The Extensible Provisioning Protocol
Gavin Brown, CentralNic Ltd
About CentralNic
- founded 1995
- second-level registry (.UK.COM, .US.COM)
- ~10^5 domains
- > 2x10^3 resellers/registrars
- bidders on .ORG, .EU
- .LA ccTLD launching soon
History
- Prehistory: NSI
- Then: ICANN
- Shared Registry System for gTLDs
- standard registry-registrar interface
What is EPP?
- domain provisioning
- provisioning means:
- registering
- renewing
- modifying
- deleting
- transferring
- standard protocol to be adopted by all gTLDs
What is EPP?
- XML over TCP*
- stateful, transactional, idempotent
- basic protocol is agnostic of object type
- uses namespaces to define objects and schemas to describe them
- like XML-RPC or SOAP but harder
* secured by SSL/TLS
What is EPP?
Session state machine (the RFC 3730 figure, given here as its list of transitions):
- Waiting for Client --(connected, or <hello>)--> Prepare Greeting
- Prepare Greeting --(send greeting)--> Waiting for Client Authentication
- Waiting for Client Authentication --(timeout)--> End Session
- Waiting for Client Authentication --(<login> received)--> Processing <login>
- Processing <login> --(auth OK)--> Waiting for Command
- Processing <login> --(auth fail)--> Prepare Fail Response
- Prepare Fail Response --(send response)--> Waiting for Client Authentication
- Prepare Fail Response --(send 2501 response)--> End Session
- Waiting for Command --(timeout)--> End Session
- Waiting for Command --(command received)--> Processing Command
- Processing Command --(command processed)--> Prepare Response
- Prepare Response --(send response)--> Waiting for Command
- Prepare Response --(send x5xx response)--> End Session
- End Session --(close connection, or idle)--> Waiting for Client
What is EPP?
- RFC 3730 - basic protocol
- RFC 3731 - domain
- RFC 3732 - hosts
- RFC 3733 - contacts
- RFC 3734 - TCP transport
- RFC 3735 - extending
- RFC 3915 - grace periods
- RFC 4310 - DNSSEC (DS records)
Why should I care?
- Already in use for .ORG, .INFO, .EU
- .COM and .NET migration to EPP October 28
- Changes transfer procedure
- Nominet implementation
- ENUM
EPP Command Frame
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
<command>
<cmdName>
<objectType:cmdName
xmlns:objectType="objectTypeNameSpace"
xsi:schemaLocation="objectTypeSchema">
<objectType:parameter name="foo">bar</objectType:parameter>
</objectType:cmdName>
</cmdName>
<clTRID>ABC-12345</clTRID>
</command>
</epp>
EPP Response Frame
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
<response>
<result code="1000">
<msg>Command completed successfully.</msg>
</result>
<resData>
<objectType:cmdNameData>
<objectType:parameter name="foo">bar</objectType:parameter>
</objectType:cmdNameData>
</resData>
<trID>
<clTRID>ABC-12345</clTRID>
<svTRID>XYZ-54321</svTRID>
</trID>
</response>
</epp>
Domain <info> Request Frame
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
<command>
<info>
<domain:info xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
<domain:name>example.uk.com</domain:name>
</domain:info>
</info>
<clTRID>ABC-12345</clTRID>
</command>
</epp>
Domain <info> Response Frame
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
<response>
<result code="1000">
<msg>Command completed successfully.</msg>
</result>
<resData>
<domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
<domain:name>example.uk.com</domain:name>
<domain:roid>CNIC-DO302520</domain:roid>
<domain:status s="ok"/>
<domain:registrant>C11480</domain:registrant>
<domain:contact type="admin">C11480</domain:contact>
<domain:contact type="tech">H12345</domain:contact>
<domain:contact type="billing">C27228</domain:contact>
<domain:clID>C11480</domain:clID>
<domain:crDate>1995-01-01T00:00:00.0Z</domain:crDate>
<domain:exDate>2037-01-01T23:59:59.0Z</domain:exDate>
<domain:upDate>2006-09-06T15:43:19.0Z</domain:upDate>
<domain:ns>
<domain:hostObj>ns0.centralnic.net</domain:hostObj>
<domain:hostObj>ns1.centralnic.net</domain:hostObj>
</domain:ns>
<domain:authInfo>
<domain:pw>a893cd40c2bfa7d0</domain:pw>
</domain:authInfo>
</domain:infData>
</resData>
<trID>
<clTRID>ABC-12345</clTRID>
<svTRID>XYZ-54321</svTRID>
</trID>
</response>
</epp>
Other commands
- <check> - availability
- <info> - information
- <create> - register
- <renew>
- <update>
- <delete>
- <transfer>
- <transfer op="request">
- <transfer op="query">
- <transfer op="cancel">
- <transfer op="approve">
- <transfer op="reject">
- <poll> - out-of-band message queue
- <poll op="req">
- <poll op="ack">
Idempotency
- Running the same command twice has no effect
- Rôle of clTRID
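The command and response frames above, and the client's side of clTRID, as an added example (not code from the slides or from the Net::EPP libraries). It frames a <domain:info> command the way RFC 3734 puts it on the wire (a 4-octet length header in front of the XML), then unframes a response and refuses it unless the echoed clTRID is the one that was sent. MAX_FRAME is an assumed local limit, the response is a constructed copy of the slides' <info> response trimmed to the parts parsed, and schemaLocation attributes are left out of the generated frame.

```python
"""Client-side EPP framing and transaction-ID handling (added example)."""
import struct
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
MAX_FRAME = 1 << 20  # assumption: refuse data units larger than 1 MiB

# Serialise the EPP namespace as the default namespace, as the slides' frames do.
ET.register_namespace("", EPP_NS)
ET.register_namespace("domain", DOMAIN_NS)


def encode_data_unit(xml_bytes):
    """RFC 3734 data unit: 4-octet big-endian total length (header included), then the XML."""
    return struct.pack("!I", len(xml_bytes) + 4) + xml_bytes


def decode_data_unit(buf):
    """Return (xml_bytes, remainder), or (None, buf) while the data unit is still incomplete.

    The length field comes from the peer and is untrusted: bound it before waiting for
    or allocating that many bytes, or a hostile peer can pin the reader indefinitely.
    """
    if len(buf) < 4:
        return None, buf
    (total,) = struct.unpack("!I", buf[:4])
    if total < 4 or total > MAX_FRAME:
        raise ValueError("bad EPP data unit length %d" % total)
    if len(buf) < total:
        return None, buf
    return buf[4:total], buf[total:]


def build_domain_info(name, cltrid):
    """Build the <domain:info> command frame from the slides, tagged with the client's clTRID.

    Building with ElementTree instead of string concatenation means a name or clTRID
    containing '<' or '&' is escaped rather than becoming part of the frame.
    """
    epp = ET.Element("{%s}epp" % EPP_NS)
    command = ET.SubElement(epp, "{%s}command" % EPP_NS)
    info = ET.SubElement(command, "{%s}info" % EPP_NS)
    dinfo = ET.SubElement(info, "{%s}info" % DOMAIN_NS)
    ET.SubElement(dinfo, "{%s}name" % DOMAIN_NS).text = name
    ET.SubElement(command, "{%s}clTRID" % EPP_NS).text = cltrid
    return ET.tostring(epp, encoding="utf-8", xml_declaration=True)


def parse_response(xml_bytes, expected_cltrid):
    """Return (result code, message, svTRID) after checking the echoed clTRID.

    A response whose clTRID is not the one we sent answers some other command (or
    nothing at all) and must not be taken as the answer to this one.
    """
    root = ET.fromstring(xml_bytes)
    resp = root.find("{%s}response" % EPP_NS)
    if root.tag != "{%s}epp" % EPP_NS or resp is None:
        raise ValueError("not an EPP response frame")
    result = resp.find("{%s}result" % EPP_NS)
    code = int(result.get("code"))
    msg = result.findtext("{%s}msg" % EPP_NS, default="")
    trid = resp.find("{%s}trID" % EPP_NS)
    cltrid = trid.findtext("{%s}clTRID" % EPP_NS)
    if cltrid != expected_cltrid:
        raise ValueError("clTRID %r in response, expected %r" % (cltrid, expected_cltrid))
    return code, msg, trid.findtext("{%s}svTRID" % EPP_NS)


# Constructed sample: the slides' <info> response, trimmed to the parts parsed above.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1000"><msg>Command completed successfully.</msg></result>
    <resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.uk.com</domain:name>
        <domain:roid>CNIC-DO302520</domain:roid>
      </domain:infData>
    </resData>
    <trID><clTRID>ABC-12345</clTRID><svTRID>XYZ-54321</svTRID></trID>
  </response>
</epp>"""


def exchange(name, cltrid, wire_response):
    """Frame a command, then unframe and check the (here simulated) server reply."""
    sent = encode_data_unit(build_domain_info(name, cltrid))
    xml, _rest = decode_data_unit(wire_response)
    if xml is None:
        raise ValueError("short read")
    return len(sent), parse_response(xml, cltrid)


if __name__ == "__main__":
    print(exchange("example.uk.com", "ABC-12345", encode_data_unit(SAMPLE_RESPONSE)))
```

When a connection drops after a command was sent but before its response arrived, the client re-sends with the same clTRID; the server can then recognise the repeat, and the client's check in parse_response keeps a late or stray response from being matched to the wrong command.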
Object Types
- Domains
- Hosts
- Contacts
- DS records
- Other types:
- e-mail addresses
- phone numbers
- certificates
Domains
- n contact associations:
<domain:assoc type="registrant">H12345</domain:assoc>
- n DNS servers:
<domain:ns>ns0.example.com</domain:ns>
- n subordinate hosts:
<domain:host>ns1.example.com</domain:host>
- n status codes:
<domain:status>clientTransferProhibited</domain:status>
- authInfo code
- metadata (ID, created, expires, updated, sponsor)
Hosts
- n IP addresses:
<host:addr ip="v4">10.0.0.1</host:addr>
- n status codes:
<host:status>serverDeleteProhibited</host:status>
- authInfo code
- metadata (ID, created, updated, sponsor)
Contacts
- Name (<contact:name>)
- Organisation (<contact:org>)
- Postal Address
- n Street address (<contact:street>)
- City/Town (<contact:city>)
- State/Province (<contact:sp>)
- Country (<contact:cc>)
- Voice (<contact:voice>)
- Fax (<contact:fax>)
- E-mail (<contact:email>)
- n status codes:
<contact:status>serverDeleteProhibited</contact:status>
- authInfo code
- metadata (ID, created, updated, sponsor)
Status Codes
- objects can have arbitrary number of codes
- assigned by "server" and "client"
- ok
- linked
- hold
- Out-of-band transforms: pendingTransfer, pendingRenew, pendingDelete, pendingUpdate, pendingCreate
- Restricted commands: deleteProhibited, transferProhibited, updateProhibited, renewProhibited
- Grace periods: addPeriod, transferPeriod, renewPeriod
authInfo
- managed by registrar
- supplied to gaining registrar during transfer
- means transfer is "auto-ack"
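The status-code rules on the previous slide and the authInfo check on this one, as an added example of what a registry server does before it acts on a transform command (not code from the slides or from any registry). A pending* status or the matching client/server *Prohibited status stops the command with 2304 regardless of who asks; delete, renew and update are then limited to the sponsoring client; a transfer request instead has to carry the object's authInfo, compared in constant time. The REGISTRY dictionary and its authInfo values are constructed sample data, and the result codes are the RFC 3730 ones.

```python
"""Status-code and authInfo checks before a transform command (added example)."""
import hmac

# RFC 3730 result codes returned below.
SUCCESS = 1000
AUTHORIZATION_ERROR = 2201
OBJECT_DOES_NOT_EXIST = 2303
STATUS_PROHIBITS_OPERATION = 2304

# An object carrying any of these is part-way through an out-of-band transform and
# cannot take another one until the pending action completes.
PENDING = {"pendingCreate", "pendingDelete", "pendingRenew", "pendingTransfer", "pendingUpdate"}
# Grace-period statuses are informational and block nothing.
GRACE = {"addPeriod", "transferPeriod", "renewPeriod"}
TRANSFORMS = ("delete", "renew", "update", "transfer")


def prohibiting_statuses(command):
    """Both the client-set and the server-set flavour of *Prohibited block the command."""
    suffix = command.capitalize() + "Prohibited"
    return {"client" + suffix, "server" + suffix}


def authinfo_matches(stored, supplied):
    """Constant-time comparison so a wrong authInfo fails no faster than a near miss."""
    if supplied is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def authorize(registry, name, command, clid, authinfo=None):
    """Return the result code for `command` on domain `name`, issued by client `clid`.

    Order matters: existence, then status, then identity or authInfo, so a prohibited
    status is reported the same way whoever asks.
    """
    if command not in TRANSFORMS:
        raise ValueError("not a transform command: %s" % command)
    obj = registry.get(name.lower())
    if obj is None:
        return OBJECT_DOES_NOT_EXIST
    statuses = set(obj["status"])
    if statuses & PENDING or statuses & prohibiting_statuses(command):
        return STATUS_PROHIBITS_OPERATION
    if command == "transfer":
        # The gaining registrar is not the sponsor; the authInfo is its proof of authority.
        return SUCCESS if authinfo_matches(obj["authInfo"], authinfo) else AUTHORIZATION_ERROR
    # delete/renew/update: only the sponsoring client may change its own object.
    return SUCCESS if obj["clID"] == clid else AUTHORIZATION_ERROR


# Constructed sample registry, keyed by domain name; values modelled on the slides' <info> response.
REGISTRY = {
    "example.uk.com": {"clID": "C11480", "authInfo": "a893cd40c2bfa7d0",
                       "status": ["clientTransferProhibited"]},
    "open.uk.com": {"clID": "C11480", "authInfo": "s3cret-authinfo",
                    "status": ["ok", "renewPeriod"]},
    "moving.uk.com": {"clID": "C27228", "authInfo": "another-authinfo",
                      "status": ["pendingTransfer"]},
}

if __name__ == "__main__":
    for args in (("example.uk.com", "transfer", "C99999", "a893cd40c2bfa7d0"),
                 ("open.uk.com", "transfer", "C99999", "s3cret-authinfo"),
                 ("open.uk.com", "update", "C99999"),
                 ("moving.uk.com", "delete", "C27228")):
        print(args, "->", authorize(REGISTRY, *args))
```

Because a transfer is "auto-ack" once the authInfo is presented, the authInfo is the whole of the losing registrar's protection; the check above is why setting clientTransferProhibited, which is tested before the authInfo is even looked at, is the usual lock against an authInfo that has leaked.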
Extensions
- new object types
- extend object properties, TTL/web forwarding for domains
- modify command behaviour
- represented as a schema
EPP Clients
Not many off-the-shelf client implementations
- EURid EPP Client (eppclient.it, PHP)
EPP Client Libraries
Plenty of libraries:
- Universal Registry/Registrar Toolkit (epp-rtk.sf.net, C, C++, Java)
- Universal Registry Client (urc.sf.net, Java)
- Net::EPP::Client + Net::EPP::Frame (labs.centralnic.com, Perl)
- Net_EPP_Client (labs.centralnic.com, PHP)
- Net::DRI (CPAN, Perl)
Preppi
Client scalability
- stateful protocol
- substantial overhead in SSL handshake and login
- poor performance for web applications
- use a proxy
Net::EPP::Proxy
EPP Servers
- accept connections
- parse command frame
- act on database
- return result frame
mod_epp
- open source (APL)
- developed by nic.at with a little help from CentralNic
- protocol module for Apache 2.x
- security via mod_ssl
- authentication via mod_auth
- business logic handled by arbitrary backend
- can use all the logging and performance features of Apache
- CGI, PHP, whatever
- custom Apache module
- session management
- web developers can operate domain registries!
- aepps.sf.net
- RPMs at labs.centralnic.com
mod_epp Configuration
Listen 700
LoadModule epp_module modules/mod_epp.so
<VirtualHost *:700>
    ServerName epp.centralnic.com
    EPPEngine On
    # <create> maps to /epp/command/create
    EPPCommandRoot /epp/command
    # <login> maps to /epp/session/login
    EPPSessionRoot /epp/session
    EPPErrorRoot /epp/error
    EPPAuthURI /epp/auth
    Alias /epp /var/lib/epp
    <Location "/epp/auth">
        AuthType Digest
        AuthName "EPP"
        AuthUserFile /var/lib/epp/etc/epp.passwd
        require valid-user
    </Location>
</VirtualHost>
mod_epp Command Processors
- mod_epp maps EPP commands to URIs
- URIs get processed as if they were HTTP GET requests
- get REMOTE_ADDR, REMOTE_PORT, REMOTE_USER
- EPP command frame in frame CGI parameter
- EPP clID in clID parameter
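A command processor in the shape mod_epp calls, as an added example (not mod_epp's or CentralNic's code). It relies only on what the slides state: the processor is invoked like an HTTP GET with the command frame in the frame parameter and the authenticated client ID in clID, and it answers with a response frame. mod_epp would route each command to its own URI under EPPCommandRoot; here one function does the dispatch so that the parsing, the clTRID-based repeat detection and the response construction can be seen together. The registry contents, the svTRID format, the response cache and the QUERY_STRING wiring at the bottom are all assumptions made for the example.

```python
"""A mod_epp command processor as an importable function (added example)."""
import sys
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
ET.register_namespace("", EPP_NS)
ET.register_namespace("domain", DOMAIN_NS)

REGISTERED = {"example.uk.com"}  # constructed: names already taken in this toy registry
_SEEN = {}                       # (clID, clTRID) -> response frame already sent
_svtrid = [0]


def next_svtrid():
    _svtrid[0] += 1
    return "SV-%06d" % _svtrid[0]  # assumed format for the server transaction ID


def response_frame(code, msg, cltrid, resdata=None):
    """Serialise <response>: result, optional resData, then trID, in schema order."""
    epp = ET.Element("{%s}epp" % EPP_NS)
    resp = ET.SubElement(epp, "{%s}response" % EPP_NS)
    result = ET.SubElement(resp, "{%s}result" % EPP_NS, code=str(code))
    ET.SubElement(result, "{%s}msg" % EPP_NS).text = msg
    if resdata is not None:
        ET.SubElement(resp, "{%s}resData" % EPP_NS).append(resdata)
    trid = ET.SubElement(resp, "{%s}trID" % EPP_NS)
    if cltrid:
        ET.SubElement(trid, "{%s}clTRID" % EPP_NS).text = cltrid
    ET.SubElement(trid, "{%s}svTRID" % EPP_NS).text = next_svtrid()
    return '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n' + ET.tostring(epp, encoding="unicode")


def domain_check(check):
    """<domain:check>: report availability for each requested name."""
    chk = ET.Element("{%s}chkData" % DOMAIN_NS)
    for n in check.findall("{%s}name" % DOMAIN_NS):
        name = (n.text or "").strip().lower()
        cd = ET.SubElement(chk, "{%s}cd" % DOMAIN_NS)
        ET.SubElement(cd, "{%s}name" % DOMAIN_NS, avail="0" if name in REGISTERED else "1").text = name
    return chk


def handle_request(params):
    """Map one mod_epp invocation (its GET parameters) to a response frame."""
    clid = params.get("clID")
    if not clid:
        # Identity comes from mod_epp/mod_auth only; nothing inside the frame is trusted for it.
        return response_frame(2201, "Authorization error", None)
    try:
        root = ET.fromstring(params.get("frame", ""))
    except ET.ParseError:
        return response_frame(2001, "Command syntax error", None)
    command = root.find("{%s}command" % EPP_NS)
    if root.tag != "{%s}epp" % EPP_NS or command is None:
        return response_frame(2001, "Command syntax error", None)
    cltrid = command.findtext("{%s}clTRID" % EPP_NS)
    # Idempotency: a repeated (clID, clTRID) pair gets the stored answer, not a second execution.
    if cltrid and (clid, cltrid) in _SEEN:
        return _SEEN[(clid, cltrid)]
    verb = next((c for c in command if c.tag != "{%s}clTRID" % EPP_NS), None)
    if verb is None:
        return response_frame(2001, "Command syntax error", cltrid)
    obj = verb[0] if len(verb) else None
    if verb.tag == "{%s}check" % EPP_NS and obj is not None and obj.tag == "{%s}check" % DOMAIN_NS:
        out = response_frame(1000, "Command completed successfully.", cltrid, domain_check(obj))
    elif verb.tag.startswith("{%s}" % EPP_NS):
        out = response_frame(2101, "Unimplemented command", cltrid)
    else:
        out = response_frame(2000, "Unknown command", cltrid)
    if cltrid:
        _SEEN[(clid, cltrid)] = out
    return out


# Constructed sample <domain:check> frame, in the shape of the slides' command frame.
SAMPLE_CHECK = """<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <check>
      <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.uk.com</domain:name>
        <domain:name>free.uk.com</domain:name>
      </domain:check>
    </check>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>"""

if __name__ == "__main__":
    # Assumed CGI wiring: mod_epp presents the parameters as if this were an HTTP GET.
    import os
    from urllib.parse import parse_qs
    qs = parse_qs(os.environ.get("QUERY_STRING", ""))
    sys.stdout.write("Content-Type: text/xml\r\n\r\n")
    sys.stdout.write(handle_request({k: v[0] for k, v in qs.items()}))
```

The frame parameter is attacker-controlled input parsed with the standard library's expat-based parser; a processor that is exposed to arbitrary registrars should additionally cap the frame size it accepts and, if it runs on an older Python, consider a hardened parser such as defusedxml, since entity expansion is the classic way to exhaust an XML front end.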
Scaling mod_epp implementations
Nominet's solution
- Use an XML appliance (from Intel/Sarvega) to transform EPP requests into Automaton requests with XSL
- concerned about lack of proof of origin (XML signatures?)
Finishing Up
- Slides at labs.centralnic.com/uknof5
- software at labs.centralnic.com
- mail: gavin@centralnic.com
- jabber: gavin@juno.centralnic.net
- skype: gavin.brown