rfc8882xml2.original.xml   rfc8882.xml 
<?xml version="1.0" encoding="UTF-8"?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc1033 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1033.xml'>
<!ENTITY rfc1034 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml'>
<!ENTITY rfc1035 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml'>
<!ENTITY rfc2045 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2045.xml'>
<!ENTITY rfc2119 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2782 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2782.xml'>
<!ENTITY rfc3927 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3927.xml'>
<!ENTITY rfc4055 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml'>
<!ENTITY rfc4075 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4075.xml'>
<!ENTITY rfc4279 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4279.xml'>
<!ENTITY rfc4291 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4291.xml'>
<!ENTITY rfc4648 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml'>
<!ENTITY rfc5054 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5054.xml'>
<!ENTITY rfc5246 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml'>
<!ENTITY rfc6762 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml'>
<!ENTITY rfc6763 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml'>
<!ENTITY rfc7558 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7558.xml'>
<!ENTITY rfc7626 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7626.xml'>
<!ENTITY rfc7844 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7844.xml'>
<!ENTITY rfc7858 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml'>
<!ENTITY rfc8117 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8117.xml'>
<!ENTITY rfc8094 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8094.xml'>
<!ENTITY rfc8235 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8235.xml'>
<!ENTITY rfc8236 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8236.xml'>
<!ENTITY rfc8446 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml'>
<!ENTITY I-D.ietf-dnssd-push PUBLIC ''
"http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dnssd-push">
<!ENTITY I-D.ietf-dnssd-srp PUBLIC ''
"http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dnssd-srp">
<!ENTITY I-D.ietf-tls-esni PUBLIC ''
"http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-esni">
<!ENTITY kw14a PUBLIC ''
"references/reference.kw14a.xml">
<!ENTITY kw14b PUBLIC ''
"references/reference.kw14b.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc compact="yes"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<!-- Expand crefs and put them inline -->
<?rfc comments='yes' ?>
<?rfc inline='yes' ?>
<rfc category="info"
docName="draft-ietf-dnssd-prireq-08"
ipr="trust200902">
<front> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info"
docName="draft-ietf-dnssd-prireq-08" ipr="trust200902" obsoletes=""
updates="" submissionType="IETF" xml:lang="en" tocInclude="true"
symRefs="true" sortRefs="true" version="3" number="8882" consensus="true">
<!-- xml2rfc v2v3 conversion 2.42.0 -->
<front>
<title abbrev="DNS-SD Privacy Requirements"> <title abbrev="DNS-SD Privacy Requirements">
DNS-SD Privacy and Security Requirements DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements
</title> </title>
<author fullname="Christian Huitema" initials="C." surname="Huitema"> <seriesInfo name="RFC" value="8882"/>
<author fullname="Christian Huitema" initials="C." surname="Huitema">
<organization>Private Octopus Inc.</organization> <organization>Private Octopus Inc.</organization>
<address> <address>
<postal> <postal>
<street></street> <street/>
<city>Friday Harbor</city> <city>Friday Harbor</city>
<code>98250</code> <code>98250</code>
<region>WA</region> <region>WA</region>
<country>U.S.A.</country> <country>United States of America</country>
</postal> </postal>
<email>huitema@huitema.net</email> <email>huitema@huitema.net</email>
<uri>http://privateoctopus.com/</uri> <uri>http://privateoctopus.com/</uri>
</address> </address>
</author> </author>
<author fullname="Daniel Kaiser" initials="D." surname="Kaiser">
<author fullname="Daniel Kaiser" initials="D." surname="Kaiser">
<organization>University of Luxembourg</organization> <organization>University of Luxembourg</organization>
<address> <address>
<postal> <postal>
<street>6, avenue de la Fonte</street> <street>6, avenue de la Fonte</street>
<city>Esch-sur-Alzette</city> <city>Esch-sur-Alzette</city>
<code>4364</code> <code>4364</code>
<region></region> <region/>
<country>Luxembourg</country> <country>Luxembourg</country>
</postal> </postal>
<email>daniel.kaiser@uni.lu</email> <email>daniel.kaiser@uni.lu</email>
<uri>https://secan-lab.uni.lu/</uri> <uri>https://secan-lab.uni.lu/</uri>
</address> </address>
</author> </author>
<date month="September" year="2020"/>
<date year="2020" /> <keyword>Multicast DNS</keyword>
<keyword>mDNS</keyword>
<abstract> <abstract>
<t> <t>DNS-SD (DNS-based Service Discovery) normally discloses information abo
DNS-SD (DNS Service Discovery) normally discloses information about devices offe ut
ring and devices offering and requesting services. This information includes
requesting services. This information includes host names, network parameters, a hostnames, network parameters, and possibly a further description of the
nd possibly corresponding service instance. Especially when mobile devices engage in
a further description of the corresponding service instance. Especially when mob DNS-based Service Discovery at a public hotspot, serious privacy problems
ile devices arise. We analyze the requirements of a privacy-respecting discovery
engage in DNS Service Discovery at a public hotspot, serious privacy service.</t>
problems arise. We analyze the requirements of a privacy-respecting discovery se
rvice.
</t>
</abstract> </abstract>
</front> </front>
<middle>
<middle> <section numbered="true" toc="default">
<section title="Introduction"> <name>Introduction</name>
<t> <t>DNS-Based Service Discovery (DNS-SD) <xref target="RFC6763"
DNS Service Discovery (DNS-SD) <xref target="RFC6763" /> over Multicast DNS format="default"/> over Multicast DNS (mDNS) <xref target="RFC6762"
(mDNS) <xref target="RFC6762" /> enables zero-configuration format="default"/> enables zero-configuration service discovery in local
service discovery in local networks. It is very convenient for users, but it req networks. It is very convenient for users, but it requires the public
uires the exposure of the offering and requesting identities along with
public exposure of the offering and requesting identities along with information information about the offered and requested services. Parts of the
about the published information can seriously breach the user's privacy. These
offered and requested services. Parts of the published information can seriously privacy issues and potential solutions are discussed in <xref
breach the target="KW14a" format="default"/>, <xref target="KW14b"
user's privacy. These privacy issues and potential solutions are format="default"/>, and <xref target="K17" format="default"/>. While the
discussed in <xref target="KW14a" />, <xref target="KW14b" /> and <xref target=" multicast nature of mDNS makes these risks obvious, most risks derive
K17" />. from the observability of transactions. These risks also need to be
While the multicast nature of mDNS makes these risks obvious, most risks derive mitigated when using server-based variants of DNS-SD.</t>
from the <t>There are cases when nodes connected to a network want to provide or
observability of transactions. consume services without exposing their identities to the other parties
These risks also need to be mitigated when using server-based variants of DNS-SD connected to the same network. Consider, for example, a traveler wanting
. to upload pictures from a phone to a laptop when both are connected to
</t> the Wi-Fi network of an Internet cafe, or two travelers who want to
<t> share files between their laptops when waiting for their plane in an
There are cases when nodes connected to a network want to provide airport lounge.</t>
or consume services without exposing their identities to the other <t>We expect that these exchanges will start with a discovery procedure
parties connected to the same network. Consider, for example, a using DNS-SD over mDNS. One of the devices will publish the availability
traveler wanting to upload pictures from a phone to a laptop of a service, such as a picture library or a file store in our
when both are connected to the Wi-Fi network of an Internet cafe, or examples. The user of the other device will discover this service and
two travelers who want to share files between their laptops then connect to it.</t>
when waiting for their plane in an airport lounge. <t>When analyzing these scenarios in <xref target="scenarios"
</t> format="default"/>, we find that the DNS-SD messages leak identifying
<t> information, such as the Service Instance Name, the hostname, or service
We expect that these exchanges will start with a discovery procedure using DNS-S properties. We use the following definitions:</t>
D over mDNS. <dl newline="true" spacing="normal">
One of the devices will publish the availability of a service, such as a picture <dt>Identity</dt>
library <dd>In this document, the term "identity" refers to the identity of
or a file store in our examples. The user of the other device will the entity (legal person) operating a device.</dd>
discover this service, and then connect to it. <dt>Disclosing an Identity</dt>
</t> <dd>In this document, "disclosing an identity" means showing the
<t> identity of operating entities to devices external to the discovery
When analyzing these scenarios in <xref target="scenarios"/>, we find that process, e.g., devices on the same network link that are listening to
the DNS-SD messages leak identifying information such as the service instance na the network traffic but are not actually involved in the discovery
me, process. This document focuses on identity disclosure by data conveyed
the host name, or service properties. We use the following definitions: via messages on the service discovery protocol layer. Still, identity
<list style="hanging"> leaks on deeper layers, e.g., the IP layer, are mentioned.</dd>
<t hangText="Identity"> <dt>Disclosing Information</dt>
In this document, the term "identity" refers to the identity of the entity (le <dd>In this document, "disclosing information" is also focused on
gal person) disclosure of data conveyed via messages on the service discovery
operating a device. protocol layer, including both identity-revealing information and
</t> other still potentially sensitive data.</dd>
<t hangText="Disclosing an Identity"> </dl>
In this document "disclosing an identity" means showing the identity of operat </section>
ing entities <section anchor="threatmodel" numbered="true" toc="default">
to devices external to the discovery process; e.g., devices on the same networ <name>Threat Model</name>
k link that are listening to the <t>This document considers the following attacker types sorted by
network traffic but are not actually involved in the discovery process. increasing power. All these attackers can either be passive (they just
This document focuses on identity disclosure by data conveyed via messages on listen to network traffic they have access to) or active (they
the service discovery protocol layer. additionally can craft and send malicious packets).</t>
Still, identity leaks on deeper layers, e.g., the IP layer, are mentioned. <dl newline="true" spacing="normal">
</t> <dt>external</dt>
<t hangText="Disclosing Information"> <dd>An external attacker is not on the same network link as victim
In this document "disclosing information" is also focused devices engaging in service discovery; thus, the external attacker is
on disclosure of data conveyed via messages on the service discovery protocol in a different multicast domain.</dd>
layer, <dt>on-link</dt>
such as generic non-identity but still potentially sensitive data. <dd>An on-link attacker is on the same network link as victim devices
</t> engaging in service discovery; thus, the on-link attacker is in the
</list> same multicast domain. This attacker can also mount all attacks an
</t> external attacker can mount.</dd>
<dt>MITM</dt>
</section> <dd>A Man-in-the-Middle (MITM) attacker either controls (parts of) a
network link or can trick two parties to send traffic via the
<section title="Threat Model" anchor="threatmodel"> attacker; thus, the MITM attacker has access to unicast traffic
between devices engaging in service discovery. This attacker can also
<t> mount all attacks an on-link attacker can mount.</dd>
This document considers the following attacker types sorted by increasing powe </dl>
r. </section>
All these attackers can either be passive (they <section anchor="threatanalysis" numbered="true" toc="default">
just listen to network traffic they have access to) or active <name>Threat Analysis</name>
(they additionally can craft and send malicious packets). <t>In this section, we analyze how the attackers described in the
</t> previous section might threaten the privacy of entities operating
devices engaging in service discovery. We focus on attacks leveraging
<t> data transmitted in service discovery protocol messages.</t>
<list style="hanging"> <section anchor="scenarios" numbered="true" toc="default">
<t hangText="external"> <name>Service Discovery Scenarios</name>
An external attacker is not on the same network link as victim devices engagin <t>In this section, we review common service discovery scenarios and
g in service discovery; discuss privacy threats and their privacy requirements. In all three
thus, the external attacker is in a different multicast domain. of these common scenarios, the attacker is of the type passive
</t> on-link.</t>
<t hangText="on-link"> <section anchor="privclipubserv" numbered="true" toc="default">
An on-link attacker is on the same network link as victim devices engaging in <name>Private Client and Public Server</name>
service discovery; <t>Perhaps the simplest private discovery scenario involves a single
thus, the on-link attacker is in the same multicast domain. client connecting to a public server through a public network. A
This attacker can also mount all attacks an external attacker can mount. common example would be a traveler using a publicly available
</t> printer in a business center, in a hotel, or at an airport.</t>
<t hangText="MITM"> <artwork name="" type="" align="left" alt=""><![CDATA[
A Man in the Middle (MITM) attacker either controls (parts of) a network link
or can trick two parties to send traffic via the attacker;
thus, the MITM attacker has access to unicast traffic between devices engaging
in service discovery.
This attacker can also mount all attacks an on-link attacker can mount.
</t>
</list>
</t>
</section>
<section title="Threat Analysis" anchor="threatanalysis">
<t>
In this section we analyse how the attackers described in the previous section
might threaten the privacy of entities operating devices engaging in service d
iscovery.
We focus on attacks leveraging data transmitted in service discovery protocol
messages.
</t>
<section title="Service Discovery Scenarios" anchor="scenarios">
<t>In this section, we review common service discovery scenarios
and discuss privacy threats and their privacy requirements.
In all three of these common scenarios the attacker is of the type passive on-
link.</t>
<section title="Private Client and Public Server" anchor="privclipubserv" >
<t>
Perhaps the simplest private discovery scenario involves a single client connect
ing
to a public server through a public network. A common example would be
a traveler using a publicly available printer in a business center,
in an hotel, or at an airport.
</t>
<t>
<figure>
<artwork>
( Taking notes: ( Taking notes:
( David is printing ( David is printing
( a document ( a document.
~~~~~~~~~~~ ~~~~~~~~~~~
o o
___ o ___ ___ o ___
/ \ _|___|_ / \ _|___|_
| | client server |* *| | | client server |* *|
\_/ __ \_/ \_/ __ \_/
| / / Discovery +----------+ | | / / Discovery +----------+ |
/|\ /_/ <-----------&gt; | +----+ | /|\ /|\ /_/ <-----------&gt; | +----+ | /|\
/ | \__/ +--| |--+ / | \ / | \__/ +--| |--+ / | \
/ | |____/ / | \ / | |____/ / | \
/ | / | \ / | / | \
/ \ / \ / \ / \
/ \ / \ / \ / \
/ \ / \ / \ / \
/ \ / \ / \ / \
/ \ / \ / \ / \
David adversary David Adversary
</artwork> ]]></artwork>
</figure> <t>In that scenario, the server is public and wants to be
</t> discovered, but the client is private. The adversary will be
<t> listening to the network traffic, trying to identify the visitors'
In that scenario, the server is public and wants to be discovered, but devices and their activity. Identifying devices leads to identifying
the client is private. The adversary will be listening to the network people, either for surveillance of these individuals in the physical
traffic, trying to identify the visitors' devices and their activity. world or as a preliminary step for a targeted cyber attack.</t>
Identifying devices leads to identifying people, either for surveillance of <t>The requirement in that scenario is that the discovery activity
these individuals in the physical world or as a preliminary step for a targeted should not disclose the identity of the client.</t>
cyber attack. </section>
</t> <section anchor="privcliprivserv" numbered="true" toc="default">
<t> <name>Private Client and Private Server</name>
The requirement in that scenario is that the discovery activity <t>The second private discovery scenario involves a private client
should not disclose the identity of the client. connecting to a private server. A common example would be two people
</t> engaging in a collaborative application in a public place, such as
</section> an airport's lounge.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<section title="Private Client and Private Server" anchor="privcliprivserv" >
<t>
The second private discovery scenario involves a private client connecting
to a private server. A common example would be two people engaging
in a collaborative application in a public place, such as an airport's lounge.
</t>
<t>
<figure>
<artwork>
( Taking notes: ( Taking notes:
( David is meeting ( David is meeting
( with Stuart ( with Stuart.
~~~~~~~~~~~ ~~~~~~~~~~~
o o
___ ___ o ___ ___ ___ o ___
/ \ / \ _|___|_ / \ / \ _|___|_
| | server client | | |* *| | | server client | | |* *|
\_/ __ __ \_/ \_/ \_/ __ __ \_/ \_/
| / / Discovery \ \ | | | / / Discovery \ \ | |
/|\ /_/ <-----------&gt; \_\ /|\ /|\ /|\ /_/ <-----------&gt; \_\ /|\ /|\
/ | \__/ \__/ | \ / | \ / | \__/ \__/ | \ / | \
/ | | \ / | \ / | | \ / | \
/ | | \ / | \ / | | \ / | \
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
David Stuart Adversary David Stuart Adversary
</artwork> ]]></artwork>
</figure> <t>In that scenario, the collaborative application on one of the
</t> devices will act as a server, and the application on the other
<t> device will act as a client. The server wants to be discovered by
In that scenario, the collaborative application on one of the devices will the client but has no desire to be discovered by anyone else. The
act as a server, and the application on the other device will act as a client. adversary will be listening to network traffic, attempting to
The server wants to be discovered by the client, but has no desire to discover the identity of devices as in the first scenario and also
be discovered by anyone else. The adversary will be listening to attempting to discover the patterns of traffic, as these patterns
network traffic, attempting to discover the identity of devices as in reveal the business and social interactions between the owners of
the first scenario, and also attempting to discover the patterns of traffic, the devices.</t>
as these patterns reveal the business and social interactions between <t>The requirement in that scenario is that the discovery activity
the owners of the devices. should not disclose the identity of either the client or the server
</t> nor reveal the business and social interactions between the owners
<t> of the devices.</t>
The requirement in that scenario is that the discovery activity </section>
should not disclose the identity of either the client or the server, <section anchor="wearcliserv" numbered="true" toc="default">
nor reveal the business and social interactions between the owners of <name>Wearable Client and Server</name>
the devices. <t>The third private discovery scenario involves wearable devices. A
</t> typical example would be the watch on someone's wrist connecting to
</section> the phone in their pocket.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<section title="Wearable Client and Server" anchor="wearcliserv" >
<t>
The third private discovery scenario involves wearable devices.
A typical example would be the watch on someone's wrist connecting
to the phone in their pocket.
</t>
<t>
<figure>
<artwork>
( Taking notes: ( Taking notes:
( David is here. His watch is ( David is here. His watch is
( talking to his phone ( talking to his phone.
~~~~~~~~~~~ ~~~~~~~~~~~
o o
___ o ___ ___ o ___
/ \ _|___|_ / \ _|___|_
| | client |* *| | | client |* *|
\_/ \_/ \_/ \_/
| _/ | | _/ |
/|\ // /|\ /|\ // /|\
/ | \__/ ^ / | \ / | \__/ ^ / | \
/ |__ | Discovery / | \ / |__ | Discovery / | \
/ |\ \ v / | \ / |\ \ v / | \
/ \\_\ / \ / \\_\ / \
/ \ server / \ / \ server / \
/ \ / \ / \ / \
/ \ / \ / \ / \
/ \ / \ / \ / \
David Adversary David Adversary
</artwork> ]]></artwork>
</figure> <t>This third scenario is in many ways similar to the second
</t> scenario. It involves two devices, one acting as server and the
<t> other acting as client, and it leads to the same requirement of the
This third scenario is in many ways similar to the second scenario. It involves discovery traffic not disclosing the identity of either the client
two devices, one acting as server and the other acting as client, and it or the server. The main difference is that the devices are managed
leads to the same requirement of the discovery traffic not disclosing the by a single owner, which can lead to different methods for
identity of either the client or the server. The main difference is that establishing secure relations between the devices. There is also an
the devices are managed by a single owner, which can lead to different added emphasis on hiding the type of devices that the person
methods for establishing secure relations between the devices. There is wears.</t>
also an added emphasis on hiding the type of devices that the person <t>In addition to tracking the identity of the owner of the devices,
wears. the adversary is interested in the characteristics of the devices,
</t> such as type, brand, and model. Identifying the type of device can
lead to further attacks, from theft to device-specific hacking. The
<t> combination of devices worn by the same person will also provide a
In addition to tracking the identity of the owner of the devices, the adversary "fingerprint" of the person, risking identification.</t>
is interested in the characteristics of the devices, such as type, brand, and mo <t>This scenario also represents the general case of bringing
del. private Internet-of-Things (IoT) devices into public places. A
Identifying the type of device can lead to further attacks, from theft to wearable IoT device might
device-specific hacking. The combination of devices worn by the same person act as a DNS-SD/mDNS client, which allows attackers to infer
will also provide a "fingerprint" of the person, risking identification. information about devices' owners. While the attacker might be a
</t> person, as in the example figure, this could also be abused for
large-scale data collection installing stationary
<t> IoT-device-tracking
This scenario also represents the general case of bringing private IoT devices i servers in frequented public places.</t>
nto public places. <t>The issues described in <xref target="privclipubserv"
A wearable IoT device might act as a DNS-SD/mDNS client which allows attackers t format="default"/>, such as identifying people or using the
o infer information about devices' owners. information for targeted attacks, apply here too.</t>
While the attacker might be a person as in the example figure, </section>
this could also be abused for large scale data collection installing stationary </section>
IoT-device-tracking servers in frequented public places. <section anchor="analysis" numbered="true" toc="default">
</t> <name>DNS-SD Privacy Considerations</name>
<t>While the discovery process illustrated in the scenarios in <xref
<t> target="scenarios" format="default"/> most likely would be based on
The issues described in <xref target="privclipubserv" /> such as identifying <xref target="RFC6762" format="default"/> as a means for making
people or using the information for targeted attacks apply here too. service information available, this document considers all kinds of
</t> means for making DNS-SD resource records available. These means
comprise of but are not limited to mDNS <xref target="RFC6762"
</section> format="default"/>, DNS servers (<xref target="RFC1033"
</section> format="default"/>, <xref target="RFC1034" format="default"/>, and <xref
target="RFC1035" format="default"/>), the use of Service Registration
<section title="DNS-SD Privacy Considerations" anchor="analysis"> Protocol (SRP) <xref
target="I-D.ietf-dnssd-srp" format="default"/>, and multi-link <xref
<t> target="RFC7558" format="default"/> networks.</t>
While the discovery process illustrated in the scenarios in <xref target="scen <t>The discovery scenarios in <xref target="scenarios"
arios"/> most likely format="default"/> illustrate three separate abstract privacy
would be based on <xref target="RFC6762" /> as a means for making service info requirements that vary based on the use case. These are not limited to
rmation available, mDNS.</t>
this document considers all kinds of means for making DNS-SD resource records <ol spacing="normal" type="1">
available. <li>Client identity privacy: Client identities are not leaked during
These means comprise but are not limited to mDNS <xref target="RFC6762" />, service discovery or use.</li>
DNS servers (<xref target="RFC1033"/> <xref target="RFC1034"/>, <xref target=" <li>Multi-entity, mutual client and server identity privacy: Neither
RFC1035"/>), client nor server identities are leaked during service discovery or
using SRP <xref target="I-D.ietf-dnssd-srp"/>, and multi-link <xref target="RF use.</li>
C7558"/> networks. <li>Single-entity, mutual client and server identity privacy:
</t> Identities of clients and servers owned and managed by the same
legal person are not leaked during service discovery or use.</li>
<t>The discovery scenarios in <xref target="scenarios"/> illustrate three </ol>
separate abstract privacy requirements that vary based on the use case. These ar <t>In this section, we describe aspects of DNS-SD that make these
e not limited to mDNS. requirements difficult to achieve in practice. While it is intended to
<list style="numbers"> be thorough, it is not possible to be exhaustive.</t>
<t>Client identity privacy: Client identities are not leaked during service di <t>Client identity privacy, if not addressed properly, can be thwarted
scovery by a passive attacker (see <xref target="threatmodel"
or use.</t> format="default"/>). The type of passive attacker necessary depends on
<t>Multi-entity, mutual client and server identity privacy: Neither client nor the means of making service information available. Information
server identities are conveyed via multicast messages can be obtained by an on-link
leaked during service discovery or use.</t> attacker. Unicast messages are harder to access,
<t>Single-entity, mutual client and server identity privacy: Identities of cli but if the transmission is not encrypted they could still be accessed by
ents and servers an attacker with access to network routers or bridges. Using multi-link service
owned and managed by the same legal person are not leaked during service dis discovery
covery or use.</t> solutions <xref target="RFC7558" format="default"/>, external
</list> attackers have to be taken into consideration as well, e.g., when
</t> relaying multicast messages to other links.</t>
<t>Server identity privacy can be thwarted by a passive attacker in
<t> the same way as client identity privacy. Additionally, active
In this section, we describe aspects of DNS-SD that make these requirements attackers querying for information have to be taken into consideration
difficult to achieve in practice. as well. This is mainly relevant for unicast-based discovery, where
While it is intended to be thorough, it is not possible to be exhaustive. listening to discovery traffic requires a MITM attacker; however, an
</t> external active attacker might be able to learn the server identity by
just querying for service information, e.g., via DNS.</t>
<t> <section anchor="RRs" numbered="true" toc="default">
Client identity privacy, if not addressed properly, can be thwarted by a passi <name>Information Made Available Via DNS-SD Resource Records</name>
ve attacker (see <xref target="threatmodel"/>). <t>DNS-Based Service Discovery (DNS-SD) is defined in <xref
The type of passive attacker necessary depends on the means of making service target="RFC6763" format="default"/>. It allows nodes to publish the
information available. availability of an instance of a service by inserting specific
Information conveyed via multicast messages can be obtained by an on-link atta records in the DNS (<xref target="RFC1033" format="default"/>, <xref
cker. Unicast messages are target="RFC1034" format="default"/>, and <xref target="RFC1035"
easy to access if the transmission is not encrypted, but could still be access format="default"/>) or by publishing these records locally using
ed by an attacker with multicast DNS (mDNS) <xref target="RFC6762"
access to network routers or bridges. Using multi-link service discovery solut format="default"/>. Available services are described using three
ions <xref target="RFC7558"/>, types of records:</t>
external attackers have to be taken into consideration as well, e.g., when rel <dl newline="true" spacing="normal">
aying multicast messages to other links. <dt>PTR Record</dt>
</t> <dd>Associates a service type in the domain with an "instance"
name of this service type.</dd>
<t> <dt>SRV Record</dt>
Server identity privacy can be thwarted by a passive attacker in the same way <dd>Provides the node name, port number, priority and weight
as client identity privacy. associated with the service instance, in conformance with <xref
Additionally, active attackers querying for information have to be taken into target="RFC2782" format="default"/>.</dd>
consideration as well. <dt>TXT Record</dt>
This is mainly relevant for unicast-based discovery, where listening to discov <dd>Provides a set of attribute-value pairs describing specific
ery traffic requires a properties of the service instance.</dd>
MITM attacker; however, an external active attacker might be able to learn the </dl>
server identity by just querying for </section>
service information, e.g. via DNS. <section anchor="instanceLeak" numbered="true" toc="default">
</t> <name>Privacy Implication of Publishing Service Instance Names</name>
<t>In the first phase of discovery, clients obtain all PTR records
<section title="Information made available via DNS-SD Resource Records" anchor=" associated with a service type in a given naming domain. Each PTR
RRs"> record contains a Service Instance Name defined in
<xref target="RFC6763" sectionFormat="of" section="4"/>:</t>
<t> <sourcecode><![CDATA[
DNS-Based Service Discovery (DNS-SD) is defined in <xref target="RFC6763" />. Service Instance Name = <Instance> . <Service> . <Domain>
It allows nodes to publish the availability of an instance of a service by ]]></sourcecode>
inserting specific records in the DNS (<xref target="RFC1033"/>, <t>The &lt;Instance&gt; portion of the Service Instance Name is
<xref target="RFC1034"/>, <xref target="RFC1035"/>) or by publishing meant to convey enough information for users of discovery clients to
these records locally using easily select the desired service instance. Nodes that use DNS-SD
multicast DNS (mDNS) <xref target="RFC6762"/>. over mDNS <xref target="RFC6762" format="default"/> in a mobile
Available services are described using three types of records: environment will rely on the specificity of the instance name to
</t> identify the desired service instance. In our example of users
<t> wanting to upload pictures to a laptop in an Internet cafe, the list
<list style="hanging"> of available service instances may look like:</t>
<t hangText="PTR Record:">Associates a service type in the domain with <sourcecode>
an "instance" name of this service type.
</t>
<t hangText="SRV Record:">Provides the node name, port number, priority and
weight associated with the service instance, in conformance with <xref target="R
FC2782" />.
</t>
<t hangText="TXT Record:">Provides a set of attribute-value pairs describing
specific properties of the service instance.
</t>
</list>
</t>
</section>
<section title="Privacy Implication of Publishing Service Instance Names" anchor
="instanceLeak" >
<t>
In the first phase of discovery, clients obtain all PTR records associated with
a service type
in a given naming domain. Each PTR record contains a Service Instance Name defin
ed in Section
4 of <xref target="RFC6763" />:
</t>
<t>
<figure>
<artwork>
Service Instance Name = &lt;Instance&gt; . &lt;Service&gt; . &lt;Domain&gt;
</artwork>
</figure>
</t>
<t>
The &lt;Instance&gt; portion of the Service Instance Name is meant to convey
enough information for users of discovery clients to easily select the desired s
ervice instance.
Nodes that use DNS-SD over mDNS <xref target="RFC6762" /> in a mobile environmen
t will rely on the specificity
of the instance name to identify the desired service instance.
In our example of users wanting to upload pictures to a laptop in an Internet Ca
fe, the list of
available service instances may look like:
</t>
<t>
<figure>
<artwork>
Alice's Images . _imageStore._tcp . local Alice's Images . _imageStore._tcp . local
Alice's Mobile Phone . _presence._tcp . local Alice's Mobile Phone . _presence._tcp . local
Alice's Notebook . _presence._tcp . local Alice's Notebook . _presence._tcp . local
Bob's Notebook . _presence._tcp . local Bob's Notebook . _presence._tcp . local
Carol's Notebook . _presence._tcp . local Carol's Notebook . _presence._tcp . local
</artwork> </sourcecode>
</figure> <t>Alice will see the list on her phone and understand intuitively
</t> that she should pick the first item. The discovery will "just
<t> work". (Note that our examples of service names conform to the
Alice will see the list on her phone and understand intuitively that she should specification in <xref target="RFC6763" sectionFormat="of"
pick the first item. The discovery will "just work". (Note that our examples of section="4.1"/> but may require some character escaping when
service names conform to the specification in section 4.1 of <xref target="RFC67 entered in conventional DNS software.)</t>
63" />, <t>However, DNS-SD/mDNS will reveal to anybody that Alice is
but may require some character escaping when entered in conventional DNS softwar currently visiting the Internet cafe. It further discloses the fact
e.) that she uses two devices, shares an image store, and uses a chat
</t> application supporting the _presence protocol on both of her
<t> devices. She might currently chat with Bob or Carol, as they are
However, DNS-SD/mDNS will reveal to anybody that Alice is currently visiting the also using a _presence supporting chat application. This information
Internet Cafe. is not just available to devices actively browsing for and offering
It further discloses the fact that she uses two devices, shares an image store, services but to anybody passively listening to the network traffic,
and uses a chat application supporting the i.e., a passive on-link attacker.</t>
_presence protocol on both of her devices. She might currently chat with Bob or <t>There is, of course, also no authentication requirement to claim
Carol, a particular instance name, so an active attacker can provide
as they are also using a _presence supporting chat application. resources that claim to be Alice's but are not.</t>
This information is not just available to devices actively browsing for and offe </section>
ring <section numbered="true" toc="default">
services, but to anybody passively listening to the network traffic, i.e. a pass <name>Privacy Implication of Publishing Node Names</name>
ive on-link attacker. <t>The SRV records contain the DNS name of the node publishing the
</t> service. Typical implementations construct this DNS name by
<t> concatenating the "hostname" of the node with the name of the local
There is, of course, also no authentication requirement to claim a domain. The privacy implications of this practice are reviewed in
particular instance name, so an active attacker can provide resources <xref target="RFC8117" format="default"/>. Depending on naming
that claim to be Alice's but are not. practices, the hostname is either a strong identifier of the
</t> device or, at a minimum, a partial identifier. It enables tracking of
</section> both the device and, by extension, the device's owner.</t>
</section>
<section title="Privacy Implication of Publishing Node Names"> <section numbered="true" toc="default">
<t> <name>Privacy Implication of Publishing Service Attributes</name>
The SRV records contain the DNS name of the node publishing the <t>The TXT record's attribute-value pairs contain information on the
service. Typical implementations construct this DNS name by characteristics of the corresponding service instance. This in turn
concatenating the "host name" of the node with the name of the reveals information about the devices that publish services. The
local domain. The privacy implications of this amount of information varies widely with the particular service and
practice are reviewed in <xref target="RFC8117" />. its implementation:</t>
Depending on naming practices, the host name is either a strong <ul spacing="normal">
identifier of the device, or at a minimum a partial identifier. <li>Some attributes, such as the paper size available in a
It enables tracking of both the device, and, by extension, the device's owner. printer, are the same on many devices and thus only provide
</t> limited information to a tracker.</li>
</section> <li>Attributes that have free-form values, such as the name of a
directory, may reveal much more information.</li>
<section title="Privacy Implication of Publishing Service Attributes"> </ul>
<t> <t>Combinations of individual attributes have more information power
The TXT record's attribute-value pairs contain information on the characteristic than specific attributes and can potentially be used for
s of "fingerprinting" a specific device.</t>
the corresponding service instance. <t>Information contained in TXT records not only breaches privacy by
This in turn reveals information making devices trackable but might directly contain private
about the devices that publish services. The amount of information information about the user. For instance, the _presence service
varies widely with the particular service and its implementation: reveals the "chat status" to everyone in the same network. Users
</t> might not be aware of that.</t>
<t> <t>Further, TXT records often contain version information about
<list style="symbols"> services, allowing potential attackers to identify devices running
<t> exploit-prone versions of a certain service.</t>
Some attributes, such as the paper size available in a printer, are the </section>
same on many devices, and thus only provide limited information <section anchor="serverFingerprint" numbered="true" toc="default">
to a tracker. <name>Device Fingerprinting</name>
</t> <t>The combination of information published in DNS-SD has the
<t> potential to provide a "fingerprint" of a specific device. Such
Attributes that have freeform values, such as the name of a directory, information includes:</t>
may reveal much more information. <ul spacing="normal">
</t> <li>A list of services published by the device, which can be
</list> retrieved because the SRV records will point to the same
</t> hostname.</li>
<t> <li>Specific attributes describing these services.</li>
Combinations of individual attributes have more information power than specific <li>Port numbers used by the services.</li>
attributes, <li>Priority and weight attributes in the SRV records.</li>
and can potentially be used for "fingerprinting" a specific device. </ul>
</t> <t>This combination of services and attributes will often be
sufficient to identify the version of the software running on a
<t> device. If a device publishes many services with rich sets of
Information contained in TXT records not only breaches privacy by making devices attributes, the combination may be sufficient to identify the
trackable, but might directly contain private information about the user. specific device and track its owner.</t>
For instance the _presence service reveals the "chat status" to everyone in the <t>An argument is sometimes made that devices providing services can
same network. be identified by observing the local traffic and that trying to
Users might not be aware of that. hide the presence of the service is futile. However, there are good
</t> reasons for the discovery service layer to avoid unnecessary
exposure:</t>
<t> <ol spacing="normal" type="1">
Further, TXT records often contain version information about services, allowin <li>Providing privacy at the discovery layer is of the essence for
g potential attackers enabling automatically configured privacy-preserving network
to identify devices running exploit-prone versions of a certain service. applications. Application layer protocols are not forced to
</t> leverage the offered privacy, but if device tracking is not
prevented at the deeper layers, including the service discovery
</section> layer, obfuscating a certain service's protocol at the application
layer is futile.</li>
<section title="Device Fingerprinting" anchor="serverFingerprint"> <li>Further, in the case of mDNS-based discovery, even if the
<t> application layer does not protect privacy, services are typically
The combination of information published in DNS-SD has the potential to provided via unicast, which requires a MITM attacker, whereas
provide a "fingerprint" of a specific device. Such information includes: identifying services based on multicast discovery messages just
</t> requires an on-link attacker.</li>
<t> </ol>
<list style="symbols"> <t>The same argument can be extended to say that the pattern of
<t> services offered by a device allows for fingerprinting the
List of services published by the device, which can be retrieved because the device. This may or may not be true, since we can expect that
SRV records will point to the same host name. services will be designed or updated to avoid leaking
</t> fingerprints. In any case, the design of the discovery service
<t> should avoid making a bad situation worse and should, as much as
Specific attributes describing these services. possible, avoid providing new fingerprinting information.</t>
</t> </section>
<t> <section anchor="clientPrivacy" numbered="true" toc="default">
Port numbers used by the services. <name>Privacy Implication of Discovering Services</name>
</t> <t>The consumers of services engage in discovery and in doing so
<t> reveal some information, such as the list of services they are
Priority and weight attributes in the SRV records. interested in and the domains in which they are looking for the
</t> services. When the clients select specific instances of services,
</list> they reveal their preference for these instances. This can be benign
</t> if the service type is very common, but it could be more problematic
<t> for sensitive services, such as some private messaging services.</t>
This combination of services and attributes will often be sufficient to identify <t>One way to protect clients would be to somehow encrypt the
the version of the software running on a device. If a device publishes requested service types. Of course, just as we noted in <xref
many services with rich sets of attributes, the combination may be target="serverFingerprint" format="default"/>, traffic analysis can
sufficient to identify the specific device and track its owner. often reveal the service.</t>
</t> </section>
</section>
<t> <section numbered="true" toc="default">
An argument is sometimes made that devices providing services can be identified <name>Security Considerations</name>
by observing the local traffic, and that trying to hide the presence of the serv <t>For each of the operations described above, we must also consider
ice security threats we are concerned about.</t>
is futile. However, there are good <section numbered="true" toc="default">
reasons for the discovery service layer to avoid unnecessary exposure: <name>Authenticity, Integrity, and Freshness</name>
<list style="numbers"> <t>Can devices (both servers and clients) trust the information they
<t> receive? Has it been modified in flight by an adversary? Can
Providing privacy at the discovery layer is of the essence for enabling automati devices trust the source of the information? Is the source of
cally configured privacy-preserving information fresh, i.e., not replayed? Freshness may or may not be
network applications. Application layer protocols are not forced to leverage the required depending on whether the discovery process is meant to be
offered privacy, online. In some cases, publishing discovery information to a shared
but if device tracking is not prevented at the deeper layers, including the serv directory or registry, rather than to each online recipient through
ice discovery layer, a broadcast channel, may suffice.</t>
obfuscating a certain service's protocol at the application layer is futile. </section>
</t> <section numbered="true" toc="default">
<t> <name>Confidentiality</name>
Further, in the case of mDNS based discovery, even if the application layer does <t>Confidentiality is about restricting information access to only
not protect privacy, authorized individuals. Ideally, this should only be the appropriate
typically services are provided via unicast which requires a MITM attacker, trusted parties, though it can be challenging to define who are "the
while identifying services based on multicast discovery messages just requires a appropriate trusted parties." In some use cases, this may mean that
n on-link attacker. only mutually authenticated and trusting clients and servers can
</t> read messages sent for one another. The process of service discovery
</list> in particular is often used to discover new entities that the device
did not previously know about. It may be tricky to work out how a
The same argument can be extended to say that the pattern of services device can have an established trust relationship with a new entity
offered by a device allows for fingerprinting the device. This may or may not it has never previously communicated with.</t>
be true, since we can expect that services will be designed or updated to </section>
avoid leaking fingerprints. In any case, the design of the discovery <section numbered="true" toc="default">
service should avoid making a bad situation worse, and should as much as <name>Resistance to Dictionary Attacks</name>
possible avoid providing new fingerprinting information. <t>It can be tempting to use (publicly computable) hash functions to
</t> obscure sensitive identifiers. This transforms a sensitive unique
</section> identifier, such as an email address, into a "scrambled" but still
unique identifier. Unfortunately, simple solutions may be vulnerable
<section title="Privacy Implication of Discovering Services" anchor="clientPriva to offline dictionary attacks.</t>
cy" > </section>
<t> <section numbered="true" toc="default">
The consumers of services engage in discovery, and in doing so <name>Resistance to Denial-of-Service Attacks</name>
reveal some information such as the list of services they <t>In any protocol where the receiver of messages has to perform
are interested in and the domains in which they are looking for the cryptographic operations on those messages, there is a risk of a
services. When the clients select specific instances of services, brute-force flooding attack causing the receiver to expend excessive
they reveal their preference for these instances. This can be benign if amounts of CPU time and, where applicable, battery power just
the service type is very common, but it could be more problematic processing and discarding those messages.</t>
for sensitive services, such as some private messaging services. <t>Also, amplification attacks have to be taken into
</t> consideration. Messages with larger payloads should only be sent as
<t> an answer to a query sent by a verified client.</t>
One way to protect clients would be to somehow encrypt the requested service typ </section>
es. <section numbered="true" toc="default">
Of course, just as we noted in <xref target="serverFingerprint"/>, traffic <name>Resistance to Sender Impersonation</name>
analysis can often reveal the service. <t>Sender impersonation is an attack wherein messages, such as
</t> service offers, are forged by entities who do not possess the
</section> corresponding secret key material. These attacks may be used to
</section> learn the identity of a communicating party, actively or
passively.</t>
<section title="Security Considerations"> </section>
<t>For each of the operations described above, we must also consider security <section numbered="true" toc="default">
threats we are concerned about.</t> <name>Sender Deniability</name>
<section title="Authenticity, Integrity &amp; Freshness"> <t>Deniability of sender activity, e.g., of broadcasting a discovery
<t>Can devices (both servers and clients) trust the information they receive request, may be desirable or necessary in some use cases. This
? property ensures that eavesdroppers cannot prove senders issued a
Has it been modified in flight by an adversary? specific message destined for one or more peers. </t>
Can devices trust the source of the information? </section>
Is the source of information fresh, i.e., not replayed? </section>
Freshness may or may not be required depending on whether the <section numbered="true" toc="default">
discovery process is meant to be online. In some cases, publishing <name>Operational Considerations</name>
discovery information to a shared directory or registry, <section numbered="true" toc="default">
rather than to each online recipient through a broadcast channel, <name>Power Management</name>
may suffice.</t> <t>Many modern devices, especially battery-powered devices, use
</section> power management techniques to conserve energy. One such technique
is for a device to transfer information about itself to a proxy,
<section title="Confidentiality"> which will act on behalf of the device for some functions while the
<t>Confidentiality is about restricting information access to only device itself goes to sleep to reduce power consumption. When the
authorized individuals. Ideally this should only be the appropriate proxy determines that some action is required, which only the device
trusted parties, though it can be challenging to define who are "the itself can perform, the proxy may have some way to wake the device,
appropriate trusted parties." In some use cases, this may mean that only as described for example in <xref target="SLEEP-PROXY"
mutually authenticated and trusting clients and servers can read messages format="default"/>.</t>
sent for one another. <t>In many cases, the device may not trust the network proxy
The process of service discovery in particular is often used to discover sufficiently to share all its confidential key material with the
new entities that the device did not previously know about. proxy. This poses challenges for combining private discovery that
It may be tricky to work out how a device can have an established trust relies on per-query cryptographic operations with energy-saving
relationship with a new entity it has never previously communicated with. techniques that rely on having (somewhat untrusted) network proxies
</t> answer queries on behalf of sleeping devices.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Resistance to Dictionary Attacks"> <name>Protocol Efficiency</name>
<t>It can be tempting to use (publicly computable) hash functions to obscure <t>Creating a discovery protocol that has the desired security
sensitive identifiers. properties may result in a design that is not efficient. To perform
This transforms a sensitive unique identifier such as an email address the necessary operations, the protocol may need to send and receive a
into a "scrambled" but still unique identifier. Unfortunately simple solutio large number of network packets or require an inordinate amount of
ns multicast transmissions. This may consume an unreasonable amount of
may be vulnerable to offline dictionary attacks.</t> network capacity, particularly problematic when it is a shared
</section> wireless spectrum. Further, it may cause an unnecessary level of
power consumption, which is particularly problematic on battery
<section title="Resistance to Denial-of-Service Attacks"> devices and may result in the discovery process being slow.</t>
<t>In any protocol where the receiver of messages has to perform cryptograph <t>It is a difficult challenge to design a discovery protocol that
ic has the property of obscuring the details of what it is doing from
operations on those messages, there is a risk of a brute-force flooding unauthorized observers while also managing to perform
attack causing the receiver to expend excessive amounts of CPU time efficiently.</t>
and, where appliciable, battery power just processing and discarding those m </section>
essages.</t> <section numbered="true" toc="default">
<name>Secure Initialization and Trust Models</name>
<t> <t>One of the challenges implicit in the preceding discussions is
Also, amplification attacks have to be taken into consideration. that whenever we discuss "trusted entities" versus "untrusted
Messages with larger payloads should only be sent as an answer to entities", there needs to be some way that trust is initially
a query sent by a verified client. established to convert an "untrusted entity" into a "trusted
</t> entity".</t>
</section> <t>The purpose of this document is not to define the specific way in
which trust can be established. Protocol designers may rely on a
<section title="Resistance to Sender Impersonation"> number of existing technologies, including PKI, Trust On First Use
<t>Sender impersonation is an attack wherein messages such as service offers (TOFU), or the use of a short passphrase or PIN with cryptographic
are forged algorithms, such as Secure Remote Password (SRP) <xref
by entities who do not possess the corresponding secret key material. These target="RFC5054" format="default"></xref> or a
attacks Password-Authenticated Key
may be used to learn the identity of a communicating party, actively or pass Exchange like J-PAKE <xref target="RFC8236"
ively.</t> format="default"></xref> using a Schnorr Non-interactive
</section> Zero-Knowledge Proof <xref target="RFC8235"
format="default"></xref>.</t>
<section title="Sender Deniability"> <t>Protocol designers should consider a specific usability pitfall
<t>Deniability of sender activity, e.g., of broadcasting a discovery request when trust is established immediately prior to performing
, may be discovery. Users will have a tendency to "click OK" in order to
desirable or necessary in some use cases. This property ensures that eavesdr achieve their task. This implicit vulnerability is avoided if the
oppers trust establishment requires more significant participation of the
cannot prove senders issued a specific message destined for one or more peer user, such as entering a password or PIN.</t>
s. </t> </section>
</section> <section numbered="true" toc="default">
</section> <name>External Dependencies</name>
<t>Trust establishment may depend on external parties. Optionally,
<section title="Operational Considerations"> this might involve synchronous communication. Systems that have
<section title="Power Management"> such a dependency may be attacked by interfering with communication
to external dependencies. Where possible, such dependencies should
<t>Many modern devices, especially battery-powered devices, be minimized. Local trust models are best for secure initialization
use power management techniques to conserve energy. in the presence of active attackers.</t>
One such technique is for a device to transfer information about itself </section>
to a proxy, which will act on behalf of the device for some functions, </section>
while the device itself goes to sleep to reduce power consumption. </section>
When the proxy determines that some action is required which only <section numbered="true" toc="default">
the device itself can perform, the proxy may have some way to wake the <name>Requirements for a DNS-SD Privacy Extension</name>
device, as described for example in <xref target="SLEEP-PROXY" />.</t> <t>Given the considerations discussed in the previous sections, we state
requirements for privacy preserving DNS-SD in the following
<t>In many cases, the device may not trust the network proxy subsections.</t>
sufficiently to share all its confidential key material with the proxy. <t>Defining a solution according to these requirements is intended to
This poses challenges for combining private discovery lead to a solution that does not transmit privacy-violating DNS-SD
that relies on per-query cryptographic operations, messages and further does not open pathways to new attacks against the
with energy-saving techniques that rely on having (somewhat untrusted) operation of DNS-SD.</t>
network proxies answer queries on behalf of sleeping devices.</t> <t>However, while this document gives advice on which privacy protecting
mechanisms should be used on deeper-layer network protocols and on how
</section> to actually connect to services in a privacy-preserving way, stating
corresponding requirements is out of the scope of this document. To
<section title="Protocol Efficiency"> mitigate attacks against privacy on lower layers, both servers and
clients must use privacy options available at lower layers and, for
<t>Creating a discovery protocol that has the desired security example, avoid publishing static IPv4 or IPv6 addresses or static IEEE
properties may result in a design that is not efficient. 802 Media Access Control (MAC) addresses. For services advertised on a
To perform the necessary operations the protocol may single network link,
need to send and receive a large number of network packets, link-local IP addresses should be used; see <xref target="RFC3927"
or require an inordinate amount of multicast transmissions. format="default"/> and <xref target="RFC4291" format="default"/> for
This may consume an unreasonable amount of network capacity, IPv4 and IPv6, respectively. Static servers advertising services
particularly problematic when it is a shared wireless spectrum. globally via DNS can hide their IP addresses from unauthorized clients
Further, it may cause an unnecessary level of power consumption using the split mode topology shown in Encrypted Server Name Indication
which is particularly problematic on battery devices, <xref target="I-D.ietf-tls-esni"
and may result in the discovery process being slow.</t> format="default"/>. Hiding static MAC addresses can be achieved via MAC
address randomization (see <xref target="RFC7844"
<t>It is a difficult challenge to design a discovery protocol that has the format="default"/>).</t>
property of obscuring the details of what it is doing from unauthorized <section numbered="true" toc="default">
observers, while also managing to perform efficiently.</t> <name>Private Client Requirements</name>
<t>For all three scenarios described in <xref target="scenarios"
</section> format="default"/>, client privacy requires DNS-SD messages to:</t>
<ol spacing="normal" type="1">
<section title="Secure Initialization and Trust Models"> <li>Avoid disclosure of the client's identity, either directly or
via inference, to nodes other than select servers.</li>
<t>One of the challenges implicit in the preceding discussions is <li>Avoid exposure of linkable identifiers that allow tracing client d
that whenever we discuss "trusted entities" versus "untrusted entities", evices.</li>
there needs to be some way that trust is initially established, <li>Avoid disclosure of the client's interest in specific service
to convert an "untrusted entity" into a "trusted entity".</t> instances or service types to nodes other than select servers.</li>
</ol>
<t>The purpose of this document is not to define the specific way in <t>When listing and resolving services via current DNS-SD deployments,
which trust can be established. Protocol designers may rely on a clients typically disclose their interest in specific services types
number of existing technologies, including PKI, Trust On First Use (TOFU), and specific instances of these types, respectively.</t>
or using a short passphrase or PIN with <t>In addition to the exposure and disclosure risks noted above,
cryptographic algorithms such as protocols and implementations will have to consider fingerprinting
<xref target="RFC5054">Secure Remote Password (SRP)</xref> attacks (see <xref target="serverFingerprint" format="default"/>) that
or a Password Authenticated Key Exchange like could retrieve similar information.</t>
<xref target="RFC8236">J-PAKE</xref> </section>
using a <section numbered="true" toc="default">
<xref target="RFC8235">Schnorr Non-interactive Zero-Knowledge Proof</xref>. <name>Private Server Requirements</name>
</t> <t>Servers like the "printer" discussed in <xref
target="privclipubserv" format="default"/> are public, but
<t>Protocol designers should consider a specific usability pitfall when the servers discussed in Sections <xref target="privcliprivserv"
trust is established immediately prior to performing discovery. Users format="counter"/> and <xref target="wearcliserv" format="counter"/>
will have a tendency to "click OK" in order to achieve their task. This are, by essence, private.
implicit vulnerability is avoided if the trust establishment requires Server privacy requires DNS-SD messages
more significant participation of the user, such as entering a password or P to:</t>
IN. <ol spacing="normal" type="1">
</t> <li> Avoid disclosure of the server's identity, either directly or
via inference, to nodes other than authorized clients. In
</section> particular, servers must avoid publishing static identifiers, such as
hostnames or service names. When those fields are required by the
<section title="External Dependencies"> protocol, servers should publish randomized values. (See <xref
<t>Trust establishment may depend on external parties. target="RFC8117" format="default"/> for a discussion of hostnames.)</li
Optionally, this might involve synchronous communication. >
Systems which have such a dependency may be attacked by interfering with com <li>Avoid exposure of linkable identifiers that allow tracing servers.
munication </li>
to external dependencies. Where possible, such dependencies should be minimi <li>Avoid disclosure to unauthorized clients of Service Instance
zed. Names or service types of offered services.</li>
Local trust models are best for secure initialization in the presence of act <li>Avoid disclosure to unauthorized clients of information about
ive attackers.</t> the services they offer. </li>
</section> <li>Avoid disclosure of static IPv4 or IPv6 addresses.</li>
</ol>
</section> <t>When offering services via current DNS-SD deployments, servers
</section> typically disclose their hostnames (SRV, A/AAAA), instance names of
offered services (PTR, SRV), and information about services
<section title="Requirements for a DNS-SD Privacy Extension"> (TXT). Heeding these requirements protects a server's privacy on the
DNS-SD level.</t>
<t> <t>The current DNS-SD user interfaces present the list of discovered
Given the considerations discussed in the previous sections, we service names to the users and let them pick a service from the
state requirements for privacy preserving DNS-SD in the following subsection list. Using random identifiers for service names renders that UI flow
s. unusable. Privacy-respecting discovery protocols will have to solve
</t> this issue, for example, by presenting authenticated or decrypted
<t> service names instead of the randomized values.</t>
Defining a solution according to these requirements is intended to lead to a </section>
solution that <section numbered="true" toc="default">
does not transmit privacy-violating DNS-SD messages and further does not ope <name>Security and Operation</name>
n pathways to new attacks against the <t>In order to be secure and feasible, a DNS-SD privacy extension
operation of DNS-SD. needs to consider security and operational requirements including:</t>
</t> <ol spacing="normal" type="1">
<li>Avoiding significant CPU overhead on nodes or significantly
<t> higher network load. Such overhead or load would make nodes
However, while this document gives advice on which vulnerable to denial-of-service attacks. Further, it would increase
privacy protecting mechanisms should be used on deeper-layer network power consumption, which is damaging for IoT devices.</li>
protocols and on how to actually connect to services in a <li>Avoiding designs in which a small message can trigger a large
privacy-preserving way, stating corresponding requirements is out of the sco amount of traffic towards an unverified address, as this could be
pe of this document. exploited in amplification attacks.</li>
To mitigate attacks against privacy on lower layers, </ol>
both servers and clients must use privacy options available at lower layers, </section>
and for example avoid publishing static IPv4 or IPv6 addresses, or static IE </section>
EE 802 MAC addresses. <section anchor="iana" numbered="true" toc="default">
For services advertised on a single network link, link local IP addresses sh <name>IANA Considerations</name>
ould be used; see <t>This document has no IANA actions.</t>
<xref target="RFC3927" /> and <xref target="RFC4291" /> for IPv4 and IPv6, r </section>
espectively. </middle>
Static servers advertising services globally via DNS can hide their IP addre <back>
sses from <displayreference target="I-D.ietf-dnssd-srp" to="SRP"/>
unauthorized clients using the split mode topology shown in <xref target="I- <displayreference target="I-D.ietf-tls-esni" to="ESNI"/>
D.ietf-tls-esni"/>. <references>
Hiding static MAC addresses can be achieved via MAC address randomization (s <name>References</name>
ee <xref target="RFC7844" />). <references>
</t> <name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<section title="Private Client Requirements"> ence.RFC.6762.xml"/>
<t> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
For all three scenarios described in <xref target="scenarios" />, client p ence.RFC.6763.xml"/>
rivacy </references>
requires DNS-SD messages to: <references>
<list style="numbers"> <name>Informative References</name>
<t> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
Avoid disclosure of the client's identity, either directly or via infe ence.RFC.1033.xml"/>
rence, <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
to nodes other than select servers. ence.RFC.1034.xml"/>
</t> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<t> ence.RFC.1035.xml"/>
Avoid exposure of linkable identifiers that allow tracing client devic <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
es. ence.RFC.2782.xml"/>
</t> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<t> ence.RFC.3927.xml"/>
Avoid disclosure of the client's interest in specific service instance <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
s or service types to ence.RFC.4291.xml"/>
nodes other than select servers. <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
</t> ence.RFC.5054.xml"/>
</list> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
</t> ence.RFC.7558.xml"/>
<t> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
When listing and resolving services via current DNS-SD deployments, client ence.RFC.7844.xml"/>
s typically disclose their interest in <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
specific services types and specific instances of these types, respectivel ence.RFC.8117.xml"/>
y. <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
</t> ence.RFC.8235.xml"/>
<t> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
In addition to the exposure and disclosure risks noted above, protocols an ence.RFC.8236.xml"/>
d implementations will have <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
to consider fingerprinting attacks (see <xref target="serverFingerprint"/> .ietf-dnssd-srp.xml"/>
) that could retrieve similar information. <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
</t> .ietf-tls-esni.xml"/>
</section> <reference anchor="KW14a" target="https://ieeexplore.ieee.org/xpl/articl
eDetails.jsp?arnumber=7011331">
<section title="Private Server Requirements"> <front>
<t> <title>Adding Privacy to Multicast DNS Service Discovery</title>
Servers like the "printer" discussed in scenario 1 are public, but the ser <author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
vers <organization/>
discussed in scenarios 2 and 3 are by essence private. </author>
Server privacy requires DNS-SD messages to: <author initials="M." surname="Waldvogel" fullname="Marcel Waldvogel
</t> ">
<t> <organization/>
<list style="numbers"> </author>
<t> <date month="September" year="2014"/>
Avoid disclosure of the server's identity, either directly or via infe </front>
rence, <seriesInfo name="DOI" value="10.1109/TrustCom.2014.107"/>
to nodes other than authorized clients. </reference>
In particular, Servers must avoid publishing static identifiers such a
s host names or service names.
When those fields are required by the protocol, servers should publish
randomized
values. (See <xref target="RFC8117" /> for a discussion of host names.
)
</t>
<t>
Avoid exposure of linkable identifiers that allow tracing servers.
</t>
<t>
Avoid disclosure to unauthorized clients of service instance names or
service types
of offered services.
</t>
<t>
Avoid disclosure to
unauthorized clients of information about the services they offer.
</t>
<t>
Avoid disclosure of static IPv4 or IPv6 addresses.
</t>
</list>
</t>
<t>
When offering services via current DNS-SD deployments, servers typically d
isclose their hostnames (SRV, A/AAAA), instance names of
offered services (PRT, SRV), and information about services (TXT).
Heeding these requirements protects a server's privacy on the DNS-SD level
.
</t>
<t>
The current DNS-SD user interfaces present the list of discovered service
names to the users,
and let them pick a service from the list. Using random identifiers for se
rvice names renders
that UI flow unusable. Privacy-respecting discovery protocols will have to
solve this issue,
for example by presenting authenticated or decrypted service names instead
of the
randomized values.
</t>
</section>
<section title="Security and Operation">
<t>
In order to be secure and feasible, a DNS-SD privacy extension needs to co
nsider
security and operational requirements including:
<list style="numbers">
<t>
Avoiding significant CPU overhead on nodes or significantly higher net
work load.
Such overhead or load would make nodes vulnerable to denial of service
attacks. Further, it would increase power consumption which is damagin
g for IoT devices.
</t>
<t>
Avoiding designs in which a small message can trigger a large
amount of traffic towards an unverified address, as this could be expl
oited in amplification attacks.
</t>
</list>
</t>
</section>
</section>
<section title="IANA Considerations" anchor="iana">
<t>
This draft does not require any IANA action.
</t>
</section>
<section title="Acknowledgments">
<t>This draft incorporates many contributions from Stuart Cheshire and Chris
Wood. Thanks to
Florian Adamsky for extensive review and suggestions on the organization
of the threat
model. Thanks to Barry Leiba for an extensive review. Thanks to Roman Dan
yliw, Ben Kaduk,
Adam Roach and Alissa Cooper for their comments during IESG review.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc6762;
&rfc6763;
</references>
<references title="Informative References">
&rfc1033;
&rfc1034;
&rfc1035;
&rfc2782;
&rfc3927;
&rfc4291;
&rfc5054;
&rfc7558;
&rfc7844;
&rfc8117;
&rfc8235;
&rfc8236;
&I-D.ietf-dnssd-srp;
&I-D.ietf-tls-esni;
<reference anchor="KW14a" target="http://ieeexplore.ieee.org/xpl/articleDetails.
jsp?arnumber=7011331">
<front>
<title>Adding Privacy to Multicast DNS Service Discovery</title>
<author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
<organization/>
</author>
<author initials="M." surname="Waldvogel" fullname="Marcel Waldvogel">
<organization/>
</author>
<date year="2014"/>
</front>
<seriesInfo name="DOI" value="10.1109/TrustCom.2014.107"/>
</reference>
<reference anchor="KW14b" target="http://ieeexplore.ieee.org/xpl/articleDetails.
jsp?arnumber=7056899">
<front>
<title>Efficient Privacy Preserving Multicast DNS Service Discovery</title>
<author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
<organization/>
</author>
<author initials="M." surname="Waldvogel" fullname="Marcel Waldvogel">
<organization/>
</author>
<date year="2014"/>
</front>
<seriesInfo name="DOI" value="10.1109/HPCC.2014.141"/>
</reference>
<reference anchor="K17" target="http://nbn-resolving.de/urn:nbn:de:bsz:352-0-422
757">
<front>
<title>Efficient Privacy-Preserving Configurationless Service Discovery Supp
orting Multi-Link Networks</title>
<author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
<organization/>
</author>
<date year="2017"/>
</front>
</reference>
<reference anchor="SLEEP-PROXY" target="http://stuartcheshire.org/SleepProxy/ind <reference anchor="KW14b" target="https://ieeexplore.ieee.org/xpl/articl
ex.html"> eDetails.jsp?arnumber=7056899">
<front> <front>
<title>Understanding Sleep Proxy Service</title> <title>Efficient Privacy Preserving Multicast DNS Service Discovery<
<author initials="S." surname="Cheshire" fullname="Stuart Cheshire"> /title>
<organization/> <author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
</author> <organization/>
<date year="2009"/> </author>
</front> <author initials="M." surname="Waldvogel" fullname="Marcel Waldvogel
</reference> ">
<organization/>
</author>
<date month="August" year="2014"/>
</front>
<seriesInfo name="DOI" value="10.1109/HPCC.2014.141"/>
</reference>
</references> <reference anchor="K17" target="https://nbn-resolving.de/urn:nbn:de:bsz:
352-0-422757">
<front>
<title>Efficient Privacy-Preserving Configurationless Service Discov
ery Supporting Multi-Link Networks</title>
<author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
<organization/>
</author>
<date month="August" year="2017"/>
</front>
</reference>
</back> <reference anchor="SLEEP-PROXY" target="http://stuartcheshire.org/SleepP
roxy/index.html">
<front>
<title>Understanding Sleep Proxy Service</title>
<author initials="S." surname="Cheshire" fullname="Stuart Cheshire">
<organization/>
</author>
<date month="December" year="2009"/>
</front>
</reference>
</references>
</references>
<section numbered="false" toc="default">
<name>Acknowledgments</name>
<t>This document incorporates many contributions from <contact
fullname="Stuart Cheshire"/> and <contact fullname="Chris
Wood"/>. Thanks to <contact fullname="Florian Adamsky"/> for extensive
review and suggestions on the organization of the threat model. Thanks
to <contact fullname="Barry Leiba"/> for an extensive review. Thanks to
<contact fullname="Roman Danyliw"/>, <contact fullname="Ben Kaduk"/>,
<contact fullname="Adam Roach"/>, and <contact fullname="Alissa Cooper"/>
for their comments during IESG review.</t>
</section>
</back>
</rfc> </rfc>
 End of changes. 24 change blocks. 
1041 lines changed or deleted 751 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/