mirror of https://github.com/moparisthebest/xeps synced 2024-08-13 16:53:48 -04:00

397 lines
18 KiB

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<title>Federated MUC for Constrained Environments</title>
<abstract>This document provides a protocol for federating MUC rooms together in order to reduce the effects of constrained network (e.g. unreliability, severely limited bandwidth) on the room occupants.</abstract>
<type>Standards Track</type>
<spec>XMPP Core</spec>
<remark><p>Reworking for new protocol and clarity of purpose.</p></remark>
<remark><p>Initial published version.</p></remark>
<remark><p>First draft.</p></remark>
<section1 topic='Introduction' anchor='intro'>
<p>MUC's design generally assumes a highly reliable network providing plenty of bandwidth, and it functions well in Internet settings. It is sometimes the case that server to server traffic is heavily constrained, with typical problems for constrained links being high latency, tiny amounts of available bandwidth and unreliability (including, potentially, long-term failure of S2S links). This document provides methods for allowing experiences close to those of standard MUC use while operating across such constrained links by allowing rooms to federate with remote counterparts and for users to connect to the federated MUC node nearest to them on the network for a given FMUC room. It requires no setup in advance, and needs no bandwidth for remote rooms without local occupants. The premise is that a proxy room joins another room and receives stanzas from the MUC just as another occupant would; this is analogous to the client to server model, whereby a client would connect to their local server and the server deals with connections elsewhere - the client joins a local room and the room deals with connections to other federated rooms.</p>
<section2 topic='Terminology' anchor='terminology'>
<p>As MUCs are generally self-contained entities with a single address, federating them requires the introduction of some new terminology:</p>
<li>FMUC set - the union of all MUC rooms that federate together</li>
<li>FMUC node - a single MUC room that is a member of an FMUC set</li>
<li>FMUC room - a room represented by an FMUC set</li>
<p>For illustration: if room1@rooms.server1.lit and room2@rooms.server2.lit federate with each other, then room1@rooms.server1.lit is an FMUC node, as is room2@rooms.server2.lit. Both nodes are in the FMUC set (along with any other node rooms that mutually federate) while the conceptual single room created by joining the FMUC set together is the FMUC room (and this FMUC room does not have a single definitive identifier).</p>
<section1 topic='Requirements' anchor='reqs'>
<li>If appropriately configured, avoid bandwidth use that isn't strictly necessary for message exchange.</li>
<li>Allow conversation in a federated MUC to continue when one of the federated nodes is unavailable (e.g. due to network failure preventing S2S links forming), such that the nodes operate in a 'peer to peer' or 'multi-master' mode.</li>
<li>If configured, allow a master/slave configuration such that a disconnected node is no longer usable for local chat</li>
<li><em>Acceptable compromise</em> When operating in multi-master mode the message ordering may not be consistent between FMUC nodes.</li>
<section1 topic='Addressing' anchor='addressing'>
<p>In Federated MUC an FMUC room does not have a single logical address; when joining the FMUC room a user's client can join any of the nodes in the FMUC set for that room, and all addressing will appear to that client as if this was the single canonical representation of the room's address - while other users in the room may see different addresses dependent upon the node they joined.</p>
<p>It is possible, although not required, for an implementation and deployment to use &xep0106; to make naming schemes easy to manage, but this is a matter of deployment policy and not of the protocol defined herein.</p>
<section1 topic='Actors' anchor='actors'>
<p>The following JIDs are used in this document.</p>
<li>wonderland.lit - service</li>
<li>rooms.wonderland.lit - MUC service on wonderland.lit.</li>
<li>alice@wonderland.lit - User on wonderland.lit</li>
<li>hatter@wonderland.lit - User on wonderland.lit</li>
<li>rabbithole@rooms.wonderland.lit - MUC room / FMUC node.<br/></li>
<li>denmark.lit - service, likely connected to wonderland.lit over constrained link</li>
<li>talk.denmark.lit - MUC service on denmark.lit.</li>
<li>hamlet@denmark.lit - User on denmark.lit</li>
<li>ophelia@denmark.lit - User on denmark.lit</li>
<li>elsinore@talk.denmark.lit - MUC room / FMUC node.</li>
<section1 topic='Use Cases' anchor='usecases'>
<section2 topic='Joining' anchor='joining'>
<section3 topic='Success case' anchor='joinsuccess'>
<p>kev@remote.example.com/Swift joining jabberchat@talk.example.com through a pre-known mirror.remote.example.com service. At this point mirror.remote.example.com knows nothing of the jabberchat@talk.example.com MUC, and no existing proxying is in place beyond mirror.remote.example.com being willing to proxy for kev@remote.example.com</p>
<example caption='User joins MUC through a proxy'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc'/>
<p>mirror.example.com then un-escapes 'jabberchat\40talk.example.com', and joins jabberchat@talk.example.com (the master), saying it's a room mirror.</p>
<example caption='Proxy service joins the target MUC'><![CDATA[
<fmuc xmlns='http://isode.com/protocol/fmuc' from='kev@remote.example.com/Swift' />
<p>jabberchat@talk.example.com recognises that the mirror service is now mirrorring it, and performs the usual ACL checks as if kev@example.com/Swift had joined directly, sending presence to all occupants as normal. For all in-room routing, the slave is now treated as an occupant, and the slave is expected to do fan-out to its users as it is itself a MUC.</p>
<example caption='MUC confirms room join'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='none' role='participant'/>
<p>The slave then fans-out.</p>
<example caption='Proxy delivers the join to local users'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='none' role='participant'/>
<section3 topic='Failure case' anchor='joinfail'>
<p>If the master doesn't allow the user to join, they send the standard MUC error to the slave. Note that for stanzas sent to a user on the slave (such as this join error), it sends to the full MUC JID of the user on the slave, not to the slave room as it does with most other stanzas.</p>
<example caption='Master rejects joins'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc'/>
<error type='auth'>
<registration-required xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<p>The proxy then delivers this to the user</p>
<example caption='Proxy delivers the join failure to the user'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc'/>
<error type='auth'>
<registration-required xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<section3 topic='Joining the MUC directly' anchor='joinmaster'>
<p>Now when a user joins the master directly it will do usual presence distribution to occupants (remembering the slave is an occupant). Status codes are omitted from this example, see &xep0045; for those.</p>
<example caption='User joins the master MUC directly'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc'/>
<example caption='MUC delivers the join to its occupants'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='owner' role='moderator'/>
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='admin' role='moderator'/>
<example caption='Proxy delivers join to its occupants'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='owner' role='moderator'/>
<section2 topic='Parting' anchor='parting'>
<section3 topic='Proxy-connected Users' anchor='proxypart'>
<p>The flow for a user leaving the proxy room is much the same as joining the proxy room:</p>
<example caption='User leaves the proxy room'><![CDATA[
<example caption='Proxy sends part to the MUC'><![CDATA[
<example caption='MUC transmits part to occupants'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='none' role='none'/>
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='none' role='none'/>
<example caption='Proxy sends part to local users'><![CDATA[
<x xmlns='http://jabber.org/protocol/muc#user'>
<item affiliation='none' role='none'/>
<status code='110'/>
<p>When the master MUC receives a parting presence from the only user of the proxy, the proxy itself also leaves the room. This means that as long as no users of the proxy are in the room, it is causing no traffic on the s2s link.</p>
<section3 topic='Direct-connection Users' anchor='directpart'>
<p>Distribution of presence for users parting when connected directly to the MUC is identical to distribution of presence for users joining directly to the MUC.</p>
<section3 topic='Status changes' anchor='statuschange'>
<p>Distribution of presence for users changing status is the same as that for joining and parting.</p>
<section2 topic='Sending a Message to All Occupants' anchor='message'>
<section3 topic='Normal use' anchor='message-ack'>
<p>Normal fan-out like presence</p>
<example caption='Proxy user sends a message to the room'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<example caption='Proxy sends the message to the MUC'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<p>If the proxy is not using fire and forget mode (see below), it MUST NOT fan out this message to local users until it receives the message copy from the MUC.</p>
<example caption='MUC sends the message to the occupants'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<body>[[Unclassified]] It's getting warm in here.</body>
<p>When receiving the message copy, the proxy MUST then distribute to proxied occupants.</p>
<example caption='Proxy sends the message to the proxied users'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<section3 topic='Fire and Forget' anchor='message-noack'>
<p>When dealing with very constrained s2s links, the extra round-trip involved with the MUC sending the message back to the proxy may be unacceptable. In this case, the proxy MAY include the &lt;nomirror> element. If the MUC receives a message from a proxy with &lt;nomirror>, it MUST NOT resend this message to the proxy during its usual fan-out, but MUST send it to other occupants as usual. If sending a message with &lt;nomirror>, the proxy MUST perform fan-out as if the MUC had sent the message back to it.</p>
<p>Note that this use introduces unfortunate side-effects, such as messages appearing out of order, depending on whether connected directly to the MUC, or through a proxy. Also, messages rejected by the MUC may already have been delivered to users on a proxy. As such, a proxy SHOULD only use &lt;nomirror> in environments where these side-effects are understood.</p>
<example caption='Proxy user sends a message to the room'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<example caption='Proxy sends the message to the MUC'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<nomirror xmlns='http://isode.com/protocol/fmuc'/>
<p>If the proxy is using fire and forget mode, it MUST fan out this message to local users now, instead of waiting until it receives the message copy from the MUC.</p>
<example caption='Proxy sends the message to the proxied users'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<p>Because this is fire and forget mode, the MUC now MUST NOT send the message back to the proxy, but MUST send to the other occupants.</p>
<example caption='MUC sends the message to the other occupants'><![CDATA[
<body>[[Unclassified]] It's getting warm in here.</body>
<section2 topic='Administration Use Cases' anchor='admin'>
<p>To perform administration of the MUC, connect directly to the MUC and follow the standard process.</p>
<section1 topic='Business Rules' anchor='rules'>
<li>To avoid complexity of protocol, the MUC MUST NOT modify the nick of a user joining from a proxy - if their JID is unacceptable, the join must instead fail (this simplifies the passing of status codes between the MUC and the proxy).</li>
<li>Similarly to avoid complexity and round-trips, nick-changing is not allowed for users connected through a proxy. If a user attempts to change their nick, the proxy MUST return a <![CDATA[<not-acceptable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>]]> error.</li>
<!--<section1 topic='Implementation Notes' anchor='impl'>
<section1 topic='Accessibility Considerations' anchor='access'>
<section1 topic='Internationalization Considerations' anchor='i18n'>
<section1 topic='Security Considerations' anchor='security'>
<p>This allows a MUC mirror to proxy for another JID, so should only be deployed in scenarios where either the proxy service is trusted, or it is known that the users of the proxy service are in the same security domain as the proxy service.</p>
<section1 topic='IANA Considerations' anchor='iana'>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>Needs a namespace.</p>
<section1 topic='XML Schema' anchor='schema'>
<p>When advanced.</p>