TOC |
|
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 24, 2009.
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Discovery of the correct Location Information Server (LIS) in the local access network is necessary for devices that wish to acquire location information from the network. A method is described for the discovery of a LIS. Dynamic Host Configuration Protocol (DHCP) options for IP versions 4 and 6 are defined that specify a URI for a LIS in the local access network. Additional DHCP options are provided that enable authentication of the indicated LIS. An alternative method that uses URI-enabled NAPTR (U-NAPTR) is described for use where the DHCP option is unsuccessful.
1.
Introduction and Overview
1.1.
DHCP Discovery
1.2.
U-NAPTR Discovery
1.3.
Terminology
2.
LIS Discovery Using DHCP
2.1.
DHCPv4 LIS URI Option
2.2.
DHCPv6 LIS URI Option
2.3.
LIS Authentication
2.3.1.
Alternative Certificates
2.3.2.
Sub-Option Codes
2.3.3.
Authentication Algorithm Summary
2.3.4.
DHCPv4 LIS Certificate Fingerprint Option
2.3.5.
DHCPv6 LIS Certificate Fingerprint Option
3.
U-NAPTR for LIS Discovery
3.1.
Determining a Domain Name
4.
Overall Discovery Procedure
4.1.
Virtual Private Networks (VPNs)
5.
Security Considerations
6.
IANA Considerations
6.1.
Registration of DHCPv4 and DHCPv6 LIS URI Option Codes
6.2.
Registration of DHCPv4 and DHCPv6 LIS Certificate Fingerprint Option Codes
6.3.
Creation of Registry for LIS Certificate Fingerprint Sub-Option Codes
6.4.
Registration of a Location Server Application Service Tag
6.5.
Registration of a Location Server Application Protocol Tag for HELD
7.
Acknowledgements
8.
References
8.1.
Normative References
8.2.
Informative References
§
Authors' Addresses
TOC |
The location of a device is a useful and sometimes necessary part of many services. A Location Information Server (LIS) is responsible for providing that location information to devices with an access network. The LIS uses knowledge of the access network and its physical topology to generate and serve location information to devices.
Each access network requires specific knowledge about topology. Therefore, it is important to discover the LIS that has the specific knowledge necessary to locate a device. That is, the LIS that serves the current access network. Automatic discovery is important where there is any chance of movement outside a single access network. Reliance on static configuration can lead to unexpected errors if a device moves between access networks.
This document describes DHCP options and DNS records that a device can use to discover a LIS.
The product of a discovery process, such as the one described in this document, is the address of the service. In this document, the result is an http: or https: URI, which identifies a LIS.
The URI result from the discovery process is suitable for location configuration only; that is, the device MUST dereference the URI using the process described in HELD (Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, “HTTP Enabled Location Delivery (HELD),” August 2009.) [I‑D.ietf‑geopriv‑http‑location‑delivery]. URIs discovered in this way are not "location URIs" (Marshall, R., “Requirements for a Location-by-Reference Mechanism,” November 2009.) [I‑D.ietf‑geopriv‑lbyr‑requirements]; dereferencing one of them provides the location of the requester only. Devices MUST NOT embed these URIs in fields in other protocols designed to carry the location of the device.
TOC |
DHCP ([RFC2131] (Droms, R., “Dynamic Host Configuration Protocol,” March 1997.), [RFC3315] (Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, “Dynamic Host Configuration Protocol for IPv6 (DHCPv6),” July 2003.)) is a commonly used mechanism for providing bootstrap configuration information allowing a device to operate in a specific network environment. The bulk of DHCP information is largely static; consisting of configuration information that does not change over the period that the device is attached to the network. Physical location information might change over this time, however the address of the LIS does not. Thus, DHCP is suitable for configuring a device with the address of a LIS.
A second DHCP option is defined that enables the authentication of a LIS based on a fingerprint of the X.509 certificate (Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” May 2008.) [RFC5280] it presents. Use of this option provides an alternative to the authentication defined in HELD that relies on the domain name of the LIS.
TOC |
Where DHCP is not available, the DNS might be able to provide a URI. This document describes a method that uses URI-enabled NAPTR (U-NAPTR) (Daigle, L., “Domain-Based Application Service Location Using URIs and the Dynamic Delegation Discovery Service (DDDS),” April 2007.) [RFC4848], a Dynamic Delegation Discovery Service (DDDS) profile that supports URI results.
For the LIS discovery DDDS application, an Application Service tag LIS and an Application Protocol tag HELD are created and registered with the IANA. Taking a domain name, this U-NAPTR application uses the two tags to determine the LIS URI.
A domain name is the crucial input to the U-NAPTR resolution process. Section 3.1 (Determining a Domain Name) of this document describes several methods for deriving an appropriate domain name.
TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).
This document also uses the term "device" to refer to an end host, or client consistent with its use in HELD. In HELD and RFC3693 (Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, “Geopriv Requirements,” February 2004.) [RFC3693] parlance, the Device is also the Target.
The terms "access network" refers to the network that a device connects to for Internet access. The "access network provider" is the entity that operates the access network. This is consistent with the definition in [I‑D.ietf‑geopriv‑l7‑lcp‑ps] (Tschofenig, H. and H. Schulzrinne, “GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements,” July 2009.) which combines the Internet Access Provider (IAP) and Internet Service Provider (ISP). The access network provider is responsible for allocating the device a public IP address and for directly or indirectly providing a LIS service.
TOC |
DHCP allows the access network provider to specify the address of a LIS as part of network configuration. If the device is able to acquire a LIS URI using DHCP then this URI is used directly; the U-NAPTR process is not necessary if this option is provided.
This document registers DHCP options for a LIS URI for both IPv4 and IPv6. A second option for both DHCP versions is also registered to convey a fingerprint of the certificate expected to be used by the LIS.
TOC |
This section defines a DHCP for IPv4 (DHCPv4) option for the address of a LIS.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | LIS_URI | Length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | . LIS URI . . ... . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: DHCPv4 LIS URI Option |
- LIS_URI:
- The IANA assigned option number (TBD). [[IANA/RFC-Editor Note: Please replace TBD with the assigned DHCPv4 option code.]]
- Length:
- The length of the entire LIS URI option in octets.
- LIS URI:
- The address of the LIS. The URI MUST NOT be terminated by a zero octet.
The DHCPv4 version of this URI SHOULD NOT exceed 255 octets in length, but MAY be extended by concatenating multiple option values if necessary, as described in [RFC3396] (Lemon, T. and S. Cheshire, “Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4),” November 2002.).
TOC |
This section defines a DHCP for IPv6 (DHCPv6) option for the address of a LIS. The DHCPv6 option for this parameter is similarly formatted to the DHCPv4 option.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPTION_LIS_URI | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . LIS URI . . ... . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: DHCPv6 LIS URI Option |
- OPTION_LIS_URI:
- The IANA assigned option number (TBD). [[IANA/RFC-Editor Note: Please replace TBD with the assigned DHCPv6 option code.]]
- Length:
- The length of the LIS URI option in octets.
- The semantics and format of the remainder of the LIS URI option are identical to the DHCPv4 option, except for the larger allowance for URI length granted by the 16 bit length field. DHCPv6 prohibits concatenation of option values.
TOC |
HTTP over TLS (Rescorla, E., “HTTP Over TLS,” May 2000.) [RFC2818] describes how a host is authenticated based on an expected domain name using public key infrastructure. Relying exclusively on a domain name for authentication is not appropriate for a LIS, since the domain name associated with the access network might not be known. Indeed, it is often inappropriate to attempt to assign any particular domain name to an access network.
This specification defines an alternative means of establishing an expected identity for the server that uses a certificate fingerprint. One or more fingerprints for the server certificate used by the LIS is included in a second DHCP option. The device uses the fingerprint information provided by the DHCP server to authenticate the LIS when it establishes a TLS session. The domain name MUST NOT be used to authenticate the LIS if a non-empty fingerprint information option is provided.
This fingerprint option is of particular use for private networks where authentication based on domain name is either infeasible or not desirable.
The LIS certificate fingerprint option uses a format of "sub-options", that allows for the inclusion of multiple fingerprint values. Each "sub-option" includes a fingerprint generated by a different cryptographic hash algorithm. The "sub-option" code indicates the hash algorithm used for generating the fingerprint. Each hash algorithm is identified by the assigned code from the IANA registry "TLS HashAlgorithm Registry" established in [RFC5246] (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” August 2008.).
The use of sub-options provides a means to upgrade hash functions without affecting backward compatibility. New hash algorithms can be used without affecting devices that do not yet support the algorithm. A device MUST use the first fingerprint that it supports. If any supported fingerprint does not match, the LIS MUST be considered unauthenticated. If none of the specified hash algorithms are supported by the device, it MUST consider the LIS to be unauthenticated.
A fingerprint is generated or checked by applying a cryptographic hash function to the DER-encoded certificate. Implementations MUST support the SHA-1 algorithm, using a sub-option code of 2.
A device SHOULD request the LIS certificate fingerprint option at the same time as the LIS URI option. Without the LIS certificate fingerprint option a device cannot authenticate the LIS; absence of this option prevents authentication.
An access network operator is able to nominate authentication based on a domain name by omitting fingerprints. If an empty option is provided, the device MUST authenticate the server using the default method for the applicable URI scheme. For https: URIs, the authentication described in Section 3.1 of RFC 2818 (Rescorla, E., “HTTP Over TLS,” May 2000.) [RFC2818] MUST be used if the LIS certificate fingerprint option is empty.
The certificate fingerprint can be ignored if the LIS URI indicates a protocol that does not support exchange of certificates (such as http:). Such a LIS cannot be authenticated using this option. The LIS certificate fingerprint option MUST be empty if no means of achieving authentication is available.
- Note:
- Whether the device goes on to use the information provided by an unauthenticated LIS depends on device policy. A device might choose to continue with discovery using different network interfaces or methods before falling back to an unauthenticated LIS.
TOC |
There is a need to renew certificates as they expire. Around the time that a certificate is replaced, DHCP configuration identifying the certificate fingerprint might become invalid. Therefore, to prevent , or where circumstances require that the LIS function is served by multiple hosts, there is a need to allow for alternative certificates. Authentication based on a fingerprint of a single certificate fails around the time that a certificate is replaced, or if there is a need for alternative servers that use different certificates.
A sub-option code of 0 indicates that the sub-option contains a certificate serial number. The value of the sub-option is the integer value in network byte order. All subsequent fingerprint values until the next occurence of sub-option 0 apply only to certificates with the given serial number.
This method means that ordering of sub-options is signficant. All fingerprint values after a certificate serial number apply to certificates with that serial number only. The DHCP server MUST NOT include fingerprint values before the first serial number, if a serial number is used. Serial numbers can be omitted if there is only one valid certificate.
Note that serial number alone is not a guarantee of uniqueness. There is small probability that two different certificate issuers could provide the same serial number with the same fingerprint. If re-issue of the certificate is not viable, selection of a different hash function might remove the collision.
TOC |
The LIS certificate fingerprint option use sub-option codes that identify the hash function that is used to generate the fingerprint. A value of 0 indicates that the sub-option contains a certificate serial number.
The following list is the current state of the "TLS HashAlgorithm Registry" established in [RFC5246] (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” August 2008.) and maintained by the IANA. As additional values are added to the registry, these MAY be used as option.
- 0:
- (serial number) This code indicates that the sub-option contains a certificate serial number.
- 1:
- The sub-option contains a fingerprint generated using the MD5 hash algorithm.
- 2:
- A fingerprint generated using SHA-1.
- 3:
- A fingerprint generated using SHA-224.
- 4:
- A fingerprint generated using SHA-256.
- 5:
- A fingerprint generated using SHA-384.
- 6:
- A fingerprint generated using SHA-512.
The sub-option code of 0 corresponds to the "none" value in the "TLS HashAlgorithm Registry"; sub-option codes 1 through 6 correspond to the same value.
Sub-option 0 contains a long integer value in network byte order. This value is compared numerically. Negative and zero values are possible (see [RFC5280] (Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” May 2008.)), and are expressed in twos complement; therefore, the most significant bit of the first octet is interpreted as having a negative value. This value could be up to 20 octets in size. Note that the sub-option does not contain values encoded using the distinguished encoding rules (DER).
TOC |
Once a device acquires the LIS URI option and the LIS certificate fingerprint option, it is able to authenticate a LIS. Assuming that the LIS URI indicates use of TLS, the device establishes a TLS session and acquires a certificate from the LIS.
The LIS certificate fingerprint option is either empty, or it contains a set of fingerprints. The set of fingerprints is either divided into groups based on certificate serial number, or all of the fingerprints describe the same certificate using different hash algorithms. This is shown in Figure 3 (LIS Certificate Fingerprint Option Structure).
Without serial numbers With serial numbers <hash> : <value> <serial> : <hash> : <value> <hash> : <value> : <hash> : <value> ... <serial> : <hash> : <value> : <hash> : <value> ...
Figure 3: LIS Certificate Fingerprint Option Structure |
If the LIS certificate fingerprint option is empty, the LIS is authenticated using the domain name indicated in its offered certificate, using the mechanism described in Section 3.1 of [RFC2818] (Rescorla, E., “HTTP Over TLS,” May 2000.).
If the LIS certificate fingerprint option contains data, the LIS is authenticated based on a fingerprint of its certificate. If multiple certificates are indicated using serial numbers, the first sub-option contains the serial numbers sub-option (code 0).
- No serial numbers:
- The device matches the certificate fingerprint it calculates from the LIS certificate against any of the fingerprint sub-options.
- Serial numbers:
- The device matches the certificate fingerprint it calculates against a fingerprint sub-option that follows a serial number sub-option containing the certificate serial number.
If no match can be found, the LIS is not authenticated.
TOC |
This section defines a DHCP for IPv4 (DHCPv4) option for LIS certificate fingerprints.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | LIS_CERT_FP | Length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | . Fingerprint-Sub-Options . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: DHCPv4 LIS Certificate Fingerprint Option |
- LIS_CERT_FP:
- The IANA assigned option number (TBD). [[IANA/RFC-Editor Note: Please replace TBD with the assigned DHCPv4 option code.]]
- Length:
- The length of the entire LIS certificate fingerprint option in octets.
- Fingerprint-Sub-Options:
- A series of one or more sub-options, as shown in Figure 5 (DHCPv4 LIS Certificate Fingerprint Sub-Option).
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sub-Option | Length | Fingerprint-Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: DHCPv4 LIS Certificate Fingerprint Sub-Option |
- Sub-Option:
- A code that identifies the hash algorithm used to generate the fingerprint, or a certificate serial number. The set of codes are defined in Section 2.3.2 (Sub-Option Codes).
- Length:
- The length, in octets of the Fingerprint-Value sub-option.
- Fingerprint-Value:
- The octet values of the certificate fingerprint (or a certificate serial number for sub-option 0). An invalid fingerprint is not equivalent to no fingerprint. If the length of this field does not match the expected length of the hash function output, the fingerprint MUST be considered invalid.
DHCPv4 option concatenation (Lemon, T. and S. Cheshire, “Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4),” November 2002.) [RFC3396] SHOULD be avoided, but is permitted if long values are required. The sub-options described in this document do not require any more than 255 octets to express fully, so concatenation of sub-options is not necessary.
TOC |
This section defines a DHCP for IPv6 (DHCPv6) option for LIS certificate fingerprints. The DHCPv6 option for this parameter is similarly formatted to the DHCPv4 option.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPTION_LIS_CERT_FP | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . Fingerprint-Sub-Options . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: DHCPv6 LIS Certificate Fingerprint Option |
- OPTION_LIS_CERT_FP:
- The IANA assigned option number (TBD). [[IANA/RFC-Editor Note: Please replace TBD with the assigned DHCPv6 option code.]]
- Length:
- The length of the LIS certificate fingerprint option in octets.
- Fingerprint-Sub-Options:
- A series of one or more sub-options, as shown in Figure 7 (DHCPv6 LIS Certificate Fingerprint Sub-Option).
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sub-Option | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . Fingerprint-Value . . ... . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: DHCPv6 LIS Certificate Fingerprint Sub-Option |
The semantics of the DHCPv6 LIS certificate fingerprint sub-options are identical to the DHCPv4 option except that concatenation is neither required nor permitted. Length fields are 16 bits in length; therefore, concatenation is not needed to accomodate values longer than 255 octets. DHCPv6 prohibits concatenation of option values.
TOC |
U-NAPTR resolution for a LIS takes a domain name as input and produces a URI that identifies the LIS. This process also requires an Application Service tag and an Application Protocol tag, which differentiate LIS-related NAPTR records from other records for that domain.
Section 6.4 (Registration of a Location Server Application Service Tag) defines an Application Service tag of LIS, which is used to identify the location service for a particular domain. The Application Protocol tag HELD, defined in Section 6.5 (Registration of a Location Server Application Protocol Tag for HELD), is used to identify a LIS that understands the HELD protocol (Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, “HTTP Enabled Location Delivery (HELD),” August 2009.) [I‑D.ietf‑geopriv‑http‑location‑delivery].
The NAPTR records in the following example demonstrate the use of the Application Service and Protocol tags. Iterative NAPTR resolution is used to delegate responsibility for the LIS service from zonea.example.net. and zoneb.example.net. to outsource.example.com..
zonea.example.net. ;; order pref flags IN NAPTR 100 10 "" "LIS:HELD" ( ; service "" ; regex outsource.example.com. ; replacement ) zoneb.example.net. ;; order pref flags IN NAPTR 100 10 "" "LIS:HELD" ( ; service "" ; regex outsource.example.com. ; replacement ) outsource.example.com. ;; order pref flags IN NAPTR 100 10 "u" "LIS:HELD" ( ; service "!*.!https://lis.example.org:4802/?c=ex!" ; regex . ; replacement )
Figure 8: Sample LIS:HELD Service NAPTR Records |
Details for the LIS Application Service tag and the HELD Application Protocol tag are included in Section 6 (IANA Considerations).
U-NAPTR MUST only be used if the DHCP LIS URI option is not available.
An https: LIS URI that is a product of U-NAPTR MUST be authenticated using the domain name method described in Section 3.1 of RFC 2818 (Rescorla, E., “HTTP Over TLS,” May 2000.) [RFC2818].
TOC |
The U-NAPTR discovery method described requires a domain name as input. This document does not specify how that domain name is acquired by a device. If a device knows one or more of the domain names assigned to it, it MAY attempt to use each domain name as input. Static configuration of a device is possible if a domain name is known to work for this purpose.
A fully qualified domain name (FQDN) for the device might be provided by a DHCP server ([RFC4702] (Stapp, M., Volz, B., and Y. Rekhter, “The Dynamic Host Configuration Protocol (DHCP) Client Fully Qualified Domain Name (FQDN) Option,” October 2006.) for DHCPv4, [RFC4704] (Volz, B., “The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) Option,” October 2006.) for DHCPv6). DHCPv4 option 15 [RFC2131] (Droms, R., “Dynamic Host Configuration Protocol,” March 1997.) could also be used as a source of a domain name suffix for the device. If DHCP and any of these options are available, these values could be used as input the U-NAPTR procedure; however, implementers need to be aware that many DHCP servers do not provide a sensible value for these options.
TOC |
The individual components of discovery are combined into a single discovery procedure. Some networks maintain a topology analogous to an onion and are comprised of layers, or segments, separating hosts from the Internet through intermediate networks. Applying the individual discovery methods in an order that favours a physically proximate LIS over a remote LIS is preferred.
A host MUST support DHCP discovery and MAY support U-NAPTR discovery. The process described in this document is known to not work in a very common deployment scenario, namely the fixed wired environment described in Section 3.1 of [I‑D.ietf‑geopriv‑l7‑lcp‑ps] (Tschofenig, H. and H. Schulzrinne, “GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements,” July 2009.). Alternative methods of discovery to address this limitation are likely.
The following process ensures a greater likelihood of a LIS in close physical proximity being discovered:
A host that has multiple network interfaces could potentially be served by a different access network on each interface, each with a different LIS. The host SHOULD attempt to discover the LIS applicable to each network interface, stopping when a LIS is successfully discovered on any interface.
A host that discovers a LIS URI MUST attempt to verify that the LIS is able to provide location information. For the HELD protocol, the host MUST make a location request to the LIS. If the LIS responds to this request with the notLocatable error code (see Section 4.3.2 of [I‑D.ietf‑geopriv‑http‑location‑delivery] (Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, “HTTP Enabled Location Delivery (HELD),” August 2009.)), the host MUST continue the discovery process and not make further requests to that LIS on that network interface.
DHCP discovery MUST be attempted before any other discovery method. This allows the network access provider a direct and explicit means of configuring a LIS address. Alternative methods are only specified as a means to discover a LIS where the DHCP infrastructure does not support the LIS URI option.
This document does not mandate any particular source for the domain name that is used as input to U-NAPTR. Alternative methods for determining the domain name MAY be used.
Static configuration MAY be used if all other discovery methods fail. Note however, that if a host has moved from its customary location, static configuration might indicate a LIS that is unable to provide a location.
The product of the LIS discovery process is an http: or https: URI. Nothing distinguishes this URI from other URIs with the same scheme, aside from the fact that it is the product of this process. Only URIs produced by the discovery process can be used for location configuration using HELD. URIs that are not a product of LIS discovery MUST NOT be used for location configuration.
TOC |
LIS discovery over a VPN network interface SHOULD NOT be performed. A LIS discovered in this way is unlikely to have the information necessary to determine an accurate location.
Since not all interfaces connected to a VPN can be detected by devices, a LIS MUST NOT provide location information in response to requests that it can identify as originating from a device on the remote end of a VPN interface. This ensures that even if a host discovers a LIS over the VPN, it does not rely on a LIS that is unable to provide accurate location information. The exception to this is where the LIS and host are able to determine a location without access network support.
TOC |
The primary attack against the methods described in this document is one that would lead to impersonation of a LIS. The LIS is responsible for providing location information and this information is critical to a number of network services; furthermore, a host does not necessarily have a prior relationship with a LIS. Several methods are described here that can limit the probablity of, or provide some protection against, such an attack.
The address of a LIS is usually well-known within an access network; therefore, interception of messages does not introduce any specific concerns.
Section 2.3 (LIS Authentication) describes how a LIS is authenticated by devices, using either certificate fingerprints or a domain name certificate. This mechanism relies on the integrity of the information provided by the DHCP server.
An attacker that is able to modify or spoof messages from a DHCP server could provide a falsified LIS URI and certificate fingerprint options that a device would be able to use to successfully authenticate the LIS. Preventing DHCP messages from being modified or spoofed by attackers is necessary if this information is to be relied upon. Physical or link layer security are commonplace methods that can reduce the possibility of such an attack within an access network; alternatively, DHCP authentication (Droms, R. and W. Arbaugh, “Authentication for DHCP Messages,” June 2001.) [RFC3118] can provide a degree of protection against modification or spoofing.
An attacker could attempt to compromise the U-NAPTR resolution. A more thorough description of the security considerations for U-NAPTR applications is included in [RFC4848] (Daigle, L., “Domain-Based Application Service Location Using URIs and the Dynamic Delegation Discovery Service (DDDS),” April 2007.).
In addition to considerations related to U-NAPTR, it is important to recognize that the output of this is entirely dependent on its input. An attacker who can control the domain name is therefore able to control the final URI.
TOC |
TOC |
The IANA has assigned an option code of (TBD) for the DHCPv4 option for a LIS URI, as described in Section 2.1 (DHCPv4 LIS URI Option) of this document.
The IANA has assigned an option code of (TBD) for the DHCPv6 option for a LIS URI, as described in Section 2.2 (DHCPv6 LIS URI Option) of this document.
TOC |
The IANA has assigned an option code of (TBD) for the DHCPv4 option for LIS certificate fingerprints, as described in Section 2.3.4 (DHCPv4 LIS Certificate Fingerprint Option) of this document.
The IANA has assigned an option code of (TBD) for the DHCPv6 option for LIS certificate fingerprints, as described in Section 2.3.5 (DHCPv6 LIS Certificate Fingerprint Option) of this document.
TOC |
The IANA has created a registry entitled "DHCP Certificate Fingerprint Sub-Option Codes" that contains codes identifying the sub-option codes used for the DHCPv4 and DHCPv6 LIS certificate fingerprint option. This registry is a sub-registry of "Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Parameters".
The registry contains the following fields for each registration:
- Sub-Option Code:
- The numerical value of the sub-option code. Values from 0 through 255 (decimal) apply to DHCPv4 and DHCPv6. Values from 256 to 65535 only apply to the DHCPv6 option.
- Semantics:
- The name of the hash algorithm that the sub-option represents, or a reference to the document defining specific semantics.
- TLS HashAlgorithm Code:
- For sub-options that refer to hash algorithms, the code used in the "TLS HashAlgorithm Registry".
The initial values for this registry are included in Section 2.3.2 (Sub-Option Codes) of this document.
This registry operates under the "Specification Required" rule [RFC5226] (Narten, T. and H. Alvestrand, “Guidelines for Writing an IANA Considerations Section in RFCs,” May 2008.). For hash algorithms, the only specification required is the specification referenced in the "TLS HashAlgorithm Registry".
TOC |
This section registers a new S-NAPTR/U-NAPTR Application Service tag for a LIS, as mandated by [RFC3958] (Daigle, L. and A. Newton, “Domain-Based Application Service Location Using SRV RRs and the Dynamic Delegation Discovery Service (DDDS),” January 2005.).
- Application Service Tag:
- LIS
- Intended usage:
- Identifies a service that provides a host with its location information.
- Defining publication:
- RFCXXXX
- Related publications:
- HELD (Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, “HTTP Enabled Location Delivery (HELD),” August 2009.) [I‑D.ietf‑geopriv‑http‑location‑delivery]
- Contact information:
- The authors of this document
- Author/Change controller:
- The IESG
TOC |
This section registers a new S-NAPTR/U-NAPTR Application Protocol tag for the HELD (Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, “HTTP Enabled Location Delivery (HELD),” August 2009.) [I‑D.ietf‑geopriv‑http‑location‑delivery] protocol, as mandated by [RFC3958] (Daigle, L. and A. Newton, “Domain-Based Application Service Location Using SRV RRs and the Dynamic Delegation Discovery Service (DDDS),” January 2005.).
- Application Service Tag:
- HELD
- Intended Usage:
- Identifies the HELD protocol.
- Applicable Service Tag(s):
- LIS
- Terminal NAPTR Record Type(s):
- U
- Defining Publication:
- RFCXXXX
- Related Publications:
- HELD (Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, “HTTP Enabled Location Delivery (HELD),” August 2009.) [I‑D.ietf‑geopriv‑http‑location‑delivery]
- Contact Information:
- The authors of this document
- Author/Change Controller:
- The IESG
TOC |
The authors would like to thank Leslie Daigle for her work on U-NAPTR; Peter Koch for feedback on how not to use DNS for discovery; Andy Newton for constructive suggestions with regards to document direction; Hannes Tschofenig and Richard Barnes for input and reviews; Dean Willis for constructive feedback; Pasi Eronen for the certificate fingerprint concept; Ralph Droms, David W. Hankins, Damien Neil, and Bernie Volz for DHCP option format.
TOC |
TOC |
TOC |
[RFC3118] | Droms, R. and W. Arbaugh, “Authentication for DHCP Messages,” RFC 3118, June 2001 (TXT). |
[RFC3693] | Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, “Geopriv Requirements,” RFC 3693, February 2004 (TXT). |
[RFC3958] | Daigle, L. and A. Newton, “Domain-Based Application Service Location Using SRV RRs and the Dynamic Delegation Discovery Service (DDDS),” RFC 3958, January 2005 (TXT). |
[RFC5280] | Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” RFC 5280, May 2008 (TXT). |
[I-D.ietf-geopriv-l7-lcp-ps] | Tschofenig, H. and H. Schulzrinne, “GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements,” draft-ietf-geopriv-l7-lcp-ps-10 (work in progress), July 2009 (TXT). |
[I-D.ietf-geopriv-lbyr-requirements] | Marshall, R., “Requirements for a Location-by-Reference Mechanism,” draft-ietf-geopriv-lbyr-requirements-09 (work in progress), November 2009 (TXT). |
TOC |
Martin Thomson | |
Andrew | |
PO Box U40 | |
Wollongong University Campus, NSW 2500 | |
AU | |
Phone: | +61 2 4221 2915 |
Email: | martin.thomson@andrew.com |
URI: | http://www.andrew.com/ |
James Winterbottom | |
Andrew | |
PO Box U40 | |
Wollongong University Campus, NSW 2500 | |
AU | |
Phone: | +61 2 4221 2938 |
Email: | james.winterbottom@andrew.com |
URI: | http://www.andrew.com/ |