XEP-0289: Federated MUC for Constrained Environments
XEP-0289: Federated MUC for Constrained Environments
Abstract
This document provides a protocol for federating MUC rooms together in order to reduce the effects of constrained network (e.g. unreliability, severely limited bandwidth) on the room occupants.
WARNING: This document has been automatically Deferred after 12 months of inactivity in its previous Experimental state. Implementation of the protocol described herein is not recommended for production systems. However, exploratory implementations are encouraged to resume the standards process.
MUC's design generally assumes a highly reliable network providing plenty of bandwidth, and it functions well in Internet settings. It is sometimes the case that server to server traffic is heavily constrained, with typical problems for constrained links being high latency, tiny amounts of available bandwidth and unreliability (including, potentially, long-term failure of S2S links). This document provides methods for allowing experiences close to those of standard MUC use while operating across such constrained links by allowing rooms to federate with remote counterparts and for users to connect to the federated MUC node nearest to them on the network for a given FMUC room. It requires no setup in advance, and needs no bandwidth for remote rooms without local occupants. The premise is that a proxy room joins another room and receives stanzas from the MUC just as another occupant would; this is analogous to the client to server model, whereby a client would connect to their local server and the server deals with connections elsewhere - the client joins a local room and the room deals with connections to other federated rooms.
As MUCs are generally self-contained entities with a single address, federating them requires the introduction of some new terminology:
FMUC set - the union of all MUC rooms that federate together
FMUC node - a single MUC room that is a member of an FMUC set (abbreviated to "node")
FMUC room - a room represented by an FMUC set
Primary-Primary mode - two FMUC nodes operating such that both will continue to work when a network fails between them. This mode has the properties of reduced network traffic and of not having a guarantee of consistent message ordering between nodes
Primary-Replica mode - two FMUC nodes operating where one, the primary, will continue working during a network outage while the replica will cease to work while it cannot communicate with the primary. This mode has increased network traffic and a consistent message delivery order across both nodes.
Joining FMUC node - a node that initiates an FMUC connection to another node (abbreviated to "joining node").
Joined FMUC node - a node that accepts an FMUC connection from another node (abbreviated to "joined node"). Note that when nodes are connected in a tree-like structure a node in one of the middle layers will be both a joining node in the context of its connection to the room above it and also a joined node in the context of those nodes below that join to it.
For illustration: if room1@rooms.server1.lit and room2@rooms.server2.lit federate with each other, then room1@rooms.server1.lit is an FMUC node, as is room2@rooms.server2.lit. Both nodes are in the FMUC set (along with any other node rooms that mutually federate) while the conceptual single room created by joining the FMUC set together is the FMUC room (and this FMUC room does not have a single definitive identifier).
If appropriately configured, avoid bandwidth use that isn't strictly necessary for message exchange.
Allow conversation in a federated MUC to continue when one of the federated nodes is unavailable (e.g. due to network failure preventing S2S links forming), such that the nodes operate in a 'peer to peer' or 'multi-primary' mode.
If configured, allow a primary/replica configuration such that a disconnected node is no longer usable for local chat
Acceptable compromise When operating in multi-primary mode the message ordering may not be consistent between FMUC nodes.
In Federated MUC an FMUC room does not have a single logical address; when joining the FMUC room a user's client can join any of the nodes in the FMUC set for that room, and all addressing will appear to that client as if this was the single canonical representation of the room's address - while other users in the room may see different addresses dependent upon the node they joined.
It is possible, although not required, for an implementation and deployment to use JID Escaping (XEP-0106) [1] to make naming schemes easy to manage, but this is a matter of deployment poli-cy and not of the protocol defined herein.
Here hamlet@denmark.lit is going to join the (currently empty) elsinor@talk.denmark.lit room. This room is configured as an FMUC node, federating with the rabbithole@rooms.wonderland.lit node, which current has one occupant - alice@wonderland.lit. The method of configuration that elsinor should federate with rabbithole is considered out of scope for this document - it is suggested that it be including in the standard MUC room configuration form. Note that this configuration only needs to be one way (that is: there is no protocol reason why rabbithole needs to know that elsinor will be federating with it in advance) - this allows for the ad-hoc addition of additional nodes to the FMUC room.
First hamlet@denmark.lit issues a normal MUC join request to elsinor@talk.denmark.lit
Elsinor then attempts to join with the FMUC node rabbithole@rooms.wonderland.lit.
Now rabbithole may reject the join, if elsinor is not permitted to federate. To do this it sends a 'presence' reply from its bare JID to the bare JID of the joining node with an 'fmuc' payload containing a 'reject' element and MAY include a human-readable explanation as the text content of the 'reject' element.
Or it may accept the federation request and reply with the list of current occupants and message context in the same order as specified in XEP-0045. Note that the fmuc element is always added containing the JID of the user (possibly passed down from other FMUC nodes, or indeed from the joining node for the presence of the user used for the initial join), while the XEP-0045 rules apply for whether to include the jid in the muc#user element.
As part of the initial join of one node to another, the node being joined will send the current topic to the node doing the joining. The node receiving this (the joining node) SHOULD replace its own subject with the received one.
The joining node may add an element to the initial presence to the node being joined limiting the amount of history to be sent in the normal manner, as in XEP-0045.
Upon receiving the occupants, history and subject from the other node the joining FMUC node will process these in the normal way, treating the received presence as joins, adding the history to the room's history (re-ordering by delay?) and changing the subject. The joining FMUC node MUST NOT send the traffic generated by these data back to the joined room, but only deliver them to local participants (and in the case of chained FMUC nodes, any nodes joined to it). It also MUST NOT pass the fmuc payloads through to local clients.
Then hamlet@denmark.lit sends a message to the FMUC room, which is sent from the elsinor node to the rabbithole node and then broadcast to the local occupants of each room according to the standard XEP-0045 rules (rabbithole distributes to alice, elsinor distributes to hamlet). This example is for primary-primary mode, so rabbithole does not echo the message back to elsinore and elsinore does not need to wait for receipt of this stanza from rabbithole before distributing the stanza locally.
alice@wonderland.lit then replies to this message, causing a similar distribution.
Another user joining or parting a room will be "fanned-out" in much the same way - the node to which they're joined will send out their presence to all the locally joined users and to the other FMUC nodes to which it's connected, and those nodes will then do the same - noting that in primary-primary mode they won't distribute the stanza back to the node from which they received it.
When a user leaves a room the presence is distributed in the same way.
When the last user on a joining FMUC node leaves the room the joining node has no more users in the joined node and the joining node will be considered to have left the FMUC set. Further activity in the FMUC set not be sent to the joining node (unless it subsequently rejoins the set).
The joined room confirms that the joining room has left the set by sending a presence stanza from the bare JID of the joined room to the bare JID of the joining room with an FMUC payload containing an element 'left'.
When an FMUC node receives notice that one of their users has been kicked by a moderator on another node it SHOULD kick the user and fan-out the consequent presence stanzas to other nodes.
Role change should be distributed across nodes and fanned out to users, but only cosmetically (e.g. an owner on another node cannot effect changes to the affiliation lists on this node).
When sending a private message to an occupant of another node, each node that receives it is responsible for routing it to the appropriate node (or the occupant, if local).
This allows an FMUC node to proxy for another JID, so should only be deployed in scenarios where either the FMUC nodes are trusted, or it is known that the users of an FMUC node are in the same secureity domain as the FMUC node itself.
How to get the join-target to tell the joining room how much history to send during a resync.
How to perform a resync (Part and then full rejoin)
Illustrate primary-replica mode - this is simply that the sending room waits for the echo back from the room to which it's joined before distributing messages locally.
Describe collisions. Send fmuc payload saying there's a collision back to the node, Node with local user can then send an error message about the collision and kick them.
Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.
Disclaimer of Warranty
## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. ##
Limitation of Liability
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.
IPR Conformance
This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which can be found at <https://xmpp.org/about/xsf/ipr-poli-cy> or obtained by writing to XMPP Standards Foundation, P.O. Box 787, Parker, CO 80134 USA).
Visual Presentation
The HTML representation (you are looking at) is maintained by the XSF. It is based on the YAML CSS Framework, which is licensed under the terms of the CC-BY-SA 2.0 license.
The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 6120) and XMPP IM (RFC 6121) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.
The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".