draft-ietf-geopriv-lis-discovery-04.txt   draft-ietf-geopriv-lis-discovery-05.txt 
GEOPRIV M. Thomson GEOPRIV M. Thomson
Internet-Draft J. Winterbottom Internet-Draft J. Winterbottom
Intended status: Standards Track Andrew Intended status: Standards Track Andrew
Expires: May 3, 2009 October 30, 2008 Expires: June 20, 2009 December 17, 2008
Discovering the Local Location Information Server (LIS) Discovering the Local Location Information Server (LIS)
draft-ietf-geopriv-lis-discovery-04 draft-ietf-geopriv-lis-discovery-05
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 3, 2009. This Internet-Draft will expire on June 20, 2009.
Abstract Abstract
A method is described for the discovery of a Location Information A method is described for the discovery of a Location Information
Server. The method uses a Dynamic Host Configuration Protocol (DHCP) Server. The method uses a Dynamic Host Configuration Protocol (DHCP)
option. DHCP options are defined for both IPv4 and IPv6 DHCP. A option. DHCP options are defined for both IPv4 and IPv6 DHCP. A
URI-enabled NAPTR (U-NAPTR) method is described for use where the URI-enabled NAPTR (U-NAPTR) method is described for use where the
DHCP option is unsuccessful. This document defines a U-NAPTR DHCP option is unsuccessful. This document defines a U-NAPTR
Application Service for a LIS, with a specific Application Protocol Application Service for a LIS, with a specific Application Protocol
for the HTTP Enabled Location Delivery (HELD) protocol. for the HTTP Enabled Location Delivery (HELD) protocol.
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. DHCP Discovery . . . . . . . . . . . . . . . . . . . . . . 3 1.1. DHCP Discovery . . . . . . . . . . . . . . . . . . . . . . 3
1.2. U-NAPTR Discovery . . . . . . . . . . . . . . . . . . . . 3 1.2. U-NAPTR Discovery . . . . . . . . . . . . . . . . . . . . 3
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. LIS Discovery Using DHCP . . . . . . . . . . . . . . . . . . . 5 2. LIS Discovery Using DHCP . . . . . . . . . . . . . . . . . . . 5
2.1. DHCPv4 Option for a LIS Address . . . . . . . . . . . . . 5 2.1. LIS Authentication . . . . . . . . . . . . . . . . . . . . 5
2.2. DHCPv6 Option for a LIS Address . . . . . . . . . . . . . 5 2.2. DHCPv4 Option for a LIS Address . . . . . . . . . . . . . 6
3. U-NAPTR for LIS Discovery . . . . . . . . . . . . . . . . . . 7 2.3. DHCPv6 Option for a LIS Address . . . . . . . . . . . . . 7
4. Determining the Access Network Domain Name . . . . . . . . . . 8 3. U-NAPTR for LIS Discovery . . . . . . . . . . . . . . . . . . 9
4.1. DHCP Domain Name Option . . . . . . . . . . . . . . . . . 8 3.1. Determining a Domain Name . . . . . . . . . . . . . . . . 10
4.2. Reverse DNS . . . . . . . . . . . . . . . . . . . . . . . 8 4. Overall Discovery Procedure . . . . . . . . . . . . . . . . . 11
4.2.1. Determining an External IP Address using STUN . . . . 9 4.1. Virtual Private Networks (VPNs) . . . . . . . . . . . . . 12
4.2.2. Alternate Methods for External IP Addresses . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
5. Overall Discovery Procedure . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
5.1. Virtual Private Networks (VPNs) . . . . . . . . . . . . . 13 6.1. Registration of DHCPv4 and DHCPv6 Option Codes . . . . . . 14
6. Access Network Guidance . . . . . . . . . . . . . . . . . . . 14 6.2. Registration of a Location Server Application Service
7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 6.3. Registration of a Location Server Application Protocol
8.1. Registration of DHCPv4 and DHCPv6 Option Codes . . . . . . 17 Tag for HELD . . . . . . . . . . . . . . . . . . . . . . . 14
8.2. Registration of a Location Server Application Service 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.3. Registration of a Location Server Application Protocol 8.1. Normative References . . . . . . . . . . . . . . . . . . . 17
Tag for HELD . . . . . . . . . . . . . . . . . . . . . . . 17 8.2. Informative References . . . . . . . . . . . . . . . . . . 17
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19 Appendix A. DHCP LIS URI Option Examples . . . . . . . . . . . . 19
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 A.1. LIS URI Only . . . . . . . . . . . . . . . . . . . . . . . 19
10.1. Normative References . . . . . . . . . . . . . . . . . . . 20 A.2. LIS URI with Fingerprint . . . . . . . . . . . . . . . . . 19
10.2. Informative References . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
Appendix A. Residential Broadband LIS Discovery Example . . . . . 22 Intellectual Property and Copyright Statements . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
Intellectual Property and Copyright Statements . . . . . . . . . . 26
1. Introduction and Overview 1. Introduction and Overview
Discovering a Location Information Server (LIS) is an important part The location of a device is a useful and sometimes necessary part of
of the location acquisition process. The LIS is an access network many services. A Location Information Server (LIS) is responsible
service that needs to be discovered before it can be used. This for providing that location information to devices with an access
document describes a method that a host can use to discover a URI for network. The LIS uses knowledge of the access network and its
a LIS. physical topology to generate and serve location information to
devices.
Each access network requires specific knowledge about topology.
Therefore, it is important to discover the LIS that has the specific
knowledge necessary to locate a device. That is, the LIS that serves
the current access network. Automatic discovery is important where
there is any chance of movement outside a single access network.
Reliance on static configuration can lead to unexpected errors if a
device moves between access networks.
This document describes DHCP options and DNS records that a device
can use to discover a LIS.
The product of a discovery process, such as the one described in this The product of a discovery process, such as the one described in this
document, is the address of the service. In this document, the document, is the address of the service. In this document, the
result is an http: or https: URI, which identifies a LIS. result is an http: or https: URI, which identifies a LIS.
The URI result from the discovery process is suitable for location The URI result from the discovery process is suitable for location
configuration only; that is, the client MUST dereference the URI configuration only; that is, the client MUST dereference the URI
using the process described in HELD using the process described in HELD
[I-D.ietf-geopriv-http-location-delivery]. URIs discovered in this [I-D.ietf-geopriv-http-location-delivery]. URIs discovered in this
way are not "location by reference" URIs; dereferencing one of them way are not "location by reference" URIs; dereferencing one of them
provides the location of the requester only. Clients MUST NOT embed provides the location of the requester only. Clients MUST NOT embed
these URIs in fields in other protocols designed to carry the these URIs in fields in other protocols designed to carry the
location of the client. location of the client.
The discovery process requires that the host first attempt LIS
discovery using Dynamic Host Configuration protocol (DHCP). If DHCP
is not available, or the option is not supported by the network, the
host attempts to discover the LIS using the DNS and URI-enabled
Naming Authority Pointer (U-NAPTR). Finally, the host can rely on
proprietary methods for determining the address of the LIS, including
static configuration.
1.1. DHCP Discovery 1.1. DHCP Discovery
DHCP ([RFC2131], [RFC3315]) is a commonly used mechanism for DHCP ([RFC2131], [RFC3315]) is a commonly used mechanism for
providing bootstrap configuration information allowing a host to providing bootstrap configuration information allowing a device to
operate in a specific network environment. The bulk of DHCP operate in a specific network environment. The bulk of DHCP
information is largely static; consisting of configuration information is largely static; consisting of configuration
information that does not change over the period that the host is information that does not change over the period that the device is
attached to the network. Physical location information might change attached to the network. Physical location information might change
over this time, however the address of the LIS does not. Thus, DHCP over this time, however the address of the LIS does not. Thus, DHCP
is suitable for configuring a host with the address of a LIS. is suitable for configuring a device with the address of a LIS.
1.2. U-NAPTR Discovery 1.2. U-NAPTR Discovery
Where DHCP is not available, the DNS might be able to provide a URI. Where DHCP is not available, the DNS might be able to provide a URI.
This document describes a method that uses URI-enabled NAPTR This document describes a method that uses URI-enabled NAPTR
(U-NAPTR) [RFC4848], a Dynamic Delegation Discovery Service (DDDS) (U-NAPTR) [RFC4848], a Dynamic Delegation Discovery Service (DDDS)
profile that supports URI results. profile that supports URI results.
For the LIS discovery DDDS application, an Application Service tag For the LIS discovery DDDS application, an Application Service tag
"LIS" and an Application Protocol tag "HELD" are created and "LIS" and an Application Protocol tag "HELD" are created and
registered with the IANA. Taking a domain name, this U-NAPTR registered with the IANA. Taking a domain name, this U-NAPTR
application uses the two tags to determine the LIS URI. application uses the two tags to determine the LIS URI.
A domain name is the crucial input to the U-NAPTR resolution process. A domain name is the crucial input to the U-NAPTR resolution process.
Section 4 of this document describes several methods for deriving an Section 3.1 of this document describes several methods for deriving
appropriate domain name. an appropriate domain name.
1.3. Terminology 1.3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
This document also uses the term "host" to refer to an end host, This document also uses the term "device" to refer to an end host, or
consistent with its use in DHCP documents. In RFC3693 [RFC3693] client consistent with its use in HELD. In HELD and RFC3693
parlance, the host is the Device, which might also be the Target. [RFC3693] parlance, the Device is also the Target.
The terms "access network" refers to the network that a host connects The terms "access network" refers to the network that a device
to for Internet access. The "access network provider" is the entity connects to for Internet access. The "access network provider" is
that operates the access network. This is consistent with the the entity that operates the access network. This is consistent with
definition in [I-D.ietf-geopriv-l7-lcp-ps] which combines the the definition in [I-D.ietf-geopriv-l7-lcp-ps] which combines the
Internet Access Provider (IAP) and Internet Service Provider (ISP). Internet Access Provider (IAP) and Internet Service Provider (ISP).
The access network provider is responsible for allocating the host a The access network provider is responsible for allocating the device
public IP address and for directly or indirectly providing a LIS a public IP address and for directly or indirectly providing a LIS
service. service.
2. LIS Discovery Using DHCP 2. LIS Discovery Using DHCP
DHCP allows the access network provider to specify the address of a DHCP allows the access network provider to specify the address of a
LIS as part of network configuration. If the host is able to acquire LIS as part of network configuration. If the device is able to
a LIS URI using DHCP then this URI is used directly; the U-NAPTR acquire a LIS URI using DHCP then this URI is used directly; the
process is not necessary if this option is provided. U-NAPTR process is not necessary if this option is provided.
This document registers DHCP options for a LIS address for both IPv4 This document registers DHCP options for a LIS address for both IPv4
and IPv6. and IPv6.
2.1. DHCPv4 Option for a LIS Address 2.1. LIS Authentication
The DHCP LIS URI option includes an optional authentication method
for the LIS. If an https: URI is provided for the LIS, the option
can optionally include a fingerprint of the server certificate. The
device can use this fingerprint to authenticate the server.
HTTP over TLS [RFC2818] describes how a host can be authenticated
based on an expected domain name. Relying exclusively on a domain
name for authentication is not appropriate for a LIS, since the
domain name associated with the access network might not be known.
Indeed, it is often innapropriate to attempt to assign any particular
domain name to an access network.
This specification defines an alternative means of establishing an
expected identity for the server that uses a certificate fingerprint.
The DHCP option includes a fingerprint for the server certificate
that is offered by the LIS when the associated URI is accessed.
An access network operator is still able to nominate authentication
based on a domain name. If no fingerprint information is included,
the device MUST authenticate the server using the method described in
Section 3.1 of RFC 2818 [RFC2818]. If a fingerprint exists, the
domain name method MUST NOT be used.
The certificate fingerprint can be ignored if the LIS URI doesn't
indicate a protocol that supports exchange of certificates (such as
http:). The LIS MUST be considered unauthenticated.
Note: Whether the device goes on to use the information provided by
an unauthenticated LIS depends on device policy. A device might
choose to continue with alternative methods of discovery before
falling back to an unauthenticated LIS.
The mechanism to generate a fingerprint is to take the hash of the
DER-encoded certificate using a cryptographically strong algorithm.
The hash algorithm used for generating the fingerprint is identified
by a textual name taken from the IANA registry "Hash Function Textual
Names" defined in [RFC4572]. Implementations MUST support SHA-1 as
the hash algorithm and use the label "sha-1" to identify the SHA-1
algorithm.
Multiple fingerprints MAY be included. If a hash algorithm is
indicated, but not supported by a device, it MUST choose the first
algorithm that it supports. If any supported fingerprint does not
match, the LIS MUST be considered as unauthenticated. If no hash
algorithm is supported by the device, it MUST consider the LIS to be
unauthenticated.
2.2. DHCPv4 Option for a LIS Address
This section defines a DHCP for IPv4 (DHCPv4) option for the address This section defines a DHCP for IPv4 (DHCPv4) option for the address
of a LIS. of a LIS.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LIS_URI | Length | URI ... . | LIS_URI | Length | F-Code(1) | F-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| URI ... | Hash-Type-Len | Hash-Type ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Fingerprint-Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| F-Code(0) | URI .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| URI (cont.) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: DHCPv4 LIS URI Option Figure 1: DHCPv4 LIS URI Option Example
LIS_URI: The IANA assigned option number (TBD). LIS_URI: The IANA assigned option number (TBD). [[IANA/RFC-Editor
Note: Please replace TBD with the assigned DHCPv4 option code.]]
Length: The length of the URI in octets. Length: The length of the entire LIS URI option in octets.
URI: The address of the LIS. This URI SHOULD NOT be more than 253 F-Code: A single octet indicates the type of data that follows:
bytes in length, but MAY be extended by concatenating multiple fingerprint or URI. A value of 1 indicates that the following
option values, as described in [RFC3396]. The URI MUST NOT be data includes a certificate fingerprint. A value of 0 indicates
NULL terminated. that no more supplementary data is included and the URI follows.
An "F-Code" with a value of 0 MUST be included.
2.2. DHCPv6 Option for a LIS Address Values other than zero or one MAY be ignored. Any other value
MUST be specified in a standards track RFC that SHOULD establish
an IANA registry.
F-Length: If the "F-Code" is non-zero, it MUST be followed by an
octet that indicates the length, in octets, of the data. This
value includes the sum of the lengths of: "Hash-Type-Len",
"Hash-Type", and "Fingerprint-Value".
Hash-Type-Len: The length, in octets, of the "Hash-Type" field.
Hash-Type: A text tag that identifies the hash algorithm used to
generate the fingerprint. The set of values are defined in the
"Hash Function Textual Names" IANA registry [RFC4572].
Fingerprint-Value: The octet values of the certificate fingerprint.
The length of this field is defined by the hash algorithm and MUST
match the remainder of the fingerprint data. If this does not
equal the value of "F-Length" less the length "Hash-Type-Len" and
"Hash-Type", the fingerprint MUST be considered invalid.
Note: An invalid fingerprint is not equivalent to no fingerprint.
URI: The address of the LIS. The URI takes the remainder of the
DHCP option. The URI MUST NOT be NULL terminated.
The DHCPv4 version of this URI SHOULD NOT exceed 225 octets in
length, but MAY be extended by concatenating multiple option
values, as described in [RFC3396].
2.3. DHCPv6 Option for a LIS Address
This section defines a DHCP for IPv6 (DHCPv6) option for the address This section defines a DHCP for IPv6 (DHCPv6) option for the address
of a LIS. The DHCPv6 option for this parameter is similarly of a LIS. The DHCPv6 option for this parameter is similarly
formatted to the DHCPv4 option. formatted to the DHCPv4 option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_LIS_URI | Length | | OPTION_LIS_URI | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| URI ... | F-Code(1) | F-Length | Hash-Type-Len | Hash-Type ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Fingerprint-Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| F-Code(0) | URI .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| URI (cont.) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: DHCPv6 LIS URI Option
OPTION_LIS_URI: The IANA assigned option number (TBD). Figure 2: DHCPv6 LIS URI Option
OPTION_LIS_URI: The IANA assigned option number (TBD). [[IANA/
RFC-Editor Note: Please replace TBD with the assigned DHCPv6
option code.]]
Length: The length of the URI in octets. Length: The length of the LIS URI option in octets.
URI: The address of the LIS. The URI MUST NOT be NULL terminated. The format of remainder of the LIS URI option is identical to the
DHCPv4 option.
3. U-NAPTR for LIS Discovery 3. U-NAPTR for LIS Discovery
U-NAPTR resolution for a LIS takes a domain name as input and U-NAPTR resolution for a LIS takes a domain name as input and
produces a URI that identifies the LIS. This process also requires produces a URI that identifies the LIS. This process also requires
an Application Service tag and an Application Protocol tag, which an Application Service tag and an Application Protocol tag, which
differentiate LIS-related NAPTR records from other records for that differentiate LIS-related NAPTR records from other records for that
domain. domain.
Section 8.2 defines an Application Service tag of "LIS", which is Section 6.2 defines an Application Service tag of "LIS", which is
used to identify the location service for a particular domain. The used to identify the location service for a particular domain. The
Application Protocol tag "HELD", defined in Section 8.3, is used to Application Protocol tag "HELD", defined in Section 6.3, is used to
identify a LIS that understands the HELD protocol identify a LIS that understands the HELD protocol
[I-D.ietf-geopriv-http-location-delivery]. [I-D.ietf-geopriv-http-location-delivery].
The NAPTR records in the following example demonstrate the use of the The NAPTR records in the following example demonstrate the use of the
Application Service and Protocol tags. Iterative NAPTR resolution is Application Service and Protocol tags. Iterative NAPTR resolution is
used to delegate responsibility for the LIS service from used to delegate responsibility for the LIS service from
"zonea.example.com." and "zoneb.example.com." to "zonea.example.net." and "zoneb.example.net." to
"outsource.example.com.". "outsource.example.com.".
zonea.example.com. zonea.example.net.
;; order pref flags ;; order pref flags
IN NAPTR 100 10 "" "LIS:HELD" ( ; service IN NAPTR 100 10 "" "LIS:HELD" ( ; service
"" ; regex "" ; regex
outsource.example.com. ; replacement outsource.example.com. ; replacement
) )
zoneb.example.com. zoneb.example.net.
;; order pref flags ;; order pref flags
IN NAPTR 100 10 "" "LIS:HELD" ( ; service IN NAPTR 100 10 "" "LIS:HELD" ( ; service
"" ; regex "" ; regex
outsource.example.com. ; replacement outsource.example.com. ; replacement
) )
outsource.example.com. outsource.example.com.
;; order pref flags ;; order pref flags
IN NAPTR 100 10 "u" "LIS:HELD" ( ; service IN NAPTR 100 10 "u" "LIS:HELD" ( ; service
"!*.!https://lis.outsource.example.com/!" ; regex "!*.!https://lis.example.org:4802/?c=ex!" ; regex
. ; replacement . ; replacement
) )
Figure 3: Sample LIS:HELD Service NAPTR Records Figure 3: Sample LIS:HELD Service NAPTR Records
Details for the "LIS" Application Service tag and the "HELD" Details for the "LIS" Application Service tag and the "HELD"
Application Protocol tag are included in Section 8. Application Protocol tag are included in Section 6.
4. Determining the Access Network Domain Name
The U-NAPTR discovery method described in Section 3 requires that the
domain name applicable to the access network is known. An
unconfigured host might not have this information, therefore it must
determine this value before the U-NAPTR method can be attempted.
This section describes several methods for discovering a domain name
for the local access network. Each method is attempted where
applicable until a domain name is derived. If a domain name is
successfully derived but that domain name does not produce any
U-NAPTR records, alternative methods can be attempted to determine
additional domain names. Reattempting with different methods is
particularly applicable when NAT is used, as is shown in
Section 4.2.1.
4.1. DHCP Domain Name Option
For IP version 4, Dynamic Host Configuration Protocol (DHCP) option
15 [RFC2131] includes the domain name suffix for the host. If DHCP
and option 15 are available, this value should be used as input the
U-NAPTR procedure.
Alternatively, a fully qualified domain name (FQDN) for the host
might be provided by the server ([RFC4702] for DHCPv4, [RFC4704] for
DHCPv6). The domain part of the FQDN can be used as input to the
U-NAPTR resolution and is obtained by removing the first label. If
the host has provided a fully qualified domain name using this
option, it SHOULD NOT be used - the domain known to the host might
not be the same as that of the access network.
Note that these options should only be used if the LIS address option
is not available; they SHOULD be used if DHCP is available.
4.2. Reverse DNS
DNS "PTR" records in the "in-addr.arpa." domain can be used to
determine the domain name of a host, and therefore, the name of the
domain for that host. The use of the "in-addr.arpa." domain is
described in [RFC1034] and results in the domain name of the host.
Likewise, IPv6 hosts use the "ip6.arpa." domain. In the majority of
cases, the domain part of this name (everything excluding the first
label) is also the domain name for the access network. Assuming that
this is true, this domain name can be used as input to the U-NAPTR
process.
For example, for an address of "192.0.2.3", if the "PTR" record at
"3.2.0.192.in-addr.arpa." refers to "h3-2-0-192.example.com.", this
results in a U-NAPTR search for "example.com."
The DNS hierarchy does not necessarily directly map onto a network
topology (see [RFC4367]); therefore, this method MUST only be used
for the domain name determined by removing the first label only.
This method assumes that the access network provider also provides
the reverse DNS record and they control the domain that is indicated
in the "PTR" record.
Furthermore, this method might not apply where a host is given a
domain name that is different from the domain name of the access
network. This might occur in some hosting configurations, such as
where a number of web server hosts, with widely varying domain names,
are co-located. From the above example, the access network provider
allocated "10.1.2.3" to the host; therefore, they also need to
control the DNS domain "example.com" and the associated NAPTR
records. DNS Security Extensions (DNSSEC) [RFC4033] provides a
cryptographic means of validating this association, through data
origin authentication.
4.2.1. Determining an External IP Address using STUN
Reverse DNS relies on knowing the IP address of a host within the
access domain. Initially, this SHOULD be attempted using the IP
address that is assigned to a local interface on the host. However,
when a NAT device exists between the device and the Internet, the
public IP address of the NAT device is substituted for the source IP
address. The IP address of the NAT device and the corresponding
domain name can be used to discover the LIS.
In order to use reverse DNS in this configuration, the hosts need to
know the IP address that the NAT device uses. A host can use the
Session Traversal Utilities for NAT (STUN)
[I-D.ietf-behave-rfc3489bis] to determine a public IP address. The
host uses the "Binding Request" message and the resulting
"XOR-MAPPED-ADDRESS" parameter that is returned in the response.
These methods are particularly useful in residential broadband
configurations. A large proportion of residential broadband services
employ a NAT device so that several hosts can share the same Internet
access. Since the network behind the NAT device are generally very
small, both in numbers and geographical area, it isn't necessary for
a LIS to operate within that network; the hosts are able to access a
LIS in the access network outside of the NAT device.
The following figure shows a typical home broadband deployment
scenario. In this scenario, the public address of the Router/NAT can
be used to discover the LIS in the access network.
+-----+
| LIS |
+--+--+
/ ________
+------+ +------------+ / (/ \) +------+
| Host |-----| Router/NAT |----+----(( Internet ))----| STUN |
+------+ ^ +------------+ ^ (\________/) +------+
| |
Home Network Access Network
(Private)
Using STUN requires cooperation from a publicly accessible STUN
server. The host also requires configuration information that
identifies the STUN server, or a domain name that can be used for
STUN server discovery. To be selected for this purpose, the STUN
server needs to provide the public reflexive transport address of the
host; STUN servers that provide private addresses for any reason are
not appropriate for LIS discovery.
4.2.2. Alternate Methods for External IP Addresses
Alternative methods for determining other IP addresses MAY be used by
the host. Universal Plug and Play (UPnP) [UPnP-IGD-WANIPConnection1]
and NAT Port Mapping Protocol (NAT-PMP) [I-D.cheshire-nat-pmp] are
both able to provide the external address of a routing device.
Proprietary methods for determining other addresses might also be
available. Because there is no assurance that these methods will be
supported by any access network these methods are not mandated.
The source IP address in any IP packet can be used to determine the U-NAPTR MUST only be used if the DHCP LIS URI option is not
public IP address of a host. While the STUN method uses a small part available.
of a more sophisticated protocol, this principle can be applied using
any other protocol. Like STUN, this method requires prior knowledge
of the publicly accessible server and the method that it supports.
For instance, a publicly accessible host could be configured to An https: LIS URI that is a product of U-NAPTR MUST be authenticated
respond to a UDP packet on a predefined port; the data of the using the domain name method described in Section 3.1 of RFC 2818
response could contain the source IP address that was in the request. [RFC2818].
Alternatively, a HTTP server at a particular URL could be configured
to respond to a GET request with a "text/plain" body containing the
IP address of the requester. HTTP proxies render this method
unusable; in particular, transparent HTTP proxies might affect the
results of this method without the knowledge of the host. Such
services already exist on the public Internet.
The discovery procedure assumes that the correct LIS is in a network 3.1. Determining a Domain Name
segment that is closer to the host. Each network segment between the
host and LIS decreases the chance that the LIS is able to correctly
determine a location for the host.
Discovery methods follow an order of precedence. The exception is The U-NAPTR discovery method described requires a domain name as
for alternative methods of determining the hosts IP address in each input. This document does not specify how that domain name is
network segment; precedence is given to addresses in the network acquired by a device. If a device knows one or more of the domain
segments closer to the host. Therefore, the host attempts to use the names assigned to it, it MAY attempt to use each domain name as
IP address assigned to its local network interface before attempting input. Static configuration of a device is possible if a domain name
to determine alternative IP addresses. Precedence is given to is known to work for this purpose.
methods that provide an IP address in network segments closer to the
host, since these networks are more likely to have knowledge of the
physical network access. Methods for determining addresses on the
public Internet are given lower precedence.
5. Overall Discovery Procedure A fully qualified domain name (FQDN) for the device might be provided
by a DHCP server ([RFC4702] for DHCPv4, [RFC4704] for DHCPv6).
DHCPv4 option 15 [RFC2131] could also be used as a source of a domain
name suffix for the device. If DHCP and any of these options are
available, these values could be used as input the U-NAPTR procedure;
however, implementers need to be aware that many DHCP servers do not
provide a sensible value for these options.
To claim compliance with this document, a host MUST support both DHCP 4. Overall Discovery Procedure
discovery and U-NAPTR discovery. Further, the host MUST support
retrieval of domain name from DHCP and reverse DNS, using a local
interface address and the reflexive transport address provided by
STUN. Additional methods for determining the IP address of the host
in different network segments are optional.
These individual components of discovery are combined into a single The individual components of discovery are combined into a single
discovery procedure. Some networks maintain a topology analogous to discovery procedure. Some networks maintain a topology analogous to
an onion and are comprised of layers, or segments, separating hosts an onion and are comprised of layers, or segments, separating hosts
from the Internet through intermediate networks. Applying the from the Internet through intermediate networks. Applying the
individual discovery methods in the following order provides a higher individual discovery methods in an order that favours a physically
probability that a host discovers the LIS physically closest to it: proximate LIS over a remote LIS is preferred.
1. DHCP LIS URI Option
2. DNS U-NAPTR Discovery, using the domain name from:
A. DHCP Domain Name Option A host MUST support DHCP discovery and MAY support U-NAPTR discovery.
The process described in this document is known to not work in a very
common deployment scenario, namely the fixed wired environment
described in Section 3.1 of [I-D.ietf-geopriv-l7-lcp-ps].
Alternative methods of discovery to address this limitation are
likely.
B. Reverse DNS, using the IP address from: The following process ensures a greater likelihood of a LIS in close
physical proximity being discovered:
1. the local network interface and immediate network segment 1. Request the DHCP LIS URI Option for each network interface.
2. the public reflexive transport address, as revealed by 2. Use U-NAPTR to discover a LIS URI using all known domain names.
STUN
3. Alternative methods, including static configuration 3. Use a statically configured LIS URI.
A host that has multiple network interfaces could potentially be A host that has multiple network interfaces could potentially be
served by a different access network on each interface, each with a served by a different access network on each interface, each with a
different LIS. The host SHOULD attempt to discover the LIS different LIS. The host SHOULD attempt to discover the LIS
applicable to each network interface, stopping when a LIS is applicable to each network interface, stopping when a LIS is
successfully discovered on any interface. successfully discovered on any interface.
A host that discovers a LIS URI MUST attempt to verify that the LIS A host that discovers a LIS URI MUST attempt to verify that the LIS
is able to provide location information. For the HELD protocol, the is able to provide location information. For the HELD protocol, the
host MUST make a location request to the LIS. If the LIS responds to host MUST make a location request to the LIS. If the LIS responds to
this request with the "notLocatable" error code (see Section 4.3.2 of this request with the "notLocatable" error code (see Section 4.3.2 of
[I-D.ietf-geopriv-http-location-delivery]), the host MUST continue [I-D.ietf-geopriv-http-location-delivery]), the host MUST continue
the discovery process and not make further requests to that LIS on the discovery process and not make further requests to that LIS on
that network interface. that network interface.
DHCP discovery MUST be attempted before DNS discovery. This allows DHCP discovery MUST be attempted before any other discovery method.
the network access provider a direct and explicit means of This allows the network access provider a direct and explicit means
configuring a LIS address. DNS discovery is used as a failsafe, of configuring a LIS address. Alternative methods are only specified
providing a means to discover a LIS where the DHCP infrastructure as a means to discover a LIS where the DHCP infrastructure does not
does not support the LIS URI option. support the LIS URI option.
LIS discovery through DNS requires the host to determine the domain
name of the local access network. Where DHCP is available, the DHCP
domain name option (Section 4.1) can be used to provide this
information. If the domain name cannot be determined from DHCP, or
the resulting domain name fails to yield a valid LIS address then
reverse DNS is used. Alternative methods for determining the domain
name MAY be used, providing they consider the guidance in
Section 4.2.2.
Static host configuration MAY be used to provide a LIS address if This document does not mandate any particular source for the domain
both DHCP and DNS methods fail. Note however, that if a host has name that is used as input to U-NAPTR. Alternative methods for
moved from its customary location, static configuration might determining the domain name MAY be used.
indicate a LIS that is unable to provide a location.
If the discovery process fails, user interaction is NOT RECOMMENDED. Static configuration MAY be used if all other discovery methods fail.
The discovery process is not easily diagnosed by a user. Note however, that if a host has moved from its customary location,
static configuration might indicate a LIS that is unable to provide a
location.
The product of the LIS discovery process is an http: or https: URI. The product of the LIS discovery process is an http: or https: URI.
Nothing distinguishes this URI from other URIs with the same scheme, Nothing distinguishes this URI from other URIs with the same scheme,
aside from the fact that it is the product of this process. Only aside from the fact that it is the product of this process. Only
URIs produced by the discovery process can be used for location URIs produced by the discovery process can be used for location
configuration using HELD. URIs that are not a product of LIS configuration using HELD. URIs that are not a product of LIS
discovery MUST NOT be used for location configuration. discovery MUST NOT be used for location configuration.
5.1. Virtual Private Networks (VPNs) 4.1. Virtual Private Networks (VPNs)
LIS discovery over a VPN network interface SHOULD NOT be performed
since such a LIS does not have the physical presence generally
necessary to determine location. However, since not all interfaces
connected to a VPN can be detected by hosts, a LIS SHOULD NOT provide
location information in response to requests originating from a VPN
pool. This ensures that even if a host discovers a LIS over the VPN,
it does not rely on a LIS that is unable to provide accurate location
information. The exception to this is where the LIS and host are
able to determine a location without access network support.
6. Access Network Guidance
In order to successfully discover a LIS, a host relies on information
provided by the access network. DHCP and DNS servers need to be able
to provide the data that the device depends on. This section
provides guidance on what information needs to be made available to a
host for it to successfully discover a LIS.
Access networks that provide both a LIS and a DHCP server must
provide the DHCP option for the LIS address. Since DHCP must be
attempted first, if it can be guaranteed that DHCP can be used by all
hosts in the network, no further configuration is necessary.
Unless DHCP can be relied upon for all hosts in the network (see
[I-D.ietf-geopriv-l7-lcp-ps] for common scenarios where this isn't
the case), DNS discovery methods must also be supported. To support
the DNS discovery methods, the access network must provide two sets
of DNS records: the (U-)NAPTR records that enable the discovery of a
LIS URI from a domain name; and the reverse DNS records that enable
the discovery of a domain name based on the IP address of the host.
Access networks that provide a LIS should also provide reverse DNS
records for all IP addresses they administer. For each domain that
is referenced in reverse DNS records, a NAPTR record in that domain
must be provided for the "LIS:HELD" service that can be used to
resolve the address of a LIS.
The requirement for PTR and NAPTR records extends to both public and
private addresses used by access networks. A host that discovers the
external address of a router by proprietary means must be able to use
the resulting private address as input to a reverse DNS lookup and
U-NAPTR discovery. Similarly, a host that discovers a public
reflexive transport address using STUN must be able to use the public
address.
The following figure shows the addresses that could be revealed by a
first hop method, like UPnP [UPnP-IGD-WANIPConnection1] or NAT-PMP
[I-D.cheshire-nat-pmp] (the private address marked with '{N}') and
STUN (the public address marked with '{S}'). The access network
provider should provide the necessary DNS records for both of these
addresses.
+-----+ +------+ LIS discovery over a VPN network interface SHOULD NOT be performed.
| LIS | | STUN | A LIS discovered in this way is unlikely to have the information
+--+--+ +---+--+ necessary to determine an accurate location.
{N} / {S} _____/__
+------+ +------------+ / / +-----+ / (/ \)
| Host |-----| Router/NAT |----+----| NAT |----(( Internet ))
+------+ ^ +------------+ ^ +-----+ (\________/)
| |
Home Network Access Network
(Private) (Private)
Note: The DHCP domain name option is notably absent from this Since not all interfaces connected to a VPN can be detected by hosts,
guidance. The domain name option provides a quicker and more a LIS SHOULD NOT provide location information in response to requests
reliable means to discover the domain name in the case where a that it can identify as originating from a VPN pool. This ensures
DHCP server does not support the LIS URI option. If DHCP is that even if a host discovers a LIS over the VPN, it does not rely on
available, it is expected that access network providers use the a LIS that is unable to provide accurate location information. The
LIS URI option. exception to this is where the LIS and host are able to determine a
location without access network support.
7. Security Considerations 5. Security Considerations
The primary attack against the methods described in this document is The primary attack against the methods described in this document is
one that would lead to impersonation of a LIS. The LIS is one that would lead to impersonation of a LIS. The LIS is
responsible for providing location information and this information responsible for providing location information and this information
is critical to a number of network services; furthermore, a host does is critical to a number of network services; furthermore, a host does
not necessarily have a prior relationship with a LIS. Several not necessarily have a prior relationship with a LIS. Several
methods are described here that can limit the probablity of, or methods are described here that can limit the probablity of, or
provide some protection against, such an attack. provide some protection against, such an attack.
The address of a LIS is usually well-known within an access network; The address of a LIS is usually well-known within an access network;
skipping to change at page 16, line 27 skipping to change at page 13, line 27
concerns. concerns.
If DHCP is used, the integrity of DHCP options is limited by the If DHCP is used, the integrity of DHCP options is limited by the
security of the channel over which they are provided. Physical security of the channel over which they are provided. Physical
security and separation of DHCP messages from other packets are security and separation of DHCP messages from other packets are
commonplace methods that can reduce the possibility of attack within commonplace methods that can reduce the possibility of attack within
an access network; alternatively, DHCP authentication [RFC3118] can an access network; alternatively, DHCP authentication [RFC3118] can
provide a degree of protection against modification. provide a degree of protection against modification.
An attacker could attempt to compromise the U-NAPTR resolution. A An attacker could attempt to compromise the U-NAPTR resolution. A
description of the security considerations for U-NAPTR applications more thorough description of the security considerations for U-NAPTR
is included in [RFC4848]. applications is included in [RFC4848].
In addition to considerations related to U-NAPTR, it is important to In addition to considerations related to U-NAPTR, it is important to
recognize that the output of this is entirely dependent on its input. recognize that the output of this is entirely dependent on its input.
An attacker who can control the domain name can also control the An attacker who can control the domain name is therefore able to
final URI. Because a number of methods are provided for determining control the final URI. Any mechanism for automatically determining
the domain name, a host implementation needs to consider attacks such a domain name MUST consider such attacks.
against each of the methods that are used.
Reverse DNS is subject to the maintenance of the "in-addr.arpa." or
"ip6.arpa." domain and the integrity of the results that it provides.
DNSSEC [RFC4033] provides some measures that can improve the
reliability of DNS results. In particular, DNSSEC SHOULD be applied
to ensure that the reverse DNS record and the resulting domain are
provided by the same entity before this method is used. Without this
assurance, the host cannot be certain that the access network
provider has provided the NAPTR record for the domain name that is
provided.
Hosts behind NAT devices are also subject to attacks when retrieving
their public IP address. [I-D.ietf-behave-rfc3489bis] describes some
means of mitigating this attack for STUN.
8. IANA Considerations 6. IANA Considerations
8.1. Registration of DHCPv4 and DHCPv6 Option Codes 6.1. Registration of DHCPv4 and DHCPv6 Option Codes
The IANA is requested to assign an option code for the DHCPv4 option The IANA is requested to assign an option code for the DHCPv4 option
for a LIS address, as described in Section 2.1 of this document. for a LIS address, as described in Section 2.2 of this document.
The IANA is requested to assign an option code for the DHCPv6 option The IANA is requested to assign an option code for the DHCPv6 option
for a LIS address, as described in Section 2.2 of this document. for a LIS address, as described in Section 2.3 of this document.
8.2. Registration of a Location Server Application Service Tag 6.2. Registration of a Location Server Application Service Tag
This section registers a new S-NAPTR/U-NAPTR Application Service tag This section registers a new S-NAPTR/U-NAPTR Application Service tag
for a LIS, as mandated by [RFC3958]. for a LIS, as mandated by [RFC3958].
Application Service Tag: LIS Application Service Tag: LIS
Intended usage: Identifies a service that provides a host with its Intended usage: Identifies a service that provides a host with its
location information. location information.
Defining publication: RFCXXXX Defining publication: RFCXXXX
Related publications: HELD [I-D.ietf-geopriv-http-location-delivery] Related publications: HELD [I-D.ietf-geopriv-http-location-delivery]
Contact information: The authors of this document Contact information: The authors of this document
Author/Change controller: The IESG Author/Change controller: The IESG
8.3. Registration of a Location Server Application Protocol Tag for 6.3. Registration of a Location Server Application Protocol Tag for
HELD HELD
This section registers a new S-NAPTR/U-NAPTR Application Protocol tag This section registers a new S-NAPTR/U-NAPTR Application Protocol tag
for the HELD [I-D.ietf-geopriv-http-location-delivery] protocol, as for the HELD [I-D.ietf-geopriv-http-location-delivery] protocol, as
mandated by [RFC3958]. mandated by [RFC3958].
Application Service Tag: HELD Application Service Tag: HELD
Intended Usage: Identifies the HELD protocol. Intended Usage: Identifies the HELD protocol.
skipping to change at page 19, line 5 skipping to change at page 16, line 5
Terminal NAPTR Record Type(s): U Terminal NAPTR Record Type(s): U
Defining Publication: RFCXXXX Defining Publication: RFCXXXX
Related Publications: HELD [I-D.ietf-geopriv-http-location-delivery] Related Publications: HELD [I-D.ietf-geopriv-http-location-delivery]
Contact Information: The authors of this document Contact Information: The authors of this document
Author/Change Controller: The IESG Author/Change Controller: The IESG
9. Acknowledgements 7. Acknowledgements
The authors would like to thank Leslie Daigle for her work on The authors would like to thank Leslie Daigle for her work on
U-NAPTR; Peter Koch for his feedback on the DNS aspects of this U-NAPTR; Peter Koch for his feedback on the DNS aspects of this
document; Andy Newton for constructive suggestions with regards to document; Andy Newton for constructive suggestions with regards to
document direction; Hannes Tschofenig and Richard Barnes for input document direction; Hannes Tschofenig and Richard Barnes for input
and reviews; Dean Willis for constructive feedback. and reviews; Dean Willis for constructive feedback; Pasi Eronen for
the certificate fingerprint concept.
10. References
10.1. Normative References 8. References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 8.1. Normative References
STD 13, RFC 1034, November 1987.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, March 1997. RFC 2131, March 1997.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003. IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3396] Lemon, T. and S. Cheshire, "Encoding Long Options in the [RFC3396] Lemon, T. and S. Cheshire, "Encoding Long Options in the
Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396, Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396,
November 2002. November 2002.
[RFC4572] Lennox, J., "Connection-Oriented Media Transport over the
Transport Layer Security (TLS) Protocol in the Session
Description Protocol (SDP)", RFC 4572, July 2006.
[RFC4702] Stapp, M., Volz, B., and Y. Rekhter, "The Dynamic Host [RFC4702] Stapp, M., Volz, B., and Y. Rekhter, "The Dynamic Host
Configuration Protocol (DHCP) Client Fully Qualified Configuration Protocol (DHCP) Client Fully Qualified
Domain Name (FQDN) Option", RFC 4702, October 2006. Domain Name (FQDN) Option", RFC 4702, October 2006.
[RFC4704] Volz, B., "The Dynamic Host Configuration Protocol for [RFC4704] Volz, B., "The Dynamic Host Configuration Protocol for
IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN)
Option", RFC 4704, October 2006. Option", RFC 4704, October 2006.
[RFC4848] Daigle, L., "Domain-Based Application Service Location [RFC4848] Daigle, L., "Domain-Based Application Service Location
Using URIs and the Dynamic Delegation Discovery Service Using URIs and the Dynamic Delegation Discovery Service
(DDDS)", RFC 4848, April 2007. (DDDS)", RFC 4848, April 2007.
[I-D.ietf-behave-rfc3489bis] [I-D.ietf-geopriv-http-location-delivery]
Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, Barnes, M., Winterbottom, J., Thomson, M., and B. Stark,
"Session Traversal Utilities for NAT (STUN)", "HTTP Enabled Location Delivery (HELD)",
draft-ietf-behave-rfc3489bis-18 (work in progress), draft-ietf-geopriv-http-location-delivery-10 (work in
July 2008. progress), October 2008.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
10.2. Informative References 8.2. Informative References
[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001. Messages", RFC 3118, June 2001.
[RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and [RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and
J. Polk, "Geopriv Requirements", RFC 3693, February 2004. J. Polk, "Geopriv Requirements", RFC 3693, February 2004.
[RFC3958] Daigle, L. and A. Newton, "Domain-Based Application [RFC3958] Daigle, L. and A. Newton, "Domain-Based Application
Service Location Using SRV RRs and the Dynamic Delegation Service Location Using SRV RRs and the Dynamic Delegation
Discovery Service (DDDS)", RFC 3958, January 2005. Discovery Service (DDDS)", RFC 3958, January 2005.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4367] Rosenberg, J. and IAB, "What's in a Name: False
Assumptions about DNS Names", RFC 4367, February 2006.
[I-D.ietf-geopriv-l7-lcp-ps] [I-D.ietf-geopriv-l7-lcp-ps]
Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7
Location Configuration Protocol; Problem Statement and Location Configuration Protocol; Problem Statement and
Requirements", draft-ietf-geopriv-l7-lcp-ps-08 (work in Requirements", draft-ietf-geopriv-l7-lcp-ps-08 (work in
progress), June 2008. progress), June 2008.
[I-D.ietf-geopriv-http-location-delivery] Appendix A. DHCP LIS URI Option Examples
Barnes, M., Winterbottom, J., Thomson, M., and B. Stark,
"HTTP Enabled Location Delivery (HELD)",
draft-ietf-geopriv-http-location-delivery-10 (work in
progress), October 2008.
[UPnP-IGD-WANIPConnection1]
UPnP Forum, "Internet Gateway Device (IGD) Standardized
Device Control Protocol V 1.0: WANIPConnection:1 Service
Template Version 1.01 For UPnP Version 1.0", DCP 05-001,
Nov 2001.
[I-D.cheshire-nat-pmp]
Cheshire, S., "NAT Port Mapping Protocol (NAT-PMP)",
draft-cheshire-nat-pmp-03 (work in progress), April 2008.
Appendix A. Residential Broadband LIS Discovery Example A.1. LIS URI Only
This example shows how LIS discovery using U-NAPTR and DNS might be Figure 4 shows an example LIS URI option for DHCPv6 in hexadecimal
performed in a residential broadband scenario. The assumed network form. This example is the simplest form, with an http: URI and no
topology for this network is shown in Figure 4. fingerprint information.
+-----+ Hexadecimal representation of LIS option, including the leading
| DNS | DHCPv4 option code and length octets: [[IANA/RFC-Editor Note: Please
(DHCP Server) +-----+ replace instances of "??:??" in the following example with the
\ | ________ hexadecimal representation of the IANA allocated DHCPv6 option code;
+------+ +--------+ | (/ \) replace "???" with the decimal representation of the IANA allocated
| Host |-----| Router |-------+---+---(( Internet )) DHCPv6 option code.]]
+------+ +--------+ | (\________/)
{192.168.0.55} {192.0.2.75} | \
+-----+ \
| LIS | +--------+
. +-----+ . | STUN |
: : | Server |
| Access | +--------+
|<-- Network -->|
(my.isp.net)
Figure 4: Example Network Topology ??:??:00:1d:00:68:74:74:70:3a:2f:2f:6c:69:73:2e:65:78:61:6d:
70:6c:65:2e:6f:72:67:3a:34:38:30:31:2f
In this example, the host sits behind a home router that includes a Octet Value Description
NAT function. The host is assigned an address from the private ------- ------- --------------------------------------------------
192.168.x.x address range, in this case 192.168.0.55. The outbound 00-01 ??:?? LIS URI Option Code (???)
IP address provided to the home router is public and and belongs to 02 00:1d Option Length = 29
the my.isp.net domain; in this example the home router is assigned 03 00 F-Code = 0 (URI)
192.0.2.75, which is also given the domain name 192-0-2-
75.my.isp.net.
In this example, several methods are not possible due to the 04- 68:74:74:70:3a:2f:2f:6c:69:73:2e:65:78:61:6d:70:
configuration of the devices and network. The DHCP server on the -1f 6c:65:2e:6f:72:67:3a:34:38:30:31:2f
home router does not support the LIS URI option, and a domain name is - LIS URI = "http://lis.example.org:4801/"
not configured on the router. In addition to this, the UPnP service
on home router is disabled. Therefore, the host attempts these
methods and is unsuccessful.
The example first covers the unsuccessful attempts to discover the Figure 4: Example of a Simple LIS URI Option
LIS, followed by a successful application of DNS discovery based on
an address provided by a STUN server. In this situation, the STUN
server is provided by a Voice Service Provider (VSP) that the owner
of the host purchases a voice service from. The address of the STUN
server is configured on the host. The VSP is a separate entity on
the public Internet with no relation to the access network provider.
The sequence diagram below shows each of the failed attempts to A.2. LIS URI with Fingerprint
discover the LIS, followed by the successful discovery using the STUN
server, reverse DNS and the DNS discovery method.
+-------+ +--------+ +-----+ +-----+ +--------+ Figure 5 shows an example LIS URI option for DHCPv4 in hexadecimal
| Host | | Router | | DNS | | LIS | | STUN | form. This example shows the inclusion of two fingerprints, the
+---+---+ +----+---+ +--+--+ +--+--+ +---+----+ first based on SHA-256, and the second based on SHA-1.
| | | | |
1 +--- DHCPINFORM -->| | | |
| | | | |
2 |<---- DHCPACK ----+ | | |
| | | | |
3 +------- DNS: PTR ------------->| | |
| 55.0.168.192.in-addr.arpa. | | |
| | | | |
4 |<------ DNS: no domain --------+ | |
| | | | |
5 +---------------- STUN: Binding Request --------------->|
| | | | |
6 |<-------- STUN: XOR-MAPPED-ADDRESS (192.0.2.75) -------+
| | | | |
7 +------- DNS: PTR ------------->| | |
| 75.2.0.192.in-addr.arpa. | | |
| | | | |
8 |<--- 192-0-2-205.my.isp.net ---+ | |
| | | | |
9 +--- DNS: NAPTR my.isp.net ---->| | |
| | | | |
10 |<--- https://lis.my.isp.net/ --+ | |
| | | | |
11 +-------- HELD: locationRequest ----------->| |
| | | | |
. . . . .
Figure 5: LIS Discovery Sequence Hexadecimal representation of LIS option, including the leading
DHCPv4 option code and length octets: [[IANA/RFC-Editor Note: Please
replace two instances of "??" in the following example with the
hexadecimal representation of the IANA allocated DHCPv4 option code;
replace "???" with the decimal representation of the IANA allocated
DHCPv4 option code.]]
1. The host makes a DHCP request for the LIS URI option. To reduce ??:69:01:28:07:73:68:61:2d:32:35:36:49:20:77:6f:6e:64:65:72:
the overall time required in case the LIS URI option is not 20:69:66:74:68:69:73:20:77:69:6c:6c:20:62:65:20:6e:6f:74:69:
available, the host also requests the domain name option. 63:65:64:3f:01:1a:07:73:68:61:2d:31:39:39:62:6f:74:74:6c:65:
73:6f:66:62:65:65:72:6f:6e:74:68:65:00:68:74:74:70:73:3a:2f:
2f:6c:69:73:2e:65:78:61:6d:70:6c:65:2e:6f:72:67:3a:34:38:30:
32:2f:3f:63:3d:65:78
2. The DHCP server (in the home router) responds but cannot provide Octet Value Description
either option. Therefore, the host is unable to use the DHCP ------- ------- --------------------------------------------------
method, or use the domain name to perform U-NAPTR discovery. 00 ?? LIS URI Option Code (???)
01 6a Option Length = 106
02 01 F-Code = 1 (Fingerprint)
03 28 F-Length = 40
04 07 Hash-Type-Len = 7
3. The host then attempts reverse DNS based on its IP address 05-0b 73:68:61:2d:32:35:36
(192.168.0.55). The host makes a DNS PTR request for - Hash-Type = "sha-256"
"55.0.168.192.in-addr.arpa."
4. The DNS has no knowledge of the private network segment and so
indicates that there is no such domain.
5. The host contacts a STUN server, which is configured on the 0c- 49:20:77:6f:6e:64:65:72:20:69:66:74:68:69:73:20:
host. It sends a Binding Request to the STUN server. -2b 77:69:6c:6c:20:62:65:20:6e:6f:74:69:63:65:64:3f
- Fingerprint-Value (SHA-256 output)
6. The STUN server responds to the Binding Request, including the 2c 01 F-Code = 1 (Fingerprint)
XOR-MAPPED-ADDRESS parameter, which reveals the IP address of 2d 1a F-Length = 26
the home router: "192.0.2.75". 2e 07 Hash-Type-Len = 5
7. The host requests the domain name assigned to 192.0.2.75. It 2f-33 73:68:61:2d:31
makes a DNS PTR request to "75.2.0.192.in-addr.arpa." - Hash-Type = "sha-1"
8. The DNS server indicates that 192.0.2.75 is assigned the name 34- 39:39:62:6f:74:74:6c:65:73:6f:
"192-0-2-75.my.isp.net." -47 66:62:65:65:72:6f:6e:74:68:65
- Fingerprint-Value (SHA-1 output)
9. The host removes the host part of the domain name and makes a 48 00 F-Code = 0 (URI)
DNS NAPTR request for the domain "my.isp.net."
10. The DNS server provides all NAPTR records for the "my.isp.net." 49- 68:74:74:70:73:3a:2f:2f:6c:69:73:2e:65:78:61:6d:70:
domain. The host finds the record with a service tag of -6a 6c:65:2e:6f:72:67:3a:34:38:30:32:2f:3f:63:3d:65:78
"LIS:HELD" and retrieves the URI from the regexp field. The URI - LIS URI = "https://lis.example.org:4802/?c=ex"
of the LIS is found to be "https://lis.my.isp.net/".
11. The host sends a HELD "locationRequest" to the LIS. Figure 5: Example LIS URI Option with Fingerprint Data
Authors' Addresses Authors' Addresses
Martin Thomson Martin Thomson
Andrew Andrew
PO Box U40 PO Box U40
Wollongong University Campus, NSW 2500 Wollongong University Campus, NSW 2500
AU AU
Phone: +61 2 4221 2915 Phone: +61 2 4221 2915
 End of changes. 92 change blocks. 
506 lines changed or deleted 328 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/