Internet Engineering Task Force Erik Guttman INTERNET DRAFT Charles Perkins 30 October 1997 Sun Microsystems John Veizades @Home Network Service Location Protocol draft-ietf-svrloc-protocol-v2-00.txt Status of This Memo This document is a submission by the Service Location Working Group of the Internet Engineering Task Force (IETF). Comments should be submitted to the srvloc@corp.home.net mailing list. Distribution of this memo is unlimited. This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (North Europe), ftp.nis.garr.it (South Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Abstract The Service Location Protocol provides a scalable framework for the discovery and selection of network services. Using this protocol, computers using the Internet need little or no static configuration of network services for network based applications. This is especially important as computers become more portable, and users less tolerant or able to fulfill the demands of network system administration. Guttman,Perkins,Veizades Expires 30 April 1998 [Page i] Internet Draft Service Location Protocol 30 October 1997 Contents Status of This Memo i Abstract i 1. Introduction 1 2. Terminology 1 2.1. Notation Conventions . . . . . . . . . . . . . . . . . . 3 2.2. Service Information and Predicate Representation . . . . 4 3. Protocol Overview 4 3.1. Protocol Transactions . . . . . . . . . . . . . . . . . . 5 3.2. Introduction to Directory Agents . . . . . . . . . . . . 6 3.3. URLs used in the Service Location Protocol . . . . . . . 7 3.3.1. The ``service:'' URL scheme . . . . . . . . . . 7 3.4. Standard Attribute Definitions . . . . . . . . . . . . . 7 3.5. Naming Authority . . . . . . . . . . . . . . . . . . . . 8 3.6. Interpretation of Service Location Replies . . . . . . . 8 3.7. Transmission of SLP messages . . . . . . . . . . . . . . 9 3.7.1. Use of TCP . . . . . . . . . . . . . . . . . . . 9 3.7.2. Use of Multicast Addresses . . . . . . . . . . . 10 3.7.3. Multicast vs. Broadcast . . . . . . . . . . . . 10 4. Service Location General Message Format 11 4.1. Service Location Extension Options . . . . . . . . . . . 14 4.2. Retransmission and Transaction IDs (XIDs) . . . . . . . . 15 4.3. URL Entries . . . . . . . . . . . . . . . . . . . . . . . 15 4.4. Authentication Blocks . . . . . . . . . . . . . . . . . . 16 4.5. URL Entry Lifetime . . . . . . . . . . . . . . . . . . . 19 5. Service Location Protocol Requests 19 6. Service Request Message Format 20 6.1. Service Request Usage . . . . . . . . . . . . . . . . . . 21 6.2. Directory Agent Discovery Request . . . . . . . . . . . . 22 6.3. Explanation of Terms of Predicate Grammar . . . . . . . . 23 6.4. Service Request Predicates . . . . . . . . . . . . . . . 24 6.5. String Matching for Requests . . . . . . . . . . . . . . 25 7. Service Reply Message Format 26 8. Service Type Request Message Format 27 9. Service Type Reply Message Format 28 Guttman,Perkins,Veizades Expires 30 April 1998 [Page ii] Internet Draft Service Location Protocol 30 October 1997 10. Attribute Request Message Format 28 11. Attribute Reply Message Format 30 12. Directory Agent Advertisement Message Format 31 13. Service Registration Message Format 32 14. Service Acknowledgement Message Format 35 15. Service Deregister Message Format 36 16. Directory Agents 37 16.1. Finding Directory Agents . . . . . . . . . . . . . . . . 37 17. Scope Discovery and Use 38 17.1. Rules governing Scopes . . . . . . . . . . . . . . . . . 39 17.1.1. Scope Strings in SLP Messages . . . . . . . . . . 40 17.1.2. Registration . . . . . . . . . . . . . . . . . . 41 17.1.3. Query Handling . . . . . . . . . . . . . . . . . 41 17.2. Protected Scopes . . . . . . . . . . . . . . . . . . . . 42 18. Language Internationalization Issues 43 18.1. Language Tags and Dialects . . . . . . . . . . . . . . . 43 18.2. Scope Strings are not Language Specific . . . . . . . . . 43 18.3. Declaring the language of registrations . . . . . . . . . 44 18.4. Translation of Attribute Strings . . . . . . . . . . . . 44 18.5. Declaring the language of a Request . . . . . . . . . . . 44 19. Substitution of Character Escape Sequences 45 19.1. Language-Independent Strings . . . . . . . . . . . . . . 46 20. String Formats used with Service Location Messages 47 20.1. Previous Responders' Address Specification . . . . . . . 47 20.1.1. Service Type String . . . . . . . . . . . . . . . 48 20.1.2. String List . . . . . . . . . . . . . . . . . . . 48 20.1.3. Select List . . . . . . . . . . . . . . . . . . . 48 20.2. Attribute Information . . . . . . . . . . . . . . . . . . 49 20.3. Address Specification in Service Location . . . . . . . . 49 20.4. Attribute Value encoding rules . . . . . . . . . . . . . 50 21. Protocol Timing Rules 51 21.1. Active DA Discovery . . . . . . . . . . . . . . . . . . . 51 21.2. Passive DA Advertising . . . . . . . . . . . . . . . . . 51 21.3. Reliable Unicast to DAs . . . . . . . . . . . . . . . . . 52 21.4. Multicast/Convergence . . . . . . . . . . . . . . . . . . 52 22. Configurable Parameters and Default Values 52 22.1. Time Out Intervals . . . . . . . . . . . . . . . . . . . 53 Guttman,Perkins,Veizades Expires 30 April 1998 [Page iii] Internet Draft Service Location Protocol 30 October 1997 22.2. Service Agent: Use Predefined Directory Agent(s) . . . . 55 23. Security Considerations 55 24. Protocol Requirements 56 24.1. Directory Agent Requirements . . . . . . . . . . . . . . 56 24.2. Service Agent Requirements . . . . . . . . . . . . . . . 56 24.3. User Agent Requirements . . . . . . . . . . . . . . . . . 57 24.4. Common Requirements for all SLP Agents . . . . . . . . . 57 25. Non-configurable Parameters 58 26. Acknowledgments 58 A. Version 2 Notes 59 B. SLP Certificates 63 C. Example of deploying SLP security using MD5 and RSA 65 D. Scaling and Deployment of the Service Location Protocol 66 1. Introduction Traditionally, users find services by using the name of a network host (a human readable text string) which is an alias for a network address. The Service Location Protocol eliminates the need for a user to know the name of a network host supporting a service. Rather, the user names the service and supplies a set of attributes which describe the service. The Service Location Protocol allows the user to bind this description to the network address of the service. Service Location provides a dynamic configuration mechanism for applications in local area networks. It has been designed to serve enterprise networks with shared services, and may not in its current form scale for wide-area service discovery throughout the global Internet. Applications are modeled as clients that need to find servers attached to the enterprise network at a possibly distant location. For cases where there are many different clients and/or services available, the protocol is adapted to make use of nearby Directory Agents that offer a centralized repository for advertised services. 2. Terminology User Agent (UA) A process working on the user's behalf to establish Guttman,Perkins,Veizades Expires 30 April 1998 [Page 1] Internet Draft Service Location Protocol 30 October 1997 contact with a useful service. The UA retrieves service information from the Service Agents or Directory Agents. Service Agent (SA) A process working on the behalf of one or more services to advertise service information. Service Information A collection of attributes and configuration information associated with a single service. The SAs advertise service information for a collection of service instances. Directory Agent (DA) A process which collects information from SAs to provide a single repository of service information in order to centralize it for efficient access by UAs. There can only be one DA present per given host. Service Type Each type of service has a unique Service Type string. The Service Type defines a template, called a "service scheme", including expected attributes, values and protocol behavior. IANA IANA stands for the Internet Assigned Numbers Authority. Naming Authority The agency or group which catalogues given Service Types and Attributes. The default Naming Authority is IANA. Keyword A string describing a characteristic of a service. Attribute A (class, value-list) pair of strings describing a characteristic of a service. The value string may be interpreted as a boolean, integer or opaque value if it takes specific forms (see section 20.4). Predicate A boolean expression of attributes, relations and logical operators. The predicate is used to find services which satisfy particular requirements. See section 6.3. Alphanumeric A character within the range 'a' to 'z', 'A' to 'Z', or '0' to '9'. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 2] Internet Draft Service Location Protocol 30 October 1997 Scope A collection or set of services that make up a logical group. See sections D and 17. Site Network All the hosts accessible within the Agent's multicast radius, which defaults to a value appropriate for reaching all hosts within a site (see section 22). If the site does not support multicast, the agent's site network is restricted to a single subnet. URL A Universal Resource Locator - see [4]. Address Specification This is the network layer protocol dependent mechanism for specifying an Agent. This is part of a URL. SLPv1 The version of Service Location Protocol specified in RFC 2165 [17]. 2.1. Notation Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [6]. Quoted Strings Some strings are quoted in this document to indicate they should be used literally. Single characters inside apostrophes are included literally. <> Values set off in this manner are fully described in section 20. In general, all definitions of items in messages are described in section 20 or immediately following their first use. silently discard The implementation discards the datagram without further processing, and without indicating an error to the sender. The implementation SHOULD provide the capability of logging the error, including the contents of the discarded datagram, and SHOULD record the event in a statistics counter. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 3] Internet Draft Service Location Protocol 30 October 1997 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | A | B \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ C \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ A is a 2 byte field. B is of *arbitrary length*, where the length in bytes is typically indicated by A. C is of arbitrary length. A string field in a SLP message is 'omitted' by setting the length of the string to 0 and transmitting no character bytes. Syntax for string based protocols will follow the conventions defined for ABNF [8]. Terms in angular brackets are defined formally in Section 20 or where they are introduced. 2.2. Service Information and Predicate Representation Service information is represented in a text format. The goal is that the format be human readable and transmissible via email. The location of network services is encoded as a Universal Resource Locator (URL) which is human readable. Strings used in the Service Location Protocol are NOT null-terminated. 3. Protocol Overview The basic operation in Service Location is that a client attempts to discover the location of a Service. A client uses a User Agent (UA) to obtain service information. A service uses a Service Agent (SA) to advertise service information. These Agents may be implemented various ways. For instance, they could be a shared user library or be a system service accessible to user level applications. In smaller installations, UAs will request information directly from SAs. In larger installations, SAs will register their services with one or more Directory Agents (DAs), and UAs will contact the DA to fulfill requests for Service Location information. UAs and SAs discover DAs by preconfiguration, DHCP [9, 1], or using SLP itself. A scoping facility is used to provide further protocol scalability. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 4] Internet Draft Service Location Protocol 30 October 1997 3.1. Protocol Transactions The diagram below illustrates the relationships described below: +--------------------+ we want this info: +-----------+ | Client Application | - - - - - - - - - - - -> | Service | +--------------------+ +-----------+ /|\ | | | +---------------+ | | | | \|/ \|/ \|/ +---------------+ +-----------+ +----------------+ | User Agent |<-------->| Service | | Service | +---------------+ | Agent | | Agent which | | +-----------+ | does not reply | | | | to UA requests | | \|/ +----------------+ | +-------------+ | +------------------>| Directory |<----------+ | Agent | +-------------+ ___________ /|\ / Many other\ +------------>| SA's | \___________/ UAs require no preconfiguration to begin network interaction. The UA's primary function is to issue Service Requests and obtain the URLs of services. This request specifies the requirements of the client application, and is all that is required to discover services using SLP. The UA MAY also discover all available types of service and attributes of services, but this is not required for lightweight UA implementations. These additional requests enable the client application to perform interactive service discovery. UAs may obtain service information directly from SAs by multicasting the request and gathering the replies. The same request may be unicast to a DA, so it is transparent to the client application whether there are DAs or not. DAs are used in larger deployments. If DHCP or static configuration is used to configure the UA, and DAs are deployed, the UA will not have to make any multicast requests at all. All requests will be unicast from the UA to the DA (see section 6.2). Otherwise, the UA will multicast a DA discovery request to find DAs and issue all unicast all subsequent requests to one or more of these DAs. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 5] Internet Draft Service Location Protocol 30 October 1997 When the UA issues a multicast request to SAs it makes use of a retransmission/convergence algorithm in order to accumulate available information reliably from multiple sources. The UA resends the request periodically, for a short interval. See section 21 for the details of this algorithm. SAs SHOULD listen for multicast requests using the Service Location General Multicast Address. A SA which does not respond to multicast requests will not be useful in the absence of DAs. SA implementations may omit this functionality if an especially lightweight implementation is required. SAs MUST listen for DAAdverts passively. UAs SHOULD do this, but are not required to do so. Instead they may use a lazy approach and only do DA discovery actively (periodically) when they do not know of any DAs which respond to their requests. SAs MUST register their service advertisements with DAs, subject to the rules described in 17.1. Service advertisements have a lifetime. DAs act as caches for this information, which eventually ages out. SAs must refresh registrations before they age out if the service advertisement is to remain available continuously. 3.2. Introduction to Directory Agents A DA acts on behalf of many SAs. It acquires information from them and acts as a soft state cache. It is a single point of contact to supply that information to UAs. The queries that a UA multicasts to SAs (in an environment without a DA) are the same as queries that the UA might unicast to a DA. A UA may cache information about the presence of alternate DAs to use in case a selected DA fails. Aside from enhancing the scalability of the protocol (see section D), running multiple DAs provides robustness of operation. The DAs may have replicated service information which remain accessible even when one of the DAs fail. DAs, in the future, may use mechanisms outside of this protocol to coordinate the maintenance of a distributed database of Service Location information, and thus scale to larger administrative domains. Each SA MUST register with all DAs they are configured to use. UAs may choose among DAs they are configured to use. UAs and SAs determine which DAs to use based on scope rules described in Section 17.1. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 6] Internet Draft Service Location Protocol 30 October 1997 Locally, DA consistency is guaranteed using mechanisms in the protocol. There isn't any DA to DA protocol yet. Rather, passive detection of DAs by SAs ensures that eventually service information will be registered consistently between equivalent DAs. Invalid data will age out of the DA caches leaving only transient stale registrations even in the case of a failure of a SA. 3.3. URLs used in the Service Location Protocol The Service Location Protocol uses URLs to indicate the location of services. URLs are used in a variety of Service Location Messages: SAs send them to register and deregister service advertisements, UAs obtain them in Service Replies and may send them in Attribute Requests. Any URL which conforms to standard URL syntax conventions (see RFC 1738 [4]) may be used in these messages. Service: URLs are useful for transmitting a service's location to a client application. Other standard URL schemes may also be used for this purpose. 3.3.1. The ``service:'' URL scheme The service URL scheme is used specifically to communicate a Service Location. Many Service Types will be named by including a standard network service name after the ``service:'' scheme name. The format of the information which follows the ``service:'' scheme should as closely as possible follow the URL structure and semantics as formalized by the IETF standardization process. See [10]. Well known Service Types are registered with the IANA and templates are available as RFCs. Private Service Types may also be supported. 3.4. Standard Attribute Definitions Service Types used with the Service Location Protocol must describe the following: Service Type string of the service Attributes and Keywords Attribute Descriptions and interpretations Service Types not specified by documents maintained with IANA will use their own Naming Authority string. The procedure for standardizing new Service Types is defined in [10]. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 7] Internet Draft Service Location Protocol 30 October 1997 Services which advertise a particular Service Type must support the complete set of standardized attributes. They may support additional attributes, beyond the standardized set. Unrecognized attributes MUST be ignored by UAs. Service Type names which begin with "x-" are guaranteed not to conflict with any officially registered Service Type names. It is suggested that this prefix be used for experimental or private Service Type names. Similarly, attribute names which begin with "x-" are guaranteed not to be used for any officially registered attribute names. A service of a given Service Type should accept the networking protocol if one is implied in its definition. If a Service Type can accept multiple protocols, configuration information SHOULD be included in the Service Type attribute information. This configuration information will enable an application to use the results of a Service Request and Attribute Request to directly connect to a service. The format of a Service Type string is described in section 20.1.1. 3.5. Naming Authority The Naming Authority of a service defines the meaning of the Service Types and attributes registered with and provided by Service Location. The Naming Authority itself is a string which uniquely identifies an organization. If no string is provided IANA is the default. Naming Authorities may define Service Types which are experimental, proprietary or for private use. The procedure to use is to create a 'unique' Naming Authority string and then specify the Standard Attribute Definitions as described above. This Naming Authority will accompany registration and queries, as described in sections 6 and 13. Service Types SHOULD be registered with IANA to allow for Internet-wide interoperability. 3.6. Interpretation of Service Location Replies Replies should be considered to be valid at the time of delivery. The service may, however, fail or change between the time of the reply and the moment an application seeks to make use of the service. The application making use of Service Location MUST be prepared for the possibility that the service information provided is either stale or incomplete. In the case where the service information provided Guttman,Perkins,Veizades Expires 30 April 1998 [Page 8] Internet Draft Service Location Protocol 30 October 1997 does not allow a UA to connect to a service as desired, the Service Request and/or Attribute Request may be resubmitted. Service specific configuration information (such as which protocol to use) should be included as attribute information in Service Registrations. 3.7. Transmission of SLP messages 3.7.1. Use of TCP The Service Location Protocol requires the implementation of UDP (connectionless) and TCP (connection oriented) transport protocols. The latter is used for bulk transfer only when necessary. The only two reasons to use TCP are: First, a registration or deregistration may be too large to fit into a datagram. If no MTU information is available for the route, assume that the MTU is 1400 which is enough to accommodate a IPv6 header and UDP header in an ethernet frame. This value is configurable (see section 22). In this case a connection must be set up from a SA to a DA. UAs may establish a TCP connection with a DA (not an SA) to send requests which do not fit in a datagram to DAs. Second, if the reply to a UA's request overflows a datagram, the DA or SA truncates the reply to fit in one datagram and sets the 'overflow' bit in the SLP header. A UA which receives such a reply MAY open a TCP connection with the DA or SA and retransmit the request. It MAY also attempt to make use of the truncated reply or reformulate a more restrictive request which will result in a smaller reply. DAs and SAs MUST respond to connection requests; SAs whose registration data can overflow a datagram must be able to use TCP to send the registration. A TCP connection initiated by an Agent may be used for a single transaction. It may also be used for multiple transactions. Since there are length fields in the message headers, the Agents may send multiple requests along a connection and read the return stream for acknowledgments and replies. The initiating agent is responsible for closing the TCP connection. The DA should wait at least CONFIG_CLOSE_CONN seconds before closing an idle connection. DAs and SAs SHOULD eventually close idle connections to ensure robust operation, even when the agent which opened a connection neglects to close it. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 9] Internet Draft Service Location Protocol 30 October 1997 SAs and UAs use ephemeral ports for transmitting information to the service location port, which is 427. 3.7.2. Use of Multicast Addresses SrvTypeRqst messages are sent to the Service Location General Multicast Address. SrvRqst messages used for DA Discovery are sent to the Directory Agent Discovery Multicast Address. SAs must join multicast groups depending on which services they advertise (called Service-Specific multicast addresses). They also must join the Service Location General Multicast Address. UAs send multicast SrvRqst or AttrRqst messages to the Service- Specific multicast group corresponding to the service type of the request. Service-Specific Multicast addresses are computed by calculating a string hash on the service type string. The service type string is defined in Section 20.1.1. This string will always fall inside the ASCII range of the UTF8 [19] encoding due to its definition. The multicast group they join is determined by the string hash function given below: #define RANGE_SIZE 0x7f /* * SLPhash returns a hash value in the range 0-RANGE_SIZE for * a string of single-byte characters, of specified length. */ unsigned long SLPhash (const char *pc, unsigned int length) { unsigned long h = 0; while (length-- != 0) { h *= 33; h += *pc++; } return (RANGE_SIZE & h); /* round to fit in range of addresses */ } This value is added to the base range of Service Specific Discovery Addresses, to be assigned by IANA. These will be 128 contiguous multicast addresses from the administrative local multicast range. 3.7.3. Multicast vs. Broadcast The Service Location Protocol was designed for use in networks where DHCP is available, or multicast is supported at the network Guttman,Perkins,Veizades Expires 30 April 1998 [Page 10] Internet Draft Service Location Protocol 30 October 1997 layer. To support this protocol when only network layer broadcast is supported, the following procedures may be followed. 3.7.3.1. Single Subnet In isolated networks, broadcasts will work in place of multicast. SAs SHOULD and DAs MUST listen for broadcast Service Location request messages to the Service Location port. This allows UAs which lack multicast capabilities to still make use of Service Location on a single subnet. 3.7.3.2. Multiple Subnets In larger enterprises, a DA can be used to provide a central clearing house of information for UAs. The DA address can be dynamically configured with Agents using DHCP. The address can also be determined by static configuration. Using multicast DA discovery in enterprises with multiple subnets will require use of multicast discovery with multiple hops (i.e., TTL > 1 in the IP header). Note that the setting of the TTL in multicast packets sometimes must be interpreted according to conventional scoping agreements rather than strictly as the number of hops. 4. Service Location General Message Format The following header is used in all of the message descriptions below and is abbreviated by using "Service Location header =" followed by the function being used. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Function | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O|M|U|A|F|R|S| reserved | XID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next option, offset | Language Tag Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ Language Tag (ASCII string) \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Version This protocol document defines version 2 of the Service Location protocol. A SLP implementation MAY support version 1 [RFC2165]. If a SLP message indicates it Guttman,Perkins,Veizades Expires 30 April 1998 [Page 11] Internet Draft Service Location Protocol 30 October 1997 is sent using version 1 and this is not supported, a PROTOCOL_V1_REJECTED error is returned. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 12] Internet Draft Service Location Protocol 30 October 1997 Function Service Location datagrams can be identified as to their operation by the function field. The following are the defined operations: Message Type Abbreviation Function Value Service Request SrvRqst 1 Service Reply SrvRply 2 Service Registration SrvReg 3 Service Deregister SrvDeReg 4 Service Acknowledge SrvAck 5 Attribute Request AttrRqst 6 Attribute Reply AttrRply 7 DA Advertisement DAAdvert 8 Service Type Request SrvTypeRqst 9 Service Type Reply SrvTypeRply 10 Length The number of bytes in the message, including the Service Location Header. O The 'Overflow' bit. See Section 3.7 for the use of this field. M The 'Monolingual' bit. Requests with this bit set indicate the User Agent will only accept responses in the language (see section 18) that is indicated by the Service or Attribute Request. U The 'URL Authentication Present' bit. See sections 4.3, 4.4, 13, and 15 for the use of this field. A The 'Attribute Authentication Present' bit. See sections 4.3, 4.4, and 11 for the use of this field. F If the 'Fresh bit' is set by the SA when it makes a Service Registration if it is to be considered 'fresh'. If this bit is not present, the registration is considered to be an update. R The 'Multicast request' bit. This is set by the UA when it multicasts a request. S The 'Specific Scoping' bit. This is set by Service Location Protocol entities wishing to exclude services not assigned to any scope, or by services unwilling to provide service to user agents not specifying the particular scope. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 13] Internet Draft Service Location Protocol 30 October 1997 reserved MUST be zero. Transaction Identifier (XID) The XID (transaction ID) field allows the requester to match replies to individual requests (see section 4.2). Next Option Offset Options are added after the regular payload in the SLP packet. If no options are present, then this field is set to 0. Language Tag Length Strings within the remainder of the message which follows are to be interpreted in the language specified (see section 18) in the bytes following the header. The Language Tag is defined by RFC 1766 [2]. Note that, whenever there is an Attribute Authentication block, there will also be a URL Authentication block. Thus, it is an error to have the 'A' bit set without also having the 'U' bit set. 4.1. Service Location Extension Options A service location extension option must be specified by a standards track document. The option may be defined to accompany any or all Service Location Messages. A conforming SLP implementation MUST be able to ignore Service Location Extension Options it does not recognize. It may be the case that future Options will be defined and standardized which will become requirements of SLP implementations. These documents will have to proceed as Standards Track specifications. Otherwise, support of all headers is elective. The format of a Service Location Extension Option is: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Option Extension ID | Offset to next Option | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ Extension Contents \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Option Extension ID is defined by a Standards document which also defines the contents of the extension. The offset to next option is 0 if there is no option following or is set to the length of the Extension contents. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 14] Internet Draft Service Location Protocol 30 October 1997 4.2. Retransmission and Transaction IDs (XIDs) Retransmission is used by UAs and SAs to ensure reliable exchange of unicast messages with DAs. If a UA or SA sends a message to a DA fails to receive a response, the message will be sent again. The message is retried up to 3 times Multicast requests are retransmitted, but according to different rules. See Section 21 for the details of the algorithm. Replies received using the multicast convergence algorithm are accumulated until convergence has been detected. A list of previous responders is sent. This list will prevent those in the list from responding, to be sure that responses from other sources are not drowned out. Retransmission of the same message should not contain an updated XID. It is quite possible the original request reached the DA or SA, but reply failed to reach the requester. Using the same XID allows the DA or SA to cache its reply to the original request and then send it again, should a duplicate request arrive. This cached information should only be held very briefly (CONFIG_KEEP_RPLY is recommended.) Any registration or deregistration at a DA, or change of service information at a SA should flush this cache so that the information returned to the client is always valid. The requester creates the XID from an initial random seed and increments it by one for each request it makes. The XIDs will eventually wrap and continue incrementing from there. Requests are never sent with an XID of 0. An unsolicited DAAdvert has an XID of 0. Requests all include XIDs which will match the XIDs of the replies. The replies may be returned in any order. A UA or SA may have multiple outstanding requests. 4.3. URL Entries When URLs are registered, they have lifetimes and lengths, and may be authenticated. These values are associated with the URL for Guttman,Perkins,Veizades Expires 30 April 1998 [Page 15] Internet Draft Service Location Protocol 30 October 1997 the duration of the registration. The association is known as a "URL-entry", and has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Lifetime |# of URL auths | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | URL length | URL (variable length) \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | URL Auth. blocks (if any) \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |# of Attr auths| Attr Auth. blocks (if any) \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Reserved MUST be zero. This field is reserved for longer lifetimes used by a wide area service location protocol. Lifetime The length of time that the registration is valid, in the absence of later registrations or deregistration. Length of URL The length of the URL, measured in bytes and < 32768. URL Authentication Block (if present) A timestamped authentication block (section 4.4) If the 'U' bit is set in the message header, the URL is followed by an URL Authentication Block. If the scheme used in the URL does not have a standardized representation, the minimal requirement is: service::// "service" is the URL scheme used for denoting a service access point, (see [10] for the formal definition.) Other URLs besides service: scheme URLs may be transmitted in Service Location Messages. 4.4. Authentication Blocks Authentication blocks are used to authenticate service registrations and deregistrations. URLs are registered along with an URL Authentication block to retain the authentication information in the URL entry for subsequent use by UAs who receive a Service Reply containing the URL entry. Service attributes are registered along Guttman,Perkins,Veizades Expires 30 April 1998 [Page 16] Internet Draft Service Location Protocol 30 October 1997 with an Attribute Authentication block. Both authentication blocks have the format illustrated below. If a service registration is accompanied by authentication which can be validated by the DA, the DA MUST validate any subsequent service deregistrations, so that unauthorized entities cannot invalidate such registered services. Likewise, if a service registration is accompanied by an Attribute Authentication block which can be validated by the DA, the DA MUST validate any subsequent attribute registrations, so that unauthorized entities cannot invalidate such registered attributes. To avoid replay attacks which use previously validated deregistrations, the deregistration or attribute registration message must contain a timestamp for use by the DA. To avoid replay attacks which use previously validated registrations to nullify a valid deregistration, registrations must also contain a timestamp. A single Authentication Block is returned with an AttrRply and SrvRply. A SrvReg may include multiple authentication blocks if more the service is to be registered in more than one protected scope, or if more than one cryptographic algorithm is supported by the Service Location Protocol deployment. A DAAdvert will include one Authentication Block per protected scope that the DA supports. Unsolicited DAAdverts (see Section 12) will always be made in using the default cryptographic algorithm (see below). DAAdverts sent as a reply to a SrvRqst will include only one Authenticator Block. An authentication block has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protected Scope String Length | Protected Scope String \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Timestamp + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Block Structure Descriptor | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ Structured Authentication Block ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Timestamp A 64-bit value formatted as specified by the Network Time Protocol (NTP) [14]. Block Structure Descriptor (BSD) A value describing the structure of the Authentication Guttman,Perkins,Veizades Expires 30 April 1998 [Page 17] Internet Draft Service Location Protocol 30 October 1997 Block. The only value currently defined is 1, for Object-Identifier. Length The length of the Authentication Block Structured Authentication Block An algorithm specification, and the authentication data produced by the algorithm. The Structured Authentication Block contains a digital signature of the information being authenticated. It contains sufficient information to determine the algorithm to be used and the keys to be selected to verify the digital signature. The digital signature is computed over the following ordered stream of data: LIFETIME (2 bytes in network byte order) LENGTH OF URL (2 bytes in network byte order) URL (n bytes) TIMESTAMP (8 bytes in SNTP format [14]) LENGTH OF SCOPE STRING (2 bytes) SCOPE STRING (n bytes) When producing a URL Authentication block, the authentication data produced by the algorithm identified within the Structured Authentication Block calculated over the following ordered stream of data: LENGTH OF ATTRIBUTES (2 bytes in network byte order) ATTRIBUTES (n bytes) TIMESTAMP (8 bytes in SNTP format [14]) LENGTH OF SCOPE STRING (2 bytes) SCOPE STRING (n bytes) Every Service Location Protocol entity (UA, SA, or DA) which is configured for use with protected scopes MUST implement "md5WithRSAEncryption" [3] and be able to associate it with BSD value == 1. A conforming SLP implementation MAY implement other digital signature systems. In the case where BSD == 1 and OID == "md5WithRSAEncryption" is selected, the Structured Authentication Block will start with the ASN.1 Distinguished Encoding (DER) [7] for "md5WithRSAEncryption", which has the as its value the bytes (MSB first in hex): "30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00" Guttman,Perkins,Veizades Expires 30 April 1998 [Page 18] Internet Draft Service Location Protocol 30 October 1997 This is then immediately followed by an ASN.1 Distinguished Encoding (as a "Bitstring") of the RSA encryption (using the Scope's private key) of a bitstring consisting of the OID for "MD5" concatenated by the MD5 [16] message digest computed over the fields above. The exact construction of the MD5 OID and digest can be found in RFC 1423 [3]. 4.5. URL Entry Lifetime The Lifetime field is set to the number of seconds the reply can be cached by any agent. A value of 0 means the information must not be cached. UAs MAY cache service information, but if they do, they must provide a way for applications to flush this cached information and issue the request directly onto the network. Services should be registered with DAs with a Lifetime, the suggested value being CONFIG_LIFETIME. The service must be reregistered before this interval elapses, or the service advertisement will no longer be available. Thus, services which vanish and fail to deregister eventually become automatically deregistered. 5. Service Location Protocol Requests SLP includes SrvRqst, AttrRqst and SrvTypeRqst messages. All UAs MUST be able to issue SrvRqst messages and SHOULD be able to issue AttrRqst and SrvTypeRqst messages. SAs issue only SrvRqst messages, and only for the purpose of DA discovery. UAs MUST use scoped DAs in preference to unscoped DAs and any DA in preference to multicasting to SAs. See section 17.1 for rules concerning the use of scopes. Multicast and broadcast requests MUST set the 'R' bit in the header. This will ease implementation of combined DA and SA services by making it apparent whether an arriving datagram was unicast or multicast. Multicast (or broadcast) service requests MUST be ignored by DAs. Replies to SLP requests include a 2 byte error code. If the error code is nonzero the rest of the message SHOULD be omitted. The error codes which may be returned are: 0 Success LANGUAGE_NOT_SUPPORTED A SA or DA returns this when a request is received from a UA which is in a language for which there is no Guttman,Perkins,Veizades Expires 30 April 1998 [Page 19] Internet Draft Service Location Protocol 30 October 1997 registered Service Information which can satisfy it, or the request arrived with the Monolingual bit set and no registration is available in the specified language. See Section 18. Note: SrvTypeRqst messages do not contain a Language Tag, so they never elicit this error. PROTOCOL_PARSE_ERROR A SA or DA returns this error when a SrvRply is received which cannot be parsed or the declared string lengths overrun the message. SCOPE_NOT_SUPPORTED A DA will return this error if it receives a request which has a scope not supported by the DA. An SA will not return this error; it will simply not reply to the multicast request. 6. Service Request Message Format The Service Request is used by UAs to obtain URLs from a DA or SAs. The format of the Service Request is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = SrvRqst) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |length of prev resp list string| Previous Responders Addr Spec \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of | String \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of predicate string | Service Request \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The is described in sections 8 and 20.1. See Section 17.1 for the interpretation of the scope-list field. The predicate allows the UA to request the Service Type and specific required attributes of a services in a specific language. The minimal form of a Service Request is shown below: "(service-type=" ["."] ")" Guttman,Perkins,Veizades Expires 30 April 1998 [Page 20] Internet Draft Service Location Protocol 30 October 1997 Service Requests MAY include a scope term and a 'where clause'. The syntax of the query language is described in section 6.4. The form of a Service Request is: "(&(service-type=" ["."] ")" ")" where: - The refers to the Service Type. For each type of service available, there is a unique Service type name string. This term MUST be part of every Service Request. See section 20.1.1. - The is the Naming Authority. This term is OPTIONAL. See section 20.1.1. - The string contains a set of query terms which will indicate those service instances which the User Agent is interested in. This clause includes attributes, boolean operators and relations. (See section 6.3.) In order for a request to succeed in matching registered information, the following conditions must be met: 1. The result must have the same Service Type as the request. 2. It must have the same Naming Authority. 3. It must satisfy the scoping rules for requests (see Section 17.1). 4. The conditions specified in the Where Clause must match the attributes and keywords registered with the service. 6.1. Service Request Usage The UA forms SrvRqsts using standard or conventionally known Service Type attributes. It MAY also issue AttrRqsts to obtain the attribute values for a Service Type before issuing SrvRqsts (see Section 11). Having obtained the attributes which describe a particular kind of service from an AttrRqsts, or using configured knowledge of a service's attributes, the UA can build a predicate that describes the service needs of the user. Suppose a printer supporting the lpr protocol is needed on the 12th floor which has UNRESTRICTED_ACCESS and prints 12 pages per minute. Suppose further that a Attribute Request indicates that there is a Guttman,Perkins,Veizades Expires 30 April 1998 [Page 21] Internet Draft Service Location Protocol 30 October 1997 printer on the 12th floor, a printer that prints 12 pages per minute, and a printer that offers UNRESTRICTED_ACCESS. To check whether they are same printer, issue the following request: (& (SERVICE-TYPE=LPR)(PAGES PER MINUTE=12) (UNRESTRICTED_ACCESS=*) (LOCATION=12th FLOOR)) Suppose there is no such printer. The DA responds with a SrvRply with 0 in the number of responses and no reply values. A SA silently discards the request. The UA might then try a less restrictive query to find a printer, using only the 12th floor as "where" criteria. (&(SERVICE-TYPE=LPR)(LOCATION=12th FLOOR)) In this case, there might be the reply: Returned URL: service:lpr://igore.wco.ftp.com:515/draft The Address Specification for the printer is: igore.wco.ftp.com:515, containing the name of the host managing the requested printer. Files would be printed by spooling to that port on that host. The word 'draft' refers to the name of the print queue the lpr server supports. 6.2. Directory Agent Discovery Request Normally a SrvRqst returns a Service Reply. The sole exception to this is a SrvRqst for the Service Type "directory-agent". This SrvRqst is answered with a DAAdvert. UAs and SAs which lack preconfigured or DHCP configured knowledge of a DA MUST multicast a Service Request to the DA Discovery Multicast Address. For the details of the multicast convergence algorithm see Section 21. The predicate included in this request is: (service-type=directory-agent) The in the DA discovery request may include only the string "*" in their . In this case, all DAs respond. If it includes any scope strings, only those DAs which support the indicated scope reply, or those which support unscoped requests. A DA discovery request which has the 'S' bit set in the message header will not get responses from unscoped DAs. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 22] Internet Draft Service Location Protocol 30 October 1997 Normally, a DA will not respond to multicast requests, nor will it respond to requests which are improperly scoped. This request is a special case, if a properly scoped DA Discovery request is received from the DA Discovery multicast group a DA MUST respond. If the request specifies a scope, the DA MUST NOT respond unless the scope request matches its scope. If a DA has no scope, it will only respond if there is no scope term or the request does not have the 'S' bit set. DA Advertisement Replies may arrive from different sources, similar in form to: URL returned: service:directory-agent://slp-resolver.big.org Scope returned: NONE (ie. the length field is set to 0 for the scope string.) URL returned: service:directory-agent://204.182.15.66 Scope returned: JANITORIAL SERVICES,ADMIN URL returned: service:directory-agent://204.182.15.66 Scope returned: Legal Department ('S' bit set) The first DA supports only unscoped advertisements. The second supports advertisements which are unscoped, or are in the JANITORIAL SERVICES or ADMIN scope. The DA in the last example supports only the LEGAL DEPARTMENT scope, and explicitly NOT unscoped advertisements. The DA Advertisement format is defined in Section 12. If the goal is merely to discover any DA, the first DA Advert which is received will do. If the goal, however, is to discover all reachable DAs, the multicast convergence algorithm must be used, see Section 21. 6.3. Explanation of Terms of Predicate Grammar A predicate has a simple structure, which depends on parentheses, commas and slashes to delimit the elements. Examples of proper usage are given throughout this document. The predicate uses the same syntax as a LDAP search filter [11]. This means that a SLP service request could be handled by a LDAP server. The reverse is not true: SLP uses a greatly simplified attribute typing system. Thus a SA or DA cannot interpret an arbitrary LDAP query. There are some restrictions and assumptions which are necessary in order to interpret SrvRqst predicates in the context of SLP. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 23] Internet Draft Service Location Protocol 30 October 1997 - A query for keywords uses a 'present' filter type. Thus, to query for services including the keyword 'X', the filter would be "X=*". - Degenerate queries such as "(&" ")" and "(|" ")" must be tolerated. They are equivalent to . - LDAPv2 defines several data types [12]. The only data types which are supported in SLP are String (equivalent to a Case Ignore String), Opaque (equivalent to a Case Exact String, since the binary values is encoded as a radix64 value). Integer and Boolean values are identically represented in SLP and LDAPv2. 6.4. Service Request Predicates The Service Request Predicate follows the grammar of the LDAPv2 string search filter [11]. The Predicate MUST contain a simple term which defines a service type for the query. It MAY contain a simple term which defines the scope for the query (see section 17.1.) Restrictions which are not implied by the grammar are: - LDAPv2 string text filters [11] and string based attribute encodings [12] are all ASCII based. For UTF8 character encoding, which SLP supports, either the LDAPv3 filters (and UTF8) must be used or the production in RFC 1778, Section 2, must be expanded to include the entire range of allowed alphanumerics excluding those in the

(protected) rule. - filters, ``=~'', are interpreted as filters ``=''. For strings the filter MAY be implemented so that it returns true for the service with the 'greatest possible' match of the string sequence. For example: (x=~ABCD) applied to services S1 with x=AAAA, S2 with x=ABBBBB and S3 with x=ABCCCC would return S3 since it matches the longest sequence of characters in the request. - terms are always interpreted as string values and may only be used with filters, with the two exceptions - filters applied to ``*'' as the value will return true only for the item whose value is the MAXIMUM for the attribute. This only applies to an Integer attribute. Otherwise, it returns a PROTOCOL_PARSE_ERROR. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 24] Internet Draft Service Location Protocol 30 October 1997 - filters applied to ``*'' as the value will return true only for the item(s) whose value is the MINIMUM for the attribute. This only applies to an Integer attribute. Otherwise, it returns a PROTOTOL_PARSE_ERROR. The following are examples of query predicates in Service Requests. When the 'S' is present, it means that the 'S' bit is set in the message header. See Section 17.1 for how details on how the works. "(service-type=http)" = none This is a minimal request string. It matches all http services. "(service-type=lpr)" ="SALES" This request is for all lpr services either universally available or available in the SALES scope. "(service-type=lpr)" ="SALES", 'S' This request is for all lpr services which have been explicitly configured to reside within in the SALES scope. "(&(service-type=pop3)(user=wump))" ="ADMIN" This is a request for all pop3 services available in the ADMIN scope (or are unscoped) and which serve mail to the user 'wump'. "(&(service-type=backup)(qlength<=*))" ="BLDG 32", 'S' This returns the backup service which has the shortest queue-length. (This assumes that the queue length is an integer based attribute). It will return this only for services registered with the BLDG 32 scope (not unscoped services.) 6.5. String Matching for Requests All strings are case insensitive, with respect to string matching on queries. All preceding or trailing blanks which are not escaped should not be considered for a match. White space (SPACE, CR, LF, TAB) internal to a string value is folded to a single SPACE character for the sake of string comparisons. For example, " Some String " matches "SOME STRING". Guttman,Perkins,Veizades Expires 30 April 1998 [Page 25] Internet Draft Service Location Protocol 30 October 1997 String comparisons (using comparison operators such as '<' or '>=') are done using lexical ordering in the character set of the registration, not using any language specific rules. The ordering is strictly by the character value, i.e. "0" < "A" is true when the character set is US-ASCII, since "0" has the value of 48 and "A" has the value 65. The special character '*' may precede, follow or be internal to a string value in order to indicate substring matching. The query including this character matches any character sequence which conforms to the letters which are not wildcarded. Examples: "bob*" matches "bob", "bobcat", and "bob and sue" "*bob" matches "bob", "bigbob", and "sue and bob" "*bob*" matches "bob", "bobcat", "bigbob", and "a bob I know" "b*b" matches "bob" and "big dreams no grub" String matching is done after escape sequences have been substituted. See sections 18, 6.3, 19. 7. Service Reply Message Format The format of the Service Reply Message is: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = SrvRply) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error Code | URL Entry count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ . . . \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Each Service Reply message is composed of a list of URL Entries. Each in the list has the form defined in Section 4.3. If the presence of an URL Authentication block is signaled by the 'U' bit, the length of the authentication block is determined by information within the block as discussed in section 4.4. The URL Guttman,Perkins,Veizades Expires 30 April 1998 [Page 26] Internet Draft Service Location Protocol 30 October 1997 Authentication block will include the authentication block calculated using the algorithm specified in the SrvRqst if possible. If not, the Authentication block calculated using the default algorithm is supplied. A UA MAY use the authentication block to determine whether the SA advertising the URL is, in fact, authorized to offer the indicated service. If, in a list of URL entries, some of the URLs indicate services which are in protected scopes (see section 17.2) while other URLs in the list indicate services which are not in protected scopes, the latter must still have Authentication Blocks, but the length of the authentication block is shown as zero, and no authentication need be done. 8. Service Type Request Message Format The Service Type Request is used to determine all the types of services supported on a network. The format of a Service Type Request is: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = SrvTypeRqst) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of prev resp string |\ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of naming authority | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of | String \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The is a comma delimited list. See section 20.1. The Naming Authority, if included, will limit the replies to Service Type Requests to Service Types which have the specified Naming Authority. If this field is omitted (i.e., the length field is zero), the default Naming Authority ("IANA") is assumed. If the length field is -1, service types from all naming authorities are requested. See Section 17.1 for the interpretation of the scope-list field. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 27] Internet Draft Service Location Protocol 30 October 1997 9. Service Type Reply Message Format The Service Type Reply has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = SrvTypeRply) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error Code | number of service types | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of Service Type String | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ . . . \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of Service Type String | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The service type's name is provided in the . If the service type has a naming authority other than "IANA" it MUST be returned following the service type string and a "." character. See section 20.1.1 for the formal definition of this field. The following are examples of Service Type Strings which might be found in Service Type Replies: service:lpr: service:http: nfs: 10. Attribute Request Message Format The Attribute Request is used to obtain attribute information. The UA supplies a request and the appropriate attribute information is returned. If the UA supplies only a Service Type, then the reply includes all attributes and all values for that Service Type. The reply includes only those attributes for which services exist and are advertised by the DA or SA which received the Attribute Request. Since different instances of a given service can, and very likely will, have different values for the attributes defined by the Service Type, the UA must form a union of all attributes returned by all service Agents. The Attribute information will be used to form Service Requests. If the UA supplies a URL, the reply will contain service information corresponding to that URL. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 28] Internet Draft Service Location Protocol 30 October 1997 Attribute Requests MAY include a 'select clause'. This limits the amount of information returned. If the select clause is empty, all information is returned. Otherwise, the UA supplies a comma delimited list of attribute tags and keywords. If the attribute or keyword is defined for a service, it will be returned in the Attribute Reply, along with all registered values for that attribute. If the attribute selected has not been registered for that URL or Service Type, the attribute or keyword information is simply not returned. The Attribute Request message has the following form: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = AttrRqst) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |length of prev resp list string|\ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of URL | URL \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of | string \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |length of string | string \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The functions exactly as introduced in Section 8. See also Section 20.1. The URL field can take two forms: Either it is simply a Service Type (see Section 20.1.1), such as "service:http:" or "nfs:". All attributes and the full range of values for each attribute of all services of the given Service Type is returned. The URL field may also be a full URL, such as "service:lpr://igore.wco.ftp.com:515/draft" or "ftp://max.net/znoo". In this, only the attributes for the service of the specified URL is defined are returned. See Section 17.1 for the interpretation of the scope-list field. The select list takes the form of a , see 20. The items on the list are attribute tags or keywords, which can be either complete tags or include '*' characters for wildcard string matching. An example of a select-list following the printer example is: "PAGES PER MINUTE,UNRESTRICTED_ACCESS,LOCATION" Guttman,Perkins,Veizades Expires 30 April 1998 [Page 29] Internet Draft Service Location Protocol 30 October 1997 11. Attribute Reply Message Format An Attribute Reply Message takes the form: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = AttrRply) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error Code | length of string \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ Attribute Authentication Block (if any) \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The (attribute list) has the same form as the attribute list in a Service Registration, see Section 20.2 for a formal definition of this field. An Attribute Request for "lpr" might elicit the following reply (UNRESTRICTED_ACCESS is a keyword): (PAPER COLOR=WHITE,BLUE), (PAPER SIZE=LEGAL,LETTER,ENVELOPE,TRACTOR FEED), UNRESTRICTED_ACCESS, (PAGES PER MINUTE=1,3,12), (LOCATION=12th, NEAR ARUNA'S OFFICE), (QUEUES=LEGAL,LETTER,ENVELOPE,LETTER HEAD) If the message header has the 'A' bit set, the Attribute Reply will have an Attribute Authentication block set. In this case, the Attribute Authentication Block must be returned with the entire list of attributes, exactly as it was registered by an SA in a protected scope. In this case, the URL was registered in a protected scope and the UA included a URL but not a select clause. If the AttrRqst specifies that only certain attributes are to be returned, the DA does not (typically cannot) compute a new Authentication so it simply returns the attributes without an authentication block. The SA or DA returns the Attribute Authentication block. A UA which wishes to obtain authenticated attributes for a service in a protected scope MUST therefore must include a particular URL and no select list with the AttrRqst. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 30] Internet Draft Service Location Protocol 30 October 1997 12. Directory Agent Advertisement Message Format DA Advertisement Messages have the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = DAAdvert) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error Code | DAAdvert Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length of URL | URL \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length of | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Number of Auth Blocks | authentication block 1 ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ autentication block 1 (continued) ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ autentication block N (continued) ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Error Code is set when a DA Advertisement is returned as the result of a Service Request, as specified in Section 5. The Error Code will always be set to 0 in the case of an unsolicited DA Advertisement. The DAAdvert Sequence Number is 0 when the DA comes up initially and increases by one each time the DAAdvert is sent unsolicited. DAs which store service advertisements in a nonvolatile store will set their initial sequence number to 256. The sequence number will be used by SAs to determine if they must reregister services when a DA is discovered. See section 16.1 which describes unsolicited DAAdverts and how SAs respond to them. The URL corresponds to the DA's location. There MUST be at least one authentication block for each protected scope. There MAY be more than one authentication block for each protected scope if more than one authentication algorithm (identified by the BSD field) is used. See Section 17.1 for the definition of the . If the 'U' bit in the SLP header is set, an authentication block is included to allow the SA and UA to ascertain whether the DA Guttman,Perkins,Veizades Expires 30 April 1998 [Page 31] Internet Draft Service Location Protocol 30 October 1997 Advertisement is valid. See 4.4. See Section 6.4 for the lexical rules regarding . DA Advertisements sent in reply to a Directory Agent Discovery Request has the same format as the unsolicited DA Advertisement, for example: URL: service:directory-agent://SLP-RESOLVER.CATCH22.COM SCOPE List: ADMIN The DA can be reached at the Address Specification returned, and supports the SCOPE called "ADMIN". 13. Service Registration Message Format After a SA has found a DA, it begins to register its advertised services one at a time. A SA must wait for some random time uniformly distributed within the range specified by CONFIG_REG_ACTIVE seconds before registering again. Registration is done using the Service Registration message specifying all attributes for a service. If the service registration in a protected scope 17.2, then the service MUST include both a URL Authentication block and an Attribute Authentication block (see section 4.4). In that case, the service agent MUST set both the 'U' bit and the 'A' bit (see section 4). A DA must acknowledge each service registration request. If authentication blocks are included, the DA MUST verify the authentication before registering the service. This requires obtaining key information, either by preconfiguration, maintenance of a security association with the service agent, or acquiring the appropriate certificate. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 32] Internet Draft Service Location Protocol 30 October 1997 The format of a Service Registration is: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = SrvReg) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length of | String \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length of Attr List String | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ (if present) Attribute Authentication Block ... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The is defined at the end of Section 4.3. The is defined in Section 20.2. The Attribute Authentication Block, which is only present if the 'A' bit is set in the message header, is defined in section 4.4. The is defined in Section 17.1. Service registration may use a connectionless protocol (e.g. UDP), or a connection oriented protocol (e.g. TCP). If the registration operation may contain more information than can be sent in one datagram, the SA MUST use a connection oriented protocol to register itself with the DA. When a SA registers the same attribute class more than once for a service instance, the DA overwrites the all the values associated with that attribute class for that service instance. Separate registrations must be made for each language that the service is to be advertised in. If a SA attempts to register a service with a DA and the registration is larger than the site path MTU, then the DA will reply with a SrvAck, with the error set to INVALID_REGISTRATION and the 'Overflow' byte set. An example of Service Registration information is: Lifetime (seconds): 16-bit unsigned integer URL (at least): service::// scope-list: omitted (ie. no items, 0 bytes) Attributes (if any): (ATTR1=VALUE),KEYWORD,(ATTR2 = VAL1, VAL2) Guttman,Perkins,Veizades Expires 30 April 1998 [Page 33] Internet Draft Service Location Protocol 30 October 1997 In order to offer continuously advertised services, SAs should start the reregistration process before the Lifetime they used in the registration expires. An example of a service registration (valid for 3 hours) is as follows: Lifetime: 10800 URL: service:lpr://igore.wco.ftp.com:515/draft scope-list: DEVELOPMENT Attributes: (PAPER COLOR=WHITE), (PAPER SIZE=LETTER), UNRESTRICTED_ACCESS, (LANGUAGE=POSTSCRIPT, HPGCL), (LOCATION=12 FLOOR) The same registration could be done again, as shown below, in German; however, note that "lpr" and "service" are reserved terms and will remain in the language they were originally registered (English). Lifetime: 10800 URL: service:lpr://igore.wco.ftp.com:515/draft scope-list: ENTWICKLUNG Attributes: (PAPIERFARBE=WEISS), (PAPIERFORMAT=BRIEF), UNBEGRENTZTER_ZUGANG, (DRUECKERSPRACHE=POSTSCRIPT,HPGCL), (STANDORT=11 ETAGE) Scoped registrations must contain the SCOPE attribute. Unscoped registrations must be registered with all unscoped DAs. Registrations of a previously registered service are considered an update. If such an attribute registration is performed in a protected scope (see section 17.2), a new Attribute Authentication block must also be included, and the 'A' bit set in the registration message header. The new registration's attributes replace the previous registration's, but do not effect attributes which were included previously and are not present in the update. For example, suppose service:x://a.org has been registered with attributes A=1, B=2, C=3. If a new registration comes for service:x://a.org with attributes C=30, D=40, then the attributes for the service after the update are A=1, B=2, C=30, D=40. In the example above, the SCOPE is set to DEVELOPMENT (in English) and ENTWICKLUNG (in German). Recall that all strings in a message Guttman,Perkins,Veizades Expires 30 April 1998 [Page 34] Internet Draft Service Location Protocol 30 October 1997 must be in one language, which is specified in the header. The string SCOPE is *not* translated, as it is one of the reserved strings in the Service Location Protocol (see section 19.1.) The DA may return a server error in the acknowledgment. This error is carried in the Error Codes field of the service location message header. The SrvReg may result in the error codes described in Section 14. There are various rules concerning scopes: Which DAs a SA MUST register with and which DAs accept which registrations. See Section 17.1. When the URL entry accompanying a registration also contains an authentication block (section 4.4), the DA MUST perform the indicated authentication, and subsequently indicate the results in the Service Acknowledgement message. 14. Service Acknowledgement Message Format A Service Acknowledgement is sent as the result of a DA receiving and processing a Service Registration or Service Deregistration. An acknowledgment indicating success must have the error code set to zero. Once a DA acknowledges a service registration it makes the information available to clients. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = SrvAck) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Error Code may have one of the following values: 0 Success PROTOCOL_PARSE_ERROR A DA returns this error when the SrvReg or SrvDeReg is received which cannot be parsed or the declared string lengths overrun the message. INVALID_REGISTRATION A DA returns this error when a SrvReg or SrvDeReg is invalid. For instance, an invalid URL, unknown or malformed attributes, or deregistering an unregistered service all cause this error to be reported. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 35] Internet Draft Service Location Protocol 30 October 1997 SCOPE_NOT_SUPPORTED A DA which is configured to have a scope will return this error if it receives a SrvRqst which is set to have a scope which it does not support. AUTHENTICATION_ABSENT If DA has been configured to require an authentication for any service registered in the requested scope, and there are no authentication blocks in the registration, the DA will return this error. AUTHENTICATION_FAILED If the registration contains an authentication block which fails to match the correct result as calculated (see section 4.4) over the URL or attribute data to be authenticated, the DA will return this error. If the DA accepts a Service Registration, and already has an existing entry, it updates the existing entry with the new lifetime information and possibly new attributes and new attribute values. Otherwise, if the registration is acceptable (including all necessary authentication checks) the DA creates a new entry, and sets the 'F' bit in the Service Acknowledgement returned to the SA. 15. Service Deregister Message Format When a service is no longer available for use, the SA must deregister itself from DAs that it has been registered with. A service uses the following PDU to deregister itself. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Service Location header (function = SrvDeReg) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of URL | URL \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ (if present) authentication block ..... \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | length of string | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The SA should retry this operation if there is no response from the DA. The DA acknowledges this operation with a Service Acknowledgment message. Once the Service Agent receives an acknowledgment indicating success, it can assume that the service is no longer advertised by the DA. The Error Code in the Acknowledgment of the Guttman,Perkins,Veizades Expires 30 April 1998 [Page 36] Internet Draft Service Location Protocol 30 October 1997 Service Deregistration may have the same values as described in section 14. The Service Deregister Information sent to the directory agent has the following form: service::// Attribute tags (if any): ATTR1,KEYWORD,ATTR2 This will deregister the specified attributes from the service information from the directory agent. If the Language Tag is omitted and no attribute tags are included, the entire service information is deregistered in every language and every scope it was registered in. To deregister the printer from the preceding example, use: service:lpr://igore.wco.ftp.com:515/draft If the service was originally registered with a URL entry containing a URL authentication block, then the Service Deregistration message header MUST have the 'U' bit set, and the URL entry is then followed by the authentication block, with the authentication block calculated over the URL data, the timestamp, and the length of the authentication as explained in section 4.4. In this calculation, the lifetime of the URL data is considered to be zero, no matter what the current value for the remaining lifetime of the registered URL. 16. Directory Agents 16.1. Finding Directory Agents A UA or SA may be statically configured to use a particular DA. This is discouraged unless the application resides on a network where any form of multicast or broadcast is impossible. Alternatively, a host which uses DHCP [9, 1] may use it to obtain a DA's address. DHCP options 78 and 79 have been assigned for this purpose [15]. The third way to discover DAs is dynamically. This is done by sending out a Directory Agent Discovery request (see Section 6.2). Lastly, the agent may be informed passively as follows: When a DA first comes on-line, and periodically, it sends an unsolicited DA Advertisement to the Service Location general multicast address. See Section 21 for details. If a DA supports a particular scope or set of scopes these are placed in its DAAdvert. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 37] Internet Draft Service Location Protocol 30 October 1997 When a SA or UA first comes on-line it must issue a Directory Agent Discovery Request unless it is using static or DHCP configuration, as described in 6.2. A SA registers information with ALL newly discovered DAs when either of the above two events take place. Once a UA becomes aware of a DA it will unicast its queries there. In the event that more than one DA is detected, it will select one to communicate with. The protocol will cause all DAs (of the same scope) to eventually obtain consistent information. Thus one DA should be as good as any other for obtaining service information. There may be temporary inconsistencies between DAs. 17. Scope Discovery and Use The scope mechanism in the Service Location Protocol enhances its scalability. The primary use of scopes is to provide the capability to organize a site network along administrative lines. A set of services can be assigned to a given department of an organization, to a certain building or geographical area or for a certain purpose. The users in a department can be configured to request services from a particular scope. A scope is not an attribute of the service instance, because it is completely independent of the characteristics of the service instance. Services in a scope effectively offer their service only to users that indicate that particular scope in their user requests. Just as sets can be non-disjoint, services can belong to several scopes. Users, on the other hand, are not viewed as belonging to particular scopes, but instead as having access to services in one or more scopes. This access can be acquired in several ways, as further detailed below. Services that do not belong to any scope effectively offer their service to any user agent. Since a user agent selects its desired service by specifying the desired attributes of that service, any service satisfying those attributes will satisfy the needs of the user agent. Thus, a user agent typically does not care about which service agent provides the needed service. Cases in which this is not true require the user agent to specify that only services from the specific scope are desired, but such cases always arise from administrative considerations, and not from the specific values assigned to service attributes. The 'S' bit is supplied by user agents requiring the exclusion of services not assigned to the specific requested scope or scopes. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 38] Internet Draft Service Location Protocol 30 October 1997 A site network that has grown beyond a size that can be reasonably serviced by a few DAs can use the scope mechanism. DAs may be configured with a scope list, representing the administrative categories which they serve. The semantics and language of the strings used to describe the scope are almost entirely the choice of the administrative entity of the particular domain in which these scopes exist. The values of SCOPE should be configurable, so the system administration Block can set its value. The scopes "LOCAL" and "REMOTE" are reserved and SHOULD NOT be used. Use of these reserved values is to be defined in a future protocol document. DAs advertise their available scopes, together with a "service:directory-agent:" URL indicating its location. These advertisements are sent periodically starting as soon as the DA first becomes available. The UA and SA may also solicit these DA advertisements when they first come on line. Thus, UAs and SAs are consistently informed of available scopes provided by scoped DAs. UAs may select or be configured with one or more scopes to use. This selection may be automated through the use of DHCP or it may be done by the individual client application or service programmatically. UAs send all requests to DAs which support the scope or scopes they select. A SA is configured with a scope (or scopes) in which to register. It MUST register with all DAs in that scope that it can discover. Failure to be comprehensive in registration according to this rule may mean that the service advertisement may not be available to all UAs. 17.1. Rules governing Scopes For the sake of illustration, imagine that a service is a candy M&M, and that scopes divide the candy up into sets all containing the same color. Users want candy, but some users are more particular than others, and some users are constrained by their administration to only eat candy of a particular color. Rules for User Agents, for various combinations of settings of the 'S' bit, and contents of the : <'S'=on, scope-list=""> I want colorless M&Ms. <'S'=on, scope-list="green"> I want green M&Ms. <'S'=off, scope-list="green"> I want green M&Ms, or else colorless M&Ms. <'S'=off, scope-list=""> I want colorless M&Ms. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 39] Internet Draft Service Location Protocol 30 October 1997 Rules for Service Agents, for various combinations of settings of the 'S' bit, and contents of the : <'S'=on, scope-list=""> I am a colorless M&M. <'S'=on, scope-list="green"> I am a green M&M, and always appear colorful. <'S'=off, scope-list="green"> I am a green M&M, but I'm happy to appear colorless. <'S'=off, scope-list=""> I am a colorless M&M. Rules for Directory Agents, for various combinations of settings of the 'S' bit, and contents of the : <'S'=on, scope-list=""> I am a jar for colorless M&Ms. <'S'=on, scope-list="green"> I am a jar for green M&Ms only. <'S'=off, scope-list="green"> I am a jar for green M&Ms, but I'm happy to accept colorless. <'S'=off, scope-list=""> I am a jar for colorless M&Ms. The intention motivating this algorithm for satisfying scoped service requests is to allow a smooth transition between administration of unscoped service domains into scoped service domains. Notice that if a DA is installed and configured to offer scoped service, that user agents sending requests to that DA will typically be able to find the existing unscoped services until the services are configured for scope membership. This should enable system administrators to become more familiar with the scope model without the need for "flag days" or discontinuous changeovers of services. If it is intended that all user agents be configured to request services from particular scopes, then while the user agents receive the necessary scope configuration information they will work as before in the unscoped administration until the time finally arrives when all user agents are configured with scopes. After that time, all service agents can be configured to register their services with the 'S' bit set, and the user agents will all continue to work as before. 17.1.1. Scope Strings in SLP Messages Scope strings are found in several service location messages. The takes the form of a (see Section 20) of Guttman,Perkins,Veizades Expires 30 April 1998 [Page 40] Internet Draft Service Location Protocol 30 October 1997 scope names. The only characters which are reserved in scope strings are commas ',', asterisk '*' and the backslash character '\'. If this scope list is omitted, the message is said to be 'not scoped'. will explicitly exclude unscoped requests, as will be explained below. The scope list may include '*' when multicasting requests to SAs, which specifies that scopes will be ignored for the purposes of handling the request. The list may also include any other valid scope string. 17.1.2. Registration Services which are registered with a non-null scope list are considered 'scoped'. A service registration which has no scope string is considered unscoped. That means it will be registered with all DAs which do not explicitly refuse unscoped registrations. A DA does this by setting the 'S' bit in its DAAdvert. A DA may be configured to be unscoped or scoped. An unscoped DA accepts only unscoped registrations. SAs MUST register all unscoped services with an unscoped DA. By default, a scoped DA will accept unscoped registrations. A DA MUST be configurable to deny unscoped registrations. Scopes determine which requests a DA will accept. A DA MUST decline to register a service if it is specified with an unsupported scope. In this case a SCOPE_NOT_SUPPORTED error is returned in the SrvAck. SAs MUST register scoped services with every DA they are aware of, that supports the service's scopes. 17.1.3. Query Handling In every case, the rules specified in Section 17.1 apply. UAs MUST use scoped DAs in preference to unscoped DAs, and unscoped DAs in preference to multicasting requests to SAs. UAs MUST use scoped requests when making requests of scoped DAs. UAs SHOULD use requests with no scope when multicasting requests to SAs. UAs MUST use requests with no scope when sending a request to an unscoped DA. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 41] Internet Draft Service Location Protocol 30 October 1997 17.1.3.1. DA Query Handling An unscoped DA accepts only unscoped requests. It will reply with a SCOPE_NOT_SUPPORTED error if a scoped service registration is received. A scoped DA MUST accept only requests which have the scope of the DA or where the request is unscoped (ie. the is omitted). The DA will respond with information which matches the request in the scope of the request AND unscoped service information. If the request has the 'S' bit set in the message header, the DA will respond only with scoped service information. If a scoped DA receives a request which does not include a supported scope in its , or includes the string "*" the DA replies with a SCOPE_NOT_SUPPORTED error in the reply corresponding to the request. This rule does not apply DA Discovery requests, which are described in Section 6.2. DAs will return a reply with 0 results if they support the request (ie. do not return an error) and they have no matches to the request. 17.1.3.2. SA Query Handling SAs apply the same rules for matching requests except that if there is no match they will drop the request if there are no matches. They will never reply with a SCOPE_NOT_SUPPORTED error. SAs which receive a request where the is set to the string "*" does not apply scope matching rules to the request. 17.2. Protected Scopes Scope membership MAY also define the security access and authorization for services in the scope; such scopes are called protected scopes. If a UA wishes to be sure that SAs are authorized to provide the service they advertise, then the UA should request services from a protected scope which has been configured to have the necessary authentication mechanism and keys distributed to the SAs within the scope. A directory agent distributing URLs for services in a protected scope will reject any registrations or deregistrations for service agents which cannot provide cryptographically strong authentication to prove their authorization to provide the services. For instance, if a campus registrar wishes to find a working printer to produce student grade information for mailing, the registrar would Guttman,Perkins,Veizades Expires 30 April 1998 [Page 42] Internet Draft Service Location Protocol 30 October 1997 require the printing user agent to transmit the printable output only to those printing SAs which have been registered in the appropriate protected scope. Notice that each service agent is, under normal circumstances, validated two times: once when registering with the directory agent, and once when the user agent validates the URL received with the Service Reply. This protects against the possibilities of malicious DAs as well as malicious SAs. Note that services in protected scopes provide separate authentication for their URL entry, and for their attributes. This follows naturally from the needs of the protocol operation. UAs which specify a service type and attributes needed for service in that service type will not receive attribute information from the directory agent; they will only receive the appropriate URL entries. Only the information returned needs to be authenticated. User agents which receive attribute information for a particular URL (see section 10), on the other hand, need to authenticate the attributes when they are returned (see section 11). In this case, there may be much more data to authenticate, but this operation is also performed much less often, usually only while the user is browsing the available network resources. 18. Language Internationalization Issues 18.1. Language Tags and Dialects Service location messages often include a Language Tag in the header. A SrvDeReg message MAY omit a Language Tag if the service is to be deregistered in ALL languages it has been registered in. If the Language Tag is omitted, the Language Tag length in the header is set to 0. If the Language Tag used includes a dialect, the dialect is to be used the following way: Requests which can be fulfilled by matching a language and dialect will be preferred to those which match only the language portion. Otherwise, dialects have no effect on matching requests. 18.2. Scope Strings are not Language Specific A scope string, which is used to configure DAs and which are used by both UAs and SAs for various operations (see Section 17.1) is NOT language specific. Thus, the language declared in a SrvRqst used for DA discovery has no effect on whether the request predicate matches the scopes of the DA or not. The DAAdvert does not include a Language Tag as the scope strings are not language specific. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 43] Internet Draft Service Location Protocol 30 October 1997 18.3. Declaring the language of registrations All Service Registrations declare the language in which the strings in the service attributes are written by specifying a Language Tag in the message header. For each language the Service advertises a separate registration takes place. Each of these registrations uses the same URL to indicate that they refer to the same service. A Service is fully deregistered if the URL is given in the Service Deregister message without any attribute information or Language Tag sent in the message. If, on the other hand, attribute information is included in the Service Deregistration request, a separate Service Deregistration of selected attributes must be undertaken in each language in which service information has been provided to the DA by a SA. Service Registrations in different languages are mutually unintelligible. They share no information except for their service type and URL with which they were registered. No attempt is made to match queries with "language independence." Instead, queries are handled using string matching against registrations in the same language as the query. 18.4. Translation of Attribute Strings Service Types which are standardized will have definitions for all attributes and value strings. Official translations to other languages of the attribute tags and values may be created and submitted as part of the standard; this is not feasible for all languages. For those languages which are not defined as part of the Service Type, a best effort translation of the standard definitions of the Service type's attribute strings MAY be used. 18.5. Declaring the language of a Request Service and Attribute requests specify a requested language in the message header. The DA or SA will respond in the same language as the request, if it has a registration in the same language as the request. If this language is not supported, and the Monolingual bit is not specified, a reply MAY be sent in the default language (which is English) on a best effort basis. If no reply is possible, or if the 'monolingual bit' flag in the header is set and the requested language is not supported, a SrvRply is returned with the error field set to LANGUAGE_NOT_SUPPORTED. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 44] Internet Draft Service Location Protocol 30 October 1997 If a query is in a supported language on a SA or DA, but has a different dialect than the available service information, the query MUST be serviced on a best-effort basis. If possible, the query should be matched against the same dialect. If that is not possible, it MAY be matched against any dialect of the same language. When there are several replies returned in one message and the reply includes attributes which were registered with separate dialects, the dialect portion of the Language Tag in the reply is dropped. This could occurs primarily with an attribute reply. 19. Substitution of Character Escape Sequences Certain characters are illegal in certain contexts of the protocol. Since the protocol is largely character string based, in some contexts characters are used as protocol delimiters. In these cases the delimiting characters must not be used as 'data text.' Characters which are reserved as part of the encoding of attribute tags or values MUST be escaped if they are included in Attribute Lists or Predicates. Any character in these strings MAY be escaped. The escape mechanism uses the reserved backslash character '\' (ASCII 0x5c). This character is followed by two hexadecimal digits of the escaped character. Note that some characters are multibyte, using UTF8 encoding. Examples: Character to encode Unicode UTF8 SLP Escaped value ------------------- ------- --------- ----------------- ',' 0x0029 0x0029 \29 e accent aigue 0x0039 0xc3a9 \c3\a9 not equals glyph 0x2260 0xe289a0 \e2\89\a0 Characters in URLs which are reserved according to the URL syntax specification must be escaped using the URL escape character convention. In this case a 'percent' is followed by the hex encoding of the escaped character exactly as defined above for the 'slash' character. The current URL syntax specification limits all encoded characters to a subset of the ASCII character set. The update to this defines a way to transmit UTF8 encoded characters outside of the ASCII range. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 45] Internet Draft Service Location Protocol 30 October 1997 19.1. Language-Independent Strings Some strings, such as Service Type names, have standard definitions. These reserved strings should be considered as tokens and not as words in a language to be translated. They are case-independent. Reserved String Section xDefinition --------------- ------- -------------------------------------- SCOPE 3, 16 Used to limit the matching of requests. SERVICE 7, 13 The URL scheme of all Service Location information registered with a DA or returned from a Service Request. 20.1.1 Used in all service registrations and replies. domain names 20.3 A fully qualified domain name, used in registrations and replies. IANA 3.4 The default naming authority. LOCAL 17 Reserved. REMOTE 17 Reserved. TRUE 20.4 Boolean true. FALSE 20.4 Boolean false. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 46] Internet Draft Service Location Protocol 30 October 1997 20. String Formats used with Service Location Messages The following section supplies formal definitions for fields and protocol elements introduced in the sections indicated. Protocol Element Defined in Used in ----------------------------------- ------------ ------------ 20.1 SrvRqst Service Request 6.4 SrvRqst URL [10] SrvReg, SrvDeReg, SrvRply 20.2 SrvReg, SrvRply, AttrRply 13 SrvReg 15 SrvDeReg 20.1.1 AttrRqst DAAdvert, SrvTypeRply attr vals AttrRqst, SrvDeReg 20.1. Previous Responders' Address Specification The previous responders' Address Specification is specified as a of terms. The Address Specification is the address of the DA or SA which supplied the previous response. The format for Address Specifications in Service Location is defined in section 20.3. The use of dotted decimal IP address notation should only be used in environments which have no Domain Name Service. Example: RESOLVO.NEATO.ORG,128.127.203.63 SAs or DAs which are listed in a Previous Responders list in a multicast Service Location request will silently discard the request. Depending on the length of the request, around 60 previous responders may be listed in a single datagram. If there are more responders than this, the scaling mechanisms described in section D should be used. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 47] Internet Draft Service Location Protocol 30 October 1997 20.1.1. Service Type String The Service Type is a string describing the type of service. These strings may only be comprised of alphanumeric characters, '+', and '-'. Upper case is considered equivalent to lower case in Service Type names. The Service Type of a service: scheme URL is encoded as the string up to and including the last ":". This includes the Naming Authority string. URL Service Type String ----------------------------------- ------------------ service:lpr://biglaser.dog.com service:lpr: service:wp:http://dir.cat.org service:wp: service:game.cs312://morb.lug.edu service:game.cs312: ftp://ftpserv.mouse.gov ftp: 20.1.2. String List String lists transmitted by the service location protocol are items with a ',' delimiter. str-list = str-item / str-item ',' str-list The definition of depends on the string list. For a DAAdvert, the is a scope attribute value (see in Section 20.2). The other important case is described in Section 20.1, which may be included with SrvRqst, AttrRqst and SrvTypeRqst messages. 20.1.3. Select List Select Lists are String List used in AttrRqst and SrvDeReg messages. The is a with the following syntax: tag-filter = simple-tag / substring simple-tag = 1*filt-char substring = [initial] any [final] initial = 1*filt-char any = '*' *(filt-char '*') final = 1*filt-char filt-char = Any character excluding and See Section 20.2. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 48] Internet Draft Service Location Protocol 30 October 1997 20.2. Attribute Information The is returned in the Attribute Reply if the Attribute Request does not result in an empty result. attr-list = attribute / attribute ',' attr-list attribute = '(' attr-tag '=' attr-val-list ')' / attr-tag attr-val-list = attr-val / attr-val ',' attr-val-list attr-tag = 1*safe-tag attr-val = intval / strval / boolval / opaque intval = [-]1*DIGIT strval = 1*safe-val boolval = "TRUE" / "FALSE" opaque = "(" 1*DIGIT ":" 1*r64chars ")" safe-val = Any character except reserved. safe-tag = Any character except reserved, star and bad-tag. reserved = '(' / ')' / ',' / '\' / '!' / '<' / '=' / '>' / 'tilde' bad-tag = CR / LF / HT star = '*' r64chars = DIGIT / ALPHA / '=' / '/' / '-' An must be scanned prior to evaluation for all occurrences of the escape character '\'. Reserved characters in attributes placed in attribute lists must be escaped. All escaped characters must be restored to their value before used for string matching. See Section 19. A keyword has only an , and no values. (OPERATOR=Joe Javaman) (COLOR=RED\, WHITE\, BLUE) (DELAY=10 MINS), BUSY, (LATEST BUILD=10-5-95), (PRIORITY=L,M,H) The third example has three attributes in the list. Color takes the value "RED, WHITE, BLUE" (the commas in the value string are escaped). Priority, on the other hand, takes the three values "L", "M", and "H". There are several other examples of attribute lists throughout the document. 20.3. Address Specification in Service Location The address specification used in Service Location is: ::= [ ':' '@' ] [ ':' ] ::= Fully qualified domain name / dotted decimal IP address notation Guttman,Perkins,Veizades Expires 30 April 1998 [Page 49] Internet Draft Service Location Protocol 30 October 1997 When no Domain Name Server is available, SAs and DAs must use dotted decimal conventions for IP addresses. Otherwise, it is preferable to use a fully qualified domain name wherever possible as renumbering of host addresses will make IP addresses invalid over time. Generally, just the host domain name (or address) is returned. When there is a non-standard port for the protocol, that should be returned as well. Passwords SHOULD NOT be sent with SLP messages (as cleartext) unless an IPSec ESP is used for delivery of the SLP message. Address specification in Service Location is consistent with standard URL format [4]. 20.4. Attribute Value encoding rules Attribute values, and attribute tags are CASE INSENSITIVE for purposes of lexical comparison. The syntax of attribute values is described in Section 20.2. While an attribute can take any value, there are three types of values which differentiate themselves from general strings: Booleans, Integers and Opaque values. - Boolean values are either "TRUE" or "FALSE". This is the case regardless of the language strings are encoded in. Boolean attributes can take only one value. - Integer values are expressed as a sequence of DIGITs. The range of allowable values for integers is "-2147483648" to "2147483647". No other form of numeric representation is interpreted as such except integers. For example, hexadecimal numbers such as "0x342" are not interpreted as integers, but as strings. - Opaque values (i.e. binary values) are expressed in radix-64 notation. The syntax is: ::= "(" ":" ")" ::= 1*DIGIT ::= radix-64 encoding of the original data is a 16-bit binary number expressed as a decimal string. For example, if the opaque value is 34 bytes long before encoding the field would be the string "34". Guttman,Perkins,Veizades Expires 30 April 1998 [Page 50] Internet Draft Service Location Protocol 30 October 1997 Radix-64 encodes every 3 bytes of binary data into 4 bytes of ASCII data which is in the range of characters which are fully printable and transferable by mail. For a formal definition of the Radix-64 format see RFC 1521 [5], MIME Part One, Section 5.2 Base64 Content Transfer Encoding, page 21. The Opaque value encoding includes otherwise reserved characters in attribute values: '(', ')'. It may include another reserved character: '='. These characters are escaped in SrvRqst predicates. For example "(&(service-type=thing)(att=\(3:AAAA\)))" is a query for a service of type "thing" which has an attribute "att" with a value of a 3 zero bytes. 21. Protocol Timing Rules There are four protocol actions which require timing rules. Active DA Discovery, Passive DA Advertising, reliable unicast requests to a DA and multicast/convergence. 21.1. Active DA Discovery After a UA or SA restarts (say, after rebooting of a system or loading of the network kernel), their initial DA discovery request should be delayed for some random time uniformly distributed from 0 to CONFIG_START_WAIT seconds. DA Discovery requests should be sent according to CONFIG_DA_RETRY. The second and third transmission of the DA Discovery request MUST include a previous responders list of all DAs which have responded. See Section 20.1 and 12. SAs which discover DAs actively must wait CONFIG_REG_ACTIVE seconds before registering their services. 21.2. Passive DA Advertising Every CONFIG_DA_BEAT seconds a DA will multicast or broadcast an unsolicited DAAdvert. This will ensure that eventually it will be discovered by all applications which are concerned. All SAs which receive the unsolicited DAAdvert should examine its Sequence Number. If the DA has never before been heard from or if the Sequence Number is less than it was previously and less than 256, the SA should assume the DA does not have its service registration, even if it once did. If this is the case and the DA has the proper Guttman,Perkins,Veizades Expires 30 April 1998 [Page 51] Internet Draft Service Location Protocol 30 October 1997 scope, the SA should register all service information with the DA, after waiting a random interval CONFIG_REG_PASSIVE. While it might seem advantageous to have frequent heartbeats, this generates traffic throughout the network in proportion to the number of DAs. Thus, CONFIG_DA_BEAT should be specified with a value in seconds long enough to prevent routine protocol operations from using any significant bandwidth. 21.3. Reliable Unicast to DAs If a DA fails to respond to a unicast UDP message in CONFIG_DA_RETRY seconds, the message should be retried. If a DA fails to respond after CONFIG_DA_MAX seconds, the UA or SA should use a different DA. DA addresses may be cached from previous discovery attempts, preconfigured, or by use of DHCP (see section 16.1). If no such DA responds, DA discovery should be used to find a new DA. Care should be taken not to do Active DA Discovery more than once per CONFIG_DA_FIND seconds. 21.4. Multicast/Convergence This algorithm is used by UAs to send requests to SAs using the Service Location General Multicast Address. The algorithm is used by both UAs and SAs to send DA Discovery requests to DAs using the DA Discovery Multicast Address. Requests to SAs are multicast repeatedly (with a recommended wait interval of CONFIG_MC_RETRY) until there are no new responses, or CONFIG_MC_MAX seconds have elapsed. DA discovery requests use different timing for repeated requests, CONFIG_DA_RETRY. Repeated requests include a previous responder list, see Section 20.1. 22. Configurable Parameters and Default Values There are several configuration parameters for Service Location. Default values are chosen to allow protocol operation without the need for selection of these configuration parameters, but other values may be selected by the site administrator. The configurable parameters will allow an implementation of Service Location to be more useful in a variety of scenarios. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 52] Internet Draft Service Location Protocol 30 October 1997 22.1. Time Out Intervals These values should be configurable in case the site deploying Service Location has special requirements (such as very slow links.) Interval name Section Default Value Meaning ----------------- ------- ------------- ----------------------- CONFIG_KEEP_RPLY 4.2 1 minute Cache replies by XID. CONFIG_LIFETIME 4.5 10800 seconds registration Lifetime, (ie. 3 hours)after which ad expires CONFIG_MC_RETRY 4.2 each second, Retry multicast query backing off until no new values gradually arrive. CONFIG_MC_MAX 6 15 seconds Max time to wait for a complete multicast query response (all values.) CONFIG_START_WAIT 13 3 seconds Wait to perform DA discovery on reboot. CONFIG_DA_RETRY 6.2 2 seconds Retransmit DA discovery, try it 3 times. CONFIG_DA_MAX 6.2 6 seconds Give up on requests sent to a DA. CONFIG_DA_BEAT 16.1 3 hours DA Heartbeat, so that SAs passively detect new DAs. CONFIG_DA_FIND 6.2 900 seconds Minimum interval to wait before repeating Active DA discovery. CONFIG_REG_PASSIVE 16.1 1-3 seconds Wait to register services on passive DA discovery. CONFIG_REG_ACTIVE 13 1-3 seconds Wait to register services on active DA discovery. CONFIG_CLOSE_CONN 3.7 5 minutes DAs and SAs close idle connections. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 53] Internet Draft Service Location Protocol 30 October 1997 Multicast vs. Broadcast All Service Location entities must use multicast by default. The ability to use broadcast messages must be configurable for UAs and SAs. Broadcast messages are to be used in environments where not all Service Location entities have hardware or software which supports multicast. Multicast Radius Multicast requests should be sent to all subnets in a site. The default multicast radius for a site is 32. This value MUST be configurable. Directory Agent Address The DA address discovery mechanism must be configurable. There are three possibilities for this configuration: A default address, no default address and the use of DHCP to locate a DA as described in section 16.1. The default value should be use of DHCP, with "no default address" used if DHCP does not respond. In this case the UA or SA must do a Directory Agent Discovery query. Directory Agent Scope Assignment The scope or scopes of a DA must be configurable. The default value for a DA is to have no scope if not otherwise configured. Path MTU The default path MTU is assumed to be 1400. This value MUST be configurable for all SAs and DAs. Keys for Protected Scopes Guttman,Perkins,Veizades Expires 30 April 1998 [Page 54] Internet Draft Service Location Protocol 30 October 1997 If the local administration designates certain scopes as "protected scopes", the agents making use of those scopes MUST able to acquire keys to authenticate data sent by services along with their advertised URLs for services within the protected scope. For instance, SAs would use a private key to produce authentication data. By default, service agents use "md5WithRSAEncryption" [3] to produce the signed data, to be be included with service registrations and deregistrations (see appendix B, 4.4). This authentication data could be verified by user agents and directory agents that possess the corresponding public key. 22.2. Service Agent: Use Predefined Directory Agent(s) A SA's default configuration is to do passive and active DA discovery and to register with all DAs which are properly scoped. A SA SHOULD be configurable to allow a special mode of operation: They will use only preconfigured DAs. This means they will *NOT* actively or passively detect DAs. If a SA is configured this way, knowledge of the DA must come through another channel, either static configuration or by the use of DHCP. The availability of the Service information will not be consistent between DAs. The mechanisms which achieve eventual consistency between DAs are ignored by the SA, so their service information will not be distributed. This leaves the SA open to failure if the DA they are configured to use fails. 23. Security Considerations The Service Location Protocol provides for authentication of Service Information registered by SAs and DA Advertisements. This allows UAs to obtain information about services with confidence that is reasonably complete and accurate. Service Location does not provide confidentiality. Because the objective of this protocol is to advertise services to a community of users, confidentiality might not generally be needed when this protocol is used in non-sensitive environments. Specialized schemes might be able to provide confidentiality, if needed in the future. Sites requiring confidentiality should implement the IP Encapsulating Security Payload (ESP) [13] to provide confidentiality for Service Location messages. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 55] Internet Draft Service Location Protocol 30 October 1997 Using unprotected scopes, an adversary might easily use this protocol to advertise services on servers controlled by the adversary and thereby gain access to users' private information. Further, an adversary using this protocol will find it much easier to engage in selective denial of service attacks. Sites that are in potentially hostile environments (e.g. are directly connected to the Internet) SHOULD use protected scopes. Service Location is useful as a bootstrap protocol. It may be used in environments in which no preconfiguration is possible. In such situations, a certain amount of "blind faith" is required: Without any prior configuration it is impossible to use any of the security mechanisms described above. Service Location will make use of the mechanisms provided by the Security Area of the IETF for key distribution as they become available. At this point it would only be possible to gain the benefits associated with the use of protected scopes if some cryptographic information can be preconfigured with the end systems before they use Service Location. For UAs, this could be as simple as supplying the public key of a Certificate Authority. See Appendix B. 24. Protocol Requirements In this section are listed various protocol requirements for UAs, SAs, and DAs. 24.1. Directory Agent Requirements Announce using multicast when coming up MUST Announce using multicast every CONFIG_DA_BEAT secs MUST Respond to unicast SrvRqsts, AttrRqst and SrvTypeRqst MUST Support TCP connections in the case where a previous MUST request overflowed. Respond to multicast (broadcast) DA discovery SrvRqsts MUST Accept de/registrations from SAs MUST Age out expired service registrations MUST If the DA is scoped: Return an error for improperly scoped requests. MUST If the DA is unscoped: Respond to all requests. MUST 24.2. Service Agent Requirements Perform Active DA discovery on start up MUST Perform Passive DA discovery continuously MUST Forward Service Advertisements to DAs as detected MUST Guttman,Perkins,Veizades Expires 30 April 1998 [Page 56] Internet Draft Service Location Protocol 30 October 1997 Respond to multicast SrvRqst MUST Respond to multicast AttrRqst and SrvTypeRqst SHOULD If responses sent, support TCP failover on overflow MUST Age out expired service registrations MUST Register services using scopes which are supported by scoped DAs if they exist or without scopes if there are no scoped DAs. MUST 24.3. User Agent Requirements Perform Active DA discovery on start up OR use DHCP MUST to configure DA addresses and scopes. Perform Passive DA discovery continuously SHOULD Issue SrvRqst MUST Issue AttrRqst and SrvTypeRqst SHOULD Issue unicast requests to DAs using UDP Issue multicast requests to SAs using the multicast/ convergence algorithm. SHOULD Issue requests in different languages provided it can use defaults if this is not supported. SHOULD Ignore DAAdverts, SrvRplys and AttrRplys which are not authenticated using a protected scope. SHOULD Issue requests to scoped DAs if possible, unscoped DAs if no scoped ones exist and multicast to SAs if no DAs exist. MUST Reissue requests using TCP if the reply overflows the datagram in communications with a DA. MUST Reissue requests as above for overflowed replies from SAs. SHOULD 24.4. Common Requirements for all SLP Agents Static Configurability MUST DHCP Configurability SHOULD Support Protected Scopes configuration SHOULD If Protected Scopes supported, the minimum implementation MUST requirement is "md5WithRSAEncryption" [3]. If an IPSec association exists, ignore SLP messages which lack authentication. Use AH and ESP when possible. MUST Support UTF8 character set MUST Guttman,Perkins,Veizades Expires 30 April 1998 [Page 57] Internet Draft Service Location Protocol 30 October 1997 25. Non-configurable Parameters IP Port number for unicast requests to DAs: UDP and TCP Port Number: 427 Multicast Addresses Service Location General Multicast Address: 224.0.1.22 Directory Agent Discovery Multicast Address: 224.0.1.35 A range of 1024 contiguous multicast addresses for use as Service Specific Discovery Multicast Addresses will be assigned by IANA. Error Codes: No Error 0 LANGUAGE_NOT_SUPPORTED 1 PROTOCOL_PARSE_ERROR 2 INVALID_REGISTRATION 3 SCOPE_NOT_SUPPORTED 4 AUTHENTICATION_ABSENT 6 AUTHENTICATION_FAILED 7 AUTHENTICATION_ALGO_UNKNOWN 8 PROTOCOL_V1_REJECTED 9 26. Acknowledgments Early work on this protocol was done by Leo McLaughlin, Mike Ritter and Scott Kaplan. Charlie Perkins and Harry Harjono's Resource Discovery Protocol was merged with the Service Location Protocol. Jeff Schiller assisted in shaping the security architecture specified in this document. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 58] Internet Draft Service Location Protocol 30 October 1997 A. Version 2 Notes This document revises the Service Location Protocol as specified in RFC 2165. There are some open issues which are resolved here. Some of these are protocol corrections (which result in a change in the on the protocol as it is exchanged over the wire.) Some of the changes to the document are merely clarifications and document restructuring. Clarifications SrvTypeRqst definition SrvTypeRqst does not include a list of previously received service types as was erroneously indicated. Opaque value syntax The ``(`` and ``)'' characters enclosing an opaque value are to be taken literally. The length of the opaque value is to be encoded as a decimal number. Scopes Are NOT language specific strings. All scope rules have been coalesced into a single section. The rules for when to use unscoped requests and registrations have been clarified as well as the consequences of receiving them and the behavior of unscoped DAs. Requirements The requirements section has been redone in a simpler matrix style, with references to the protocol section, reflecting *all* protocol requirements. Wild Card values in search filters Wild card values are only intended to be used for string MATCHING not string COMPARISONS. Service Type Reply strings The definition of the reply strings needs to be clarified and allow for arbitrary URL schemes. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 59] Internet Draft Service Location Protocol 30 October 1997 Security considerations The security section has been updated to reflect the changes made to the certificate format section and the ability to sign DAAdverts. AttrRqst select-list length The length of the select-list is the length of the select-list string, which is the common convention in SLP. Modifications Crypto Algorithm field in Service requests The UA requires a way to specify which crypto algorithm it can use, if it is not the default, so the DA or SA can determine what to use. Version Number Since the wire protocol has changed, the version number of the protocol takes the version number 2. Character Encoding Character encodings are all be in UTF8 [19]. This conforms to current IESG recommendations and simplifies the protocol. Service Request Predicates Service Request Predicate grammar have been replaced by the request grammar used by LDAP string search filters. Some conventions are necessary to ensure proper structure of requests. The simple 'list format' queries is no longer supported. Character escapes in string encoding To be consistent with the LDAP string search filters syntax and to simplify the encoding rules in SLP, all character escapes in SLP string based messages reserve the backslash character as an escape for reserved characters. Character escapes in Guttman,Perkins,Veizades Expires 30 April 1998 [Page 60] Internet Draft Service Location Protocol 30 October 1997 URLs conform to standard URL syntax conventions. Fresh Bit Handling The Fresh bit is transmitted by SAs to DAs to indicate freshness, not returned by DAs to SAs in the acknowledgement of registration. This allowed for a race condition. URL handling SLPv1 only supports service: URLs. It now supports arbitrary URLs provided that they follow standard URL syntax. This support modifies SrvRply, AttrRqst, SrvReg, DAAdvert and SrvDeReg. DAAdvert format The DAAdvert message contains new information: It indicates whether it was sent as the result of a service request or at the DA's own initiative. It can also carry a digital signature of the DAAdvert. The DA may also mark some of the scopes it advertises in as 'protected' and provide a pointer to the protected scope's certificate. DAAdverts no longer override the XID in the header, but instead carry a 'DAAdvert sequence number'. Request Flagging The header indicates whether a request was multicast or unicast. This aids interpretation of the request by SAs and DAs implemented on platforms which receive all datagram requests from the same socket and cannot distinguish between the 'destination' address of the datagram they received. String Interpretation Strings are interpreted in line with other string based query protocols: Interior white space is folded to a single white space rather than interpreted literally for string matching. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 61] Internet Draft Service Location Protocol 30 October 1997 Language Tagging The reserved Dialect field is used for inclusion of RFC 1766 language tags (or whatever obsoletes them.) This is in accord with the new guidelines for internationalization. SLP Certificate format The certificate format needs an additional field indicating the name of the CA. There also needs to be text which encourages the use of standard certificate formats if possible (X.509, etc.) Requirements The requirement that SAs handle SrvTypeRqst and AttrRqst has been relaxed from a SHOULD to a MAY. The requirement that a UA be able to issue a SrvTypeRqst and AttrRqst has been relaxed from a MUST to a SHOULD. The requirement that UAs be able to use multicast/convergence has been relaxed from a MUST to a SHOULD (provided that DHCP is used for DA discovery!) This allows conformant implementations to be much more lightweight. Service Location Extension Options These options allow for the protocol to be enhanced without requiring the main protocol specification standardization to be derailed. Open Issues Service Specific Multicast Addresses Use of Service Specific Discovery Multicast Addresses as defined in RFC 2165 is deprecated until a multicast address range allocation mechanism is defined using Administratively Scoped Multicast Addresses. We need to assign the range of service specific multicast addresses for use by UAs and SAs. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 62] Internet Draft Service Location Protocol 30 October 1997 Lifetime may be too short It may be that timeouts for soft state are too short. We may want to make the URL entry's Lifetime field be longer than 2 bytes worth of seconds. Allow the tag list in SrvDeReg to include wildcards This would allow for deletions of attributes with patterns, such as all entries with a common prefix. This facilitates efficient name deletion based on a hierarchical structure. Include a MIN, MAX and BEST operator for queries MIN and MAX would be used for integer query terms - to allow the service with the smallest or largest value for a given attribute to be returned. BEST would be a string match which would return the service(s) for which the longest substring match could be found. Allow increasing ring multicast discovery This would allow the 'nearest' services to be discovered. Use multicast based de/registration of services This would eliminate a scaling issue in the protocol but would require the use of MTCP-like techniques so that SAs could moderate their refresh intervals so that SLP registration take only a fixed amount of network bandwidth. LDAP search filters Should LDAPv2 filters [11, 18, 12] be used, since they rely on Draft Standard protocols? Or, should SLP use the new LDAPv3 filters (which have not yet gone to PS)? The latter handle internationalization far better! B. SLP Certificates Certificates may be used in SLP in order to distribute the public keys of trusted protected scopes. This section defines a very simple format for certificates which provides only the most basic functionality required for deploying protected scopes. If a public Guttman,Perkins,Veizades Expires 30 April 1998 [Page 63] Internet Draft Service Location Protocol 30 October 1997 key infrastructure has already been deployed, for instance using X.509 certificates, these SHOULD be used instead. Implementation of SLP Certificates is entirely OPTIONAL. Possession of the private key of a protected scope is equivalent to being a trusted SA. The trustworthiness of the protected scope depends upon all of these private keys being held by trusted hosts, and used only for legitimate service registrations and deregistrations. With access to the proper Certificate Authority (CA), DAs and UAs do not need (in advance) hold public keys which correspond to these protected scopes. They do require the public key of the CA. The CA produces certificates using its unique private key. This private key is not shared with any other system, and must remain secure. The certificates declare that a given protected scope has a given public key, as well as the expiration date of the certificate. The ASCII (mail-safe) string format for the certificate is the following list of tag and value pairs: The radix-64 notation is described in RFC 1521 [5]. Spaces are ignored in the computation of the binary value corresponding to a Radix-64 string. If the value for scope, public-key or cert-digest is greater than 72 characters, the Radix-64 notation may be broken up on to separate lines. The continuation lines must be preceded by one or more spaces. Only the tags listed above may start in the first column of the certificate string. This removes ambiguity in parsing the Radix-64 values (since the tags consist of legal Radix-64 values.) The certificate-auth identifies the authority who created the certificate. This enables a very unsophisticated mechanism for enabling the use of multiple certificate authorities: An end system may be configured with public keys for multiple certificate authorities. In each case the public key will be identified by a 'certificate-auth' string as part of the configuration. When certificates are obtained, they may use the 'certificate-auth' field to determine which public key to use to verify the certificate's validity. The certificate-alg is the ASN.1 string for the Object Identifier value of the algorithm used to produce the "cert-digest". The scope-charset is a decimal representation of the MIBEnum value for the character set in which the scope is represented. The radix-64 encoding of the scope string will allow the ASCII rendering of a scope string any character set. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 64] Internet Draft Service Location Protocol 30 October 1997 The 8 byte NTP format timestamp is represented as 16 hex digits. This timestamp is the time at which the certificate will expire. The format for the public key will depend on the type of cryptosystem used, which is identified by the certificate-alg. When the CA generated the certificate holding the public key being obtained, it used the message digest algorithm identified by certificate-alg to calculate a digest D on the string encoding of the certificate, excepting the cert-digest. The CA then encrypted this value using the CA's private key to produce the cert-digest, which is included in the certificate. The CA generates the certificate off-line. The mechanism to distribute certificates is not specified in the Service Location Protocol, but may be in the future. The CA specifies the algorithms to use for message digest and public key decryption. The DA or SA need only obtain the certificate, have a preconfigured public key for the CA and support the algorithm specified in the certificate-alg in order to obtain certified new public keys for protected scopes. The DA or UA may confirm the certificate by calculating the message digest D, using the message digest algorithm identified by the certificate-alg. The input to the message digest algorithm is the string encoding of the certificate, excepting the cert-digest. The cert-digest is decrypted using the CA's public key to produce D'. If D is the same as D', the certificate is legitimate. The public-key for the protected scope may be used until the expiration date indicated by the certificate timestamp. The certificate may be distributed along untrusted channels, such as email or through file transfer, as it must be verified anyhow. The CA's public key must be delivered using a trusted channel. C. Example of deploying SLP security using MD5 and RSA In our site, we have a protected scope "CONTROLLED". We generate a private key - public key pair for the scope, using RSA. The private key is maintained on a secret key ring by all SAs in the protected scope. The public key is available to all DAs which support the protected scope and to all UAs which will use it. In order to register or deregister a URL, the data required to be authenticated (as described in section 4.4) is digestified using MD5 [16] to create a digital signature, then encrypted by RSA with the protected scope's private key. The output of RSA is used in the authentication data field of the authentication block. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 65] Internet Draft Service Location Protocol 30 October 1997 The DA or UA discovers the appropriate method for verifying the authentication by looking inside the authentication block. Suppose that the "md5WithRSAEncryption" [3] algorithm has to be used to verify the signed data. The DA or UA calculates the message digest of the URL Entry by using md5, exactly as the SA did. The authentication block is decrypted using the public key for the "CONTROLLED" scope, which is stored in the public key ring of the UA or DA under the name "CONTROLLED". If the digest calculated by the UA or DA matches that of the SA, the URL Entry has been validated. D. Scaling and Deployment of the Service Location Protocol The Service Location Protocol is meant to be deployable in a variety of network configurations. The protocol is ideal for 'plug and play' networks, which have the minimum of services offered. It also will scale to sites, with many routed networks, even over wide-area low bandwidth links. The key to SLP's scalability is how it is configured in the default case and how it can be configured for use in larger deployments. The default configuration for SLP requires it to discover DAs and if possible, to use them. This ensures that even in a larger deployment SLP will not use multicast or broadcast more than necessary. Thus SLP will not require much network bandwidth for its operation. If there are no DAs, as would be the case in the simplest configuration, UAs will multicast (or broadcast) their requests to SAs. This allows a network of client applications and services to be set up with no configuration; no DNS, no DHCP, and so on. This is a useful feature for extremely small networks, such as in a conference room. DAs are provided for scalability. The protocol works identically whether DAs are present or not (UAs issue the same requests to either SAs or DAs, and get the same replies.) The only difference is efficiency and scalability. The scoping feature of SLP provides further scalability. Services which are scoped will be attracted to the subset of DAs which support their scope. UAs will go to the DAs which supply service information in the scope they are configured to use, or the scope which the user selects if the UA is not configured with a scope. In some cases multicast cannot be used to discover DAs. In others, administration Blocks may decide that they would prefer to control the way DAs are used. Here, DHCP may be used to configure UAs and SAs with the location of DAs. This is particularly useful for Guttman,Perkins,Veizades Expires 30 April 1998 [Page 66] Internet Draft Service Location Protocol 30 October 1997 configuring hosts which are networked via slow wide-area links. It would be a waste of scarce network bandwidth to use a multicast routing protocol to distribute DA advertisements over such a link. There is no guarantee that a DA of a particular scope will contain the same service information as another DA in the same scope. This consistency is only achieved when all SAs which advertise services in that scope are aware of the same set of DAs. This may not be possible, if multicast routing does not pervade the entire site or if DHCP does not uniformly configure SAs with the same scope to use the same DAs. Indeed, it may not even be desirable to allow such pervasive use of multicast nor even be required for useful 'best effort' service provision for there to be a consistent view of services from all DAs of the same scope. This is a decision which network administrators of SLP in large sites need to consider. The more consistency they wish to achieve between DAs, the more complicated their DHCP configuration will be, or the more SLP based multicast traffic they will have in their networks. Guttman,Perkins,Veizades Expires 30 April 1998 [Page 67] Internet Draft Service Location Protocol 30 October 1997 References [1] S. Alexander and R. Droms. DHCP Options and BOOTP Vendor Extensions. RFC 2132, March 1997. [2] H. Alvestrand. Tags for the Identification of Languages. RFC 1766, March 1995. [3] D. Balenson. Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. RFC 1423, February 1993. [4] T. Berners-Lee, L. Masinter, and M. McCahill. Uniform Resource Locators (URL). RFC 1738, December 1994. [5] N. Borenstein and N. Freed. MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies. RFC 1521, September 1993. [6] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. RFC 2119, March 1997. [7] CCITT. Specification of the Abstract Syntax Notation One (ASN.1). Recommendation X.208, 1988. [8] D. Crocker and P Overell. Augmented BNF for Syntax Specifications: ABNF. draft-ietf-drums-abnf-04.txt, September 1997. (work in progress). [9] R. Droms. Dynamic Host Configuration Protocol. RFC 2131, March 1997. [10] E. Guttman, C. Perkins, and J. Kempf. Service Templates and service: Schemes. draft-ietf-svrloc-service-scheme-03.txt, October 1997. (work in progress). [11] T. Howes. A String Representation of LDAP Search Filters. RFC 1960, June 1996. [12] T. Howes, S. Kille, W. Yeong, and C. Robbins. The String Representation of Standard Attribute Syntaxes. RFC 1778, March 1995. [13] Stephen Kent and Randall Atkinson. IP Encapsulating Security Payload (ESP). draft-ietf-ipsec-esp-v2-00.txt, July 1997. (work in progress). Guttman,Perkins,Veizades Expires 30 April 1998 [Page 68] Internet Draft Service Location Protocol 30 October 1997 [14] D. Mills. Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI. RFC 2030, October 1996. [15] C. Perkins. DHCP Options for Service Location Protocol, August 1996. draft-ietf-dhc-slp-00.txt (work in progress). [16] Ronald L. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April 1992. [17] J. Veizades, E. Guttman, C. Perkins, and S. Kaplan. Service Location Protocol. RFC 2165, July 1997. [18] W. Yeong, T. Howes, and S. Kille. Lightweight Directory Access Protocol. RFC 1777, March 1995. [19] F. Yergeau. UTF-8, a transformation format of unicode and ISO 10646. RFC 2044, October 1996. Authors' Addresses Questions about this memo can be directed to: Erik Guttman Charles Perkins John Veizades Sun Microsystems Sun Microsystems @Home Network Bahnstr. 2 901 San Antonio Road 385 Ravendale Dr. 74915 Waibstadt Palo Alto, CA 94040 Mountain View, CA Germany USA 94043 USA Phone: +49 7263 911701 +1 650 786 6464 +1 650 569 5243 Fax: +1 650 786 6445 Email: eguttman@sun.com cperkins@sun.com veizades@home.net Guttman,Perkins,Veizades Expires 30 April 1998 [Page 69]