<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd"> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>"rfc2629-xhtml.ent"> <rfccategory="std"xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-dots-server-discovery-15"ipr="trust200902">number="8973" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" category="std" consensus="true" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.4.0 --> <front> <title abbrev="DOTS Server/Call Home ClientDiscovery">Distributed-Denial-of-ServiceDiscovery">DDoS Open Threat Signaling (DOTS) Agent Discovery</title> <seriesInfo name="RFC" value="8973"/> <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair"> <organization>Orange</organization> <address> <postal><street></street><street/> <city>Rennes</city><region></region><region/> <code>35000</code> <country>France</country> </postal> <email>mohamed.boucadair@orange.com</email> </address> </author> <author fullname="TirumaleswarReddy"Reddy.K" initials="T."surname="Reddy">surname="Reddy.K"> <organization abbrev="McAfee">McAfee, Inc.</organization> <address> <postal> <street>Embassy Golf Link Business Park</street> <city>Bangalore</city> <region>Karnataka</region> <code>560071</code> <country>India</country> </postal> <email>TirumaleswarReddy_Konda@McAfee.com</email> </address> </author> <date/>year="2021" month="January"/> <workgroup>DOTS</workgroup> <keyword>Automation</keyword> <keyword>Provisioning</keyword> <keyword>Configuration</keyword> <keyword>Location</keyword> <keyword>Deployment</keyword> <keyword>Multihoming</keyword> <keyword>DDoS</keyword> <keyword>Security</keyword> <abstract> <t>This document specifies mechanisms to configureDistributed Denial of ServiceDDoS Open Threat Signaling (DOTS) clients with their DOTS servers. The discovery procedure also covers the DOTSSignal Channelsignal channel Call Home.KnowingIt can be useful to know the appropriate DOTS server for a given locationcan be usefulin order to engage mitigationactionsactions. This is true even in cases where the DOTS client cannot localize theattack, butattack: cases where it only knows that some resources are under attack and that help is needed.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>DDoS Open Threat Signaling (DOTS) <xreftarget="RFC8811"></xref>target="RFC8811" format="default"/> specifies anarchitecture,architecture in which a DOTS client can inform a DOTS server that the network is under a potential attack and that appropriate mitigation actions are required. Indeed, because the lack of a common method to coordinate a real-time response among involved actors and network domains inhibits the effectiveness of DDoS attack mitigation, the DOTS signal channel protocol <xreftarget="RFC8782"></xref>target="RFC8782" format="default"/> is meant to carry requests for DDoS attack mitigation. With this approach, DOTS can reduce the impact of an attack and lead to more efficient defensive actions in various deploymentscenariosscenarios, such as those discussed in <xreftarget="I-D.ietf-dots-use-cases"></xref>.target="I-D.ietf-dots-use-cases" format="default"/>. Moreover, DOTS clients can instruct a DOTS server to install named filtering rules by means of the DOTS data channel protocol <xreftarget="RFC8783"></xref>.</t>target="RFC8783" format="default"/>.</t> <t>The basic high-level DOTS architecture is illustrated in <xreftarget="arch"></xref>.</t> <t><figure align="center" anchor="arch" title="Basictarget="arch" format="default"/>.</t> <figure anchor="arch"> <name>Basic DOTSArchitecture">Architecture</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ +-----------+ +-------------+ | Mitigator | ~~~~~~~~~~ | DOTS Server | +-----------+ +------+------+ | | | +---------------+ +------+------+ | Attack Target | ~~~~~~ | DOTS Client | +---------------+ +-------------+ ]]></artwork></figure></t></figure> <t><xreftarget="RFC8811"></xref>target="RFC8811" format="default"/> specifies that the DOTS client may be provided with a list of DOTS servers, each associated with one or more IP addresses. These addresses may or may not be of the same address family. The DOTS client establishes one or more DOTS sessions by connecting to the provided DOTS server addresses.</t> <t>This document specifies methods for DOTS clients to discover their DOTS server(s). The rationale for specifying multiple discovery mechanisms is discussed in <xreftarget="rationale"></xref>.</t>target="rationale" format="default"/>.</t> <t>The discovery methods can also be used by a DOTS server to locate a DOTS client in the context of DOTSSignal Channelsignal channel Call Home <xreftarget="I-D.ietf-dots-signal-call-home"></xref>.target="I-D.ietf-dots-signal-call-home" format="default"/>. The basic high-level DOTS Call Home architecture is illustrated in <xreftarget="fa"></xref>.</t> <t><figure align="center" anchor="fa" title="Basictarget="fa" format="default"/>.</t> <figure anchor="fa"> <name>Basic DOTS Signal Channel Call Home FunctionalArchitecture">Architecture</name> <artworkalign="center"><![CDATA[+---------------+align="center" name="" type="" alt=""><![CDATA[ +---------------+ +-------------+ | Alert | ~~~~~~ | Call Home | | | | DOTSclientClient | +---------------+ +------+------+ | | | +---------------+ +------+------+ | Attack | ~~~~~~ | Call Home | | Source(s) | | DOTSserverServer | +---------------+ +-------------+ ]]></artwork></figure></t></figure> <t>A DOTS agent may be used to establish base DOTS channels, DOTS Call Home, or both. This specification accommodates all these deployment cases.</t> <t>Considerations for the selection of DOTS server(s) bymulti-homedmultihomed DOTS clients are out of thisdocumentdocument's scope; readers should refer to <xreftarget="I-D.ietf-dots-multihoming"></xref>target="I-D.ietf-dots-multihoming" format="default"/> for more details.</t> <t>This document assumes that security credentials to authenticate DOTS server(s) are pre-provisioned to a DOTS client using a mechanism such as (but not limited to) those discussed in <xreftarget="RFC8572"></xref>target="RFC8572" format="default"/> or <xreftarget="I-D.ietf-anima-bootstrapping-keyinfra"></xref>.target="I-D.ietf-anima-bootstrapping-keyinfra" format="default"/>. DOTS clients use those credentials for authentication purposes following the rules documented in <xreftarget="RFC8782"></xref>.</t>target="RFC8782" format="default"/>.</t> </section> <sectiontitle="Terminology"> <t>Thenumbered="true" toc="default"> <name>Terminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xreftarget="RFC2119"></xref><xref target="RFC8174"></xref>target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> <t>The reader should be familiar with the terms defined in <xreftarget="RFC3958"></xref>.</t> <t>DHCP referstarget="RFC3958" format="default"/>.</t> <t>This document makes use of the following terms:</t> <dl newline="false" spacing="normal"> <dt>DHCP:</dt> <dd>refers to both DHCPv4 <xreftarget="RFC2131"></xref>target="RFC2131" format="default"/> and DHCPv6 <xreftarget="RFC8415"></xref>.</t> <t>"DOTS client" referstarget="RFC8415" format="default"/>.</dd> <dt>DOTS client:</dt> <dd>refers to a DOTS-aware software module responsible for requesting attack response coordination with other DOTS-awareelements.</t> <t>"DOTS server" iselements.</dd> <dt>DOTS server:</dt> <dd>is a DOTS-aware software module handling and responding to messages from DOTS clients. The DOTS server enables mitigation on behalf of the DOTS client, if requested, by communicating the DOTS client's request to the mitigator and returning selected mitigator feedback to the requesting DOTSclient.</t> <t>"Call Home DOTS client" (or "Callclient.</dd> <dt>Call Home DOTSserver") refersclient or server:</dt> <dd>refers to a DOTS client(or DOTS server)or server deployed in a Call Home scenario (<xreftarget="fa"></xref>).</t> <t>"DOTS agent" istarget="fa" format="default"/>).</dd> <dt>DOTS agent:</dt> <dd>is any DOTS-aware software module capable of participating in a DOTSchannel.</t> <t>"Peerchannel.</dd> <dt>Peer DOTSagent" refersagent:</dt> <dd>refers to the peer DOTS server (base DOTS operation) or to a peer Call Home DOTS client (for DOTSSignal Channelsignal channel CallHome).</t>Home).</dd> </dl> </section> <section anchor="rationale"title="Whynumbered="true" toc="default"> <name>Why Multiple DiscoveryMechanisms?">Mechanisms?</name> <t>Analysis of the various use cases sketched in <xreftarget="I-D.ietf-dots-use-cases"></xref>target="I-D.ietf-dots-use-cases" format="default"/> reveals that it is unlikely that one single discovery method can be suitable for all the sample deployments.Concretely:<list style="symbols"> <t>ManyConcretely:</t> <ul spacing="normal"> <li>Many of the use cases discussed in <xreftarget="I-D.ietf-dots-use-cases"></xref>target="I-D.ietf-dots-use-cases" format="default"/> do involveaCustomer Premises Equipment(CPE) device.(CPE). MultipleCPEs,CPEs connected to distinct networkproviders,providers may even be considered. It is intuitive to leverage existingmechanismsmechanisms, such as discovery using service resolution orDHCPDHCP, to provision the CPE acting as a DOTS client with the DOTSserver(s).</t> <t>Resolvingserver(s).</li> <li>Resolving a DOTS server domain name offered by an upstream transit provider provisioned to a DOTS client into IP address(es) requires the use of the appropriate DNS resolvers; otherwise, resolving those names will fail. The use ofprotocolsprotocols, such asDHCPDHCP, does allow associating provisioned DOTS server domain names with a list of DNS servers to be used for name resolution. Furthermore, DHCP allows for directly providing IPaddresses thereforeaddresses, therefore, avoiding the need for extra lookupdelays.</t> <t>Somedelays.</li> <li>Some of the use cases may allow DOTS clients to have direct communications with upstream DOTS servers, that is, no DOTS gateway is involved. Leveraging existing protocol behaviors that do not require specific features on the node embedding the DOTS client may ease DOTS deployment. Typically, the use of Straightforward-Naming Authority Pointer (S-NAPTR) lookups <xreftarget="RFC3958"></xref>target="RFC3958" format="default"/> allows the DOTS server administrators to provision the preferred DOTS transport protocol between the DOTS client and the DOTS server and allows the DOTS client to discover thispreference.</t> <t>Thepreference.</li> <li>The upstream network provider is not the DDoS mitigation provider for some of these use cases. It is safe to assumethatthat, for such deployments, the DOTS server(s) domain name is provided during the service subscription (i.e., manual/localconfiguration).</t> <t>Multipleconfiguration).</li> <li>Multiple DOTS clients may be enabled within a network (e.g., an enterprise network). Dynamic discovery needs to be deterministic from an operationalstandpoint.</t> <t>Somestandpoint.</li> <li>Some of the use cases may involve a DOTS gateway that is responsible for selecting the appropriate DOTS server(s) to relay requests received from DOTSclients.</t> </list></t>clients.</li> </ul> <t>Consequently, this document describes a unified discovery logic (<xreftarget="logic"></xref>) whichtarget="logic" format="default"/>) that involves the following mechanisms:</t><t><list style="symbols"> <t>Dynamic<ul spacing="normal"> <li>dynamic discovery using DHCP (<xreftarget="dhcp"></xref>).</t> <t>Atarget="dhcp" format="default"/>)</li> <li>a resolution mechanism based onStraightforward Naming Authority Pointer (S-NAPTR)S-NAPTR resource records in theDomain Name System (DNS)DNS (<xreftarget="srvr"></xref>).</t> <t>DNStarget="srvr" format="default"/>)</li> <li>DNS Service Discovery (<xreftarget="DNSSD"></xref>).</t> </list></t>target="DNSSD" format="default"/>)</li> </ul> </section> <section anchor="logic"title="DOTSnumbered="true" toc="default"> <name>DOTS DiscoveryProcedure">Procedure</name> <t>Operators will need a consistent set of ways in which DOTS clients can discover this information and a consistent priority among these options. If some devices prefer manual configuration over dynamicdiscovery,discovery while others prefer dynamic discovery over manual configuration, the result will be a process where the operator must find devices that are using the wrong DOTS server(s), determine how to ensure the devices are configured properly, and then reconfigure the device through the preferred method.</t> <t>All DOTS clientsMUST<bcp14>MUST</bcp14> support at least one of the three mechanisms below to determine a DOTS server list. All DOTS clientsSHOULD<bcp14>SHOULD</bcp14> implement all three, or as many as are practical for any specific device, of the following ways to discover DOTS servers in order to facilitate the deployment of DOTS inlarge scalelarge-scale environments. For example, a CPE will support the first two mechanisms, a host within a LAN will support the last two mechanisms, or an application server will support a local configuration. More examples are discussed in <xreftarget="rationale"></xref>.target="rationale" format="default"/>. DOTS clients will prefer information received from the discovery methods in the order listed below.</t><t><list style="numbers"><ol spacing="normal" type="1"><li> <t>Explicitconfiguration:<list style="symbols"> <t>Local/Manual configuration: AConfiguration:</t> <dl newline="false" spacing="normal"> <dt>Local/Manual Configuration:</dt> <dd><t>A DOTS client will learn the DOTS server(s) by means of local or manual DOTS configuration (i.e., DOTS servers configured at the system level). Configuration discovered from a DOTS client application is consideredasa localconfiguration.<vspace blankLines="1" />Anconfiguration.</t> <t>An implementation may give the user an opportunity (e.g., by means of configuration file options or menu items) to specify DOTS server(s) for each address family. These may be specified either as a list of IP addresses or the DNS name of a DOTS server. When only DOTS server IP addresses are configured, a reference identifier must also be configured for authenticationpurposes.</t> <t>Automatic configurationpurposes.</t></dd> </dl> <dl newline="false" spacing="normal"> <dt>Automatic Configuration (e.g.,DHCP): TheDHCP):</dt> <dd>The DOTS client attempts to discover DOTS server(s) names and/or addresses from DHCP, as described in <xreftarget="dhcp"></xref>.</t> </list></t> <t>Service Resolution :target="dhcp" format="default"/>.</dd> </dl> </li> <li>Service Resolution: The DOTS client attempts to discover DOTS server name(s) using service resolution, as specified in <xreftarget="srvr"></xref>.</t> <t>DNS SD: DNStarget="srvr" format="default"/>.</li> <li>DNS-SD: DNS-based Service Discovery. The DOTS client attempts to discover DOTS server name(s) using DNS service discovery, as specified in <xreftarget="DNSSD"></xref>.</t> </list></t>target="DNSSD" format="default"/>.</li> </ol> <t>Some of these mechanisms imply the use of DNS to resolve the IP address(es) of the DOTS server, while others imply an IP address of the relevant DOTS server is obtained directly. Implementation options may vary on aper deviceper-device basis, as some devices may not have DNS capabilities and/or suitable DNS configuration.</t> <t>On hosts with more than one interface or address family (IPv4/IPv6), the DOTS server discovery procedure has to be performed for eachinterface/address-familyinterface-/address-family combination. A DOTS client may choose to perform the discovery procedure only for a desired interface/address combination if the client does not wish to discover a DOTS server for allinterface/address-familyinterface-/address-family combinations.</t> <t>This procedure is also followed by a Call Home DOTS server to discover its Call Home DOTS client in the context of <xreftarget="I-D.ietf-dots-signal-call-home"></xref>.</t>target="I-D.ietf-dots-signal-call-home" format="default"/>.</t> <t>The discovery method is performed upon the bootstrapping of a DOTSagent,agent and is reiterated by the DOTS agent upon the following events:</t><t><list style="symbols"> <t>Expiry<ul spacing="normal"> <li>expiry of a validity timer (e.g., DHCP lease, DHCP information refresh time, or DNS TTL) associated with a discovered DOTSagent.</t> <t>Expiryagent</li> <li>expiry of the certificate of a peer DOTS agent currently inuse.</t> <t>Attachmentuse</li> <li>attachment to a newnetwork.</t> </list></t>network</li> </ul> </section> <section anchor="dhcp"title="DHCPnumbered="true" toc="default"> <name>DHCP Options for DOTS AgentDiscovery">Discovery</name> <t>As reported inSection 1.7.2 of<xreftarget="RFC6125"></xref>:<list style="empty"> <t>"Sometarget="RFC6125" sectionFormat="of" section="1.7.2"/>:</t> <blockquote> Some certification authorities issue server certificates based on IP addresses, but preliminary evidence indicates that such certificates are a very small percentage (less than 1%) of issuedcertificates".</t> </list></t>certificates. </blockquote> <t>In order to allow for PKIX-based authentication between a DOTS client and server while accommodating the current best practices for issuing certificates, this document allows DOTS agents to retrieve the names of their peer DOTS agents. These names can be used for two purposes: (1) to retrieve the list of IP addresses of a peer DOTS agent or (2) to be presented as a reference identifier for authentication purposes.</t> <t>Defining the option to include a list of IP addresses would avoida dependencydepending on an underlying name resolution, but that design requires also supplying a name for PKIX-based authentication purposes.</t> <t>Given that DOTS gateways can be involved in a DOTS session, a peer DOTS agent can be reachable using a link-local address. Such addresses can also be discovered using the options defined in <xreftarget="opt"></xref>.</t>target="opt" format="default"/>.</t> <t>The list of the IP addresses returned by DHCP servers is typically used to feed the DOTS server selectionprocedureprocedure, including when DOTS agents are provided with primary and backup IP addresses of their peer DOTS agents. An example of the DOTS server selection procedure is specified inSection 4.3 of<xreftarget="RFC8782"></xref>.</t>target="RFC8782" sectionFormat="of" section="4.3"/>.</t> <t>The design assumes that the same peer DOTS agent is used for establishing both signal and data channels. For more customized configurations (e.g., transport-specificconfiguration,configuration and distinct DOTS servers for the signal andthedata channels), an operator can supply only a DOTS reference identifier that will be then passed to the procedure described in <xreftarget="srvr"></xref>.</t>target="srvr" format="default"/>.</t> <t>The design allows terminating the base DOTS channels and DOTS Call Home on the same or distinct peer DOTS agents. If distinct peer DOTS agents are deployed, the DHCP option can return, for example, a list of IP addresses to a requesting DOTS agent. This list includes the IP address to be used for the base DOTS channels and the IP address for the DOTS Call Home. The DOTS client (or Call Home DOTS server) will then use the address selection procedure specified inSection 4.3 of<xreftarget="RFC8782"></xref>target="RFC8782" sectionFormat="of" section="4.3"/> to identify the IP address of the peer DOTS server (or Call Home DOTS client).For example: <list style="empty"> <t>Let's</t> <t>For example, let's consider that the DOTS server is reachable at2001:db8:122:300::12001:db8:122:300::1, while the Call Home DOTS client is reachable at 2001:db8:122:300::2. The DHCP server will then return one DOTS reference identifier and a list that includes both 2001:db8:122:300::1 and 2001:db8:122:300::2 to a requesting DHCP client. That list is passed to the DOTS client (or Call Home DOTSserver)server), which will try to establish connections to the addresses of that list and destination port number 4646 (or the Call Home port number). As a result, the DOTS client (or Call Home DOTS server) will select 2001:db8:122:300::1 (or 2001:db8:122:300::2) as a DOTS server (or Call Home DOTS client).</t></list></t><section anchor="opt"title="DHCPv6numbered="true" toc="default"> <name>DHCPv6 DOTSOptions">Options</name> <sectiontitle="Formatnumbered="true" toc="default"> <name>Format of DOTS Reference IdentifierOption">Option</name> <t>The DHCPv6 DOTS Reference Identifier option is used to configureathe name of the DOTS server (or the name of the Call Home DOTS client). The format of this option is shown in <xreftarget="ri_option"></xref>.</t> <t><figure anchor="ri_option" title="DHCPv6target="ri_option" format="default"/>.</t> <figure anchor="ri_option"> <name>DHCPv6 DOTS Reference IdentifierOption"> <artwork><![CDATA[Option</name> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPTION_V6_DOTS_RI | Option-length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | dots-agent-name (FQDN) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork></figure>The</figure> <t>The fields of the option shown in <xreftarget="ri_option"></xref>target="ri_option" format="default"/> are asfollows:<?rfc subcompact="yes" ?></t> <t><list style="symbols"> <t>Option-code: OPTION_V6_DOTS_RI (TBA1,follows:</t> <dl newline="false" spacing="compact"> <dt>Option-code:</dt> <dd>OPTION_V6_DOTS_RI (141, see <xreftarget="iana6"></xref>)</t> <t>Option-length: Lengthtarget="iana6" format="default"/>).</dd> <dt>Option-length:</dt> <dd>Length of the dots-agent-name field inoctets.</t> <t>dots-agent-name: Aoctets.</dd> <dt>dots-agent-name:</dt> <dd>A fully qualified domain name of the peer DOTS agent. This field is formatted as specified inSection 10 of<xreftarget="RFC8415"></xref>.</t> </list></t> <t><?rfc subcompact="no" ?>Antarget="RFC8415" sectionFormat="of" section="10"/>.</dd> </dl> <t>An example of the dots-agent-name encoding is shown in <xreftarget="fqdn"></xref>.target="fqdn" format="default"/>. This example conveys the FQDN"dots.example.com.”,"dots.example.com", and the resulting Option-length field is 18.</t><t><figure anchor="fqdn" title="An example<figure anchor="fqdn"> <name>An Example of the dots-agent-nameEncoding"> <artwork><![CDATA[Encoding</name> <artwork name="" type="" align="left" alt=""><![CDATA[ +------+------+------+------+------+------+------+------+------+ | 0x04 | d | o | t | s | 0x07 | e | x | a | +------+------+------+------+------+------+------+------+------+ | m | p | l | e | 0x03 | c | o | m | 0x00 | +------+------+------+------+------+------+------+------+------+ ]]></artwork></figure></t> <t></t></figure> <t/> </section> <section anchor="add"title="Formatnumbered="true" toc="default"> <name>Format of DOTS AddressOption">Option</name> <t>The DHCPv6 DOTS Address option can be used to configure a list of IPv6 addresses of a DOTS server (or a Call Home DOTS client). The format of this option is shown in <xreftarget="dhcpv6_option"></xref>.</t> <t><figure anchor="dhcpv6_option" title="DHCPv6target="dhcpv6_option" format="default"/>.</t> <figure anchor="dhcpv6_option"> <name>DHCPv6 DOTS AddressOption"> <artwork><![CDATA[Option</name> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPTION_V6_DOTS_ADDRESS | Option-length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | DOTS ipv6-address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | DOTS ipv6-address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork></figure>The</figure> <t>The fields of the option shown in <xreftarget="dhcpv6_option"></xref>target="dhcpv6_option" format="default"/> are asfollows:<?rfc subcompact="yes" ?></t> <t><list style="symbols"> <t>Option-code: OPTION_V6_DOTS_ADDRESS (TBA2,follows:</t> <dl newline="false" spacing="compact"> <dt>Option-code:</dt> <dd>OPTION_V6_DOTS_ADDRESS (142, see <xreftarget="iana6"></xref>)</t> <t>Option-length: Lengthtarget="iana6" format="default"/>).</dd> <dt>Option-length:</dt> <dd>Length of the'DOTS ipv6-address(es)' fieldDOTS ipv6-address fields in octets.MUSTThis <bcp14>MUST</bcp14> be a multiple of16.</t> <t>DOTS ipv6-address(es): Includes16.</dd> <dt>DOTS ipv6-address:</dt> <dd>Includes one or more IPv6 addresses <xreftarget="RFC4291"></xref>target="RFC4291" format="default"/> of the peer DOTS agent to be used by a DOTS agent for establishing a DOTS session. The addresses are listed in the order of preference for use by the DOTSagent.<vspace blankLines="1" />Note,agent.</dd> </dl> <t>Note that IPv4-mapped IPv6 addresses(Section 2.5.5.2 of <xref target="RFC4291"></xref>)(<xref target="RFC4291" sectionFormat="of" section="2.5.5.2"/>) may be included in this option when there is no DHCPv4 server able to advertise the DHCPv4 DOTS options (<xreftarget="dhcpv4"></xref>)target="dhcpv4" format="default"/>) and when only IPv4 connectivity is possible to the peer DOTS agent.</t></list></t> <t><?rfc subcompact="no" ?></t><t/> </section> <sectiontitle="DHCPv6numbered="true" toc="default"> <name>DHCPv6 ClientBehavior">Behavior</name> <t>DHCP clientsMAY<bcp14>MAY</bcp14> request options OPTION_V6_DOTS_RI and OPTION_V6_DOTS_ADDRESS, as defined in<xref target="RFC8415"></xref>,Sections18.2.1, 18.2.2, 18.2.4, 18.2.5, 18.2.6,<xref target="RFC8415" section="18.2.1" sectionFormat="bare"/>, <xref target="RFC8415" section="18.2.2" sectionFormat="bare"/>, <xref target="RFC8415" section="18.2.4" sectionFormat="bare"/>, <xref target="RFC8415" section="18.2.5" sectionFormat="bare"/>, <xref target="RFC8415" section="18.2.6" sectionFormat="bare"/>, and21.7.<xref target="RFC8415" section="21.7" sectionFormat="bare"/> of <xref target="RFC8415"/>. As a convenience to the reader, it is mentioned here that the DHCP client includes the requested option codes in the Option RequestOption.</t>option.</t> <t>If the DHCP client receives more than one instance of option OPTION_V6_DOTS_RI (orOPTION_V6_DOTS_ADDRESS) option,OPTION_V6_DOTS_ADDRESS), itMUST<bcp14>MUST</bcp14> use only the first instance of that option.</t> <t>The DHCP clientMUST<bcp14>MUST</bcp14> silently discard multicast and host loopback addresses <xreftarget="RFC6890"></xref>target="RFC6890" format="default"/> conveyed in OPTION_V6_DOTS_ADDRESS.</t> <t>If the DHCP client receives and validates both OPTION_V6_DOTS_RI and OPTION_V6_DOTS_ADDRESS, the content of OPTION_V6_DOTS_RI is used as the reference identifier for authentication purposes (e.g., PKIX <xreftarget="RFC6125"></xref>),target="RFC6125" format="default"/>), while the valid addresses included in OPTION_V6_DOTS_ADDRESS are used to reach the peer DOTS agent. In other words, the name conveyed in OPTION_V6_DOTS_RIMUST NOT<bcp14>MUST NOT</bcp14> be passed to an underlying resolution library in the presence of a valid OPTION_V6_DOTS_ADDRESS in a response.</t> <t>If the DHCP client receives OPTION_V6_DOTS_RI only, but OPTION_V6_DOTS_RI contains more than one name, the DHCP clientMUST<bcp14>MUST</bcp14> use only the first name. Once the name is validated(Section 10 of <xref target="RFC8415"></xref>),(<xref target="RFC8415" sectionFormat="of" section="10"/>), the name is passed to a name resolution library. Moreover, that name is also used as a reference identifier for authentication purposes.</t> <t>If the DHCP client receives OPTION_V6_DOTS_ADDRESS only, the address(es) included in OPTION_V6_DOTS_ADDRESS are used to reach the peer DOTS agent. In addition, these addresses can be used as identifiers for authentication.</t> </section> </section> <section anchor="dhcpv4"title="DHCPv4numbered="true" toc="default"> <name>DHCPv4 DOTSOptions">Options</name> <sectiontitle="Formatnumbered="true" toc="default"> <name>Format of DOTS Reference IdentifierOption">Option</name> <t>The DHCPv4 <xreftarget="RFC2132"></xref>target="RFC2132" format="default"/> DOTS Reference Identifier option is used to configure a name of the peer DOTS agent. The format of this option is illustrated in <xreftarget="dhcpri_dots"></xref>.</t> <t><figure anchor="dhcpri_dots" title="DHCPv4target="dhcpri_dots" format="default"/>.</t> <figure anchor="dhcpri_dots"> <name>DHCPv4 DOTS Reference IdentifierOption"> <artwork><![CDATA[Option</name> <artwork name="" type="" align="left" alt=""><![CDATA[ Code Length Peer DOTS agent name +-----+-----+-----+-----+-----+-----+-----+--|TBA3| 147 | n | s1 | s2 | s3 | s4 | s5 | ... +-----+-----+-----+-----+-----+-----+-----+--The]]></artwork> </figure> <t>The values s1, s2, s3, etc. represent the domain name labels in the domain nameencoding. ]]></artwork> </figure></t>encoding.</t> <t>The fields of the option shown in <xreftarget="dhcpri_dots"></xref>target="dhcpri_dots" format="default"/> are asfollows:<?rfc subcompact="yes" ?><list style="symbols"> <t>Code: OPTION_V4_DOTS_RI (TBA3,follows:</t> <dl newline="false" spacing="compact"> <dt>Code:</dt> <dd>OPTION_V4_DOTS_RI (147, see <xreftarget="iana4"></xref>).</t> <t>Length: Includestarget="iana4" format="default"/>).</dd> <dt>Length:</dt> <dd>Includes the length of the "Peer DOTS agent name" field inoctets.</t> <t>Peeroctets.</dd> <dt>Peer DOTS agentname: Thename:</dt> <dd>The domain name of the peer DOTS agent. This field is formatted as specified inSection 10 of<xreftarget="RFC8415"></xref>.</t> </list></t> <t><?rfc subcompact="no" ?></t>target="RFC8415" sectionFormat="of" section="10"/>.</dd> </dl> </section> <sectiontitle="Formatnumbered="true" toc="default"> <name>Format of DOTS AddressOption">Option</name> <t>The DHCPv4 DOTS Address option can be used to configure a list of IPv4 addresses of a peer DOTS agent. The format of this option is illustrated in <xreftarget="dhcp_dots"></xref>.</t> <t><figure anchor="dhcp_dots" title="DHCPv4target="dhcp_dots" format="default"/>.</t> <figure anchor="dhcp_dots"> <name>DHCPv4 DOTS AddressOption"> <artwork><![CDATA[Option</name> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Code=TBA4Code=148 | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |+| DOTS IPv4 Address | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --- | | |+| DOTS IPv4 Address | | | | optional +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | . ... . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --- ]]></artwork></figure></t></figure> <t>The fields of the option shown in <xreftarget="dhcp_dots"></xref>target="dhcp_dots" format="default"/> are asfollows:<?rfc subcompact="yes" ?><list style="symbols"> <t>Code: OPTION_V4_DOTS_ADDRESS (TBA4,follows:</t> <dl newline="false" spacing="compact"> <dt>Code:</dt> <dd>OPTION_V4_DOTS_ADDRESS (148, see <xreftarget="iana4"></xref>).</t> <t>Length: is settarget="iana4" format="default"/>).</dd> <dt>Length:</dt> <dd>Set to 4*N, where N is the number of IPv4 addresses included in theoption.</t> <t>DOTSoption.</dd> <dt>DOTS IPv4Address(es): ContainsAddress(es):</dt> <dd>Contains one or more IPv4 addresses of the peer DOTS agent to be used by a DOTS agent. The addresses are listed in the order of preference for use by the DOTSagent.</t> </list></t> <t><?rfc subcompact="no" ?>OPTION_V4_DOTS_ADDRESSagent.</dd> </dl> <t>OPTION_V4_DOTS_ADDRESS is a concatenation-requiring option. As such, the mechanism specified in <xreftarget="RFC3396"></xref> MUSTtarget="RFC3396" format="default"/> <bcp14>MUST</bcp14> be used if OPTION_V4_DOTS_ADDRESS exceeds the maximum DHCPv4 option size of 255 octets.</t> </section> <sectiontitle="DHCPv4numbered="true" toc="default"> <name>DHCPv4 ClientBehavior">Behavior</name> <t>To discover a peer DOTS agent, the DHCPv4 clientMUST<bcp14>MUST</bcp14> include both OPTION_V4_DOTS_RI and OPTION_V4_DOTS_ADDRESS in a Parameter Request ListOptionoption <xreftarget="RFC2132"></xref>.</t>target="RFC2132" format="default"/>.</t> <t>If the DHCP client receives more than one instance of OPTION_V4_DOTS_RI option, itMUST<bcp14>MUST</bcp14> use only the first instance of that option.</t> <t>The DHCP clientMUST<bcp14>MUST</bcp14> silently discard multicast and host loopback addresses <xreftarget="RFC6890"></xref>target="RFC6890" format="default"/> conveyed in OPTION_V4_DOTS_ADDRESS.</t> <t>If the DHCP client receives and validates both OPTION_V4_DOTS_RI and OPTION_V4_DOTS_ADDRESS, the content of OPTION_V4_DOTS_RI is used as the reference identifier for authentication purposes (e.g., PKIX <xreftarget="RFC6125"></xref>),target="RFC6125" format="default"/>), while the valid addresses included in OPTION_V4_DOTS_ADDRESS are used to reach the peer DOTS agent. In other words, the name conveyed in OPTION_V4_DOTS_RIMUST NOT<bcp14>MUST NOT</bcp14> be passed to an underlying resolution library in the presence of valid OPTION_V4_DOTS_ADDRESS in a response.</t> <t>If the DHCP client receives OPTION_V4_DOTS_RI only, but OPTION_V4_DOTS_RI option contains more than one name, as distinguished by the presence of multiple root labels, the DHCP clientMUST<bcp14>MUST</bcp14> use only the first name. Once the name is validated(Section 10 of <xref target="RFC8415"></xref>),(<xref target="RFC8415" sectionFormat="of" section="10"/>), the name is passed to a name resolution library. Moreover, that name is also used as a reference identifier for authentication purposes.</t> <t>If the DHCP client receives OPTION_V4_DOTS_ADDRESS only, the address(es) included in OPTION_V4_DOTS_ADDRESS are used to reach the peer DOTS server. In addition, these addresses can be used as identifiers for authentication.</t> </section> </section> </section> <section anchor="srvr"title="Discovery usingnumbered="true" toc="default"> <name>Discovery Using ServiceResolution">Resolution</name> <t>This mechanism is performed in twosteps:<list style="numbers"> <t>Asteps:</t> <ol spacing="normal" type="1"> <li>A DNS domain name is retrieved for each combination of interface and address family. A DOTS agent has to determine the domain in which it is located relying on dynamicmeansmeans, such as DHCP (<xreftarget="dhcp"></xref>).target="dhcp" format="default"/>). Implementations may allow the user to specify a default name that isused,used if no specific name has beenconfigured.</t> <t>Retrievedconfigured.</li> <li>Retrieved DNS domain names are then used for S-NAPTR lookups <xreftarget="RFC3958"></xref>.target="RFC3958" format="default"/>. Further DNS lookups may be necessary to determine the peer DOTS agent IPaddress(es).</t> </list></t>address(es).</li> </ol> <t>Once the DOTS agent has retrieved its DNS domain or discovered the peer DOTS agent name that needs to be resolved, an S-NAPTR lookup with the appropriate application service and the desired protocol tag is made to obtain information necessary to connect to the authoritative peer DOTS agent within the given domain.</t> <!--IANA flag--> <t>This specification defines'DOTS'"DOTS" and'DOTS-CALL-HOME'"DOTS-CALL-HOME" as application service tags (Sections <xref format="counter"target="serviceT"></xref>target="serviceT"/> and <xref format="counter"target="serviceT2"></xref>).target="serviceT2"/>). It also defines "signal.udp" (<xreftarget="suappt"></xref>),target="suappt" format="default"/>), "signal.tcp" (<xreftarget="stappt"></xref>),target="stappt" format="default"/>), and "data.tcp" (<xreftarget="dappt"></xref>)target="dappt" format="default"/>) as application protocol tags. An example is provided in <xreftarget="ssrv"></xref>.</t>target="ssrv" format="default"/>.</t> <t>In the example below, for domain'example.net',"example.net", the resolution algorithm will result in IPaddress(es),address, port, tag, and protocol tuples listed inTable 1.</t> <t><figure anchor="ssrv" title="Example<xref target="results" format="default"/>.</t> <figure anchor="ssrv"> <name>Example of Discovery of DOTS ServersusingUsing ServiceResolution"> <artwork><![CDATA[Resolution</name> <artwork name="" type="" align="left" alt=""><![CDATA[ example.net. IN NAPTR 100 10 "" DOTS:signal.udp "" signal.example.net. IN NAPTR 200 10 "" DOTS:signal.tcp "" signal.example.net. IN NAPTR 300 10 "" DOTS:data.tcp "" data.example.net. signal.example.net. IN NAPTR 100 10 "s" DOTS:signal.udp "" _dots-signal._udp.example.net. IN NAPTR 200 10 "s" DOTS:signal.tcp "" _dots-signal._tcp.example.net. data.example.net. IN NAPTR 100 10 "s" DOTS:data.tcp "" _dots-data._tcp.example.net. IN NAPTR 200 10 "a" DOTS:data.tcp "" b.example.net. _dots-signal._udp.example.net. IN SRV 0 0 5000 a.example.net. _dots-signal._tcp.example.net. IN SRV 0 0 5001 a.example.net. _dots-data._tcp.example.net. IN SRV 0 0 5002 a.example.net. a.example.net. IN AAAA 2001:db8::1 b.example.net. IN AAAA 2001:db8::2 ]]></artwork></figure><figure> <artwork><![CDATA[ +-------+----------+-------------+------+--------+ | Order | Protocol | IP address | Port | Tag | +-------+----------+-------------+------+--------+ | 1 | UDP | 2001:db8::1 | 5000 | Signal | | 2 | TCP | 2001:db8::1 | 5001 | Signal | | 3 | TCP | 2001:db8::1 | 5002 | Data | | 4 | TCP | 2001:db8::2 | 443 | Data | +-------+----------+-------------+------+--------+ Table 1: Resolution Results]]></artwork> </figure></t></figure> <table anchor="results" align="center"> <name>Resolution Results</name> <thead> <tr> <th>Order</th> <th>Protocol</th> <th>IP address</th> <th>Port</th> <th>Tag</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>UDP</td> <td>2001:db8::1</td> <td>5000</td> <td>Signal</td> </tr> <tr> <td>2</td> <td>TCP</td> <td>2001:db8::1</td> <td>5001</td> <td>Signal</td> </tr> <tr> <td>3</td> <td>TCP</td> <td>2001:db8::1</td> <td>5002</td> <td>Data</td> </tr> <tr> <td>4</td> <td>TCP</td> <td>2001:db8::2</td> <td>443</td> <td>Data</td> </tr> </tbody> </table> <t>An example is provided in <xreftarget="callhome"></xref>target="callhome" format="default"/> for the Call Home case. In this example, the resolution algorithm will result in IPaddress(es),address, port, and protocol tuples listed inTable 2<xref target="call-home" format="default"/> for domain'example.net'.</t> <t><figure anchor="callhome" title="Example"example.net".</t> <figure anchor="callhome"> <name>Example of Discovery of DOTS Call Home ClientusingUsing ServiceResolution"> <artwork><![CDATA[Resolution</name> <artwork name="" type="" align="left" alt=""><![CDATA[ example.net. IN NAPTR 100 10 "" DOTS-CALL-HOME:signal.udp "" signal.example.net. IN NAPTR 200 10 "" DOTS-CALL-HOME:signal.tcp "" signal.example.net. signal.example.net. IN NAPTR 100 10 "s" DOTS-CALL-HOME:signal.udp "" _dots-call-home._udp.example.net. IN NAPTR 200 10 "s" DOTS-CALL-HOME:signal.tcp "" _dots-call-home._tcp.example.net. _dots-call-home._udp.example.net. IN SRV 0 0 6000 b.example.net. _dots-call-home._tcp.example.net. IN SRV 0 0 6001 b.example.net. b.example.net. IN AAAA 2001:db8::2 ]]></artwork></figure><figure> <artwork><![CDATA[ +-------+----------+-------------+------+ | Order | Protocol | IP address | Port | +-------+----------+-------------+------+ | 1 | UDP | 2001:db8::2 | 6000 | | 2 | TCP | 2001:db8::2 | 6001 | +-------+----------+-------------+------+ Table 2: Resolution</figure> <table anchor="call-home" align="center"> <name>Resolution Results (CallHome)]]></artwork> </figure></t>Home)</name> <thead> <tr> <th>Order</th> <th>Protocol</th> <th>IP address</th> <th>Port</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>UDP</td> <td>2001:db8::2</td> <td>6000</td> </tr> <tr> <td>2</td> <td>TCP</td> <td>2001:db8::2</td> <td>6001</td> </tr> </tbody> </table> <t>Note that customized port numbers are used for the DOTS signal channel, DOTS data channel, and DOTS signal channelcall homeCall Home in the examples shown in Figures <xref format="counter"target="ssrv"></xref>target="ssrv"/> and <xref format="counter"target="callhome"></xref>target="callhome"/> for illustration purposes. If default port numbers are used in a deployment, the discovery procedure will return 4646 (DOTS signal channel) and 443 (DOTS data channel) as DOTS service port numbers.</t> <t>If no DOTS-specific S-NAPTR records can be retrieved, the discovery procedure fails for this domain name (and the corresponding interface and IP protocol version). If more domain names are known, the discovery procedureMAY<bcp14>MAY</bcp14> perform the corresponding S-NAPTR lookups immediately. However, before retrying a lookup that has failed, a DOTS clientMUST<bcp14>MUST</bcp14> wait a time period that is appropriate for the encountered error (e.g., NXDOMAIN, timeout, etc.).</t> </section> <section anchor="DNSSD"title="DNSnumbered="true" toc="default"> <name>DNS ServiceDiscovery">Discovery</name> <t>DNS-based Service Discovery (DNS-SD) <xreftarget="RFC6763"></xref>target="RFC6763" format="default"/> provides generic solutions for discovering services. DNS-SD defines a set of naming rules for certain DNS record types that they use for advertising and discovering services.</t><t>Section 4.1 of <xref target="RFC6763"></xref><t><xref target="RFC6763" sectionFormat="of" section="4.1"/> specifies that a service instance name in DNS-SD has the following structure:</t><t><figure align="center"> <artwork><![CDATA[<Instance><artwork name="" type="" align="left" alt=""><![CDATA[ <Instance> . <Service> .<Domain>]]></artwork> </figure></t><Domain> ]]></artwork> <t>The <Domain> portion specifies the DNSsub-domainsubdomain where the service instance is registered. It is a conventional domainnamename, such as"example.com.".</t>"example.com".</t> <t>The <Service> portion of the DOTS service instance nameMUST<bcp14>MUST</bcp14> be"_dots-signal._udp" or "_dots-signal._tcp" or "_dots-data._tcp" or "_dots-call-home._udp""_dots-signal._udp", "_dots-signal._tcp", "_dots-data._tcp", "_dots-call-home._udp", or "_dots-call-home._tcp".</t> <t>This document does not define any keys; the TXT record of a DNS-SD service is thus empty(Section 6 of <xref target="RFC6763"></xref>).</t>(<xref target="RFC6763" sectionFormat="of" section="6"/>).</t> <t><xreftarget="sdex"></xref>target="sdex" format="default"/> depicts an excerpt of the DNS zone configuration file listing record examples to discover two DOTS signal channel servers. In this example, only UDP is supported as transport for the establishment of the DOTS signal channel.</t><t><figure anchor="sdex" title="An<figure anchor="sdex"> <name>An Example of DNS-SD Records for the UDP DOTS Signal ChannelinvolvingInvolving Two Servers with the SamePriority."> <artwork><![CDATA[_dots-signal._udp.example.net.Priority</name> <artwork name="" type="" align="left" alt=""><![CDATA[_dots-signal._udp.example.net. PTR a._dots-signal._udp.example.net. _dots-signal._udp.example.net. PTR b._dots-signal._udp.example.net. a._dots-signal._udp.example.net. SRV 0 0 4646 a.example.net. b._dots-signal._udp.example.net. SRV 0 0 4646 b.example.net. a._dots-signal._udp.example.net. TXT "" b._dots-signal._udp.example.net. TXT "" ]]></artwork></figure></t></figure> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>DOTS-related security considerations are discussed inSection 4 of<xreftarget="RFC8811"></xref>.target="RFC8811" sectionFormat="of" section="5"/>. As a reminder, DOTS agents must authenticate each other using (D)TLS before a DOTS session is considered valid according to the <xreftarget="RFC8782"></xref>.</t>target="RFC8782" format="default"/>.</t> <t>An attacker may block some protocol messages (e.g., DHCP) to force the client to use a discovery mechanism with a lower priority. The security implications of such attack are those inherent to the fallback discovery mechanism discussed in the following subsections.</t> <t>The results of the discovery procedure are a function of the interface/address family. Contacting a discovered DOTS server via an interface to which it is not bound may exacerbate the delay required to establish a DOTS channel. Moreover, such behavior may reveal that a DOTS service is enabled by a DOTS client domain and exposes the identity of the DOTS service provider(that(which can be inferred from the name and the destination IP address) to external networks.</t> <t>Security considerations related to how security credentials to authenticate DOTS server(s) are provisioned to a DOTS client are those inherent to the mechanism used for that purpose(see for(for example, see <xreftarget="RFC8572"></xref>).</t>target="RFC8572" format="default"/>).</t> <sectiontitle="DHCP">numbered="true" toc="default"> <name>DHCP</name> <t>The security considerations in <xreftarget="RFC2131"></xref>target="RFC2131" format="default"/> and <xreftarget="RFC8415"></xref>target="RFC8415" format="default"/> are to be considered. In particular, issues related to rogue DHCP servers and means to mitigate many of these attacks are discussed inSection 22 of<xreftarget="RFC8415"></xref>.</t>target="RFC8415" sectionFormat="of" section="22"/>.</t> <t>An attacker can get a domain name, get a domain-validated public certificate from aCA,certification authority (CA), and host a DOTS agent. An active attacker can then spoof DHCP responses to include the attacker's DOTS agent. Such an attacker can also launch otherattacksattacks, as discussed inSection 22 of<xreftarget="RFC8415"></xref>.target="RFC8415" sectionFormat="of" section="22"/>. In addition to the mitigations listed inSection 22 of<xreftarget="RFC8415"></xref>,target="RFC8415" sectionFormat="of" section="22"/>, a DOTS agent may bepre-configuredpreconfigured with a list of trusted DOTS domain names. If such a list ispre-configured,preconfigured, a DOTS agent will accept a DHCP-discovered name if it matches a name in that list. Also, the DOTS agent has to check that the'DNS-ID'"DNS-ID" identifier type within subjectAltName in the server certificate matches apre-configuredpreconfigured name. If the DOTS agent is instructed to trust subdomains of the names in that list as well (e.g., "*.example.com"), a DOTS agent will accept a DHCP-discovered name that matches a name in thepre-configuredpreconfigured list (e.g., "dots-1.example.com" or "dots-2.example.com").</t> <t>Relying on an underlying resolution library to resolve a supplied reference identifier has similar security issues as those discussed in <xreftarget="res"></xref>target="res" format="default"/> (e.g., an active attacker may modify DNS messages used to resolve the supplied reference identifier and point the client to an attacker server).</t> <t>Supplying both an IP address and the reference identifier makes it easier to use a mis-issued certificate.</t> </section> <section anchor="res"title="Service Resolution">numbered="true" toc="default"> <name>Service Resolution</name> <t>The primary attack against the methods described in <xreftarget="srvr"></xref>target="srvr" format="default"/> is one that would lead to impersonation of a peer DOTS agent. An attacker could attempt to compromise the S-NAPTR resolution.</t> <t>The DOTS client (or a Call Home DOTS server) constructs one reference identifier for the DOTS server (or a Call Home DOTS client) based on the domain namewhichthat is used for S-NAPTR lookup: DNS-ID. If the reference identifier is found (as described inSection 6 of<xreftarget="RFC6125"></xref>)target="RFC6125" sectionFormat="of" section="6"/>) in the PKIX certificate's subjectAltName extension, the DOTS client should accept the certificate for the server.</t> <t>DNS Security Extensions (DNSSEC) <xreftarget="RFC4033"></xref>target="RFC4033" format="default"/> uses cryptographic keys and digital signatures to provide authentication of DNS data. The information that is retrieved from the S-NAPTR lookup and that is validated using DNSSEC is thereby proved to be the authoritative data.</t> </section> <sectiontitle="DNSnumbered="true" toc="default"> <name>DNS ServiceDiscovery">Discovery</name> <t>Since DNS-SD is a specification for how to name and use records in the existing DNS system, it has no specific additional security requirements over and above those that already apply to DNS queries and DNS updates. For DNS queries, DNSSECSHOULD<bcp14>SHOULD</bcp14> be used where the authenticity of information is important. For DNS updates, secure updates <xreftarget="RFC2136"></xref><xref target="RFC3007"></xref> SHOULDtarget="RFC2136" format="default"/> <xref target="RFC3007" format="default"/> <bcp14>SHOULD</bcp14> generally be used to control which clients have permission to update DNS records.</t> <t>Note that means such as DNS over TLS (DoT) <xreftarget="RFC7858"></xref>target="RFC7858" format="default"/> or DNS over HTTPS (DoH) <xreftarget="RFC8484"></xref>target="RFC8484" format="default"/> can be used to prevent eavesdroppers from accessing DNS messages.</t> </section> </section> <section anchor="IANA"title="IANA Considerations"> <t></t>numbered="true" toc="default"> <name>IANA Considerations</name> <t/> <sectiontitle="The Servicenumbered="true" toc="default"> <name>Service Name and Transport Protocol Port NumberRegistry">Registry</name> <t>IANAis requested to allocatehas allocated the following service names from the registry available at:https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.</t> <t><figure align="center"> <artwork><![CDATA[ Service Name: dots-data Port Number: N/A Transport Protocol(s): TCP Description: DOTS<eref target="https://www.iana.org/assignments/service-names-port-numbers/l" brackets="angle"/>.</t> <dl newline="false" spacing="compact" indent="25"> <dt>Service Name:</dt> <dd>dots-data</dd> <dt>Port Number:</dt> <dd>N/A</dd> <dt>Transport Protocol(s):</dt> <dd>TCP</dd> <dt>Description:</dt> <dd>DOTS Data ChannelProtocolProtocol. The service name is used to construct the SRV service name "_dots-data._tcp" for discovering DOTS servers used to establish DOTS datachannel. Assignee: IESG <iesg@ietf.org> Contact: IETF Chair <chair@ietf.org> Reference: [ThisDocument] Service Name: dots-call-home Transport Protocol(s): TCP/UDP Description: DOTSchannel.</dd> <dt>Assignee:</dt> <dd>IESG: iesg@ietf.org</dd> <dt>Contact:</dt> <dd>IETF Chair: chair@ietf.org</dd> <dt>Reference:</dt> <dd>[RFC8973]</dd> </dl> <dl newline="false" spacing="compact" indent="25"> <dt>Service Name:</dt> <dd>dots-call-home</dd> <dt>Transport Protocol(s):</dt> <dd>TCP/UDP</dd> <dt>Description:</dt> <dd>DOTS Signal Channel Call Home Protocol. The service name is used to construct the SRV service names "_dots-call-home._udp" and "_dots-call-home._tcp" for discovering Call Home DOTS clients used to establish DOTS signal channelcall home. Assignee: IESG <iesg@ietf.org> Contact: IETF Chair <chair@ietf.org> Reference: [ThisDocument] ]]></artwork> </figure></t>Call Home.</dd> <dt>Assignee:</dt> <dd>IESG: iesg@ietf.org</dd> <dt>Contact:</dt> <dd>IETF Chair: chair@ietf.org</dd> <dt>Reference:</dt> <dd>[RFC8973]</dd> </dl> <t>IANAis requested to updatehas updated the following entry from the registry available at:https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.</t> <t><figure align="center"> <artwork><![CDATA[ Service Name: dots-signal Port Number: 4646 Transport Protocol(s): TCP/UDP Description: DOTS<eref target="https://www.iana.org/assignments/service-names-port-numbers/" brackets="angle"/>.</t> <dl newline="false" spacing="compact" indent="25"> <dt>Port Number:</dt> <dd>4646</dd> <dt>Transport Protocol(s):</dt> <dd>TCP/UDP</dd> <dt>Description:</dt> <dd>DOTS Signal Channel Protocol. The service name is used to construct the SRV service names "_dots-signal._udp" and "_dots-signal._tcp" for discovering DOTS servers used to establish DOTS signalchannel. Assignee: IESG <iesg@ietf.org> Contact: IETF Chair <chair@ietf.org> Reference: [RFC8782][ThisDocument] ]]></artwork> </figure></t>channel.</dd> <dt>Assignee:</dt> <dd>IESG: iesg@ietf.org</dd> <dt>Contact:</dt> <dd>IETF Chair: chair@ietf.org</dd> <dt>Reference:</dt> <dd>[RFC8782][RFC8973]</dd> </dl> </section> <section anchor="iana6"title="DHCPv6 Options">numbered="true" toc="default"> <name>DHCPv6 Options</name> <t>IANAis requested to assignhas assigned the following new DHCPv6 Option Codes in the registry maintainedin: https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2.</t> <t><figure> <artwork><![CDATA[Value Description Client ORO Singleton Option TBA1 OPTION_V6_DOTS_RI Yes Yes TBA2 OPTION_V6_DOTS_ADDRESS Yes Yes]]></artwork> </figure></t>in <eref target="https://www.iana.org/assignments/dhcpv6-parameters/" brackets="angle"/>.</t> <table align="center"> <name>DHCPv6 Options</name> <thead> <tr> <th>Value</th> <th>Description</th> <th>Client ORO</th> <th>Singleton Option</th> </tr> </thead> <tbody> <tr> <td>141</td> <td>OPTION_V6_DOTS_RI</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>142</td> <td>OPTION_V6_DOTS_ADDRESS</td> <td>Yes</td> <td>Yes</td> </tr> </tbody> </table> </section> <section anchor="iana4"title="DHCPv4 Options">numbered="true" toc="default"> <name>DHCPv4 Options</name> <t>IANAis requested to assignhas assigned the following new DHCPv4 Option Codes in the registry maintainedin: https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml#options.</t> <texttable style="headers"> <ttcol align="right">Name</ttcol> <ttcol>Tag</ttcol> <ttcol>Data Length</ttcol> <ttcol>Meaning</ttcol> <ttcol>Reference</ttcol> <c>OPTION_V4_DOTS_RI</c> <c>TBA3</c> <c>N</c> <c>Thein <eref target="https://www.iana.org/assignments/bootp-dhcp-parameters/" brackets="angle"/>.</t> <table align="left"> <name>DHCPv4 Options</name> <thead> <tr> <th align="right">Name</th> <th align="left">Tag</th> <th align="left">Data Length</th> <th align="left">Meaning</th> <th align="left">Reference</th> </tr> </thead> <tbody> <tr> <td align="right">OPTION_V4_DOTS_RI</td> <td align="left">147</td> <td align="left">N</td> <td align="left">The name of the peer DOTSagent.</c> <c>[ThisDocument]</c> <c>OPTION_V4_DOTS_ADDRESS</c> <c>TBA4</c> <c>Nagent.</td> <td align="left">[RFC8973]</td> </tr> <tr> <td align="right">OPTION_V4_DOTS_ADDRESS</td> <td align="left">148</td> <td align="left">N (the minimal length is4)</c> <c>N/44)</td> <td align="left">N/4 IPv4 addresses of peer DOTSagent(s).</c> <c>[ThisDocument]</c> </texttable> <t></t>agent(s).</td> <td align="left">[RFC8973]</td> </tr> </tbody> </table> <t/> </section> <sectiontitle="Applicationnumbered="true" toc="default"> <name>Application Service & Application ProtocolTags"> <t>This document requests IANA to makeTags</name> <t>IANA has made the following allocations from the registries availableat: https://www.iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml#s-naptr-parameters-1at <eref target="https://www.iana.org/assignments/s-naptr-parameters/" brackets="angle"/> forApplication Service Tagsapplication service tags andhttps://www.iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml#s-naptr-parameters-2 for Application Protocol Tags.</t>application protocol tags.</t> <section anchor="serviceT"title="DOTSnumbered="true" toc="default"> <name>DOTS Application Service TagRegistration"> <t><list style="symbols"> <t>ApplicationRegistration</name> <dl newline="false" spacing="compact" indent="35"> <dt>Application ServiceTag: DOTS</t> <t>Intended Usage: See <xref target="srvr"></xref></t> <t>Security Considerations: See <xref target="Security"></xref></t> <t>Interoperability considerations: None</t> <t>Relevant publications: This document</t> </list></t>Tag:</dt> <dd>DOTS</dd> <dt>Intended Usage:</dt> <dd>See <xref target="srvr" format="default"/></dd> <dt>Security Considerations:</dt> <dd>See <xref target="Security" format="default"/></dd> <dt>Interoperability Considerations:</dt> <dd>None</dd> <dt>Relevant Publications:</dt> <dd>RFC 8973</dd> </dl> </section> <section anchor="serviceT2"title="DOTSnumbered="true" toc="default"> <name>DOTS Call Home Application Service TagRegistration"> <t><list style="symbols"> <t>ApplicationRegistration</name> <dl newline="false" spacing="compact" indent="35"> <dt>Application ServiceTag: DOTS-CALL-HOME</t> <t>Intended Usage: See <xref target="srvr"></xref></t> <t>Security Considerations: See <xref target="Security"></xref></t> <t>Interoperability considerations: None</t> <t>Relevant publications: This document</t> </list></t>Tag:</dt> <dd>DOTS-CALL-HOME</dd> <dt>Intended Usage:</dt> <dd>See <xref target="srvr" format="default"/></dd> <dt>Security Considerations:</dt> <dd>See <xref target="Security" format="default"/></dd> <dt>Interoperability Considerations:</dt> <dd>None</dd> <dt>Relevant Publications:</dt> <dd>RFC 8973</dd> </dl> </section> <section anchor="suappt"title="signal.udpnumbered="true" toc="default"> <name>signal.udp Application Protocol TagRegistration"> <t><list style="symbols"> <t>ApplicationRegistration</name> <dl newline="false" spacing="compact" indent="35"> <dt>Application ProtocolTag: signal.udp</t> <t>Intended Usage: See <xref target="srvr"></xref></t> <t>Security Considerations: See <xref target="Security"></xref></t> <t>Interoperability considerations: None</t> <t>Relevant publications: This document</t> </list></t>Tag:</dt> <dd>signal.udp</dd> <dt>Intended Usage:</dt> <dd>See <xref target="srvr" format="default"/></dd> <dt>Security Considerations:</dt> <dd>See <xref target="Security" format="default"/></dd> <dt>Interoperability Considerations:</dt> <dd>None</dd> <dt>Relevant Publications:</dt> <dd>RFC 8973</dd> </dl> </section> <section anchor="stappt"title="signal.tcpnumbered="true" toc="default"> <name>signal.tcp Application Protocol TagRegistration"> <t><list style="symbols"> <t>ApplicationRegistration</name> <dl newline="false" spacing="compact" indent="35"> <dt>Application ProtocolTag: signal.tcp</t> <t>Intended Usage: See <xref target="srvr"></xref></t> <t>Security Considerations: See <xref target="Security"></xref></t> <t>Interoperability considerations: None</t> <t>Relevant publications: This document</t> </list></t>Tag:</dt> <dd>signal.tcp</dd> <dt>Intended Usage:</dt> <dd>See <xref target="srvr" format="default"/></dd> <dt>Security Considerations:</dt> <dd>See <xref target="Security" format="default"/></dd> <dt>Interoperability Considerations:</dt> <dd>None</dd> <dt>Relevant Publications:</dt> <dd>RFC 8973</dd> </dl> </section> <section anchor="dappt"title="data.tcpnumbered="true" toc="default"> <name>data.tcp Application Protocol TagRegistration"> <t><list style="symbols"> <t>ApplicationRegistration</name> <dl newline="false" spacing="compact" indent="35"> <dt>Application ProtocolTag: data.tcp</t> <t>Intended Usage: See <xref target="srvr"></xref></t> <t>Security Considerations: See <xref target="Security"></xref></t> <t>Interoperability considerations: None</t> <t>Relevant publications: This document</t> </list></t>Tag:</dt> <dd>data.tcp</dd> <dt>Intended Usage:</dt> <dd>See <xref target="srvr" format="default"/></dd> <dt>Security Considerations:</dt> <dd>See <xref target="Security" format="default"/></dd> <dt>Interoperability Considerations:</dt> <dd>None</dd> <dt>Relevant Publications:</dt> <dd>RFC 8973</dd> </dl> </section> </section> </section><section title="Contributors"> <t><figure> <artwork><![CDATA[ Prashanth Patil Cisco Systems, Inc. Email: praspati@cisco.com]]></artwork> </figure></t> </section></middle> <back> <displayreference target="I-D.ietf-dots-signal-call-home" to="DOTS-SIG-CALL-HOME"/> <displayreference target="I-D.ietf-dots-multihoming" to="DOTS-MULTIHOMING"/> <displayreference target="I-D.ietf-anima-bootstrapping-keyinfra" to="BTSRP-KEYINFR"/> <displayreference target="I-D.ietf-dots-use-cases" to="DOTS-USE-CASES"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8415.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3958.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2131.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2132.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3396.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4291.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6890.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8782.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8811.xml"/> <!-- [I-D.ietf-dots-signal-call-home] IESG state Waiting for Writeup --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dots-signal-call-home.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8572.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6125.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4033.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3007.xml"/> <!-- [I-D.ietf-dots-use-cases] in AUTH48 state as of 12/15/20; RFC 8903 --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dots-use-cases.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8783.xml"/> <!-- [I-D.ietf-anima-bootstrapping-keyinfra] in EDIT*R state as of 12/15/20; --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-anima-bootstrapping-keyinfra.xml"/> <!-- [I-D.ietf-dots-multihoming] IESG state I-D Exists --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dots-multihoming.xml"/> </references> </references> <section anchor="Acknowledgements"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t>Thanks toBrian Carpenter<contact fullname="Brian Carpenter"/> for the review of theBRSKIBootstrapping Remote Secure Key Infrastructure (BRSKI) text usedbein previous draft versions of the specification.</t> <t>Many thanks toRuss White<contact fullname="Russ White"/> for the review, comments, and text contribution.</t> <t>Thanks toDan Wing, Pei Wei, Valery Smyslov, and Jon Shallow<contact fullname="Dan Wing"/>, <contact fullname="Pei Wei"/>, <contact fullname="Valery Smyslov"/>, and <contact fullname="Jon Shallow"/> for the review and comments.</t> <t>Thanks toBernie Volz<contact fullname="Bernie Volz"/> for the review of the DHCP section.</t> <t>Many thanks toBenjamin Kaduk<contact fullname="Benjamin Kaduk"/> for the detailed AD review.</t> <t>Thanks toZhen Cao, Kyle Rose, Nagendra Nainar, and Peter Yee<contact fullname="Zhen Cao"/>, <contact fullname="Kyle Rose"/>, <contact fullname="Nagendra Nainar"/>, and <contact fullname="Peter Yee"/> for the directorate reviews.</t> <t>Thanks toBarry Leiba, Martin Duke, Roman Danyliw, Eric Vyncke, and Magnus Westerlund<contact fullname="Barry Leiba"/>, <contact fullname="Martin Duke"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Éric Vyncke"/>, and <contact fullname="Magnus Westerlund"/> for the IESG review.</t> </section></middle> <back> <references title="Normative References"> <?rfc include="reference.RFC.2119"?> <?rfc include='reference.RFC.8415'?> <?rfc include='reference.RFC.3958'?> <?rfc include='reference.RFC.2131'?> <?rfc include='reference.RFC.2132'?> <?rfc include='reference.RFC.6763'?> <?rfc include='reference.RFC.3396'?> <?rfc include='reference.RFC.4291'?> <?rfc include='reference.RFC.8174'?> <?rfc include='reference.RFC.6890'?> </references> <references title="Informative References"> <?rfc include='reference.RFC.8782'?> <?rfc include='reference.RFC.7858'?> <?rfc include='reference.RFC.8484'?> <?rfc include='reference.RFC.8811'?> <?rfc include='reference.I-D.ietf-dots-signal-call-home'?> <?rfc include='reference.RFC.8572'?> <?rfc include='reference.RFC.6125'?> <?rfc include='reference.RFC.4033'?> <?rfc include='reference.RFC.2136'?> <?rfc include='reference.RFC.3007'?> <?rfc include='reference.I-D.ietf-dots-use-cases' ?> <?rfc include='reference.RFC.8783'?> <?rfc include='reference.I-D.ietf-anima-bootstrapping-keyinfra'?> <?rfc include='reference.I-D.ietf-dots-multihoming'?> </references><section numbered="false" toc="default"> <name>Contributors</name> <contact fullname="Prashanth Patil"> <organization>Cisco Systems, Inc.</organization> <address> <postal/> <email>praspati@cisco.com</email> </address> </contact> </section> </back> </rfc>