Network Working Group                                          A. Barbir
Request for Comments: 3752                               Nortel Networks
Category: Informational                                        E. Burger
                                             Brooktrout Technology, Inc.
                                                                 R. Chen
                                                               AT&T Labs
                                                              S. McHenry
                                                  Individual Contributor
                                                                H. Orman
                                               Purple Streak Development
                                                                R. Penno
                                                         Nortel Networks
                                                              April 2004
        

Open Pluggable Edge Services (OPES) Use Cases and Deployment Scenarios

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This memo provides a discussion of use cases and deployment scenarios for Open Pluggable Edge Services (OPES). The work examines services that could be performed to requests and/or responses.

Table of Contents

   1.  Introduction
   2.  Types of OPES services
       2.1.  Services performed on requests
             2.1.1.  Services intending to modify requests
             2.1.2.  Services *not* intending to modify requests
       2.2.  Services performed on responses
             2.2.1.  Services intending to modify responses
             2.2.2.  Services *not* intending to modify responses
       2.3.  Services creating responses
   3.  OPES deployment scenarios
       3.1.  Surrogate Overlays
       3.2.  Delegate Overlays
       3.3.  Enterprise environment
       3.4.  Callout Servers
       3.5.  Chaining of OPES data filters and callout servers
             3.5.1.  Chaining along the content path
             3.5.2.  Chaining along the callout path
   4.  Failure cases and service notification
   5.  Security Considerations
   6.  Informative References
   7.  Acknowledgements
   8.  Authors' Addresses
   9.  Full Copyright Statement
        
1. Introduction

The Open Pluggable Edge Services (OPES) [1] architecture enables cooperative application services (OPES services) between a data provider, a data consumer, and zero or more OPES processors. The application services under consideration analyze and possibly transform application-level messages exchanged between the data provider and the data consumer. The execution of such services is governed by a set of filtering rules installed on the OPES processor.

The rules enforcement can trigger the execution of service applications local to the OPES processor. Alternatively, the OPES processor can distribute the responsibility of service execution by communicating and collaborating with one or more remote callout [6] servers.

The document presents examples of services in which Open Pluggable Edge Services (OPES) would be useful. There are different types of OPES services: services that modify requests, services that modify responses, and a special case of the latter, services that create responses.

The work also examines various deployment scenarios of OPES services. The two main deployment scenarios, as described by the OPES architecture [1], are surrogate overlays and delegate overlays. Surrogate overlays act on behalf of data provider applications, while delegate overlays act on behalf of data consumer applications. The document also describes combined surrogate and delegate overlays, as one might find within an enterprise deployment.

The document is organized as follows: Section 2 discusses the various types of OPES services. Section 3 introduces OPES deployment scenarios. Section 4 discusses failure cases and service notification. Section 5 discusses security considerations.

The IAB has expressed architectural and policy concerns [2] about OPES. Another OPES document that may be relevant is "OPES Service Authorization and Enforcement Requirements" [5]. See references [3, 4] for recommended background reading.

2. Types of OPES services

OPES scenarios involve services that can be performed on requests for data and/or responses. OPES services can be classified into three categories: services performed on requests, services performed on responses, and services creating responses. In Figure 1, the four service activation points for an OPES processor are depicted. The data dispatcher examines OPES rules, enforces policies, and invokes service applications (if applicable) at each service activation point.

              +------------------------------------------------+
              |         +-------------+-------------+          |
              |         |   Service Application     |          |
              |         +---------------------------+          |
         Responses      |       Data Dispatcher     |     Responses
       <============4== +---------------------------+ <=3===========
         Requests       |           HTTP            |      Requests
       =============1=> +---------------------------+ ==2==========>
              |                  OPES Processor                |
              +------------------------------------------------+
        

Figure 1: Service Activation Points

2.1. Services performed on requests

An OPES service performed on HTTP requests may occur when a request arrives at an OPES processor (point 1) or when it is about to leave the OPES processor (point 2).

The services performed on requests can further be divided into two cases: those that intend to modify requests and those that do not.

2.1.1. Services intending to modify requests

An OPES processor may modify a service request on behalf of the data consumer for various reasons, such as:

o Owner of a Web access device might need control over what kind of Web content can be accessed with the device, parental control for example.

o Organization may restrict or redirect access to certain web services based on various criteria such as time of the day or the employee access privileges.

o Hiding the data consumer's identity, user agent, or referrer.

o Adding user preferences or device profile to the service request to get personalized or adapted services.

o Blocking or redirecting a service request due to a corporate policy.

An OPES processor may also modify a service request on behalf of the data provider in several ways, such as:

o Redirecting the request to a different server to reduce the server work load.

o Redirecting image requests to improve access time.

2.1.2. Services *not* intending to modify requests

An OPES processor may invoke useful service applications that do not modify the user requests. Examples include:

o Administrative functions for the data provider, such as service monitoring or usage tracking for billing purposes.

o Useful services for the data consumer, such as user profiling (with the user's consent) for service adaptation later on.

2.2. Services performed on responses

An OPES service performed on HTTP responses may occur when a response arrives at an OPES processor (point 3) or when it is about to leave the OPES processor (point 4). In the case of a caching proxy, the former service may be an encoding operation before the content is stored in the cache, while the latter may be a decoding operation before the content is returned to the data consumer.

The services performed on responses can further be divided into two cases: those that intend to modify responses and those that do not.

2.2.1. Services intending to modify responses

There are several reasons why responses from the data providers might be modified before delivery to the data consumer:

o Content adaptation: the data provider may not have all the device profiles and templates necessary to transcode the original content into a format appropriate for mobile devices of limited screen size and display capabilities.

o Language translation: the data provider may not have all the translation capabilities needed to deliver the same content in multiple languages to various areas around the world. An OPES processor may perform the language translation or it may invoke different callout servers to perform different language translation tasks.

2.2.2. Services *not* intending to modify responses

An OPES service may be performed on the responses without modifying them. Examples include:

o Logging/Monitoring: Each response may be examined and recorded for monitoring or debugging purposes.

o Accounting: An OPES processor may record the usage data (time and space) of each service request for billing purposes.

2.3. Services creating responses

Services creating responses may include OPES services that dynamically assemble web pages based on the context of the data consumer application.

Consider a content provider offering web pages that include a local weather forecast based on the requestor's preferences. The OPES service could analyze received requests, identify associated user preferences, select appropriate templates, insert the corresponding local weather forecasts, and would then deliver the content to the requestor. Note that the OPES processor may perform the tasks with or without direct access to the weather data. For example, the service could use locally cached weather data or it could simply embed a URL pointing to another server that holds the latest local weather forecast information.
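
The service types of Section 2 can be modelled as a small data dispatcher bound to the four activation points of Figure 1. This is an added example, not code from the memo or from any OPES implementation; the rule structure, service names, hosts and trace strings are assumptions made for illustration. It runs every service on a copy of the message, so a service declared as *not* intending to modify cannot change what is forwarded.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, List
from urllib.parse import urlsplit

# Service activation points, numbered as in Figure 1.
REQUEST_IN, REQUEST_OUT, RESPONSE_IN, RESPONSE_OUT = 1, 2, 3, 4


@dataclass
class Message:
    kind: str                               # "request" or "response"
    url: str = ""
    status: int = 0                         # responses only
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    point: int                              # activation point the rule is bound to
    name: str
    matches: Callable[[Message], bool]
    service: Callable[[Message], Message]
    modifies: bool                          # declared intent (2.1.1/2.2.1 vs 2.1.2/2.2.2)


class DataDispatcher:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.trace: List[str] = []

    def run(self, point: int, msg: Message) -> Message:
        """Apply every matching rule bound to one activation point."""
        for rule in self.rules:
            if rule.point != point or not rule.matches(msg):
                continue
            # The service only ever sees a copy; its result is adopted only
            # when the rule is declared as modifying.
            result = rule.service(copy.deepcopy(msg))
            if rule.modifies:
                msg = result
                self.trace.append(f"{rule.name}: applied")
            else:
                self.trace.append(f"{rule.name}: observed")
            if point in (REQUEST_IN, REQUEST_OUT) and msg.kind == "response":
                break                       # a service created the response (2.3)
        return msg


def handle(dispatcher: DataDispatcher, request: Message, origin) -> Message:
    """Move one request/response pair through points 1, 2, 3 and 4."""
    msg = request
    for point in (REQUEST_IN, REQUEST_OUT):
        msg = dispatcher.run(point, msg)
        if msg.kind == "response":          # never forwarded to the origin
            return dispatcher.run(RESPONSE_OUT, msg)
    response = dispatcher.run(RESPONSE_IN, origin(msg))
    return dispatcher.run(RESPONSE_OUT, response)


BLOCKED_HOSTS = {"games.example"}           # constructed corporate policy
USAGE = []                                  # (url, body length) accounting records


def block_by_policy(msg: Message) -> Message:
    return Message("response", url=msg.url, status=403, body="Blocked by corporate policy")


def hide_identity(msg: Message) -> Message:
    for header in ("Referer", "User-Agent"):
        msg.headers.pop(header, None)
    return msg


def usage_tracking(msg: Message) -> Message:
    USAGE.append((msg.url, len(msg.body)))
    msg.body += "<!-- altered -->"          # misbehaviour the dispatcher must contain
    return msg


def build_dispatcher() -> DataDispatcher:
    return DataDispatcher([
        Rule(REQUEST_IN, "access control",
             lambda m: urlsplit(m.url).hostname in BLOCKED_HOSTS, block_by_policy, True),
        Rule(REQUEST_OUT, "hide identity", lambda m: True, hide_identity, True),
        Rule(RESPONSE_OUT, "usage tracking", lambda m: True, usage_tracking, False),
    ])
```
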

3. OPES deployment scenarios

OPES entities can be deployed over an overlay network that supports the provisioning of data services in a distributed manner. Overlay networks are an abstraction that creates a virtual network of connected devices layered on an existing underlying IP network in order to perform application level services.

The use of overlay networks creates virtual networks that, via OPES entities, enable the necessary network infrastructure to provide better services for data consumer and provider applications. At the application level, the resulting overlay networks are termed OPES Services Networks.

There are two parties that are interested in the services that are offered by OPES entities, the delegate and the surrogate. Delegates are authorized agents that act on behalf of data consumers. Surrogates are authorized agents that act on behalf of data providers.

All parties that are involved in enforcing policies must communicate the policies to the parties that are involved. These parties are trusted to adhere to the communicated policies.

In order to delegate fine-grained trust, the parties must convey policy information by implicit contract, by a setup protocol, by a dynamic negotiation protocol, or in-line with application data headers.

3.1. Surrogate Overlays

A surrogate overlay is a specific type of OPES service network, which is delegated the authority to provide data services on behalf of one or more origin servers. Such services include, but are not limited to, dynamic assembling of web pages, watermarking, and content adaptation.

The elements of surrogate overlays act on behalf of origin servers and logically belong to the authoritative domain of the respective origin servers. The scenario is depicted in Figure 2.

              *********************************************
              *                                           *
              *    +--------+             Authoritative   *
              *    | Origin |                    Domain   *
              *    | Server |                             *
              *    +--------+       +------------+        *
              *         |           | OPES Admin |        *
              *         |           |   Server   |        *
              *         |           +------------+        *
              *         |         /                       *
              *         |       /                         *
              * +--------------+      +-----------------+ *
              * |     OPES     |----- | Remote Call-out | *
              * |   Processor  |      |     Server      | *
              * +--------------+      +-----------------+ *
              *         |                                 *
              *********************************************
                        |
                        |
                        |
                   +---------------------------+
                   | Data consumer application |
                   +---------------------------+
        

Figure 2: Authoritative Domains for Surrogate Overlays

3.2. Delegate Overlays

A delegate overlay is a specific type of OPES service network, which is delegated the authority to provide data services on behalf of one or more data consumer applications.

Delegate overlays provide services that would otherwise be performed by the data consumer applications. Such services include, but are not limited to, virus scanning and content filtering.

The elements of delegate overlays logically belong to the authoritative domain of the respective data consumer application. The situation is illustrated in Figure 3.

                   +--------+
                   | Origin |
                   | Server |
                   +--------+
                        |
                        |
                        |
              *********************************************
              *         |                                 *
              * +--------------+      +-----------------+ *
              * |     OPES     |----- | Remote Call-out | *
              * |    Processor |      |     Server      | *
              * +--------------+      +-----------------+ *
              *         |       \                         *
              *         |         +------------+          *
              *         |         | OPES Admin |          *
              *         |         |   Server   |          *
              *         |         +------------+          *
              *    +---------------------+                *
              *    | Data consumer Appl. | Authoritative  *
              *    +---------------------+        Domain  *
              *                                           *
              *********************************************
        

Figure 3: Authoritative Domains for Delegate Overlays

3.3. Enterprise environment

Deployment of OPES services in an enterprise environment is unique in several ways:

o Both data providers and data consumers are in the same administrative domain and trust domain. This implies that the logical OPES administrator has the authority to enforce corporate policies on all data providers, data consumers, and OPES entities.

o In the case when a callout server outside the corporate firewall is invoked for services (such as language translation) that cannot be performed inside the corporation, care must be taken to guarantee a secure communication channel between the callout server and corporate OPES entities. The callout server must also adhere to all corporate security policies for the services authorized.

3.4. Callout Servers

In some cases the deployment of OPES services can benefit from the use of callout servers to distribute the workload of OPES processors or to contract specialized services from other OPES providers.

In general, operations such as virus scanning that operate on large objects are better handled by a dedicated callout server, which is better designed to perform the memory-intensive task than an OPES processor.

3.5. Chaining of OPES data filters and callout servers

OPES data processors can be "chained" in two dimensions: along the content path or along the callout path. In the latter case, the callout servers can themselves be organized in series for handling requests. Any content that is touched by more than one data processor or more than one callout server has been handled by a "chain".

NOTE: Chaining of callout servers is deferred from version 1 of the Protocol. The discussion of chaining is included here for completeness.

3.5.1. Chaining along the content path

An OPES provider may have assigned OPES services to a set of processors arranged in series. All content might move through the series, and if the content matches the rules for a processor, it is subjected to the service. In this way, the content can be enhanced by several services. This kind of chaining can be successful if the services are relatively independent. For example, the content might be assembled by a service early in the chain and then further decorated by a later service.

3.5.2. Chaining along the callout path

Alternatively, an OPES data processor might act as a content-level switch in a cluster of other data processors and callout servers.

The first stage might develop a processing schedule for the content and direct it to other OPES data processors and/or callout servers. For example, OPES processor A might handle all services assembling content, OPES processor B might handle all services involving URL translation, and OPES processor C might handle all content security services. The first processor would determine that processors A and C were needed for a particular content object, and it would direct the content to those processors. In turn, the processors might use several callout servers to accomplish the task.

4. Failure cases and service notification

These are illustrative cases where information about OPES processing can help endpoint users determine where and why content modifications are being performed.

o Content provider uses an OPES data processor to enhance content based only on context local to the provider. The local context might be time of day, local URL, or available advertising, for example. The content provider might find OPES logging to be sufficient for debugging any problems in this case. However, the content provider might also try direct probing by issuing a request for the content and examining headers related to tracing. If unexpected parameters show up in the trace headers, the content provider's administrator can use these to correct the OPES rules or detect the presence of an unexpected OPES processor in the content path.

o Content provider uses an OPES data processor to enhance content based on context related to the requestor. The requestor may notice that his requests do not elicit the same response as another requestor. He may, for example, get an error message. If he believes there is a configuration error on the OPES data processor, he will need to provide information to the administrator of it. If the information includes "OPES service access control, action: blocked", for example, he can inquire about the circumstances that will allow him to be added to the access control list. In another example, if he sees a picture unrelated to the surrounding text, and if the tracing shows "OPES service choose picture, action: insert 640x480 weather.gif", he might complain that the OPES service does not properly recognize his geographic location and inserts the wrong weather map. In any case, if the information is forwarded to the content provider, the problem may be fixed.

o End user has OPES processor available as part of his network access environment. The end user may have selected "translate English to Spanish" as an OPES service. If he sees "OPES service language translation, action: destination language not supported, no action", then he may inquire of the OPES service provider about what languages are supported by the package. If the end user feels that the source language is not properly represented by the provider, resulting in inability for the service to operate, he (or the language service provider) can contact the content provider.

o If the content provider gets complaints from users about the translation service and feels that the problem is not in the content but in the service, he may recommend that the service not be applied to his pages. He can do that through content headers, for example, with the notation "No OPES service #8D3298EB" or "No OPES class language translation".

o End user's ISP or enterprise uses OPES to control user access based on user profiles. The end user can see that the OPES services are being applied by his ISP, but he cannot control them. If he feels that the transformations bowdlerize the content he can complain to the provider organization.

o The content provider or end user relies on a content distribution network and OPES is used within that network. OPES may be authorized by either the content provider, end user, or both. The content provider may suspect that his access control rules are not being applied properly, for example. He may ask for notification on all accesses to his content through a log. This request and the logfile are outside the OPES architecture; there are security implications for the request, the response, and the resources used by the logfile.
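
The bypass notations and trace entries quoted in the scenarios above can be handled as in the following added example, which is not part of the RFC or of any OPES implementation. The `Service` record, the function names, the hex-only identifier rule, the second service and the wording of the "bypassed" and "applied" trace actions are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    service_id: str     # e.g. "8D3298EB", the identifier quoted in the text
    service_class: str  # e.g. "language translation"
    name: str           # name shown in trace entries

# The two notations quoted in the text. Hex-only identifiers are an assumption.
OPT_OUT = re.compile(
    r"No OPES (?:service\s*#(?P<id>[0-9A-Fa-f]+)|class\s+(?P<cls>\S.*))")

def parse_opt_outs(notations):
    """Return (service ids, service classes, unrecognized notations)."""
    ids, classes, unrecognized = set(), set(), []
    for raw in notations:
        m = OPT_OUT.fullmatch(raw.strip())
        if m is None:
            unrecognized.append(raw)
        elif m.group("id"):
            ids.add(m.group("id").upper())
        else:
            classes.add(m.group("cls").strip().lower())
    return ids, classes, unrecognized

def plan_services(services, notations):
    """Decide which services run and build the trace the requestor can see."""
    ids, classes, unrecognized = parse_opt_outs(notations)
    applied, trace = [], []
    for svc in services:
        if svc.service_id.upper() in ids or svc.service_class.lower() in classes:
            trace.append(f"OPES service {svc.name}, action: "
                         "bypassed on content provider request, no action")
        else:
            applied.append(svc)
            trace.append(f"OPES service {svc.name}, action: applied")
    # Header values are untrusted input: a malformed opt-out is recorded, not
    # silently dropped, and repr() keeps embedded newlines out of the trace.
    for raw in unrecognized:
        trace.append(f"OPES opt-out not recognized, no action: {raw!r}")
    return applied, trace

# Constructed sample data: only the first identifier comes from the text.
SERVICES = [
    Service("8D3298EB", "language translation", "language translation"),
    Service("00000001", "content adaptation", "choose picture"),
]
```

Calling `plan_services(SERVICES, ["No OPES service #8D3298EB"])` leaves only the picture service applied and returns a trace entry for each service, so the requestor and the content provider can both see why translation did not run.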

5. Security Considerations

The document presents usage scenarios and deployment cases. Issues related to the overall security of OPES entities are given in [1].

6. Informative References

[1] Barbir, A., et al., "An Architecture for Open Pluggable Edge Services (OPES)", Work in Progress, July 2002.

[2] Floyd, S. and L. Daigle, "IAB Architectural and Policy Considerations for Open Pluggable Edge Services", RFC 3238, January 2002.

[3] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J. and S. Waldbusser, "Terminology for Policy-Based Management", RFC 3198, November 2001.

[4] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

[5] OPES Working Group, "OPES Service Authorization and Enforcement Requirements", Work in Progress, May 2002.

[6] Beck, A., et al., "Requirements for OPES Callout Protocols", Work in Progress, July 2002.

7. Acknowledgements

The authors would like to thank the participants of the OPES WG for their comments on this document.

8. Authors' Addresses

   Abbie Barbir
   Nortel Networks
   3500 Carling Avenue
   Nepean, Ontario K2H 8E9
   Canada

   Phone: +1 613 763 5229
   EMail: abbieb@nortelnetworks.com
        

   Eric W. Burger
   Brooktrout Technology, Inc.
   18 Keewaydin Dr.
   Salem, NH 03079

   EMail: e.burger@ieee.org
        

   Yih-Farn Robin Chen
   AT&T Labs - Research
   180 Park Avenue
   Florham Park, NJ 07932
   US

   Phone: +1 973 360 8653
   EMail: chen@research.att.com
        

   Stephen McHenry
   305 Vineyard Town Center, #251
   Morgan Hill, CA 95037
   US

   Phone: +1 408 683 2700
   EMail: stephen@mchenry.net
        

   Hilarie Orman
   Purple Streak Development

   EMail: ho@alum.mit.edu
        

   Reinaldo Penno
   Nortel Networks
   600 Technology Park Drive
   Billerica, MA 01803
   US

   EMail: rpenno@nortelnetworks.com
        
9. Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78 and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
