ARMWARE RFC Archive <- RFC Index (5301..5400)

RFC 5352


Network Working Group                                         R. Stewart
Request for Comments: 5352                                        Q. Xie
Category: Experimental                                The Resource Group
                                                             M. Stillman
                                                                   Nokia
                                                               M. Tuexen
                                      Muenster Univ. of Applied Sciences
                                                          September 2008

                Aggregate Server Access Protocol (ASAP)

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   Aggregate Server Access Protocol (ASAP; RFC 5352), in conjunction
   with the Endpoint Handlespace Redundancy Protocol (ENRP; RFC 5353),
   provides a high-availability data transfer mechanism over IP
   networks.  ASAP uses a handle-based addressing model that isolates a
   logical communication endpoint from its IP address(es), thus
   effectively eliminating the binding between the communication
   endpoint and its physical IP address(es), which normally constitutes
   a single point of failure.

   In addition, ASAP defines each logical communication destination as a
   pool, providing full transparent support for server pooling and load
   sharing.  It also allows dynamic system scalability -- members of a
   server pool can be added or removed at any time without interrupting
   the service.

   ASAP is designed to take full advantage of the network level
   redundancy provided by the Stream Transmission Control Protocol
   (SCTP; RFC 4960).  Each transport protocol, other than SCTP, MUST
   have an accompanying transport mapping document.  It should be noted
   that ASAP messages passed between Pool Elements (PEs) and ENRP
   servers MUST use the SCTP transport protocol.

   The high-availability server pooling is gained by combining two
   protocols, namely ASAP and ENRP, in which ASAP provides the user
   interface for Pool Handle to address translation, load sharing
   management, and fault management, while ENRP defines the high-
   availability Pool Handle translation service.

Stewart, et al.               Experimental                      [Page 1]



RFC 5352            Aggregate Server Access Protocol      September 2008

Table of Contents

   1. Introduction ....................................................4
      1.1. Definitions ................................................4
      1.2. Conventions ................................................5
      1.3. Organization of This Document ..............................6
      1.4. Scope of ASAP ..............................................6
           1.4.1. Extent of the Handlespace ...........................6
   2. Message Definitions .............................................6
      2.1. ASAP Parameter Formats .....................................7
      2.2. ASAP Messages ..............................................7
           2.2.1. ASAP_REGISTRATION Message ...........................7
           2.2.2. ASAP_DEREGISTRATION Message .........................8
           2.2.3. ASAP_REGISTRATION_RESPONSE Message ..................9
           2.2.4. ASAP_DEREGISTRATION_RESPONSE Message ...............10
           2.2.5. ASAP_HANDLE_RESOLUTION Message .....................10
           2.2.6. ASAP_HANDLE_RESOLUTION_RESPONSE Message ............11
           2.2.7. ASAP_ENDPOINT_KEEP_ALIVE Message ...................13
           2.2.8. ASAP_ENDPOINT_KEEP_ALIVE_ACK Message ...............14
           2.2.9. ASAP_ENDPOINT_UNREACHABLE Message ..................14
           2.2.10. ASAP_SERVER_ANNOUNCE Message ......................15
           2.2.11. ASAP_COOKIE Message ...............................16
           2.2.12. ASAP_COOKIE_ECHO Message ..........................16
           2.2.13. ASAP_BUSINESS_CARD Message ........................17
           2.2.14. ASAP_ERROR Message ................................17
   3. Procedures .....................................................18
      3.1. Registration ..............................................18
      3.2. De-Registration ...........................................21
      3.3. Handle Resolution .........................................23
      3.4. Endpoint Keep Alive .......................................25
      3.5. Unreachable Endpoints .....................................26
      3.6. ENRP Server Hunt Procedures ...............................27
      3.7. Handling ASAP Endpoint to ENRP Server
           Communication Failures ....................................28
           3.7.1. SCTP Send Failure ..................................28
           3.7.2. T1-ENRPrequest Timer Expiration ....................29
           3.7.3. Registration Failure ...............................29
      3.8. Cookie Handling Procedures ................................29
      3.9. Business Card Handling Procedures .........................30
   4. Roles of Endpoints .............................................31
   5. SCTP Considerations ............................................31
   6. The ASAP Interfaces ............................................31
      6.1. Registration.Request Primitive ............................32
      6.2. Deregistration.Request Primitive ..........................32
      6.3. CachePopulateRequest Primitive ............................33
      6.4. CachePurgeRequest Primitive ...............................33
      6.5. DataSendRequest Primitive .................................33
           6.5.1. Sending to a Pool Handle ...........................34

Stewart, et al.               Experimental                      [Page 2]



RFC 5352            Aggregate Server Access Protocol      September 2008

           6.5.2. Pool Element Selection .............................35
                  6.5.2.1. Round-Robin Policy ........................35
           6.5.3. Sending to a Pool Element Handle ...................35
           6.5.4. Send by Transport Address ..........................37
           6.5.5. Message Delivery Options ...........................37
      6.6. Data.Received Notification ................................38
      6.7. Error.Report Notification .................................39
      6.8. Examples ..................................................39
           6.8.1. Send to a New Pool .................................39
           6.8.2. Send to a Cached Pool Handle .......................40
      6.9. PE Send Failure ...........................................41
           6.9.1. Translation.Request Primitive ......................41
           6.9.2. Transport.Failure Primitive ........................42
   7. Timers, Variables, and Thresholds ..............................42
      7.1. Timers ....................................................42
      7.2. Variables .................................................42
      7.3. Thresholds ................................................43
   8. IANA Considerations ............................................43
      8.1. A New Table for ASAP Message Types ........................43
      8.2. Port Numbers ..............................................44
      8.3. SCTP Payload Protocol Identifier ..........................44
      8.4. Multicast Addresses .......................................44
   9. Security Considerations ........................................44
      9.1. Summary of RSerPool Security Threats ......................45
      9.2. Implementing Security Mechanisms ..........................46
      9.3. Chain of Trust ............................................49
   10. Acknowledgments ...............................................50
   11. References ....................................................50
      11.1. Normative References .....................................50
      11.2. Informative References ...................................51

Stewart, et al.               Experimental                      [Page 3]



RFC 5352            Aggregate Server Access Protocol      September 2008

1.  Introduction

   The Aggregate Server Access Protocol (ASAP), when used in conjunction
   with Endpoint Name Resolution Protocol [RFC5353], provides a high-
   availability data-transfer mechanism over IP networks.  ASAP uses a
   handle-based addressing model that isolates a logical communication
   endpoint from its IP address(es), thus effectively eliminating the
   binding between the communication endpoint and its physical IP
   address(es), which normally constitutes a single point of failure.

   When multiple receiver instances exist under the same handle (aka a
   server pool), an ASAP Endpoint will select one Pool Element (PE),
   based on the current load sharing policy indicated by the server
   pool, and deliver its message to the selected PE.

   While delivering the message, ASAP can be used to monitor the
   reachability of the selected PE.  If it is found unreachable, before
   notifying the message sender (an ASAP User) of the failure, ASAP can
   automatically select another PE (if one exists) under that pool and
   attempt to deliver the message to that PE.  In other words, ASAP is
   capable of transparent failover amongst PE instances within a server
   pool.

   ASAP depends on ENRP, which provides a high-availability Pool
   Handlespace.  ASAP is responsible for the abstraction of the
   underlying transport technologies, load distribution management,
   fault management, as well as presentation to the upper layer (aka an
   ASAP User) via a unified primitive interface.

   When SCTP [RFC4960] is used as the transport layer protocol, ASAP can
   seamlessly incorporate the link-layer redundancy provided by SCTP.

   This document defines the ASAP portion of the high-availability
   server pool.

1.1.  Definitions

   This document uses the following terms:

   ASAP User:  Either a PE or Pool User (PU) that uses ASAP.

   Business Card:  When presented by a PU or PE, it specifies the pool
      the sender belongs to and provides a list of alternate PEs in case
      of failovers.

Stewart, et al.               Experimental                      [Page 4]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Operational Scope:  The part of the network visible to pool users by
      a specific instance of the reliable server pooling protocols.

   Pool (or Server Pool):  A collection of servers providing the same
      application functionality.

   Pool Handle:  A logical pointer to a pool.  Each server pool will be
      identifiable in the operational scope of the system by a unique
      Pool Handle.

   Pool Element:  A server entity having registered to a pool.

   Pool User:  A server pool user.

   Pool Element Handle (or Endpoint Handle):  A logical pointer to a
      particular Pool Element in a pool, consisting of the Pool Handle
      and a destination transport address of the Pool Element.

   Handlespace:  A cohesive structure of Pool Handles and relations that
      may be queried by an internal or external agent.

   Home ENRP Server:  The ENRP server to which a PE or PU currently
      sends all namespace service requests.  A PE must only have one
      Home ENRP server at any given time, and both the PE and its Home
      ENRP server MUST know and keep track of this relationship.  A PU
      should select one of the available ENRP servers as its Home ENRP
      server, but the collective ENRP servers may change this by the
      sending of an ASAP_ENDPOINT_KEEP_ALIVE message.

   ENRP Client Channel:  The communication channel through which an ASAP
      User sends all namespace service requests.  The client channel is
      usually defined by the transport address of the Home ENRP server
      and a well-known port number.  The channel MAY make use of
      multicast or a named list of ENRP servers.

   Network Byte Order:  Most significant byte first, aka Big Endian.

   Transport Address:  A transport address is traditionally defined by
      Network Layer address, Transport Layer protocol and Transport
      Layer port number.  In the case of SCTP running over IP, a
      transport address is defined by the combination of an IP address
      and an SCTP port number (where SCTP is the Transport protocol).

1.2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Stewart, et al.               Experimental                      [Page 5]



RFC 5352            Aggregate Server Access Protocol      September 2008

1.3.  Organization of This Document

   Section 2 details the ASAP message formats.  In Section 3, we provide
   detailed ASAP procedures for the ASAP implementer.  Section 4
   summarizes which messages need to be supported by which nodes, and
   Section 5 describes the usage of SCTP.  In Section 6, details of the
   ASAP interface are given, focusing on the communication primitives
   between ASAP, the applications above ASAP, and ASAP itself, and the
   communications primitives between ASAP and SCTP (or other transport
   layers).  Also included in this discussion are relevant timers and
   configurable parameters, as appropriate.  Section 7 provides
   threshold and protocol variables.

   It should be noted that variables, timers, and constants are used in
   the text when necessary.  The complete list can be found in
   Section 7.

1.4.  Scope of ASAP

   The requirements for high availability and scalability do not imply
   requirements on shared state and data.  ASAP does not provide
   transaction failover.  If a host or application fails during the
   processing of a transaction, this transaction may be lost.  Some
   services MAY provide a way to handle the failure, but this is not
   guaranteed.  ASAP MAY provide hooks to assist an application in
   building a mechanism to share state but ASAP in itself does NOT share
   any state.

1.4.1.  Extent of the Handlespace

   The scope of ASAP/ENRP is NOT Internet-wide.  The handlespace is
   neither hierarchical nor arbitrarily large like DNS.  A flat peer-to-
   peer model is detailed.  Pools of servers will exist in different
   administrative domains.  For example, suppose the use of ASAP and
   ENRP is wanted.  First, the PU may use DNS to contact an ENRP server.
   Suppose a PU in North America wishes to contact a server pool in
   Japan instead of North America.  The PU would use DNS to get the list
   of IP addresses of the Japanese server pool; that is, the ENRP client
   channel in Japan.  From there, the PU would query the Home ENRP
   server it established and then directly contact the PE(s) of
   interest.

2.  Message Definitions

   All messages, as well as their fields described below, shall be in
   network byte order during transmission.  For fields with a length
   bigger than 4 bytes, a number in a pair of parentheses may follow the
   field name to indicate the length of the field in number of bytes.

Stewart, et al.               Experimental                      [Page 6]



RFC 5352            Aggregate Server Access Protocol      September 2008

2.1.  ASAP Parameter Formats

   The basic message format and all parameter formats can be found in
   [RFC5354].  Note also that *all* ASAP messages exchanged between an
   ENRP server and a PE MUST use SCTP as transport, while ASAP messages
   exchanged between an ENRP server and a PU MUST use either SCTP or TCP
   as transport.  PE to PU data traffic MAY use any transport protocol
   specified by the PE during registration.

2.2.  ASAP Messages

   This section details the individual messages used by ASAP.  These
   messages are composed of a standard message format found in Section 4
   of [RFC5354].  The parameter descriptions can be found in [RFC5354].

   The following ASAP message types are defined in this section:

   Type       Message Name
   -----      -------------------------
   0x00       - (Reserved by IETF)
   0x01       - ASAP_REGISTRATION
   0x02       - ASAP_DEREGISTRATION
   0x03       - ASAP_REGISTRATION_RESPONSE
   0x04       - ASAP_DEREGISTRATION_RESPONSE
   0x05       - ASAP_HANDLE_RESOLUTION
   0x06       - ASAP_HANDLE_RESOLUTION_RESPONSE
   0x07       - ASAP_ENDPOINT_KEEP_ALIVE
   0x08       - ASAP_ENDPOINT_KEEP_ALIVE_ACK
   0x09       - ASAP_ENDPOINT_UNREACHABLE
   0x0a       - ASAP_SERVER_ANNOUNCE
   0x0b       - ASAP_COOKIE
   0x0c       - ASAP_COOKIE_ECHO
   0x0d       - ASAP_BUSINESS_CARD
   0x0e       - ASAP_ERROR
   others     - (Reserved by IETF)

                                 Figure 1

2.2.1.  ASAP_REGISTRATION Message

   The ASAP_REGISTRATION message is sent by a PE to its Home ENRP server
   to either create a new pool or to add itself to an existing pool.
   The PE sending the ASAP_REGISTRATION message MUST fill in the Pool
   Handle parameter and the Pool Element parameter.  The Pool Handle
   parameter specifies the name to be registered.  The Pool Element
   parameter MUST be filled in by the registrant, as outlined in
   Section 3.1.  Note that the PE sending the registration message MUST

Stewart, et al.               Experimental                      [Page 7]



RFC 5352            Aggregate Server Access Protocol      September 2008

   send the message using an SCTP association.  Furthermore, the IP
   address(es) of the PE that is registered within the Pool Element
   parameter MUST be a subset of the IP address(es) used in the SCTP
   association, regardless of the registered transport protocol.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x01 |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Element Parameter                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Pool Handle Parameter:

   See [RFC5354].

   Pool Element Parameter:

   See [RFC5354].

2.2.2.  ASAP_DEREGISTRATION Message

   The ASAP_DEREGISTRATION message is sent by a PE to its Home ENRP
   server to remove itself from a pool to which it registered.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x02 |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                    PE Identifier Parameter                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++

   Pool Handle Parameter:

   See [RFC5354].

   PE Identifier Parameter:

   See [RFC5354].

Stewart, et al.               Experimental                      [Page 8]



RFC 5352            Aggregate Server Access Protocol      September 2008

   The PE sending the ASAP_DEREGISTRATION MUST fill in the Pool Handle
   and the PE identifier parameter in order to allow the ENRP server to
   verify the identity of the endpoint.  Note that de-registration is
   NOT allowed by proxy; in other words, a PE may only de-register
   itself.

2.2.3.  ASAP_REGISTRATION_RESPONSE Message

   The ASAP_REGISTRATION_RESPONSE message is sent in response by the
   Home ENRP server to the PE that sent an ASAP_REGISTRATION message.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x03 |0|0|0|0|0|0|0|R|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                    PE Identifier Parameter                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                   Operational Error (optional)                :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   R (Reject) Flag:

   When set to '1', this flag indicates that the ENRP server sending
   this message has rejected the registration.  Otherwise, when this
   flag is set to '0', this indicates the registration has been granted.

   Pool Handle Parameter:

   See [RFC5354].

   PE Identifier Parameter:

   See [RFC5354].

   Operational Error Parameter (optional):

   See [RFC5354].

   This parameter is included if an error or some atypical events
   occurred during the registration process.  When the R flag is set to
   '1', this parameter, if present, indicates the cause of the
   rejection.  When the R flag is set to '0', this parameter, if
   present, serves as a warning to the registering PE, informing it that

Stewart, et al.               Experimental                      [Page 9]



RFC 5352            Aggregate Server Access Protocol      September 2008

   some of its registration values may have been modified by the ENRP
   server.  If the registration was successful and there is no warning,
   this parameter is not included.

2.2.4.  ASAP_DEREGISTRATION_RESPONSE Message

   The ASAP_DEREGISTRATION_RESPONSE message is returned by the Home ENRP
   server to a PE in response to an ASAP_DEREGISTRATION message or due
   to the expiration of the registration life of the PE in the pool.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x04 |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                    PE Identifier Parameter                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                   Operational Error (optional)                :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Pool Handle Parameter:

   See [RFC5354].

   PE Identifier Parameter:

   See [RFC5354].

   Operational Error:

   See [RFC5354].

   This parameter is included if an error or some atypical events
   occurred during the de-registration process.  If the de-registration
   was successful this parameter is not included.

2.2.5.  ASAP_HANDLE_RESOLUTION Message

   The ASAP_HANDLE_RESOLUTION message is sent by either a PE or PU to
   its Home ENRP server to resolve a Pool Handle into a list of Pool
   Elements that are members of the pool indicated by the Pool Handle.

Stewart, et al.               Experimental                     [Page 10]



RFC 5352            Aggregate Server Access Protocol      September 2008

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x05 |0|0|0|0|0|0|0|S|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The 'S' bit:

   The 'S' bit, if set to '1', requests the Home ENRP server to send
   updates to this Pool dynamically when the Pool changes for the
   lifetime of the SCTP association.  Dynamic updates to the pool will
   consist of additional ASAP_HANDLE_RESOLUTION_RESPONSE messages,
   without the user needing to send in an ASAP_HANDLE_RESOLUTION.

   If the 'S' bit is set to '0', no Dynamic updates are requested.

   Note that if a new Home ENRP server is adopted, any 'dynamic update
   request' will need to be re-sent to the new Home ENPR server if the
   endpoint would like to continue to receive updates.  In other words,
   the ENRP servers do NOT share state regarding which of its PU's are
   requesting automatic update of state.  Thus, upon change of Home ENRP
   server, the PU will need to re-send an ASAP_HANDLE_RESOLUTION message
   with the 'S' bit set to '1'.  Note also, that the 'S' bit will only
   cause Dynamic update of a Pool when the Pool exists.  If a negative
   response is returned, no further updates to the Pool (when it is
   created) will occur.

   Pool Handle Parameter:

   See [RFC5354].

2.2.6.  ASAP_HANDLE_RESOLUTION_RESPONSE Message

   The ASAP_HANDLE_RESOLUTION_RESPONSE message is sent in response by
   the Home ENRP server of the PU or PE that sent an
   ASAP_HANDLE_RESOLUTION message or is sent periodically upon Pool
   changes if the PU has requested Dynamic updates.

Stewart, et al.               Experimental                     [Page 11]



RFC 5352            Aggregate Server Access Protocol      September 2008

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x06 |0|0|0|0|0|0|0|A|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :             Overall PE Selection Policy (optional)            :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :               Pool Element Parameter 1 (optional)             :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                              ...                              :
   :                                                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :               Pool Element Parameter N (optional)             :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                   Operational Error (optional)                :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   'A' bit:

   This bit is set to '1' if the ENRP server accepts the request to send
   automatic updates (i.e., the 'S' bit was set on the request).  If
   this bit is set to '0', either the ENRP server does NOT support
   automatic updates, it has resource issues and cannot supply this
   feature, or the user did not request it.

   Pool Handle Parameter:

   See [RFC5354].

   Overall PE Selection Policy (optional):

   See [RFC5354].

   This parameter can be present when the response is positive.  If
   present, it indicates the overall pool member selection policy of the
   pool.  If not present, a Round-Robin overall pool member selection
   policy is assumed.  This parameter is not present when the response
   is negative.

   Note, any load policy parameter within a Pool Element parameter (if
   present) MUST be ignored, and MUST NOT be used to determine the
   overall pool member selection policy.

   Pool Element Parameters (optional):

   See [RFC5354].

Stewart, et al.               Experimental                     [Page 12]



RFC 5352            Aggregate Server Access Protocol      September 2008

   When the response is positive, an array of PE parameters are
   included, indicating the current information about the PEs in the
   named pool.  At least one PE parameter MUST be present.  When the
   response is negative, no PE parameters are included.

   Operational Error (optional):

   See [RFC5354].

   The presence of this parameter indicates that the response is
   negative (the handle resolution request was rejected by the ENRP
   server).  The cause code in this parameter (if present) will indicate
   the reason the handle resolution request was rejected (e.g., the
   requested Pool Handle was not found).  The absence of this parameter
   indicates that the response is positive.

2.2.7.  ASAP_ENDPOINT_KEEP_ALIVE Message

   The ASAP_ENDPOINT_KEEP_ALIVE message is sent by an ENRP server to a
   PE.  The ASAP_ENDPOINT_KEEP_ALIVE message is used to verify that the
   PE is reachable and requires the PE to adopt the sending server as
   its new Home ENRP server if the 'H' bit is set to '1'.  Regardless of
   the setting of the 'H' bit, an ASAP Endpoint MUST respond with an
   ASAP_ENDPOINT_KEEP_ALIVE_ACK to any ASAP_ENDPOINT_KEEP_ALIVE messages
   that arrive.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x07 |0|0|0|0|0|0|0|H|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Server Identifier                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   H (Home ENRP server) Flag:

   When set to '1', indicates that the ENRP server that sends this
   message wants to be the Home ENRP server of the receiver of this
   message.

   Server Identifier: 32 bits (unsigned integer)

   This is the ID of the ENRP server, as discussed in [RFC5353].

Stewart, et al.               Experimental                     [Page 13]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Pool Handle Parameter:

   See [RFC5354].

2.2.8.  ASAP_ENDPOINT_KEEP_ALIVE_ACK Message

   The ASAP_ENDPOINT_KEEP_ALIVE_ACK message is sent by a PE in response
   to an ASAP_ENDPOINT_KEEP_ALIVE message sent by an ENRP server.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x08 |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                    PE Identifier Parameter                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Pool Handle Parameter:

   See [RFC5354].

   PE Identifier Parameter:

   See [RFC5354].

2.2.9.  ASAP_ENDPOINT_UNREACHABLE Message

   The ASAP_ENDPOINT_UNREACHABLE message is sent by either a PE or PU to
   its Home ENRP server to report an unreachable PE.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x09 |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                    PE Identifier Parameter                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Pool Handle Parameter:

   See [RFC5354].

Stewart, et al.               Experimental                     [Page 14]



RFC 5352            Aggregate Server Access Protocol      September 2008

   PE Identifier Parameter:

   See [RFC5354].

2.2.10.  ASAP_SERVER_ANNOUNCE Message

   The ASAP_SERVER_ANNOUNCE message is sent by an ENRP server such that
   PUs and PEs know the transport information necessary to connect to
   the ENRP server.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x0a |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Server Identifier                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                       Transport Param #1                      :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                       Transport Param #2                      :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                                                               :
   :                             .....                             :
   :                                                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                       Transport Param #n                      :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Server Identifier: 32 bits (unsigned integer)

   This is the ID of the ENRP server, as discussed in [RFC5353].

   Transport Parameters (optional):

   See [RFC5354] for the SCTP and TCP Transport parameters.

   Only SCTP and TCP Transport parameters are allowed for use within the
   SERVER_ANNOUNCE message.

Stewart, et al.               Experimental                     [Page 15]



RFC 5352            Aggregate Server Access Protocol      September 2008

2.2.11.  ASAP_COOKIE Message

   The ASAP_COOKIE message is sent by a PE to a PU, allowing the PE to
   convey information it wishes to share using a control channel.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x0b |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                         Cookie Parameter                      :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Cookie Parameter :

   See [RFC5354].

2.2.12.  ASAP_COOKIE_ECHO Message

   The ASAP_COOKIE_ECHO message is sent by a PU to a new PE when it
   detects a failure with the current PE to aid in failover.  The Cookie
   Parameter sent by the PE is the latest one received from the failed
   PE.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x0c |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                         Cookie Parameter                      :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Cookie Parameter:

   See [RFC5354].

Stewart, et al.               Experimental                     [Page 16]



RFC 5352            Aggregate Server Access Protocol      September 2008

2.2.13.  ASAP_BUSINESS_CARD Message

   The ASAP_BUSINESS_CARD message is sent by a PU to a PE or from a PE
   to a PU using a control channel to convey the pool handle and a
   preferred failover ordering.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x0d |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                     Pool Handle Parameter                     :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                   Pool Element Parameter-1                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                              ..                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                   Pool Element Parameter-N                    :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Pool Handle Parameter:

   See [RFC5354].

   Pool Element Parameters:

   See [RFC5354].

2.2.14.  ASAP_ERROR Message

   The ASAP_ERROR message is sent in response by an ASAP Endpoint
   receiving an unknown message or an unknown parameter to the sending
   ASAP Endpoint to report the problem or issue.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x0e |0|0|0|0|0|0|0|0|        Message Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                 Operational Error Parameter                   :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Operational Error Parameter:

   See [RFC5354].

Stewart, et al.               Experimental                     [Page 17]



RFC 5352            Aggregate Server Access Protocol      September 2008

   When an ASAP Endpoint receives an ASAP message with an unknown
   message type or a message of known type that contains an unknown
   parameter, it SHOULD handle the unknown message or the unknown
   parameter according to the unrecognized message and parameter
   handling rules, defined in Section 3.

   According to the rules, if an error report to the message sender is
   needed, the ASAP endpoint that discovered the error SHOULD send back
   an ASAP_ERROR message that includes an Operational Error parameter
   with the proper cause code, cause length, and case-specific
   information.

3.  Procedures

   This section will focus on the methods and procedures used by an
   internal ASAP Endpoint.  Appropriate timers and recovery actions for
   failure detection and management are also discussed.  Also, please
   note that ASAP messages sent between a PE and PU are identified by an
   SCTP Payload Protocol Identifier (PPID).

3.1.  Registration

   When a PE wishes to initiate or join a server pool, it MUST use the
   procedures outlined in this section for registration.  Often, the
   registration will be triggered by a user request primitive (discussed
   in Section 6.1).  The PE MUST register using an SCTP association
   established between itself and the Home ENRP server.  If the PE has
   not established its Home ENRP server, it MUST follow the procedures
   specified in Section 3.6.

   Once the PE's ASAP Endpoint has established its Home ENRP server, the
   following procedures MUST be followed to register:

   R1)  The PE's SCTP endpoint used to communicate with the Home ENRP
      server MUST be bound to all IP addresses that will be used by the
      PE (regardless of which transport protocol will be used to service
      user requests to the PE).

   R2)  The PE's ASAP Endpoint MUST formulate an ASAP_REGISTRATION
      message, as defined in Section 2.2.1.  In formulating the message,
      the PE MUST:

      R2.1)  Fill in the Pool Handle parameter to specify which server
         pool the ASAP Endpoint wishes to join.

      R2.2)  Fill in the PE identifier using a good-quality randomly
         generated number ([RFC4086] provides some information on
         randomness guidelines).

Stewart, et al.               Experimental                     [Page 18]



RFC 5352            Aggregate Server Access Protocol      September 2008

      R2.3)  Fill in the Registration Lifetime parameter with the number
         of seconds that this registration is valid for.  Note that a PE
         that wishes to continue service MUST re-register before the
         registration expires.

      R2.4)  Fill in a User Transport parameter to specify the type of
         transport and the data/control channel usage the PE is willing
         to support.  Note, in joining an existing server pool, the PE
         MUST follow the overall transport type and overall data/control
         channel usage of the pool.  Otherwise, the registration may be
         rejected by the ENRP server.

      R2.5)  Fill in the preferred Pool Member Selection Policy
         parameter.

   R3)  Send the ASAP_REGISTRATION message to the Home ENRP server using
      SCTP.

   R4)  Start a T2-registration timer.

   Note: the PE does not need to fill in the optional ASAP transport
   parameter.  The ASAP transport parameter will be filled in and used
   by the Home ENRP server.

   If the T2-registration timer expires before receiving an
   ASAP_REGISTRATION_RESPONSE message, or a SEND.FAILURE notification is
   received from the SCTP layer, the PE shall start the Server Hunt
   procedure (see Section 3.6) in an attempt to get service from a
   different ENRP server.  After establishing a new Home ENRP server,
   the PE SHOULD restart the registration procedure.

   At the reception of the registration response, the PE MUST stop the
   T2-registration timer.  If the response indicates success, the PE is
   registered and will be considered an available member of the server
   pool.  If the registration response indicates a failure, the PE must
   either re-attempt registration after correcting the error or return a
   failure indication to the PE's upper layer.  The PE MUST NOT re-
   attempt registration without correcting the error condition.

   At any time, a registered PE MAY wish to re-register to either update
   its member selection Policy Value or registration expiration time.
   When re-registering, the PE MUST use the same PE identifier.

   After successful registration, the PE MUST start a T4-reregistration
   timer.  At its expiration, a re-registration SHOULD be made starting
   at step R1, including (at completion) restarting the T4-
   reregistration timer.

Stewart, et al.               Experimental                     [Page 19]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Note that an implementation SHOULD keep a record of the number of
   registration (and re-registration) attempts it makes in a local
   variable that gets set to zero before the initial registration
   attempt to the Home ENRP server or after a successful re-
   registration.  If repeated registration timeouts or failures occurs
   and the local count exceeds the Threshold 'MAX-REG-ATTEMPT', the
   implementation SHOULD report the error to its upper layer and stop
   attempting registration.

   The ENRP server handles the ASAP_REGISTRATION message according to
   the following rules:

   1.  If the named pool does not exist in the handlespace, the ENRP
       server MUST create a new pool with that handle in the handlespace
       and add the PE to the pool as its first PE.

       When a new pool is created, the overall member selection policy
       of the pool MUST be set to the policy type indicated by the first
       PE, the overall pool transport type MUST be set to the transport
       type indicated by the PE, and the overall pool data/control
       channel configuration MUST be set to what is indicated in the
       Transport Use field of the User Transport parameter by the
       registering PE.

   2.  If the named pool already exists in the handlespace, but the
       requesting PE is not currently a member of the pool, the ENRP
       server will add the PE as a new member to the pool.

       However, before adding the PE to the pool, the server MUST check
       if the policy type, transport type, and transport usage indicated
       by the registering PE is consistent with those of the pool.  If
       different, the ENRP server MUST reject the registration.

   3.  If the named pool already exists in the handlespace *and* the
       requesting PE is already a member of the pool, the ENRP server
       SHOULD consider this as a re-registration case.  The ENRP server
       MUST perform the same tests on policy, transport type, and
       transport use, as described above.  If the re-registration is
       accepted after the test, the ENRP server SHOULD replace the
       attributes of the existing PE with the information carried in the
       received ASAP_REGISTRATION message.

   4.  After accepting the registration, the ENRP server MUST assign
       itself the owner of this PE.  If this is a re-registration, the
       ENRP server MUST take over ownership of this PE, regardless of
       whether the PE was previously owned by this server or by another

Stewart, et al.               Experimental                     [Page 20]



RFC 5352            Aggregate Server Access Protocol      September 2008

       server.  The ENRP server MUST also record the SCTP transport
       address from which it received the ASAP_REGISTRATION in the ASAP
       Transport parameter TLV inside the PE parameter of this PE.

   5.  The ENRP server may reject the registration due to other reasons
       such as invalid values, lack of resource, authentication failure,
       etc.

   In all above cases, the ENRP server MUST reply to the requesting PE
   with an ASAP_REGISTRATION_RESPONSE message.  If the registration is
   accepted, the ENRP server MUST set the R flag in the
   ASAP_REGISTRATION_RESPONSE to '0'.  If the registration is rejected,
   the ENRP server MUST indicate the rejection by setting the R flag in
   the ASAP_REGISTRATION_RESPONSE to '1'.

   If the registration is rejected, the ENRP server SHOULD include the
   proper error cause(s) in the ASAP_REGISTRATION_RESPONSE message.

   If the registration is granted (either a new registration or a re-
   registration case), the ENRP server MUST assign itself to be the Home
   ENRP server of the PE, i.e., to "own" the PE.

      Implementation note: For better performance, the ENRP server may
      find it both efficient and convenient to internally maintain two
      separate PE lists or tables -- one is for the PEs that are owned
      by the ENRP server and the other is for all the PEs owned by their
      peer(s).

   Moreover, if the registration is granted, the ENRP server MUST take
   the handlespace update action to inform its peers about the change
   just made.  If the registration is denied, no message will be sent to
   its peers.

3.2.  De-Registration

   In the event a PE wishes to de-register from its server pool
   (normally, via an upper-layer request, see Section 6.2), it SHOULD
   use the following procedure.  It should be noted that an alternate
   method of de-registration is to NOT re-register and to allow the
   registration life of the PE to expire.  In this case, an
   ASAP_DEREGISTRATION_RESPONSE message is sent to the PE's ASAP
   Endpoint to indicate the removal of the PE from the pool it
   registered.

   When de-registering, the PE SHOULD use the SCTP association that was
   used for registration with its Home ENRP server.  To de-register, the
   PE's ASAP Endpoint MUST take the following actions:

Stewart, et al.               Experimental                     [Page 21]



RFC 5352            Aggregate Server Access Protocol      September 2008

   D1)  Fill in the Pool Handle parameter of the ASAP_DEREGISTRATION
      message (Section 2.2.2) using the same Pool Handle parameter sent
      during registration.

   D2)  Fill in the PE Identifier parameter of the ASAP_DEREGISTRATION
      message.  The identifier MUST be the same as used during
      registration.  The use of the same Pool Handle and Pool Identifier
      parameters used in registration allows the identity of the PE ASAP
      Endpoint to be verified before de-registration can occur.

   D3)  Send the ASAP_DEREGISTRATION message to the Home ENRP server
      using the PE's SCTP association.

   D4)  Start a T3-Deregistration timer.

   If the T3-Deregistration timer expires before receiving either an
   ASAP_REGISTRATION_RESPONSE message, or a SEND.FAILURE notification
   from the PE's SCTP endpoint, the PE's ASAP Endpoint shall start the
   ENRP Server Hunt procedure (see Section 3.6) in an attempt to get
   service from another ENRP server.  After establishing a new Home ENRP
   server, the ASAP Endpoint SHOULD restart the de-registration
   procedure.

   At the reception of the ASAP_DEREGISTRATION_RESPONSE, the PE's ASAP
   endpoint MUST stop the T3-Deregistration timer.

   It should be noted that after a successful de-registration, the PE
   MAY still receive requests for some period of time.  The PE MAY wish
   to remain active and service these requests or to exit and ignore
   these requests.

   Upon receiving the message, the ENRP server SHALL remove the PE from
   its handlespace.  Moreover, if the PE is the last one of the named
   pool, the ENRP server will remove the pool from the handlespace as
   well.

   If the ENRP server fails to find any record of the PE in its
   handlespace, it SHOULD consider the de-registration granted and
   completed, and send an ASAP_DEREGISTRATION_RESPONSE message to the
   PE.

   The ENRP server may reject the de-registration request for various
   reasons, such as invalid parameters, authentication failure, etc.

   In response, the ENRP server MUST send an
   ASAP_DEREGISTRATION_RESPONSE message to the PE.  If the de-
   registration is rejected, the ENRP server MUST indicate the rejection
   by including the proper Operational Error parameter.

Stewart, et al.               Experimental                     [Page 22]



RFC 5352            Aggregate Server Access Protocol      September 2008

   It should be noted that de-registration does not stop the PE from
   sending or receiving application messages.

   Once the de-registration request is granted *and* the PE removed from
   its local copy of the handlespace, the ENRP server MUST take the
   handlespace update action to inform its peers about the change just
   made.  Otherwise, the ENRP server MUST NOT inform its peers.

3.3.  Handle Resolution

   At any time, a PE or PU may wish to resolve a handle.  This usually
   will occur when an ASAP Endpoint sends a Pool Handle (Section 6.5.1)
   to its Home ENRP server or requests a cache population (Section 6.3).
   It may also occur for other reasons (e.g., the internal ASAP PE
   wishes to know its peers to send a message to all of them).  When an
   ASAP Endpoint (PE or PU) wishes to resolve a pool handle to a list of
   accessible transport addresses of the member PEs of the pool, it MUST
   take the following actions:

   NR1)  Fill in an ASAP_HANDLE_RESOLUTION message (Section 2.2.5) with
      the Pool Handle to be resolved.

   NR2)  If the endpoint does not have a Home ENRP server, start the
      ENRP Server Hunt procedures specified in Section 3.6 to obtain
      one.  Otherwise, proceed to step NR3.

   NR3)  If a PE, send the ASAP_HANDLE_RESOLUTION message to the Home
      ENRP server using SCTP; if a PU, send the ASAP_HANDLE_RESOLUTION
      message to the Home ENRP server using either TCP or SCTP.  If sent
      from a PE, the SCTP association used for registration SHOULD be
      used.

   NR4)  Start a T1-ENRPrequest timer.

   If the T1-ENRPrequest timer expires before receiving a response
   message, the ASAP Endpoint SHOULD take the steps described in
   Section 3.7.2.  If a SEND.FAILURE notification is received from the
   SCTP or TCP layer, the ASAP Endpoint SHOULD start the Server Hunt
   procedure (see Section 3.6) in an attempt to get service from a
   different ENRP server.  After establishing a new Home ENRP server,
   the ASAP Endpoint SHOULD restart the handle resolution procedure.

   At the reception of the ASAP_HANDLE_RESOLUTION_RESPONSE message, the
   ASAP Endpoint MUST stop its T1-ENRPrequest timer.  After stopping the
   T1-ENRPrequest timer, the ASAP Endpoint SHOULD process the message as
   appropriate (e.g., populate a local cache, give the response to the
   ASAP User, and/or use the response to send the ASAP User's message).

Stewart, et al.               Experimental                     [Page 23]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Note that some ASAP Endpoints MAY use a cache to minimize the number
   of handle resolutions sent.  If a cache is used, it SHOULD:

   C1)  Be consulted before sending a handle resolution.

   C2)  Have a stale timeout timer associated with each cache entry.  If
      the cache entry is determined to be stale upon a cache hit, a
      handle resolution message SHOULD be sent so the cache can be
      updated.

   C3)  In the case of a stale cache entry, the implementation may, in
      parallel, update the cache and answer the request, or it may block
      the user and wait for an updated cache before proceeding with the
      users request.

   C4)  If the cache entry is NOT stale, the endpoint SHOULD NOT send a
      handle resolution request but instead SHOULD use the entry from
      the cache.

   It should be noted that the impact of using a cache depends on the
   policy and the requirements of the application.  For some
   applications, cache-usage can increase the performance of the system;
   for some, it can decrease it.

   An ENRP server SHOULD be prepared to receive ASAP_HANDLE_RESOLUTION
   requests from PUs, either over an SCTP association on the well-known
   SCTP port, or over a TCP connection on the well-known TCP port.

   Upon reception of the ASAP_HANDLE_RESOLUTION message, the ENRP server
   MUST first look up the pool handle in its handlespace.  If the pool
   exists, the Home ENRP server MUST compose and send back an
   ASAP_HANDLE_RESOLUTION_RESPONSE message to the requesting PU.

   In the response message, the ENRP server SHOULD list all the PEs
   currently registered in this pool, in a list of PE parameters.  The
   ENRP server MUST also include a pool member selection policy
   parameter to indicate the overall member selection policy for the
   pool, if the current pool member selection policy is not Round-Robin.

   If the named pool does not exist in the handlespace, the ENRP server
   MUST reject the handle resolution request by responding with an
   ASAP_HANDLE_RESOLUTION_RESPONSE message carrying an Unknown Pool
   Handle error.

Stewart, et al.               Experimental                     [Page 24]



RFC 5352            Aggregate Server Access Protocol      September 2008

3.4.  Endpoint Keep Alive

   The ASAP_ENDPOINT_KEEP_ALIVE message is sent by an ENRP server to a
   PE in order to verify it is reachable.  If the transport level
   heartbeat mechanism is insufficient, this message can be used in a
   heartbeat mechanism for the ASAP level whose goal is determining the
   health status of the ASAP level in a timely fashion.  (The transport
   level heartbeat mechanism may be insufficient due to either the
   timeouts or the heartbeat interval being set too long, or, that the
   transport level heartbeat mechanism's coverage is limited only to the
   transport level at the two ends.)  Additionally, the
   ASAP_ENDPOINT_KEEP_ALIVE message has value in the reliability of
   fault detection if the SCTP stack is in the kernel.  In such a case,
   while the SCTP-level heartbeat monitors the end-to-end connectivity
   between the two SCTP stacks, the ASAP-level heartbeat monitors the
   end-to-end liveliness of the ASAP layer above it.

   The use of the ASAP_ENDPOINT_KEEP_ALIVE message (Section 2.2.7) and
   the ASAP_ENDPOINT_KEEP_ALIVE_ACK (Section 2.2.8) is described below.
   Upon reception of an ASAP_ENDPOINT_KEEP_ALIVE message, the following
   actions MUST be taken:

   KA1)  The PE must verify that the Pool Handle is correct and matches
      the Pool Handle sent in its earlier ASAP_REGISTRATION message.  If
      the Pool Handle does not match, the PE MUST silently discard the
      message.

   KA2)  Send an ASAP_ENDPOINT_KEEP_ALIVE_ACK (Section 2.2.8) as
      follows:

      KA2.1)  Fill in the Pool Handle parameter with the PE's Pool
         Handle.

      KA2.2)  Fill in the PE Identifier parameter using the PE
         identifier used by this PE for registration.

      KA2.3)  Send the ASAP_ENDPOINT_KEEP_ALIVE_ACK message via the
         appropriate SCTP association for the ENRP server that sent the
         ASAP_ENDPOINT_KEEP_ALIVE message.

      KA2.4)  If the H flag in the received ASAP_ENDPOINT_KEEP_ALIVE
         message is set, and the Server Identifier in the message is NOT
         the identity of your Home ENRP server (or it is not set, e.g.,
         you have a no Home ENRP server) adopt the sender of the
         ASAP_ENDPOINT_KEEP_ALIVE message as the new Home ENRP server.

Stewart, et al.               Experimental                     [Page 25]



RFC 5352            Aggregate Server Access Protocol      September 2008

3.5.  Unreachable Endpoints

   Occasionally, an ASAP Endpoint may realize a PE is unreachable.  This
   may occur by a specific SCTP error realized by the ASAP endpoint or
   via an ASAP User report via the Transport.Failure Primitive
   (Section 6.9.2).  In either case, the ASAP Endpoint SHOULD report the
   unavailability of the PE by sending an ASAP_ENDPOINT_UNREACHABLE
   message to any ENRP server.  Before sending the
   ASAP_ENDPOINT_UNREACHABLE message, the ASAP Endpoint should fill in
   the Pool Handle parameter and PE Identifier parameter of the
   unreachable endpoint.  If the sender is a PE, the message MUST be
   sent via SCTP.  It should be noted that an ASAP Endpoint MUST report
   no more than once each time it encounters such an event.
   Additionally, when processing a Transport.Failure Primitive
   (Section 6.9.2), the ASAP Endpoint MUST NOT send an
   ASAP_ENDPOINT_UNREACHABLE message unless the user has made a previous
   request to send data to the PE specified by the primitive.

   Upon the reception of an ASAP_ENDPOINT_UNREACHABLE message, an ENRP
   server MUST immediately send a point-to-point
   ASAP_ENDPOINT_KEEP_ALIVE message to the PE in question (the H flag in
   the message SHOULD be set to '0', in this case).  If this
   ASAP_ENDPOINT_KEEP_ALIVE fails (e.g., it results in an SCTP
   SEND.FAILURE notification), the ENRP server MUST consider the PE as
   truly unreachable and MUST remove the PE from its handlespace.

   If the ASAP_ENDPOINT_KEEP_ALIVE message is transmitted successfully
   to the PE, the ENRP server MUST retain the PE in its handlespace.
   Moreover, the server SHOULD keep a counter to record how many
   ASAP_ENDPOINT_UNREACHABLE messages it has received reporting
   reachability problem relating to this PE.  If the counter exceeds the
   protocol threshold MAX-BAD-PE-REPORT, the ENRP server SHOULD remove
   the PE from its handlespace.

   Optionally, an ENRP server may also periodically send point-to-point
   ASAP_ENDPOINT_KEEP_ALIVE (with the H flag set to '0') messages to
   each of the PEs owned by the ENRP server in order to check their
   reachability status.  If the sending of ASAP_ENDPOINT_KEEP_ALIVE to a
   PE fails, the ENRP server MUST consider the PE as unreachable and
   MUST remove the PE from its handlespace.  Note, if an ENRP server
   owns a large number of PEs, the implementation should pay attention
   not to flood the network with bursts of ASAP_ENDPOINT_KEEP_ALIVE
   messages.  Instead, the implementation MUST distribute the
   ASAP_ENDPOINT_KEEP_ALIVE message traffic over a time period.  This
   can be achieved by varying the time between two
   ASAP_ENDPOINT_KEEP_ALIVE messages to the same PE randomly by plus/
   minus 50 percent.

Stewart, et al.               Experimental                     [Page 26]



RFC 5352            Aggregate Server Access Protocol      September 2008

3.6.  ENRP Server Hunt Procedures

   Each PU and PE manages a list of transport addresses of ENRP servers
   it knows about.

   If multicast capabilities are used within the operational scope, an
   ENRP server MUST send periodically every (N+1)*T6-Serverannounce an
   ASAP_SERVER_ANNOUNCE message (Section 2.2.10), which includes all the
   transport addresses available for ASAP communication on the multicast
   ENRP client channel, where N is the number of ENRP servers the server
   has found via receiving ASAP_SERVER_ANNOUNCE messages.  This should
   result in a message rate of approximately 1 ASAP_SERVER_ANNOUNCE per
   T6-Serverannounce.

   If an ASAP_SERVER_ANNOUNCE message is received by a PU or PE, it
   SHOULD insert all new included transport addresses into its list of
   ENRP server addresses and start a T7-ENRPoutdate timer for each
   address.  For all already-known, included transport addresses, the
   T7-ENRPoutdate timer MUST be restarted for each address.  If no
   transport parameters are included in the ASAP_SERVER_ANNOUNCE
   message, the SCTP transport protocol is assumed to be used and the
   source IP address and the IANA-registered ASAP port number is used
   for communication with the ENRP server.  If a T7-ENRPoutdate timer
   for a transport address expires, the corresponding address is deleted
   from the managed list of transport addresses of the PU or PE.

   If multicast capabilities are not used within the operational scope,
   each PU and PE MUST have a configured list of transport addresses of
   ENRP servers.

   At its startup, or when it fails to communicate with its Home ENRP
   server (i.e., timed out on an ENRP request), a PE or PU MUST
   establish a new Home ENRP server (i.e., set up a TCP connection or
   SCTP association with a different ENRP server).

   To establish a Home ENRP server, the following rules MUST be
   followed:

   SH1)  The PE or PU SHOULD try to establish an association or
      connection, with no more than three ENRP servers.  An ASAP
      Endpoint MUST NOT establish more than three associations or
      connections.

   SH2)  The ASAP Endpoint shall start a T5-Serverhunt timer.

Stewart, et al.               Experimental                     [Page 27]



RFC 5352            Aggregate Server Access Protocol      September 2008

   SH3)  If the ASAP Endpoint establishes an association or connection
      it MUST stop its T5-Serverhunt timer.  The ASAP Endpoint SHOULD
      also reset the T5-Serverhunt timer to its initial value and then
      proceed to step SH6.

   SH4)  If an association or connection establishment fails, the ASAP
      Endpoint SHOULD try to establish an association or connection
      using a different transport address.

   SH5)  If the T5-Serverhunt timer expires, the following should be
      performed:

      SH5.1)  The ASAP Endpoint MUST double the value of the T5-
         Serverhunt timer.  Note that this doubling is capped at the
         value RETRAN.max.

      SH5.2)  The ASAP Endpoint SHOULD stop the establishment of
         associations and connections with the transport addresses
         selected in step SH1.

      SH5.2)  The ASAP Endpoint SHOULD repeat trying to establish an
         association or connection by proceeding to step SH1.  It SHOULD
         attempt to select a different set of transport addresses with
         which to connect.

   SH6)  The PE or PU shall pick one of the ENRP servers with which it
      was able to establish an association or connection, and send all
      subsequent ENRP request messages to this new Home ENRP server.

3.7.  Handling ASAP Endpoint to ENRP Server Communication Failures

   Three types of failure may occur when the ASAP Endpoint at either the
   PE or PU tries to communicate with an ENRP server:

   A) SCTP send failure

   B) T1-ENRPrequest timer expiration

   C) Registration failure

3.7.1.  SCTP Send Failure

   This communication failure indicates that the SCTP layer was unable
   to deliver a message sent to an ENRP server.  In other words, the
   ENRP server is unreachable.

Stewart, et al.               Experimental                     [Page 28]



RFC 5352            Aggregate Server Access Protocol      September 2008

   In such a case, the ASAP Endpoint MUST NOT re-send the undeliverable
   message.  Instead, it SHOULD discard the message and start the ENRP
   Server Hunt procedure as described in Section 3.6.  After finding a
   new Home ENRP server, the ASAP Endpoint should re-send the request.

   Note that an ASAP Endpoint MAY also choose to NOT discard the
   message, but to queue it for retransmission after a new Home ENRP
   server is found.  If an ASAP Endpoint does choose to discard the
   message, after a new Home ENRP server is found, the ASAP Endpoint
   MUST be capable of reconstructing the original request.

3.7.2.  T1-ENRPrequest Timer Expiration

   When the T1-ENRPrequest timer expires, the ASAP Endpoint should re-
   send the original request to the ENRP server and restart the T1-
   ENRPrequest timer.  In parallel, the ASAP Endpoint should begin the
   ENRP server hunt procedures described in Section 3.6.

   This should be repeated up to MAX-REQUEST-RETRANSMIT times.  After
   that, an Error.Report notification should be generated to inform the
   ASAP User, and the ENRP request message associated with the T1-
   ENRPrequest timer should be discarded.  It should be noted that if an
   alternate ENRP server responds, the ASAP Endpoint SHOULD adopt the
   responding ENRP server as its new Home ENRP server and re-send the
   request to the new Home ENRP server.

3.7.3.  Registration Failure

   Registration failure is discussed in Section 3.1.

3.8.  Cookie Handling Procedures

   Whenever a PE wants, and a control channel exists, it can send an
   ASAP_COOKIE message to a PU via the control channel.  The PU's ASAP
   endpoint stores the Cookie parameter and discards an older cookie if
   it is previously stored.

   Note: A control channel is a communication channel between a PU and
   PE that does not carry data passed to the user.  This is accomplished
   with SCTP by using a PPID to separate the ASAP messages (Cookie and
   Business Card) from normal data messages.

   If the PU's ASAP Endpoint detects a failure and initiates a failover
   to a different PE, it SHOULD send the latest received cookie
   parameter in an ASAP_COOKIE_ECHO message to the new PE as the first
   message on the control channel.  Upper layers may be involved in the
   failover procedure.

Stewart, et al.               Experimental                     [Page 29]



RFC 5352            Aggregate Server Access Protocol      September 2008

   The cookie handling procedure can be used for state sharing.
   Therefore, a cookie should be signed by the sending PE ASAP Endpoint
   and the cookie should be verified by the receiving PE's ASAP
   Endpoint.  The details of the verification procedure are out of scope
   for this document.  It is only important that the PU always stores
   the last received Cookie parameter and sends that back unmodified in
   case of a PE failure.

3.9.  Business Card Handling Procedures

   When communication begins between a PU and a PE, either of which
   could be part of a PU/PE combination (i.e., a message is sent between
   the entities), a PE should always send an ASAP_BUSINESS_CARD message
   to a PU.  A PU should send an ASAP_BUSINESS_CARD message to a PE only
   if it is part of a PU/PE combination.  An ASAP_BUSINESS_CARD message
   MUST ONLY be sent if a control channel exists between a PU and PE.
   After communication has been established between a PE and PU, a new
   ASAP_BUSINESS_CARD message may be sent at any time by either entity
   to update its failover order.

   The ASAP_BUSINESS_CARD message serves two purposes.  First, it lists
   the pool handle.  For a PU that is part of a PU/PE combination that
   is contacting a PE, this is essential so that the PE learns the pool
   handle of the PU/PE combination requesting service.  Secondly, the
   ASAP_BUSINESS_CARD message tells the receiving entity a failover
   order that is recommended to follow.  This should facilitate
   rendezvous between entities that have been working together, as well
   as to control the load redistribution upon the failure of any PE.

   Upon receipt of an ASAP_BUSINESS_CARD message (see Section 2.2.13),
   the receiving ASAP Endpoint SHOULD:

   BC1)  Unpack the message, and if no entry exists in the translation
      cache of the receiving ASAP Endpoint for the pool handle listed
      within the ASAP_BUSINESS_CARD message, perform an
      ASAP_HANDLE_RESOLUTION for that pool handle.  If the translation
      cache does hold an entry for the pool handle, then it may be
      necessary to update the peer endpoint.

   BC2)  Unpack the message and populate a preferred list for failover
      order.  If the peer's PE should fail, this preferred list will be
      used to guide the ASAP Endpoint in the selection of an alternate
      PE.

Stewart, et al.               Experimental                     [Page 30]



RFC 5352            Aggregate Server Access Protocol      September 2008

4.  Roles of Endpoints

   A PU MUST implement the handling of ASAP_HANDLE_RESOLUTION and
   ASAP_HANDLE_RESOLUTION_RESPONSE messages.  Furthermore, it MUST
   support the handling of ASAP_ERROR messages.  It MAY implement the
   handling of ASAP_COOKIE, ASAP_COOKIE_ECHO, and ASAP_BUSINESS_CARD
   messages.  It MAY also implement the handling of ASAP_SERVER_ANNOUNCE
   messages.

   A PE MUST implement the handling of ASAP_REGISTRATION,
   ASAP_DEREGISTRATION, ASAP_REGISTRATION_RESPONSE, and
   ASAP_DEREGISTRATION_RESPONSE messages.  Furthermore, it MUST support
   the handling of ASAP_ENDPOINT_KEEP_ALIVE,
   ASAP_ENDPOINT_KEEP_ALIVE_ACK, ASAP_ENDPOINT_UNREACHABLE, and
   ASAP_ERROR messages.  It SHOULD support the handling of ASAP_COOKIE,
   ASAP_COOKIE_ECHO, and ASAP_BUSINESS_CARD messages.  Furthermore, it
   MAY support the handling of ASAP_SERVER_ANNOUNCE messages.

   An ENRP server MUST implement the handling of ASAP_REGISTRATION,
   ASAP_DEREGISTRATION, ASAP_REGISTRATION_RESPONSE, and
   ASAP_DEREGISTRATION_RESPONSE messages.  Furthermore, it MUST support
   the handling of ASAP_ENDPOINT_KEEP_ALIVE,
   ASAP_ENDPOINT_KEEP_ALIVE_ACK, ASAP_ENDPOINT_UNREACHABLE, and
   ASAP_ERROR messages.  Furthermore, it MAY support the handling of
   ASAP_SERVER_ANNOUNCE messages.

   If a node acts as a PU and a PE, it MUST fulfill both roles.

5.  SCTP Considerations

   Each ASAP message is considered as an SCTP user message.  The PPID
   registered for ASAP SHOULD be used.  The SCTP port used at the ENRP
   server might be preconfigured or announced in the
   ASAP_SERVER_ANNOUNCE message or the well-known ASAP port.

   ASAP messages belonging to the control channel MUST be sent using the
   PPID registered for ASAP.  Messages belonging to the data channel
   MUST NOT use the PPID registered for ASAP.

6.  The ASAP Interfaces

   This chapter will focus primarily on the primitives and notifications
   that form the interface between the ASAP User and ASAP and that
   between ASAP and its lower-layer transport protocol (e.g., SCTP).

Stewart, et al.               Experimental                     [Page 31]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Note, the following primitive and notification descriptions are shown
   for illustrative purposes.  We believe that including these
   descriptions in this document is important to the understanding of
   the operation of many aspects of ASAP; but an ASAP implementation is
   not required to use the exact syntax described in this section.

   An ASAP User passes primitives to the ASAP sub-layer to request
   certain actions.  Upon the completion of those actions or upon the
   detection of certain events, the ASAP layer will notify the ASAP
   User.

6.1.  Registration.Request Primitive

         Format: registration.request(Pool Handle,
                                      User Transport parameter(s))

   The Pool Handle parameter contains a NULL terminated ASCII string of
   fixed length.  The optional User Transport parameter(s) indicates
   specific transport parameters and types with which to register.  If
   this optional parameter is left off, then the SCTP endpoint used to
   communicate with the ENRP server is used as the default User
   Transport parameter.  Note that any IP address contained within a
   User Transport parameter MUST be a bound IP address in the SCTP
   endpoint used to communicate with the ENRP server.

   The ASAP User invokes this primitive to add itself to the
   handlespace, thus becoming a Pool Element of a pool.  The ASAP User
   must register itself with the ENRP server by using this primitive
   before other ASAP Users using the handlespace can send message(s) to
   this ASAP User by Pool Handle or by PE handle (see Sections 6.5.1 and
   6.5.3).

   In response to the registration primitive, the ASAP Endpoint will
   send an ASAP_REGISTRATION message to the Home ENRP server (see
   Sections 2.2.1 and 3.1), and start a T2-registration timer.

6.2.  Deregistration.Request Primitive

         Format: deregistration.request(Pool Handle)

   The ASAP PE invokes this primitive to remove itself from the Server
   Pool.  This should be used as a part of the graceful shutdown process
   by the application.

   An ASAP_DEREGISTRATION message will be sent by the ASAP Endpoint to
   the Home ENRP server (see Sections 2.2.2 and 3.2).

Stewart, et al.               Experimental                     [Page 32]



RFC 5352            Aggregate Server Access Protocol      September 2008

6.3.  CachePopulateRequest Primitive

          Format: cache_populate_request([Pool-Handle |
                                        Pool-Element-Handle])

   If the address type is a Pool Handle and a local handle translation
   cache exists, the ASAP Endpoint should initiate a mapping information
   query by sending an ASAP_HANDLE_RESOLUTION message on the Pool handle
   and updating its local cache when the response comes back from the
   ENRP server.

   If a Pool-Element-Handle is passed, then the Pool Handle is unpacked
   from the Pool-Element-Handle and the ASAP_HANDLE_RESOLUTION message
   is sent to the ENRP server for resolution.  When the response message
   returns from the ENRP server, the local cache is updated.

   Note that if the ASAP service does NOT support a local cache, this
   primitive performs NO action.

6.4.  CachePurgeRequest Primitive

      Format: cache_purge_request([Pool-Handle | Pool-Element-Handle])

   If the user passes a Pool Handle and local handle translation cache
   exists, the ASAP Endpoint should remove the mapping information on
   the Pool Handle from its local cache.  If the user passes a Pool-
   Element-Handle, then the Pool Handle within is used for the
   cache_purge_request.

   Note that if the ASAP service does NOT support a local cache, this
   primitive performs NO action.

6.5.  DataSendRequest Primitive

         Format: data_send_request(destinationAddress, typeOfAddress,
                                   message, sizeOfMessage, Options);

   This primitive requests ASAP to send a message to some specified Pool
   or Pool Element within the current Operational scope.

   Depending on the address type used for the send request, the sender's
   ASAP Endpoint may perform address translation and Pool Element
   selection before sending the message out.  This MAY also dictate the
   creation of a local transport endpoint in order to meet the required
   transport type.

   The data_send_request primitive can take different forms of address
   types, as described in the following sections.

Stewart, et al.               Experimental                     [Page 33]



RFC 5352            Aggregate Server Access Protocol      September 2008

6.5.1.  Sending to a Pool Handle

   In this case, the destinationAddress and typeOfAddress together
   indicate a pool handle.

   This is the simplest form of send_data_request primitive.  By
   default, this directs ASAP to send the message to one of the Pool
   Elements in the specified pool.

   Before sending the message out to the pool, the sender's ASAP
   endpoint MUST first perform a pool handle to address translation.  It
   may also need to perform Pool Element selection if multiple Pool
   Elements exist in the pool.

   If the sender's ASAP implementation does not support a local cache of
   the mapping information, or if it does not have the mapping
   information on the pool in its local cache, it will transmit an
   ASAP_HANDLE_RESOLUTION message (see Sections 2.2.5 and 3.3) to the
   current Home ENRP server and MUST hold the outbound message in queue
   while awaiting the response from the ENRP server (any further send
   request to this pool before the ENRP server responds SHOULD also be
   queued).

   Once the necessary mapping information arrives from the ENRP server,
   the sender's ASAP will:

   A) map the pool handle into a list of transport addresses of the
      destination PE(s);

   B) if multiple PEs exist in the pool, choose one of them and transmit
      the message to it.  In that case, the choice of the PE is made by
      the ASAP Endpoint of the sender based on the server pooling
      policy, as discussed in Section 6.5.2;

   C) optionally create any transport endpoint that may be needed to
      communicate with the PE selected;

   D) if no transport association or connection exists towards the
      destination PE, establish any needed transport state;

   E) send out the queued message(s) to the appropriate transport
      connection using the appropriate send mechanism (e.g., for SCTP,
      the SEND primitive in [RFC4960] would be used); and,

   F) if the local cache is implemented, append/update the local cache
      with the mapping information received in the ENRP server's
      response.  Also, record the local transport information (e.g., the
      SCTP association id) if any new transport state was created.

Stewart, et al.               Experimental                     [Page 34]



RFC 5352            Aggregate Server Access Protocol      September 2008

   For more on the ENRP server request procedures see [RFC5353].

   Optionally, the ASAP Endpoint of the sender may return a Pool Element
   handle of the selected PE to the application after sending the
   message.  This PE handle can then be used for future transmissions to
   that same PE (see Section 6.5.3).

   Section 3.7 defines the failover procedures for cases where the
   selected PE is found unreachable.

6.5.2.  Pool Element Selection

   Each time an ASAP User sends a message to a pool that contains more
   than one PE, the sender's ASAP Endpoint must select one of the PEs in
   the pool as the receiver of the current message.  The selection is
   made according to the current server pooling policy of the pool to
   which the message is sent.

   Note, no selection is needed if the ASAP_SEND_TOALL option is set
   (see Section 6.5.5).

   Together with the server pooling policy, each PE can also specify a
   Policy Value for itself at the registration time.  The meaning of the
   Policy Value depends on the current server pooling policy of the
   group.  A PE can also change its Policy Value whenever it desires, by
   re-registering itself with the handlespace with a new Policy Value.
   Re-registration shall be done by simply sending another
   ASAP_REGISTRATION to its Home ENRP server (see Section 2.2.1).

   One basic policy is defined in this document; others can be found in
   [RFC5356]

6.5.2.1.  Round-Robin Policy

   When an ASAP Endpoint sends messages by Pool Handle and Round-Robin
   is the current policy of that Pool, the ASAP Endpoint of the sender
   will select the receiver for each outbound message by Round-Robining
   through all the registered PEs in that Pool, in an attempt to achieve
   an even distribution of outbound messages.  Note that in a large
   server pool, the ENRP server might not send back all PEs to the ASAP
   client.  In this case, the client or PU will be performing a Round-
   Robin policy on a subset of the entire Pool.

6.5.3.  Sending to a Pool Element Handle

   In this case, the destinationAddress and typeOfAddress together
   indicate an ASAP Pool Element handle.

Stewart, et al.               Experimental                     [Page 35]



RFC 5352            Aggregate Server Access Protocol      September 2008

   This requests that the ASAP Endpoint deliver the message to the PE
   identified by the Pool Element handle.

   The Pool Element handle should contain the Pool Handle and a
   destination transport address of the destination PE or the Pool
   Handle and the transport type.  Other implementation dependent
   elements may also be cached in a Pool Element handle.

   The ASAP Endpoint shall use the transport address and transport type
   to identify the endpoint with which to communicate.  If no
   communication state exists with the peer endpoint (and is required by
   the transport protocol), the ASAP Endpoint MAY set up the needed
   state and then invoke the SEND primitive for the particular transport
   protocol to send the message to the PE.

   In addition, if a local translation cache is supported, the endpoint
   will:

   A) send out the message to the transport address (or association id)
      designated by the PE handle.

   B) determine if the Pool Handle is in the local cache.

      If it is *not*, the endpoint will:

      i) ask the Home ENRP server for handle resolution on the pool
         handle by sending an ASAP_HANDLE_RESOLUTION message (see
         Section 2.2.5), and

      ii)  use the response to update the local cache.

         If the pool handle is in the cache, the endpoint will only
         update the pool handle if the cache is stale.  A stale cache is
         indicated by it being older than the protocol parameter
         'stale.cache.value' (see Section 7.2).

   Sections 3.5 and 6.9 define the failover procedures for cases where
   the PE pointed to by the Pool Element handle is found to be
   unreachable.

   Optionally, the ASAP Endpoint may return the actual Pool Element
   handle to which the message was sent (this may be different from the
   Pool Element handle specified when the primitive is invoked, due to
   the possibility of automatic failover).

Stewart, et al.               Experimental                     [Page 36]



RFC 5352            Aggregate Server Access Protocol      September 2008

6.5.4.  Send by Transport Address

   In this case, the destinationAddress and typeOfAddress together
   indicate a transport address and transport type.

   This directs the sender's ASAP Endpoint to send the message out to
   the specified transport address.

   No endpoint failover is supported when this form of send request is
   used.  This form of send request effectively bypasses the ASAP
   endpoint.

6.5.5.  Message Delivery Options

   The Options parameter passed in the various forms of the above
   data_send_request primitive gives directions to the sender's ASAP
   endpoint on special handling of the message delivery.

   The value of the Options parameter is generated by bit-wise "OR"ing
   of the following pre-defined constants:

   ASAP_USE_DEFAULT: 0x0000  Use default setting.

   ASAP_SEND_FAILOVER: 0x0001  Enables PE failover on this message.  In
      the case where the first selected PE or the PE pointed to by the
      PE handle is found unreachable, the sender's ASAP Endpoint SHOULD
      re-select an alternate PE from the same pool if one exists, and
      silently re-send the message to this newly selected endpoint.

      Note that this is a best-effort service.  Applications should be
      aware that messages can be lost during the failover process, even
      if the underlying transport supports retrieval of unacknowledged
      data (e.g., SCTP).  (Example: messages acknowledged by the SCTP
      layer at a PE, but not yet read by the PE when a PE failure
      occurs.)  In the case where the underlying transport does not
      support such retrieval (e.g., TCP), any data already submitted by
      ASAP to the transport layer may be lost upon failover.

   ASAP_SEND_NO_FAILOVER: 0x0002  This option prohibits the sender's
      ASAP Endpoint from re-sending the message to any alternate PE in
      case that the first selected PE, or the PE pointed to by the PE
      handle, is found to be unreachable.  Instead, the sender's ASAP
      Endpoint shall notify its upper layer about the unreachability
      with an Error.Report and return any unsent data.

   ASAP_SEND_TO_LAST: 0x0004  This option requests that the sender's
      ASAP Endpoint send the message to the same PE in the pool to which
      the previous message destined to this pool was sent.

Stewart, et al.               Experimental                     [Page 37]



RFC 5352            Aggregate Server Access Protocol      September 2008

   ASAP_SEND_TO_ALL: 0x0008  When sending by Pool Handle, this option
      directs the sender's ASAP endpoint to send a copy of the message
      to all the PEs, except for the sender itself if the sender is a PE
      in that pool.

   ASAP_SEND_TO_SELF: 0x0010  This option only applies in combination
      with the ASAP_SEND_TO_ALL option.  It permits the sender's ASAP
      Endpoint to also deliver a copy of the message to itself if the
      sender is a PE of the pool (i.e., loop-back).

   ASAP_SCTP_UNORDER: 0x1000  This option requests that the transport
      layer send the current message using un-ordered delivery (note the
      underlying transport must support un-ordered delivery for this
      option to be effective).

6.6.  Data.Received Notification

         Format: data.received(messageReceived, sizeOfMessage,
                               senderAddress, typeOfAddress)

   When a new user message is received, the ASAP Endpoint of the
   receiver uses this notification to pass the message to its upper
   layer.

   Along with the message being passed, the ASAP Endpoint of the
   receiver should also indicate to its upper layer the message senders
   address.  The sender's address can be in the form of either an SCTP
   association id, TCP transport address, UDP transport address, or an
   ASAP Pool Element handle.

   A) If the handle translation local cache is implemented at the
      receiver's ASAP Endpoint, a reverse mapping from the sender's IP
      address to the pool handle should be performed, and if the mapping
      is successful, the sender's ASAP Pool Element handle should be
      constructed and passed in the senderAddress field.

   B) If there is no local cache or the reverse mapping is not
      successful, the SCTP association id or other transport specific
      identification (if SCTP is not being used) should be passed in the
      senderAddress field.

Stewart, et al.               Experimental                     [Page 38]



RFC 5352            Aggregate Server Access Protocol      September 2008

6.7.  Error.Report Notification

         Format: error.report(destinationAddress, typeOfAddress,
                              failedMessage, sizeOfMessage)

   An error.report should be generated to notify the ASAP User about
   failed message delivery as well as other abnormalities.

   The destinationAddress and typeOfAddress together indicate to whom
   the message was originally sent.  The address type can be either an
   ASAP Pool Element handle, association id, or a transport address.

   The original message (or the first portion of it if the message is
   too big) and its size should be passed in the failedMessage and
   sizeOfMessage fields, respectively.

6.8.  Examples

   These examples assume an underlying SCTP transport between the PE and
   PU.  Other transports are possible, but SCTP is utilized in the
   examples for illustrative purposes.  Note that all communication
   between the PU and ENRP server and the PE and ENRP servers would be
   using SCTP.

6.8.1.  Send to a New Pool

   This example shows the event sequence when a Pool User sends the
   message "hello" to a pool that is not in the local translation cache
   (assuming local caching is supported).

     ENRP Server                       PU         new-handle:PEx

       |                                |                 |
       |                              +---+               |
       |                              | 1 |               |
       |2. ASAP_HANDLE_RESOLUTION     +---+               |
       |<-------------------------------|                 |
       |                              +---+               |
       |                              | 3 |               |
       |4. ASAP_HANDLE_RESOLUTION_RSP +---+               |
       |------------------------------->|                 |
       |                              +---+               |
       |                              | 5 |               |
       |                              +---+  6. "hello1"  |
       |                                |---------------->|
       |                                |                 |

Stewart, et al.               Experimental                     [Page 39]



RFC 5352            Aggregate Server Access Protocol      September 2008

   1) The user at PU invokes:

      data_send_request("new-handle", handle-type, "hello1", 6, 0);

      The ASAP Endpoint, in response, looks up the pool "new-handle" in
      its local cache, but fails to find it.

   2) The ASAP Endpoint of the PU queues the message and sends an
      ASAP_HANDLE_RESOLUTION request to the ENRP server asking for all
      information about pool "new-handle".

   3) A T1-ENRPrequest timer is started while the ASAP Endpoint is
      waiting for the response from the ENRP server.

   4) The ENRP server responds to the query with an
      ASAP_HANDLE_RESOLUTION_RESPONSE message that contains all the
      information about pool "new-handle".

   5) ASAP at PU cancels the T1-ENRPrequest timer and populate its local
      cache with information on pool "new-handle".

   6) Based on the server pooling policy of pool "new-handle", ASAP at
      PU selects the destination PE (PEx), sets up, if necessary, an
      SCTP association towards PEx (explicitly or implicitly), and sends
      out the queued "hello1" user message.

6.8.2.  Send to a Cached Pool Handle

   This shows the event sequence when the ASAP User PU sends another
   message to the pool "new-handle" after what happened in
   Section 6.8.1.

     ENRP Server                       PU         new-handle:PEx

       |                                |                 |
       |                              +---+               |
       |                              | 1 |               |
       |                              +---+  2. "hello2"  |
       |                                |---------------->|
       |                                |                 |

Stewart, et al.               Experimental                     [Page 40]



RFC 5352            Aggregate Server Access Protocol      September 2008

   1) The user at PU invokes:

      data_send_request("new-handle", handle-type, "hello2", 6, 0);

      The ASAP Endpoint, in response, looks up the pool "new-handle" in
      its local cache and finds the mapping information.

   2) Based on the server pooling policy of "new-handle", ASAP at PU
      selects the PE (assuming EPx is selected again), and sends out
      "hello2" message (assuming the SCTP association is already set
      up).

6.9.  PE Send Failure

   When the ASAP Endpoint in a PE or PU attempts to send a message to a
   PE and fails, the failed sender will report the event as described in
   Section 3.5.

   Additional primitives are also defined in this section to support
   those user applications that do not wish to use ASAP as the actual
   transport.

6.9.1.  Translation.Request Primitive

           Format: translation.request(Pool-Handle)

   If the address type is a Pool Handle and a local handle translation
   cache exists, the ASAP Endpoint should look within its translation
   cache and return the current known transport types, ports, and
   addresses to the caller.

   If the Pool Handle does not exist in the local handle cache or no
   handle cache exists, the ASAP Endpoint will send an
   ASAP_HANDLE_RESOLUTION request using the Pool Handle.  Upon
   completion of the handle resolution, the ASAP Endpoint should
   populate the local handle cache (if a local handle cache is
   supported) and return the transport types, ports, and addresses to
   the caller.

Stewart, et al.               Experimental                     [Page 41]



RFC 5352            Aggregate Server Access Protocol      September 2008

6.9.2.  Transport.Failure Primitive

       Format: transport.failure(Pool-Handle, Transport-address)

   If an external user encounters a failure in sending to a PE and is
   *not* using ASAP, it can use this primitive to report the failure to
   the ASAP endpoint.  ASAP will send an ASAP_ENDPOINT_UNREACHABLE to
   the "Home" ENRP server in response to this primitive.  Note ASAP
   SHOULD NOT send an ASAP_ENDPOINT_UNREACHABLE *unless* the user has
   actually made a previous request to send data to the PE.

7.  Timers, Variables, and Thresholds

   The following is a summary of the timers, variables, and pre-set
   protocol constants used in ASAP.

7.1.  Timers

   T1-ENRPrequest -  A timer started when a request is sent by ASAP to
      the ENRP server (providing application information is queued).
      Normally set to 15 seconds.

   T2-registration -  A timer started when sending an ASAP_REGISTRATION
      request to the Home ENRP server, normally set to 30 seconds.

   T3-deregistration -  A timer started when sending a de-registration
      request to the Home ENRP server, normally set to 30 seconds.

   T4-reregistration -  This timer is started after successful
      registration into the ENRP handlespace and is used to cause a re-
      registration at a periodic interval.  This timer is normally set
      to 10 minutes or 20 seconds less than the Lifetime parameter used
      in the registration request (whichever is less).

   T5-Serverhunt -  This timer is used during the ENRP Server Hunt
      procedure and is normally set to 10 seconds.

   T6-Serverannounce -  This timer gives the time between the sending of
      consecutive ASAP_SERVER_ANNOUNCE messages.  It is normally set to
      1 second.

   T7-ENRPoutdate -  This timer gives the time a server announcement is
      valid.  It is normally set to 5 seconds.

7.2.  Variables

   stale_cache_value -  A threshold variable that indicates how long a
      cache entry is valid for.

Stewart, et al.               Experimental                     [Page 42]



RFC 5352            Aggregate Server Access Protocol      September 2008

7.3.  Thresholds

   MAX-REG-ATTEMPT -  The maximum number of registration attempts to be
      made before a server hunt is issued.  The default value of this is
      set to 2.

   MAX-REQUEST-RETRANSMIT -  The maximum number of attempts to be made
      when requesting information from the local ENRP server before a
      server hunt is issued.  The default value for this is 2.

   RETRAN-MAX -  This value represents the maximum time between
      registration attempts and puts a ceiling on how far the
      registration timer will back off.  The default value for this is
      normally set to 60 seconds.

8.  IANA Considerations

   This document (RFC 5352) is the reference for all registrations
   described in this section.  All registrations have been listed on the
   Reliable Server Pooling (RSerPool) Parameters page.

8.1.  A New Table for ASAP Message Types

   ASAP Message Types are maintained by IANA.  Fourteen initial values
   have been assigned by IANA as described in Figure 1.  IANA created a
   new table, "ASAP Message Types":

   Type       Message Name                     Reference
   -----      -------------------------        ---------
   0x00       (Reserved by IETF)               RFC 5352
   0x01       ASAP_REGISTRATION                RFC 5352
   0x02       ASAP_DEREGISTRATION              RFC 5352
   0x03       ASAP_REGISTRATION_RESPONSE       RFC 5352
   0x04       ASAP_DEREGISTRATION_RESPONSE     RFC 5352
   0x05       ASAP_HANDLE_RESOLUTION           RFC 5352
   0x06       ASAP_HANDLE_RESOLUTION_RESPONSE  RFC 5352
   0x07       ASAP_ENDPOINT_KEEP_ALIVE         RFC 5352
   0x08       ASAP_ENDPOINT_KEEP_ALIVE_ACK     RFC 5352
   0x09       ASAP_ENDPOINT_UNREACHABLE        RFC 5352
   0x0a       ASAP_SERVER_ANNOUNCE             RFC 5352
   0x0b       ASAP_COOKIE                      RFC 5352
   0x0c       ASAP_COOKIE_ECHO                 RFC 5352
   0x0d       ASAP_BUSINESS_CARD               RFC 5352
   0x0e       ASAP_ERROR                       RFC 5352
   0x0b-0xff  (Available for Assignment)       RFC 5352

Stewart, et al.               Experimental                     [Page 43]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Requests to register an ASAP Message Type in this table should be
   sent to IANA.  The number must be unique.  The "Specification
   Required" policy of [RFC5226] MUST be applied.

8.2.  Port Numbers

   The references for the already assigned port numbers

      asap-tcp 3863/tcp

      asap-udp 3863/udp

      asap-sctp 3863/sctp

      asap-tcp-tls 3864/tcp

      asap-sctp-tls 3864/sctp

   have been updated to RFC 5352.

8.3.  SCTP Payload Protocol Identifier

   The reference for the already assigned ASAP payload protocol
   identifier 11 has been updated to RFC 5352.

8.4.  Multicast Addresses

   IANA has assigned an IPv4 multicast address (224.0.1.185) and an IPv6
   multicast address (FF0X:0:0:0:0:0:0:133).  The IPv4 address is part
   of the Internetwork Control Block (224.0.1/24).

9.  Security Considerations

   We present a summary of the of the threats to the RSerPool
   architecture and describe security requirements in response in order
   to mitigate the threats.  Next, we present the security mechanisms,
   based on TLS, that are implementation requirements in response to the
   threats.  Finally, we present a chain-of-trust argument that examines
   critical data paths in RSerPool and shows how these paths are
   protected by the TLS implementation.

Stewart, et al.               Experimental                     [Page 44]



RFC 5352            Aggregate Server Access Protocol      September 2008

9.1.  Summary of RSerPool Security Threats

   "Threats Introduced by Reliable Server Pooling (RSerPool) and
   Requirements for Security in Response to Threats" [RFC5355] describes
   the threats to the RSerPool architecture in detail and lists the
   security requirements in response to each threat.  From the threats
   described in this document, the security services required for the
   RSerPool protocol are enumerated below.

   Threat 1) PE registration/de-registration flooding or spoofing.
   -----------
   Security mechanism in response: ENRP server authenticates the PE.

   Threat 2) PE registers with a malicious ENRP server.
   -----------
   Security mechanism in response: PE authenticates the ENRP server.

   Threats 1 and 2, taken together, result in mutual authentication of
   the ENRP server and the PE.

   Threat 3) Malicious ENRP server joins the ENRP server pool.
   -----------
   Security mechanism in response: ENRP servers mutually authenticate.

   Threat 4) A PU communicates with a malicious ENRP server for handle
   resolution.
   -----------
   Security mechanism in response: The PU authenticates the ENRP server.

   Threat 5) Replay attack.
   -----------
   Security mechanism in response: Security protocol that has protection
   from replay attacks.

   Threat 6) Corrupted data that causes a PU to have misinformation
   concerning a pool handle resolution.
   -----------
   Security mechanism in response: Security protocol that supports
   integrity protection.

   Threat 7) Eavesdropper snooping on handlespace information.
   -----------
   Security mechanism in response: Security protocol that supports data
   confidentiality.

Stewart, et al.               Experimental                     [Page 45]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Threat 8) Flood of ASAP_ENDPOINT_UNREACHABLE messages from the PU to
   ENRP server.
   -----------
   Security mechanism in response: ASAP must control the number of ASAP
   Endpoint unreachable messages transmitted from the PU to the ENRP
   server.

   Threat 9) Flood of ASAP_ENDPOINT_KEEP_ALIVE messages to the PE from
   the ENRP server.
   -----------
   Security mechanism in response: ENRP server must control the number
   of ASAP_ENDPOINT_KEEP_ALIVE messages to the PE.

   To summarize, the threats 1-7 require security mechanisms that
   support authentication, integrity, data confidentiality, and
   protection from replay attacks.

   For RSerPool we need to authenticate the following:

      PU <----  ENRP server (PU authenticates the ENRP server)
      PE <----> ENRP server (mutual authentication)
      ENRP server <-----> ENRP server (mutual authentication)

9.2.  Implementing Security Mechanisms

   We do not define any new security mechanisms specifically for
   responding to threats 1-7.  Rather, we use an existing IETF security
   protocol, specifically [RFC3237], to provide the security services
   required.  TLS supports all these requirements and MUST be
   implemented.  The TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite MUST be
   supported, at a minimum, by implementers of TLS for RSerPool.  For
   purposes of backwards compatibility, ENRP SHOULD support
   TLS_RSA_WITH_3DES_EDE_CBC_SHA.  Implementers MAY also support any
   other IETF-approved ciphersuites.

   ENRP servers, PEs, and PUs MUST implement TLS.  ENRP servers and PEs
   MUST support mutual authentication using PSK (pre-shared-key).  ENRP
   servers MUST support mutual authentication among themselves using
   PSK.  PUs MUST authenticate ENRP servers using certificates.

   TLS with PSK is mandatory to implement as the authentication
   mechanism for ENRP to ENRP authentication and PE to ENRP
   authentication.  For PSK, having a pre-shared-key constitutes
   authorization.  The network administrators of a pool need to decide
   which nodes are authorized to participate in the pool.  The
   justification for PSK is that we assume that one administrative
   domain will control and manage the server pool.  This allows for PSK
   to be implemented and managed by a central security administrator.

Stewart, et al.               Experimental                     [Page 46]



RFC 5352            Aggregate Server Access Protocol      September 2008

   TLS with certificates is mandatory to implement as the authentication
   mechanism for PUs to the ENRP server.  PUs MUST authenticate ENRP
   servers using certificates.  ENRP servers MUST possess a site
   certificate whose subject corresponds to their canonical hostname.
   PUs MAY have certificates of their own for mutual authentication with
   TLS, but no provisions are set forth in this document for their use.
   All RSerPool Elements that support TLS MUST have a mechanism for
   validating certificates received during TLS negotiation; this entails
   possession of one or more root certificates issued by certificate
   authorities (preferably, well-known distributors of site certificates
   comparable to those that issue root certificates for web browsers).

   In order to prevent man-in-the-middle attacks, the client MUST verify
   the server's identity (as presented in the server's Certificate
   message).  The client's understanding of the server's identity
   (typically, the identity used to establish the transport connection)
   is called the "reference identity".  The client determines the type
   (e.g., DNS name or IP address) of the reference identity and performs
   a comparison between the reference identity and each subjectAltName
   value of the corresponding type until a match is produced.  Once a
   match is produced, the server's identity has been verified, and the
   server identity check is complete.  Different subjectAltName types
   are matched in different ways.  The client may map the reference
   identity to a different type prior to performing a comparison.
   Mappings may be performed for all available subjectAltName types to
   which the reference identity can be mapped; however, the reference
   identity should only be mapped to types for which the mapping is
   either inherently secure (e.g., extracting the DNS name from a URI to
   compare with a subjectAltName of type dNSName) or for which the
   mapping is performed in a secure manner (e.g., using DNS Security
   (DNSSEC), or using user- or admin-configured host-to-address/
   address-to-host lookup tables).

   If the server identity check fails, user-oriented clients SHOULD
   either notify the user or close the transport connection and indicate
   that the server's identity is suspect.  Automated clients SHOULD
   close the transport connection and then return or log an error
   indicating that the server's identity is suspect, or both.  Beyond
   the server identity check described in this section, clients should
   be prepared to do further checking to ensure that the server is
   authorized to provide the service it is requested to provide.  The
   client may need to make use of local policy information in making
   this determination.

   If the reference identity is an internationalized domain name,
   conforming implementations MUST convert it to the ASCII Compatible
   Encoding (ACE) format, as specified in Section 4 of [RFC3490], before
   comparison with subjectAltName values of type dNSName.  Specifically,

Stewart, et al.               Experimental                     [Page 47]



RFC 5352            Aggregate Server Access Protocol      September 2008

   conforming implementations MUST perform the conversion operation
   specified in Section 4 of [RFC3490] as follows: * in step 1, the
   domain name SHALL be considered a "stored string"; * in step 3, set
   the flag called "UseSTD3ASCIIRules"; * in step 4, process each label
   with the "ToASCII" operation; and * in step 5, change all label
   separators to U+002E (full stop).

   After performing the "to-ASCII" conversion, the DNS labels and names
   MUST be compared for equality, according to the rules specified in
   Section 3 of RFC 3490.  The '*' (ASCII 42) wildcard character is
   allowed in subjectAltName values of type dNSName, and then, only as
   the left-most (least significant) DNS label in that value.  This
   wildcard matches any left-most DNS label in the server name.  That
   is, the subject *.example.com matches the server names a.example.com
   and b.example.com, but does not match example.com or a.b.example.com.

   When the reference identity is an IP address, the identity MUST be
   converted to the "network byte order" octet string representation in
   [RFC791] and [RFC2460].  For IP version 4, as specified in RFC 791,
   the octet string will contain exactly four octets.  For IP version 6,
   as specified in RFC 2460, the octet string will contain exactly
   sixteen octets.  This octet string is then compared against
   subjectAltName values of type iPAddress.  A match occurs if the
   reference identity octet string and value octet strings are
   identical.

   After a TLS layer is established in a session, both parties are to
   independently decide whether or not to continue based on local policy
   and the security level achieved.  If either party decides that the
   security level is inadequate for it to continue, it SHOULD remove the
   TLS layer immediately after the TLS (re)negotiation has completed
   (see RFC 4511)[RFC4511].  Implementations may re-evaluate the
   security level at any time and, upon finding it inadequate, should
   remove the TLS layer.

   Implementations MUST support TLS with SCTP, as described in [RFC3436]
   or TLS over TCP, as described in [RFC5246].  When using TLS/SCTP we
   must ensure that RSerPool does not use any features of SCTP that are
   not available to a TLS/SCTP user.  This is not a difficult technical
   problem, but simply a requirement.  When describing an API of the
   RSerPool lower layer, we also have to take into account the
   differences between TLS and SCTP.

   Threat 8 requires the ASAP protocol to limit the number of
   ASAP_ENDPOINT_UNREACHABLE messages (see Section 3.5) to the ENRP
   server.

Stewart, et al.               Experimental                     [Page 48]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Threat 9 requires the ENRP protocol to limit the number of
   ASAP_ENDPOINT_KEEP_ALIVE messages from the ENRP server to the PE (see
   [RFC5353]).

   There is no security mechanism defined for the multicast
   announcements.  Therefore, a receiver of such an announcement cannot
   consider the source address of such a message to be a trustworthy
   address of an ENRP server.  A receiver must also be prepared to
   receive a large number of multicast announcements from attackers.

9.3.  Chain of Trust

   Security is mandatory to implement in RSerPool and is based on TLS
   implementation in all three architecture components that comprise
   RSerPool -- namely PU, PE, and ENRP server.  We define an ENRP server
   that uses TLS for all communication and authenticates ENRP peers and
   PE registrants to be a secured ENRP server.

   Here is a description of all possible data paths and a description of
   the security.

   PU <---> secured ENRP server (authentication of ENRP server;
            queries over TLS)
   PE <---> secured ENRP server (mutual authentication;
            registration/de-registration over TLS)
   secured ENRP server <---> secured ENRP server (mutual authentication;
            database updates using TLS)

   If all components of the system authenticate and communicate using
   TLS, the chain of trust is sound.  The root of the trust chain is the
   ENRP server.  If that is secured using TLS, then security will be
   enforced for all ENRP and PE components that try to connect to it.

   Summary of interaction between secured and unsecured components: If
   the PE does not use TLS and tries to register with a secure ENRP
   server, it will receive an error message response indicated as an
   error due to security considerations and the registration will be
   rejected.  If an ENRP server that does not use TLS tries to update
   the database of a secure ENRP server, then the update will be
   rejected.  If a PU does not use TLS and communicates with a secure
   ENRP server, it will get a response with the understanding that the
   response is not secure, as the response can be tampered with in
   transit even if the ENRP database is secured.

   The final case is the PU sending a secure request to ENRP.  It might
   be that ENRP and PEs are not secured and this is an allowable
   configuration.  The intent is to secure the communication over the
   Internet between the PU and the ENRP server.

Stewart, et al.               Experimental                     [Page 49]



RFC 5352            Aggregate Server Access Protocol      September 2008

   Summary:

   RSerPool architecture components can communicate with each other to
   establish a chain of trust.  Secured PE and ENRP servers reject any
   communications with unsecured ENRP or PE servers.

   If the above is enforced, then a chain of trust is established for
   the RSerPool user.

10.  Acknowledgments

   The authors wish to thank John Loughney, Lyndon Ong, Walter Johnson,
   Thomas Dreibholz, and many others for their invaluable comments and
   feedback.

11.  References

11.1.  Normative References

   [RFC791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              September 1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC3237]  Tuexen, M., Xie, Q., Stewart, R., Shore, M., Ong, L.,
              Loughney, J., and M. Stillman, "Requirements for Reliable
              Server Pooling", RFC 3237, January 2002.

   [RFC3436]  Jungmaier, A., Rescorla, E., and M. Tuexen, "Transport
              Layer Security over Stream Control Transmission Protocol",
              RFC 3436, December 2002.

   [RFC3490]  Faltstrom, P., Hoffman, P., and A. Costello,
              "Internationalizing Domain Names in Applications (IDNA)",
              RFC 3490, March 2003.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC4511]  Sermersheim, J., "Lightweight Directory Access Protocol
              (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4960]  Stewart, R., "Stream Control Transmission Protocol",
              RFC 4960, September 2007.

Stewart, et al.               Experimental                     [Page 50]



RFC 5352            Aggregate Server Access Protocol      September 2008

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5356]  Dreibholz, T. and M. Tuexen, "Reliable Server Pooling
              Policies", RFC 5356, September 2008.

   [RFC5354]  Stewart, R., Xie, Q., Stillman, M., and M. Tuexen,
              "Aggregate Server Access Protocol (ASAP) and Endpoint
              Handlespace Redundancy Protocol (ENRP) Parameters",
              RFC 5354, September 2008.

   [RFC5353]  Xie, Q., Stewart, R., Stillman, M., Tuexen, M., and A.
              Silverton, "Endpoint Handlespace Redundancy Protocol
              (ENRP)", RFC 5353, September 2008.

   [RFC5355]  Stillman, M., Ed., Gopal, R., Guttman, E., Holdrege, M.,
              and S. Sengodan, "Threats Introduced by Reliable Server
              Pooling (RSerPool) and Requirements for Security in
              Response to Threats", RFC 5355, September 2008.

11.2.  Informative References

   [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
              Requirements for Security", BCP 106, RFC 4086, June 2005.

Stewart, et al.               Experimental                     [Page 51]



RFC 5352            Aggregate Server Access Protocol      September 2008

Authors' Addresses

   Randall R. Stewart
   The Resource Group
   1700 Pennsylvania Ave NW
   Suite 560
   Washington, D.C.,   20006
   USA

   EMail: randall@lakerest.net

   Qiaobing Xie
   The Resource Group
   1700 Pennsylvania Ave NW
   Suite 560
   Washington, D.C.,   20006
   USA

   Phone: +1 224-465-5954
   EMail: Qiaobing.Xie@gmail.com

   Maureen Stillman
   Nokia
   1167 Peachtree Ct.
   Naperville, IL  60540
   USA

   EMail: maureen.stillman@nokia.com

   Michael Tuexen
   Muenster Univ. of Applied Sciences
   Stegerwaldstr. 39
   48565 Steinfurt
   Germany

   EMail: tuexen@fh-muenster.de

Stewart, et al.               Experimental                     [Page 52]



RFC 5352            Aggregate Server Access Protocol      September 2008

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Stewart, et al.               Experimental                     [Page 53]