution: unlike
BGP extensions or DNS resource records, backend automation does not
require router software extensions like the other two. extensions. Observation of traffic flowing
via (S,G) state could also be used to automate the recognition of
invalid (S,G) state created by receivers in the absence of explicit
information from AD-1.

The second type of DoS attack through (S,G) membership reports is exists
when
receivers create the attacking receiver creates too much valid (S,G) state to attack and
the traffic carried by these (S,G)s congests bandwidth
available to on links
shared with other EU. EUs. Consider the uplink into to a last-hop-router last-hop router
connecting to 100 EU. EUs. If one EU joins to more multicast content
than what fits into this link, then this would impact also impact the
quality of the same content for the other 99 EU. EUs. If traffic is not
rate adaptive, the effects are even worse.

The mitigation technique is the same as what is often employed for
unicast:
Policing policing of the per-EU total amont amount of traffic. Unlike unicast
unicast, though, this can not cannot be done anywhere along the path (e.g.: (e.g.,
on an arbitrary bottleneck link), but link); it has to happen at the point of
last replication to the different EU. Simple solutions such as
limiting the maximum number of joined (S,G) (S,G)s per EU are readily available,
available; solutions that consider bandwidth take consumed exist bandwidth into account are
available as vendor specific
feature vendor-specific features in routers. Note that this is
primarily a non-peering issue in AD-2, AD-2; it only becomes a peering
issue if the peering-link peering link itself is not big enough to carry all
possible content from AD-1 or or, as in case
3.4 where Use Case 3.4, when the AMT relay
in AD-1 is that last replication point.

Limiting the amount of (S,G) state per EU is also a good first
measure to prohibit too much undesired "empty" state to be from being built
(state not carrying traffic), but it would not suffice in the case of
DDoS attack - attacks, e.g., viruses that impact a large number of EU devices.

6.2. Content Security

Content confidentiality, DRM (Digital Restrictions Rights Management),
authentication
authentication, and authorization are optional optional, based on the content
delivered. For content that is "FTA" (Free To Air), the following
considerations can be ignored ignored, and content can be sent unencrypted
and without EU authentication and authorization. Note though Note, though, that
the mechanisms described here may also be desireable by desirable for the
application source to better track users even if the content itself
would not require it.

For interdomain inter-domain content, there are at least two models for content
confidentiality, including (1) DRM authentication and authorization
and end-user (2) EU authentication and authorization:

o In the classical (IP)TV model, responsibility is per-domain per domain, and
content is and can be passed on unencrypted. AD-1 delivers
content to AD-2, AD-2; AD-2 can further process the content content, including
features like
ad-insertion ad insertion, and AD-2 is the sole point of contact
regarding the contact for its EUs. In this document, we do not
consider this case because it typically involves higher than network layer service aspects
operated by AD-2 and that are higher than the network layer; this
document focusses focuses on the network
layer network-layer AD-1/AD-2 peering case, case but
not the application layer application-layer peering case. Nevertheless, this model
can be derived through additional work from beyond what is describe described
here.

o The other case model is the one in which content confidentiality, DRM, end-
user authentication
EU authentication, and EU authorization are end-to-end: end to end:
responsibilities of the multicast application source provider and
receiver application. This is the model assumed here. It is also
the model used in Internet OTT "Over the Top" (OTT) video delivery. We
Below, we discuss the
threads threats incurred in this model due to the
use of IP multicast in AD-
1/AD-2 AD-1 or AD-2 and across the peering. peering point.

End-to-end encryption enables end-to-end EU authentication and
authorization: The the EU may be able to IGMP/MLD join (via IGMP/MLD) and receive
the content, but it can only decrypt it when it receives the
decryption key from the content source in AD-1. The key is the
authorization. Keeping that key to itself and prohibiting playout of
the decrypted content to non-copy-protected interfaces are typical
DRM features in that receiver application or EU device operating
system.

End-to-end ecnryption encryption is continuously attacked. Keys may be subject
to brute force attack brute-force attacks so that content can potentially be decrypted potentially
later, or keys are extracted from the EU application/device and
shared with other unauthenticated receivers. One important class of
content is where the value is in live consumption, such as sports or
other event (concert) (e.g., concert) streaming. Extraction of keying material
from compromised authenticated EU EUs and sharing with unauthenticated EU is
EUs are not sufficient. It is also necessary for those
unauthenticated EUs to get a streaming copy of the content itself.
In unicast streaming, they can not cannot get such a copy from the content
source (because they
can not authenticate) and cannot authenticate), and, because of asymmetric
bandwidths, it is often impossible to get the content from
compromised EUs to a large number of unauthenticated EUs. EUs behind
classical 16 "16 Mbps down, 1 Mbps up up" ADSL links are the best example.
With increasing broadband access speeds speeds, unicast peer-to-peer copying
of content becomes easier, but it likely will always be easily
detectable by the ADs because of its traffic patterns and volume.

When IP multicast is being used without additionals additional security, AD-2 is
not aware of which EU is authenticated for which content. Any
unauthenticated EU in AD-2 could therefore get a copy of the
encrypted content without triggering suspicion by on the part of AD-2 or
AD-1 and then either live-
deode it (1) live-decode it, in the presence of the
compromised authenticated EU and key
sharing, key-sharing or later (2) decrypt it later,
in the presence of federated brute force
key cracking. brute-force key-cracking.

To mitigate this issue, the last replication point that is creating
(S,G) copies to EUs would need to permit those copies only after
authentication of the EUs. This would establish the same
authenticated
EU only "EU only" copy deliver thast that is used in unicast.

Schemes for per EU per-EU IP multicast authentication/authorization (and in
result non-delivery/copying (and, as
a result, non-delivery or copying of per-content IP multicast
traffic) have been built in the past and are deployed in service
providers for
intradomain intra-domain IPTV services, but no standard standards exist for
this. For example, there is no standardized radius RADIUS attribute for
authenticating the IGMP/MLD filter set, but such implementations of this
exist. The authors of this document are specifically also not aware
of schemes where the same authentication credentials used to get the
encryption key from the content source could also be used to
authenticate and authorize the
network layer network-layer IP multicast replication
for the content. Such schemes are technically not difficult to build
and would avoid creating and maintaining a separate network forwarding authentication/
authorization
traffic-forwarding authentication/authorization scheme decoupled from
the end-to-end authentication/
authorization authentication/authorization system of the
application.

If delivery of such high value high-value content in conjunction with the
peering described here is desired, the short term short-term recommendations are
for sources to clearly isolate the source and group addresses used
for different content bundles, communicate those (S,G) patterns from
AD-1 to the AD-2 AD-2, and let AD-2 leverage existing per-EU authentication/
authorization mechanisms in network devices to establish filters for
(S,G) sets to each EU.

6.3. Peering Encryption

Encryption at peering points for multicast delivery may be used per
agreement between AD-1/AD-2. AD-1 and AD-2.

In the case of a private peering link, IP multicast does not have
attack vectors on a peering link different from those of IP unicast,
but the content owner may have defined high bars strict constraints against
unauthenticated copying of even the end-to-end encrypted content, and content; in
this case AD-1/AD-2 case, AD-1 and AD-2 can agree on additional transport encryption
across that peering link. In the case of a broadcast peering
connection (e.g.: (e.g., IXP), transport encryption is also again the easiest way
to prohibit unauthenticated copies by other ADs on the same peering
point.

If peering is across a tunnel going across that spans intermittent transit ADs
(not discused discussed in detail in this document), then encryption of that
tunnel traffic is recommended. It not only prohibits possible
"leakage" of content, content but also to protects the the information regarding what
content is being consumed in AD-2 (aggregated privacy protection).

See the following subsection Section 6.4 for reasons why the peering point may also need to be
encrypted for operational reasons.

6.4. Operational Aspects

Section 4.3.3 discusses the exchange of log information, this section
discussed exchange of (S,G) information and
Section 7 discusses
exhange the exchange of program information. All these
operational pieces of data should by default be exchanged via
authenticated and encrypted peer-
to-peer peer-to-peer communication protocols
between AD-1 and AD-2 so that only the intended recipient recipients in the peers
peers' AD have access to it. Even exposure of the least sensitive
information to third parties opens up attack vectors. Putting for example valid
(S,G) information information, for example, into DNS (as opposed to passing it
via secured channels from AD-1 to AD-2) to allow easier filtering of
invalid (S,G) information would also allow attackers to
easier more easily
identify valid (S,G) information and change their attack vector.

From the perspective of the ADs, security is most critical for the log information
information, as it provides operational insight into the originating AD,
AD but it also contains sensitive user data: data.

Sensitive user data exported from AD-2 to AD-1 as part of logs could
be as much as the equivalent of 5-tuple unicast traffic flow
accounting (but not more, e.g.: e.g., no application level application-level information).
As mentioned in Section 7, in unicast, AD-1 could capture these
traffic statistics itself because this is all about AD-1 originated traffic flows
(originated by AD-1) to EU receivers in AD-2, and operationally
passing it from AD-2 to AD-1 may be necessary when IP multicast is
used because of the replication happening taking place in AD-2.

Nevertheless, passing such traffic statistics inside AD-1 from a
capturing router to a backend system is likely less subject to third
party
third-party attacks then than passing it interdomain "inter-domain" from AD-2 to AD-1,
so more diligence needs to be applied to secure it.

If any protocols used for the operational information exchange of information are
not easily secured at the transport layer or higher (because of the
use of legacy products or protocols in the network), then AD-1 and
AD-2 can also consider to ensure ensuring that all operational data exchange goes exchanges
go across the same peering point as the traffic and use network layer network-layer
encryption of the peering point as (as discussed in before previously) to
protect it.

End-to-end authentication and authorization of EU EUs may involve some
kind of token authentication and is are done at the application layer layer,
independently of the two AD's. ADs. If there are problems related to the
failure of token authentication when end-users EUs are supported by AD-2, then
some means of validating proper working operation of the token authentication
process (e.g., back-end validating that backend servers querying the multicast
application source provider's token authentication server are
communicating properly) should be considered. Implementation details
are beyond the scope of this document.

Security Breach Mitigation Plan -

In the event of a security breach, the two AD's ADs are expected to have a
mitigation plan for shutting down the peering point and directing
multicast traffic over alternative peering points. It is also
expected that appropriate information will be shared for the purpose
of securing the identified breach.

7. Privacy Considerations

The described flow of information about content and the end-user EUs as described
in this document aims to maintain privacy:

AD-1 is operating on behalf of (or owns) the content source and is
therefore part of the content-consumption relationship with the end-
user. EU.
The privacy considerations between the EU and AD-1 are therefore in general (exception see below)
generally the same (with one exception; see below) as they would be
if no IP multicast was used, especially because for any privacy conscious
content, end-to-end encryption
can and should be used.

Interdomain used for any privacy-conscious content.

Information related to inter-domain multicast transport service related information is
provided to AD-1 by the AD-2 operators to AD-1. operators. AD-2 is not required to gain
additional insight into the user user's behavior through this process that
other than what it would not already have without the service collaboration
with AD-1
- AD-1, unless AD-1 and AD-2 agree on it and get approval from
the EU.

For example, if it is deemed beneficial for the EU to directly get support
directly from AD-2 AD-2, then it would in general generally be necessary for AD-2 to
be aware of the mapping between content and network (S,G) state so
that AD-2 knows which (S,G) to troubleshoot when the EU complains
about problems with a specific content. The degree to which this
dissemination is done by AD-1 explicitly to meet privacy expectations
of EUs is typically easy to assess by AD-1. Two simple examples: examples are
as follows:

o For a sports content bundle, every EU will happily click on the "i
"I approve that the content program information is shared with
your service provider" button, to ensure best service reliability reliability,
because
service conscious service-conscious AD-2 would likely also try to ensure
that high
value high-value content, such as the (S,G) for SuperBowl like content the Super Bowl,
would be the first to receive care in the case of network issues.

o If the content in question was one where content for which the EU expected
more privacy, the EU should prefer a content bundle that included
this content in a large variety of other content, have all content end-to-
end encrypted
end-to-end encrypted, and the not share programming information not be shared with AD-2
AD-2, to maximize privacy. Nevertheless, the privacy of the EU
against AD-2 observing traffic would still be lower than in the
equivalent setup using unicast, because in unicast, AD-2 could not
correlate which EUs are watching the same content and use that to
deduce the content. Note that even the setup in Section 3.4 3.4,
where AD-2 is not involved in IP multicast at all all, does not
provide privacy against this level of analysis by AD-2 AD-2, because
there is no transport layer transport-layer encryption in AMT and therefore AMT; therefore, AD-2 can
correlate by onpath on-path traffic analysis who is consuming the same
content from an AMT relay from both the (S,G) join messages in AMT
and the identical content segments (that where were replicated at the
AMT relay).

In summary: Because summary, because only content to be consumed by multiple EUs is
carried via IP multicast here, here and all of that content can be
end-to-end encrypted, the only IP multicast specific privacy consideration specific to IP
multicast is for AD-2 to know or reconstruct what content an EU is
consuming. For content for which this is undesirable, some form of
protections as explained above are possible, but ideally, the model of
described in Section 3.4 could be used in conjunction with future work
work, e.g., adding e.g.: dTLS
[RFC6347] Datagram Transport Layer Security (DTLS)
encryption [RFC6347] between the AMT relay and the EU.

Note that IP multicast by nature would permit the EU EU's privacy
against the countent content source operator because because, unlike unicast, the
content source does not natively know which EU is consuming which
content: In in all cases where AD-2 provides replication, only AD-2 does know
knows this directly. This document does not attempt to describe a
model that
does maintain maintains such a level of privacy against the content source but
source; rather, we describe a model that only protects against
exposure to intermediate parties, parties -- in this case case, AD-2.

8. IANA Considerations

No considerations identified in this document.

9. Acknowledgments

The authors would like to thank the following individuals for their
suggestions, comments, and corrections:

Mikael Abrahamsson

Hitoshi Asaeda

Dale Carder

Tim Chown

Leonard Giuliano

Jake Holland

Joel Jaeggli

Albert Manfredi

Stig Venaas

Henrik Levkowetz

10. Change log [RFC Editor: Please remove]

Please see discussion on mailing list for changes before -11.

-11: version in IESG review.

-12: XML'ified version of -11, committed solely to make rfcdiff
easier. XML versions hosted on https://www.github.com/toerless/
peering-bcp

-13:

o IESG feedback. Complete details in:
https://raw.githubusercontent.com/toerless/peering-bcp/master/11-
iesg-review-reply.txt

o Ben Campbell: Location information about EU (End User) is Network
Locatio information

o Ben Campbell: Added explanation of assumption to introduction that
traffic is sourced from AD-1 to (one or many) AD-2, mentioned that
sourcing from EU is out of scope.

o Introduction: moved up bullet points about exchanges and transit
to clean up flow of assumptions.

o Ben Campbell: Added picture for the GRE case, visualized tunnels
in all pictures.

o Ben Campbell: See 13-discus.txt on github for more details of
changes for this review.

o Alissia Cooper: Added more explanation for Log Management,
explained privacy context.

o Alissia Cooper: removed pre pre-RFC5378 disclaimer.

o Alissia Cooper: removed mentioning of potential mutual
compensation between domains if the other violates SLA.

o Mirja Kuehlewind: created section 4.1.1 to discuss congestion
control more detailled, adding reference to BCP145, removed stub
CC paragraphs from section 3.1 (principle applies to every section
3.x, and did not want to duplicate text between 3.x and 4.x).

o Mirja Kuehlewind: removed section 8 (conclusion). Text was not
very good,

This document does not important to hae conclusion, maybe bring back with
better text if strong interest.

o Introduced section about broadcast peering points because there
where too many places already where references to that case
existed (4.2.4).

o Introduced section about privact considerations because of comment
by Ben Campbell and Alissa Cooper.

o Rewrote security considerations and structured it into key
aspects: DoS attacks, content protection, peering point encryption
and operational aspects.

o Kathleen Moriarty: Added operational aspects to security section
(also for Alissia), e.g.: covering securing the exchange of
operational data between ADs.

o Spencer Dawkins: Various editorial fixes. Removed BCP38 text from
section 3, superceeded be explanation of PIM-SM RPF check to
provide equvialent security to BCP38 in security section 7.1).

o Eric Roscorla: (fixed from other reviews already).

o Adam Roach: Fixed up text about MDH-04, added reference to
RFC4786.

-13: Fix for Mirja's review on must for congestion control.

11. require any IANA actions.

9. References

11.1.

9.1. Normative References

[RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
DOI 10.17487/RFC2784, March 2000,
<https://www.rfc-editor.org/info/rfc2784>.

[RFC3376] Cain, B., Deering, S., Kouvelas, I., Fenner, B., and A.
Thyagarajan, "Internet Group Management Protocol,
Version 3", RFC 3376, DOI 10.17487/RFC3376, October 2002,
<https://www.rfc-editor.org/info/rfc3376>.

[RFC3810] Vida, R., Ed. Ed., and L. Costa, Ed., "Multicast Listener
Discovery Version 2 (MLDv2) for IPv6", RFC 3810,
DOI 10.17487/RFC3810, June 2004,
<https://www.rfc-editor.org/info/rfc3810>.

[RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", RFC 4760,
DOI 10.17487/RFC4760, January 2007,
<https://www.rfc-editor.org/info/rfc4760>.

[RFC4604] Holbrook, H., Cain, B., and B. Haberman, "Using Internet
Group Management Protocol Version 3 (IGMPv3) and Multicast
Listener Discovery Protocol Version 2 (MLDv2) for Source-
Specific
Source-Specific Multicast", RFC 4604,
DOI 10.17487/RFC4604, August 2006,
<https://www.rfc-editor.org/info/rfc4604>.

[RFC4609] Savola, P., Lehtonen, R., and D. Meyer, "Protocol
Independent Multicast - Sparse Mode (PIM-SM) Multicast
Routing Security Issues and Enhancements", RFC 4609,
DOI 10.17487/RFC4609, October 2006,
<https://www.rfc-editor.org/info/rfc4609>.

[RFC7450] Bumgardner, G., "Automatic Multicast Tunneling", RFC 7450,
DOI 10.17487/RFC7450, February 2015,
<https://www.rfc-editor.org/info/rfc7450>.

[RFC7761] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I.,
Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent
Multicast - Sparse Mode (PIM-SM): Protocol Specification
(Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761,
March 2016, <https://www.rfc-editor.org/info/rfc7761>.

[BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000,
<https://www.rfc-editor.org/info/rfc2827>.

[BCP41] Floyd, S., "Congestion Control Principles", BCP 41,
RFC 2914, DOI 10.17487/RFC2914, September 2000,
<https://www.rfc-editor.org/info/rfc2914>.

[BCP145] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage
Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017,
<https://www.rfc-editor.org/info/rfc8085>.

11.2.

9.2. Informative References

[RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast
Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786,
December 2006, <https://www.rfc-editor.org/info/rfc4786>.

[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>.

[INF_ATIS_10]
"CDN Interconnection Use Cases and Requirements in a
Multi-Party Federation Environment", ATIS Standard
A-0200010, December 2012.

[MDH-04]

[MDH-05] Thaler, D. and others, B. Aboba, "Multicast Debugging Handbook",
IETF I-D draft-ietf-mboned-mdh-04.txt, May
Work in Progress, draft-ietf-mboned-mdh-05, November 2000.

[Traceroute]
,
"traceroute.org", <http://traceroute.org/#source%20code>.

[I-D.ietf-mboned-mtrace-v2]

[Mtrace-v2]
Asaeda, H., Meyer, K., and W. Lee, Ed., "Mtrace Version 2:
Traceroute Facility for IP Multicast", draft-ietf-mboned-
mtrace-v2-20 (work Work in progress), October Progress,
draft-ietf-mboned-mtrace-v2-22, December 2017.

Acknowledgments

The authors would like to thank the following individuals for their
suggestions, comments, and corrections:

Mikael Abrahamsson

Hitoshi Asaeda

Dale Carder

Tim Chown

Leonard Giuliano

Jake Holland

Joel Jaeggli

Henrik Levkowetz

Albert Manfredi

Stig Venaas

Authors' Addresses

Percy S. Tarapore (editor)
AT&T

Phone: 1-732-420-4172
Email: tarapore@att.com

Robert Sayko
AT&T

Phone: 1-732-420-3292
Email: rs1983@att.com

Greg Shepherd
Cisco

Email: shep@cisco.com

Toerless Eckert (editor)
Huawei USA - Futurewei Technologies Inc.

Email: tte+ietf@cs.fau.de tte+ietf@cs.fau.de, toerless.eckert@huawei.com

Ram Krishnan
SupportVectors

Email: ramkri123@gmail.com