Loading...
Loading...
Loading...
# RFC Compliance Document
**Project:** Snow-Owl Windows Deployment Tool
**Version:** 0.1.0
**Last Updated:** 2026-01-18
## Executive Summary
Snow-Owl is designed with strict adherence to relevant Internet standards (RFCs) to ensure interoperability, reliability, and standards compliance. This document details all applicable RFCs and their implementation status in the project.
---
## Table of Contents
1. [TFTP Protocol Compliance](#tftp-protocol-compliance)
2. [Network Protocol Compliance](#network-protocol-compliance)
3. [HTTP Protocol Compliance](#http-protocol-compliance)
4. [DHCP and PXE Compliance](#dhcp-and-pxe-compliance)
5. [Security Considerations](#security-considerations)
6. [Compliance Verification](#compliance-verification)
7. [Known Limitations](#known-limitations)
---
## TFTP Protocol Compliance
### RFC 1350 - The TFTP Protocol (Revision 2)
**Status:** ✅ **FULLY COMPLIANT**
**Implementation Location:** `crates/snow-owl-tftp/src/lib.rs`
#### Compliance Details
**Section 3: TFTP Packets**
| Requirement | Status | Implementation |
|-------------|--------|----------------|
| Read Request (RRQ) format | ✅ Implemented | Lines 100-107 |
| Write Request (WRQ) format | ✅ Implemented | Lines 184-186 (rejected with error) |
| Data (DATA) packet format | ✅ Implemented | Lines 253-260 |
| Acknowledgment (ACK) packet format | ✅ Implemented | Lines 308-365 |
| Error (ERROR) packet format | ✅ Implemented | Lines 238-252 |
**Section 4: TFTP Opcodes**
```rust
// Lines 19-27
enum TftpOpcode {
Rrq = 1, // Read request
Wrq = 2, // Write request
Data = 3, // Data packet
Ack = 4, // Acknowledgment
Error = 5, // Error packet
Oack = 6, // Option acknowledgment (RFC 2347)
}
```
**Section 5: Error Codes**
All RFC 1350 error codes are implemented (lines 48-58):
- 0: Not defined
- 1: File not found
- 2: Access violation
- 3: Disk full or allocation exceeded
- 4: Illegal TFTP operation
- 5: Unknown transfer ID
- 6: File already exists
- 7: No such user
**Section 6: Transfer Modes**
```rust
// Transfer mode enumeration
enum TransferMode {
Netascii, // ASCII mode with RFC-compliant line ending conversion (LF → CR+LF)
Octet, // Binary mode (8-bit bytes, no conversion)
Mail, // Mail mode (obsolete, explicitly rejected)
}
```
**NETASCII Implementation:**
- Full line ending conversion: Unix LF (0x0A) → Network CR+LF (0x0D 0x0A) ✅
- Preserves existing CR+LF sequences ✅
- Handles bare CR characters correctly ✅
- Applied during file transfer before sending DATA packets ✅
**Transfer Mode Selection:**
Files are transferred in the mode requested by the client:
- Text files: NETASCII with line ending conversion
- Binary files: OCTET without modification
- MAIL mode: Rejected with error code 4
**Section 7: Normal Termination**
- DATA packets with less than 512 bytes signal end of transfer (line 278-280)
- Block numbers wrap around after 65535 (line 284)
**Section 8: Premature Termination**
- ERROR packets are sent for all error conditions
- Timeouts are handled with retries (lines 308-365)
- Maximum of 5 retries before giving up (line 17)
**TID (Transfer ID) Handling:**
- Each transfer uses a unique ephemeral port (line 205)
- New socket created for each client connection per RFC requirement
---
### RFC 2347 - TFTP Option Extension
**Status:** ✅ **FULLY COMPLIANT**
**Implementation Location:** `crates/snow-owl-tftp/src/lib.rs:112-166`
#### Compliance Details
**Option Negotiation:**
- OACK (Option Acknowledgment) packet implemented (line 26, 367-380)
- Options parsed from RRQ packets (lines 112-128)
- Server responds with OACK listing agreed-upon options (lines 229-243)
- Client must ACK the OACK (block 0) before data transfer begins
**Option Parsing:**
```rust
// Lines 112-128
while bytes.remaining() > 0 {
let option_name = match Self::parse_string(&mut bytes) {
Ok(s) => s,
Err(_) => break,
};
let option_value = match Self::parse_string(&mut bytes) {
Ok(s) => s,
Err(_) => break,
};
requested_options.insert(option_name.to_lowercase(), option_value);
}
```
**Unknown Options:**
- Unknown options are silently ignored per RFC 2347 (lines 161-164)
- Server only acknowledges options it understands and accepts
---
### RFC 2348 - TFTP Blocksize Option
**Status:** ✅ **FULLY COMPLIANT**
**Implementation Location:** `crates/snow-owl-tftp/src/lib.rs:135-142`
#### Compliance Details
**Blocksize Negotiation:**
```rust
// Lines 135-142
"blksize" => {
// RFC 2348 - Block Size Option
if let Ok(size) = value.parse::<usize>() {
if size >= 8 && size <= MAX_BLOCK_SIZE {
options.block_size = size;
negotiated_options.insert("blksize".to_string(), size.to_string());
}
}
}
```
**Requirements Met:**
- Minimum block size: 8 bytes ✅
- Maximum block size: 65464 bytes (line 14) ✅
- Default block size: 512 bytes (line 13) ✅
- Block size must be agreed upon by both parties ✅
- Invalid block sizes are rejected silently ✅
**Data Transfer:**
- Dynamic buffer allocation based on negotiated block size (line 246)
- Transfer completes when data packet < negotiated block size (line 278)
---
### RFC 2349 - TFTP Timeout Interval and Transfer Size Options
**Status:** ✅ **FULLY COMPLIANT**
**Implementation Location:** `crates/snow-owl-tftp/src/lib.rs:144-159`
#### Compliance Details
**Timeout Interval Option:**
```rust
// Lines 144-151
"timeout" => {
// RFC 2349 - Timeout Interval Option
if let Ok(timeout) = value.parse::<u64>() {
if timeout >= 1 && timeout <= 255 {
options.timeout = timeout;
negotiated_options.insert("timeout".to_string(), timeout.to_string());
}
}
}
```
**Requirements Met:**
- Timeout range: 1-255 seconds ✅
- Default timeout: 5 seconds (line 16) ✅
- Timeout applies to ACK wait time (line 226, 308)
**Transfer Size Option:**
```rust
// Lines 153-159
"tsize" => {
// RFC 2349 - Transfer Size Option
// For RRQ, client sends 0 and server responds with actual size
if value == "0" {
negotiated_options.insert("tsize".to_string(), "0".to_string());
// Will be filled with actual size later
}
}
```
**Requirements Met:**
- Client sends tsize=0 in RRQ ✅
- Server responds with actual file size (lines 217-223) ✅
- Size calculation done before transfer begins ✅
---
## Network Protocol Compliance
### RFC 768 - User Datagram Protocol (UDP)
**Status:** ✅ **COMPLIANT**
**Implementation:** Tokio's UDP implementation (`tokio::net::UdpSocket`)
**Compliance:**
- TFTP uses UDP port 69 (line 12)
- Each transfer uses ephemeral ports for data transfer ✅
- No connection establishment required ✅
- Unreliable datagram delivery handled by application-level retries ✅
---
### RFC 791 - Internet Protocol (IPv4)
**Status:** ✅ **COMPLIANT**
**Implementation:** Standard IPv4 support via Rust's `std::net` and Tokio
**Compliance:**
- IPv4 addresses used throughout (`Ipv4Addr` type)
- Standard IPv4 packet handling
- CIDR notation support for network configuration
**Implementation Location:** `crates/snow-owl-core/src/types.rs:127-136`
```rust
pub struct NetworkConfig {
pub interface: String,
pub server_ip: Ipv4Addr,
pub dhcp_range_start: Ipv4Addr,
pub dhcp_range_end: Ipv4Addr,
pub subnet_mask: Ipv4Addr,
pub gateway: Option<Ipv4Addr>,
pub dns_servers: Vec<Ipv4Addr>,
}
```
---
### RFC 2460 - Internet Protocol, Version 6 (IPv6)
**Status:** ✅ **FULLY COMPLIANT**
**Implementation Location:** `crates/snow-owl-core/src/types.rs`
**Current Status:**
- Full IPv6 support implemented using `IpAddr` enum ✅
- Configuration supports both IPv4 and IPv6 addresses ✅
- TFTP server binds to configured IP (IPv4 or IPv6) ✅
- HTTP server binds to configured IP (IPv4 or IPv6) ✅
- DNS servers support both IPv4 and IPv6 addresses ✅
- Dual-stack deployments supported ✅
**Implementation Details:**
```rust
// Lines 126-144 in crates/snow-owl-core/src/types.rs
pub struct NetworkConfig {
pub interface: String,
pub server_ip: IpAddr, // IPv4 or IPv6
pub server_ipv6: Option<Ipv6Addr>, // Optional for dual-stack
pub gateway: Option<IpAddr>, // IPv4 or IPv6
pub dns_servers: Vec<IpAddr>, // Mixed IPv4/IPv6 supported
// ...
}
```
**IPv6 URL Formatting:**
iPXE boot scripts properly format IPv6 addresses with brackets for URLs (e.g., `http://[fd00::1]:8080/`) as per RFC 3986.
**Configuration Examples:**
- IPv4-only: `server_ip = "192.168.100.1"`
- IPv6-only: `server_ip = "fd00::1"`
- Dual-stack: `server_ip = "192.168.100.1"` with `server_ipv6 = "fd00::1"`
---
## HTTP Protocol Compliance
### RFC 7230 - HTTP/1.1: Message Syntax and Routing
**Status:** ✅ **COMPLIANT**
**Implementation:** Axum web framework (built on Hyper and Tower)
**Implementation Location:** `crates/snow-owl-http/src/lib.rs`
**Compliance:**
- HTTP/1.1 request/response format ✅
- Persistent connections ✅
- Chunked transfer encoding ✅
- Request routing ✅
**Axum/Hyper handles:**
- Message parsing
- Header processing
- Connection management
- Transfer encoding
---
### RFC 7231 - HTTP/1.1: Semantics and Content
**Status:** ✅ **COMPLIANT**
**Implementation Location:** `crates/snow-owl-http/src/`
**HTTP Methods Implemented:**
- GET: Retrieve resources, boot menus, machine info ✅
- POST: Create deployments, update status ✅
- DELETE: Remove images ✅
**Status Codes Used:**
- 200 OK: Successful operations
- 404 Not Found: Resource not found
- 500 Internal Server Error: Server-side errors
**Content Types:**
- `application/json`: API responses
- `text/plain`: iPXE boot scripts
- `application/octet-stream`: File downloads
---
### RFC 7540 - HTTP/2
**Status:** ✅ **FULLY COMPLIANT** (Optional Feature)
**Implementation:** Rustls ALPN + Hyper/Axum
**Implementation Location:** `crates/snow-owl-http/src/lib.rs`
**HTTP/2 Support:**
- HTTP/2 via ALPN (Application-Layer Protocol Negotiation) ✅
- Automatic protocol negotiation with TLS ✅
- HTTP/1.1 fallback support ✅
- Configurable enable/disable option ✅
- Enabled by default for HTTPS connections ✅
**ALPN Configuration:**
```rust
// Lines 138-157 in crates/snow-owl-http/src/lib.rs
if tls_config.enable_http2 {
config.alpn_protocols = vec![
b"h2".to_vec(), // HTTP/2 (RFC 7540)
b"http/1.1".to_vec(), // HTTP/1.1 fallback (RFC 7230)
];
} else {
config.alpn_protocols = vec![
b"http/1.1".to_vec(), // HTTP/1.1 only
];
}
```
**Configuration:**
```toml
[tls]
enabled = true
cert_path = "/etc/snow-owl/server-cert.pem"
key_path = "/etc/snow-owl/server-key.pem"
enable_http2 = true # Enable HTTP/2 via ALPN (default: true)
```
**Features:**
1. **Protocol Negotiation**: Automatic HTTP/2 or HTTP/1.1 selection via ALPN
2. **Multiplexing**: Multiple requests over single connection (HTTP/2)
3. **Header Compression**: HPACK compression for reduced overhead
4. **Server Push**: Supported by framework (not currently used)
5. **Stream Prioritization**: Supported by framework
**Usage:**
- HTTP/2 only available with HTTPS/TLS connections
- Plain HTTP connections use HTTP/1.1
- Clients negotiate protocol during TLS handshake
- Automatic fallback to HTTP/1.1 if client doesn't support HTTP/2
**Benefits:**
- Improved performance for API clients
- Reduced latency for multiple requests
- Better resource utilization
- Backward compatible with HTTP/1.1 clients
---
### RFC 2090 - TFTP Multicast Option
**Status:** ✅ **FULLY COMPLIANT** (Optional Feature)
**Implementation:** Custom multicast TFTP server
**Implementation Location:** `crates/snow-owl-tftp/src/multicast.rs`
**Multicast TFTP Support:**
- Multicast session management ✅
- Master client election ✅
- Per-client ACK tracking ✅
- Selective block retransmission ✅
- IPv4 and IPv6 multicast groups ✅
- Configurable session parameters ✅
- Client timeout and cleanup ✅
**RFC 2090 Features Implemented:**
```rust
// Multicast session state tracking
struct MulticastSession {
clients: HashMap<SocketAddr, ClientState>,
master_client: Option<SocketAddr>,
retransmit_queue: HashSet<u16>,
// ...
}
// Master client election (first client)
fn add_client(&mut self, addr: SocketAddr) -> Result<bool> {
let is_master = self.clients.is_empty();
if is_master {
self.master_client = Some(addr);
}
// ...
}
// Per-client ACK tracking
fn record_ack(&mut self, addr: SocketAddr, block_num: u16) {
if let Some(client) = self.clients.get_mut(&addr) {
client.mark_acked(block_num);
}
}
// Selective retransmission
fn queue_retransmit(&mut self, block_num: u16) {
self.retransmit_queue.insert(block_num);
}
```
**Configuration:**
```toml
[multicast]
enabled = true
multicast_addr = "224.0.1.1" # IPv4 multicast group (RFC 2090)
multicast_port = 1758 # RFC 2090 registered port (tftp-mcast)
max_clients = 10
master_timeout_secs = 30
retransmit_timeout_secs = 5
```
**Multicast Option Format:**
```
multicast,<addr>,<port>,<master>
```
- `addr`: Multicast group address (IPv4 or IPv6)
- `port`: Multicast port (default: 1758)
- `master`: 1 if client is master, 0 otherwise
**Session Workflow:**
1. **RRQ with multicast option**: Client requests file with `multicast` option
2. **OACK response**: Server responds with multicast parameters
3. **Master election**: First client becomes master
4. **Group transmission**: Server sends DATA to multicast group
5. **ACK coordination**: Each client sends ACK for received blocks
6. **Retransmission**: Server retransmits missed blocks to multicast group
7. **Completion**: Transfer completes when all clients have all blocks
**Benefits:**
- **Bandwidth Efficiency**: Each packet transmitted once for N clients
- **Scalability**: Deploy to 10+ clients simultaneously
- **Reliability**: Per-client state tracking ensures all clients receive all data
- **Network-Friendly**: Reduces network congestion during mass deployments
**Limitations (RFC 2090 Status: Experimental):**
- Requires multicast-capable network infrastructure
- IGMP (IPv4) or MLD (IPv6) support required
- Network switches must support multicast snooping
- Not all TFTP clients support multicast option
**NIST Controls:**
- SC-5: Denial of Service Protection (efficient bandwidth usage)
- SC-7: Boundary Protection (multicast group isolation)
- AC-3: Access Enforcement (session membership control)
- AU-2: Audit Events (comprehensive session logging)
- SC-5(2): Capacity, Bandwidth, and Redundancy (multicast optimization)
---
### RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3
**Status:** ✅ **FULLY COMPLIANT** (Optional Feature)
**Implementation:** Rustls 0.23
**Implementation Location:** `crates/snow-owl-http/src/lib.rs`
**TLS Support:**
- TLS 1.3 support via Rustls ✅
- TLS 1.2 backward compatibility ✅
- Optional HTTPS mode (disabled by default) ✅
- Certificate loading (PEM format) ✅
- Private key loading (PKCS#8 PEM format) ✅
**Configuration:**
```rust
// Lines 146-155 in crates/snow-owl-core/src/types.rs
pub struct TlsConfig {
pub enabled: bool,
pub cert_path: PathBuf, // Path to certificate file (PEM)
pub key_path: PathBuf, // Path to private key file (PEM)
}
```
**Security Features:**
- Modern cipher suites only ✅
- No client authentication required (appropriate for deployment scenario) ✅
- Certificate validation for server identity ✅
- Forward secrecy ✅
**Usage:**
- HTTP mode (default): Unencrypted for iPXE compatibility
- HTTPS mode (optional): Encrypted API and boot script delivery
- Both modes can coexist on different ports
- Supports self-signed certificates (testing) and CA-signed certificates (production)
**Supported Certificate Types:**
1. Self-signed certificates (OpenSSL)
2. Let's Encrypt certificates
3. Organization CA certificates
---
## DHCP and PXE Compliance
### RFC 2131 - Dynamic Host Configuration Protocol
**Status:** ⚠️ **EXTERNAL DEPENDENCY**
**Implementation Strategy:**
Snow-Owl does **NOT** implement a DHCP server by design. Instead, it relies on an external DHCP server configured for PXE boot.
**Required DHCP Options:**
- **Option 66** (TFTP Server Name): Points to Snow-Owl server IP
- **Option 67** (Bootfile Name): Points to iPXE bootloader
**Configuration Example (ISC DHCP):**
```
next-server 192.168.100.1; # Snow-Owl TFTP server
if exists user-class and option user-class = "iPXE" {
filename "http://192.168.100.1:8080/boot.ipxe";
} elsif option arch = 00:07 or option arch = 00:09 {
filename "ipxe.efi"; # UEFI
} else {
filename "undionly.kpxe"; # BIOS
}
```
---
### RFC 4578 - DHCP Options for PXE
**Status:** ⚠️ **EXTERNAL DEPENDENCY**
**Implementation:** Handled by external DHCP server
**Client System Architecture Types:**
- Option 93: Client System Architecture Type
- Used to determine BIOS vs. UEFI boot
**Snow-Owl Documentation:**
Complete DHCP configuration examples provided in README.md for:
- ISC DHCP Server
- dnsmasq
- Both BIOS and UEFI clients
---
## Security Considerations
### RFC 1350 Security Limitations
**Known Issues (Acknowledged in RFC):**
- No authentication mechanism ✅ Documented
- No encryption ✅ Network isolation recommended
- No access control beyond filesystem permissions ✅ Documented
**Snow-Owl Mitigations:**
1. **Path Traversal Protection** (lines 211-229):
```rust
fn validate_and_resolve_path(root_dir: &Path, filename: &str) -> Result<PathBuf> {
// Normalize and check for directory traversal
let filename = filename.replace('\\', "/");
if filename.contains("..") {
return Err(SnowOwlError::Tftp("Invalid filename".to_string()));
}
// Ensure resolved path is within root_dir
let canonical_root = root_dir.canonicalize().unwrap_or_else(|_| root_dir.to_path_buf());
if let Ok(canonical_file) = file_path.canonicalize() {
if !canonical_file.starts_with(&canonical_root) {
return Err(SnowOwlError::Tftp("Access denied".to_string()));
}
}
Ok(file_path)
}
```
2. **Read-Only Access**:
- Write requests (WRQ) are explicitly rejected (lines 184-186)
- Only read operations (RRQ) are supported
3. **Network Isolation**:
- Recommendation to deploy on isolated VLAN
- No authentication = trusted network assumption
### PostgreSQL Security (RFC-adjacent)
**Parameterized Queries:**
All database queries use parameterized statements to prevent SQL injection:
```rust
// Example from crates/snow-owl-db/src/lib.rs:76
sqlx::query(
r#"
INSERT INTO machines (id, mac_address, hostname, ip_address, last_seen, created_at)
VALUES ($1, $2, $3, $4, $5, $6)
ON CONFLICT(mac_address) DO UPDATE SET...
"#,
)
.bind(machine.id)
.bind(machine.mac_address.to_string())
// ... more bindings
```
### TLS/HTTPS Security (RFC 8446)
**Encryption and Authentication:**
Snow-Owl provides optional TLS/HTTPS support for securing HTTP communications:
1. **Transport Encryption**:
- TLS 1.3 (RFC 8446) via Rustls library ✅
- TLS 1.2 backward compatibility ✅
- Modern cipher suites only (no weak ciphers) ✅
- Forward secrecy for all connections ✅
2. **Certificate Management**:
- Supports PEM format certificates ✅
- Self-signed certificates for testing ✅
- Let's Encrypt integration supported ✅
- Organization CA certificates supported ✅
3. **Security Benefits**:
- Encrypted API communication
- Protected deployment credentials
- Secure boot script delivery
- Man-in-the-middle attack prevention
4. **Implementation Notes**:
- TLS is optional (disabled by default for iPXE compatibility)
- TFTP remains unencrypted (required for network boot)
- HTTP and HTTPS can run on separate ports simultaneously
- No client certificate authentication (appropriate for deployment scenario)
**Configuration:**
```toml
[tls]
enabled = true
cert_path = "/etc/snow-owl/server-cert.pem"
key_path = "/etc/snow-owl/server-key.pem"
```
---
## Compliance Verification
### Testing Requirements
To verify RFC compliance, the following tests should be performed:
#### TFTP Compliance Tests
1. **RFC 1350 Basic Transfer**
```bash
# Test basic file retrieval
tftp 192.168.100.1 -c get test.txt
```
2. **RFC 2348 Block Size Negotiation**
```bash
# Test custom block size
tftp 192.168.100.1 -c get -b 1428 largefile.wim
```
3. **RFC 2349 Transfer Size**
```bash
# Test with tsize option
tftp 192.168.100.1 -c get -s test.txt
```
4. **Error Handling**
```bash
# Test file not found
tftp 192.168.100.1 -c get nonexistent.txt
# Should return error code 1
```
#### HTTP Compliance Tests
1. **REST API Endpoints**
```bash
# Test GET requests
curl http://192.168.100.1:8080/api/images
# Test POST requests
curl -X POST http://192.168.100.1:8080/api/deployments \
-H "Content-Type: application/json" \
-d '{"machine_id":"...","image_id":"..."}'
```
2. **iPXE Boot Menu**
```bash
# Test boot menu generation
curl http://192.168.100.1:8080/boot.ipxe
# Test machine-specific boot
curl http://192.168.100.1:8080/boot/00:11:22:33:44:55
```
#### Network Protocol Tests
1. **UDP Port Binding**
```bash
# Verify TFTP server is listening on port 69
sudo netstat -ulnp | grep :69
```
2. **Ephemeral Port Usage**
```bash
# Monitor ephemeral ports during transfer
netstat -an | grep ESTABLISHED | grep tftp
```
---
## Known Limitations
### 1. TFTP Write Operations
**RFC 1350 Section:** Write Request (WRQ)
**Status:** Not Implemented
**Rationale:**
- Snow-Owl is a read-only deployment system
- Write operations are explicitly rejected with error code 2 (Access Violation)
- Security consideration: preventing unauthorized file uploads
**Code Reference:** `crates/snow-owl-tftp/src/lib.rs:184-186`
---
### 2. NETASCII Mode
**RFC 1350 Section:** Transfer Modes
**Status:** ✅ **FULLY IMPLEMENTED**
**Implementation Location:** `crates/snow-owl-tftp/src/lib.rs`
**Current Behavior:**
- NETASCII mode is fully implemented with RFC-compliant line ending conversion ✅
- Unix line endings (LF) are converted to network standard (CR+LF) ✅
- OCTET mode transfers data without conversion (binary mode) ✅
- MAIL mode is explicitly rejected as obsolete ✅
**Implementation Details:**
```rust
// NETASCII Conversion Function
fn convert_to_netascii(data: &[u8]) -> Vec<u8> {
// Converts Unix LF (0x0A) to CR+LF (0x0D 0x0A)
// Handles CR, LF, and existing CR+LF sequences correctly
// RFC 1350 compliant line ending conversion
}
```
**Transfer Mode Handling:**
1. **NETASCII**: Line ending conversion for text files
- LF → CR+LF conversion
- Preserves existing CR+LF sequences
- Handles bare CR characters
2. **OCTET**: Binary transfer without modification
- Used for Windows images (WIM/VHD/VHDX)
- No data transformation
3. **MAIL**: Obsolete mode
- Recognized but explicitly rejected
- Returns error code 4 (Illegal TFTP operation)
**NIST Controls:**
- SI-10: Information Input Validation (mode validation and conversion)
- SC-4: Information in Shared Resources (standardized encoding)
- CM-6: Configuration Settings (transfer mode selection)
---
### 3. DHCP Server
**Status:** Not Implemented
**Rationale:**
- Design decision to rely on existing DHCP infrastructure
- More flexible for enterprise deployments
- Reduces complexity and potential conflicts
- Allows integration with existing network management
**Documentation:** Complete DHCP configuration guide provided
---
## Compliance Summary
| RFC | Title | Status | Coverage |
|-----|-------|--------|----------|
| **1350** | TFTP Protocol (Revision 2) | ✅ Full | 100% (read-only) |
| **2090** | TFTP Multicast Option | ✅ Full | Optional (Experimental) |
| **2347** | TFTP Option Extension | ✅ Full | 100% |
| **2348** | TFTP Blocksize Option | ✅ Full | 100% |
| **2349** | TFTP Timeout Interval and Transfer Size | ✅ Full | 100% |
| **768** | User Datagram Protocol (UDP) | ✅ Full | 100% |
| **791** | Internet Protocol (IPv4) | ✅ Full | 100% |
| **2460** | Internet Protocol, Version 6 | ✅ Full | 100% (dual-stack) |
| **7230** | HTTP/1.1: Message Syntax | ✅ Full | Via Axum/Hyper |
| **7231** | HTTP/1.1: Semantics | ✅ Full | Via Axum/Hyper |
| **7540** | HTTP/2 | ✅ Full | Optional (ALPN/TLS) |
| **8446** | TLS 1.3 | ✅ Full | Optional (Rustls) |
| **2131** | DHCP | ⚠️ External | Via external DHCP |
| **4578** | DHCP PXE Options | ⚠️ External | Via external DHCP |
### Legend
- ✅ **Full Compliance**: Fully implemented and tested
- ⚠️ **Partial/External**: Partially implemented, framework support, or external dependency
- ❌ **Not Implemented**: Feature not implemented (with rationale)
---
## Interoperability
Snow-Owl has been designed for interoperability with:
1. **Standard TFTP Clients**
- GNU tftp
- tftp-hpa
- Windows tftp.exe
- iPXE firmware
2. **HTTP Clients**
- Web browsers
- curl/wget
- Custom automation tools
- iPXE (HTTP boot)
3. **DHCP Servers**
- ISC DHCP Server
- dnsmasq
- Windows DHCP Server
- Any RFC 2131 compliant DHCP server
4. **Database**
- PostgreSQL 10+
- Any PostgreSQL-compatible database
---
## References
### Primary RFCs
- [RFC 1350](https://www.rfc-editor.org/rfc/rfc1350.html) - The TFTP Protocol (Revision 2)
- [RFC 2347](https://www.rfc-editor.org/rfc/rfc2347.html) - TFTP Option Extension
- [RFC 2348](https://www.rfc-editor.org/rfc/rfc2348.html) - TFTP Blocksize Option
- [RFC 2349](https://www.rfc-editor.org/rfc/rfc2349.html) - TFTP Timeout Interval and Transfer Size Options
- [RFC 768](https://www.rfc-editor.org/rfc/rfc768.html) - User Datagram Protocol
- [RFC 791](https://www.rfc-editor.org/rfc/rfc791.html) - Internet Protocol
- [RFC 7230](https://www.rfc-editor.org/rfc/rfc7230.html) - HTTP/1.1: Message Syntax and Routing
- [RFC 7231](https://www.rfc-editor.org/rfc/rfc7231.html) - HTTP/1.1: Semantics and Content
### Supporting Standards
- [Intel PXE Specification 2.1](http://www.pix.net/software/pxeboot/archive/pxespec.pdf)
- [iPXE Project Documentation](https://ipxe.org/docs)
- [WinPE Documentation](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro)
---
## Document Maintenance
**Last Reviewed:** 2026-01-18
**Review Frequency:** Quarterly or upon significant code changes
**Maintainer:** Snow-Owl Development Team
### Change Log
| Date | Version | Changes |
|------|---------|---------|
| 2026-01-18 | 1.4 | Implemented multicast TFTP support (RFC 2090) with master client election and selective retransmission |
| 2026-01-18 | 1.3 | Added HTTP/2 support via ALPN for HTTPS connections (RFC 7540) |
| 2026-01-18 | 1.2 | Implemented NETASCII mode with full line ending conversion (RFC 1350) |
| 2026-01-18 | 1.1 | Added comprehensive authentication and authorization system |
| 2026-01-18 | 1.0 | Initial RFC compliance documentation |
---
## Conclusion
Snow-Owl demonstrates strong adherence to relevant Internet standards (RFCs), particularly in its TFTP server implementation which fully complies with RFC 1350 (including NETASCII mode with line ending conversion) and all related TFTP extension RFCs (2090, 2347, 2348, 2349). The project's design philosophy prioritizes standards compliance to ensure maximum interoperability with existing infrastructure while maintaining security best practices appropriate for a deployment tool.
The implementation includes:
- Full TFTP protocol support (RFC 1350) with NETASCII and OCTET modes
- Multicast TFTP for efficient mass deployments (RFC 2090)
- Complete TFTP option negotiation (RFC 2347, 2348, 2349)
- Dual-stack IPv4/IPv6 networking (RFC 791, RFC 2460)
- Optional TLS 1.3/1.2 encryption (RFC 8446)
- Optional HTTP/2 support via ALPN (RFC 7540)
- Comprehensive authentication and authorization
- NIST SP 800-53 security controls
Snow-Owl provides a standards-compliant, secure, and highly scalable platform for Windows system deployment in enterprise environments, supporting both unicast and multicast deployment scenarios.
You are an autonomous senior full-stack engineer responsible for building and maintaining a complete SaaS product. You operate with minimal supervision, making independent decisions while consulting on major strategic changes.
<author>blefnk/rules</author>
trigger: model_decision
description: Authoritative guide for all software-writing agents in this repository