GEOPRIV                                                       M. Thomson
Internet-Draft                                           J. Winterbottom
Intended status: Standards Track                                  Andrew
Expires: May 3, June 20, 2009                                    October 30,                                 December 17, 2008

        Discovering the Local Location Information Server (LIS)
                  draft-ietf-geopriv-lis-discovery-04
                  draft-ietf-geopriv-lis-discovery-05

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 3, June 20, 2009.

Abstract

   A method is described for the discovery of a Location Information
   Server.  The method uses a Dynamic Host Configuration Protocol (DHCP)
   option.  DHCP options are defined for both IPv4 and IPv6 DHCP.  A
   URI-enabled NAPTR (U-NAPTR) method is described for use where the
   DHCP option is unsuccessful.  This document defines a U-NAPTR
   Application Service for a LIS, with a specific Application Protocol
   for the HTTP Enabled Location Delivery (HELD) protocol.

Table of Contents

   1.  Introduction and Overview  . . . . . . . . . . . . . . . . . .  3
     1.1.  DHCP Discovery . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  U-NAPTR Discovery  . . . . . . . . . . . . . . . . . . . .  3
     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  LIS Discovery Using DHCP . . . . . . . . . . . . . . . . . . .  5
     2.1.  DHCPv4 Option for a  LIS Address Authentication . . . . . . . . . . . . . . . . . . . .  5
     2.2.  DHCPv6  DHCPv4 Option for a LIS Address  . . . . . . . . . . . . .  5
   3.  U-NAPTR  6
     2.3.  DHCPv6 Option for a LIS Discovery Address  . . . . . . . . . . . . .  7
   3.  U-NAPTR for LIS Discovery  . . . . .  7
   4.  Determining the Access Network Domain Name . . . . . . . . . .  8
     4.1.  DHCP Domain Name Option . . .  9
     3.1.  Determining a Domain Name  . . . . . . . . . . . . . .  8
     4.2.  Reverse DNS . . 10
   4.  Overall Discovery Procedure  . . . . . . . . . . . . . . . . . 11
     4.1.  Virtual Private Networks (VPNs)  . . . .  8
       4.2.1.  Determining an External IP Address using STUN . . . .  9
       4.2.2.  Alternate Methods for External IP Addresses . . . . . 10 12
   5.  Overall Discovery Procedure  Security Considerations  . . . . . . . . . . . . . . . . . 12
     5.1.  Virtual Private Networks (VPNs) . . 13
   6.  IANA Considerations  . . . . . . . . . . . 13
   6.  Access Network Guidance . . . . . . . . . . 14
     6.1.  Registration of DHCPv4 and DHCPv6 Option Codes . . . . . . 14
     6.2.  Registration of a Location Server Application Service
           Tag  . . . 14
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . 16
   8.  IANA Considerations . . . . . 14
     6.3.  Registration of a Location Server Application Protocol
           Tag for HELD . . . . . . . . . . . . . . . . 17
     8.1.  Registration of DHCPv4 and DHCPv6 Option Codes . . . . . . 17
     8.2.  Registration of a Location Server Application Service
           Tag . 14
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
   8.  References . . . 17
     8.3.  Registration of a Location Server Application Protocol
           Tag for HELD . . . . . . . . . . . . . . . . . . . . . . . 17
   9.  Acknowledgements . .
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 17
     8.2.  Informative References . . 19
   10. References . . . . . . . . . . . . . . . . 17
   Appendix A.  DHCP LIS URI Option Examples  . . . . . . . . . . 20
     10.1. Normative References . . 19
     A.1.  LIS URI Only . . . . . . . . . . . . . . . . . 20
     10.2. Informative References . . . . . . 19
     A.2.  LIS URI with Fingerprint . . . . . . . . . . . . 20
   Appendix A.  Residential Broadband LIS Discovery Example . . . . . 22 19
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 21
   Intellectual Property and Copyright Statements . . . . . . . . . . 26 22

1.  Introduction and Overview

   Discovering

   The location of a device is a useful and sometimes necessary part of
   many services.  A Location Information Server (LIS) is an important part
   of the responsible
   for providing that location acquisition process. information to devices with an access
   network.  The LIS is an uses knowledge of the access network
   service that needs and its
   physical topology to be discovered before it can be used.  This generate and serve location information to
   devices.

   Each access network requires specific knowledge about topology.
   Therefore, it is important to discover the LIS that has the specific
   knowledge necessary to locate a device.  That is, the LIS that serves
   the current access network.  Automatic discovery is important where
   there is any chance of movement outside a single access network.
   Reliance on static configuration can lead to unexpected errors if a
   device moves between access networks.

   This document describes a method DHCP options and DNS records that a host device
   can use to discover a URI for
   a LIS.

   The product of a discovery process, such as the one described in this
   document, is the address of the service.  In this document, the
   result is an http: or https: URI, which identifies a LIS.

   The URI result from the discovery process is suitable for location
   configuration only; that is, the client MUST dereference the URI
   using the process described in HELD
   [I-D.ietf-geopriv-http-location-delivery].  URIs discovered in this
   way are not "location by reference" URIs; dereferencing one of them
   provides the location of the requester only.  Clients MUST NOT embed
   these URIs in fields in other protocols designed to carry the
   location of the client.

   The discovery process requires that the host first attempt LIS
   discovery using Dynamic Host Configuration protocol (DHCP).  If DHCP
   is not available, or the option is not supported by the network, the
   host attempts to discover the LIS using the DNS and URI-enabled
   Naming Authority Pointer (U-NAPTR).  Finally, the host can rely on
   proprietary methods for determining the address of the LIS, including
   static configuration.

1.1.  DHCP Discovery

   DHCP ([RFC2131], [RFC3315]) is a commonly used mechanism for
   providing bootstrap configuration information allowing a host device to
   operate in a specific network environment.  The bulk of DHCP
   information is largely static; consisting of configuration
   information that does not change over the period that the host device is
   attached to the network.  Physical location information might change
   over this time, however the address of the LIS does not.  Thus, DHCP
   is suitable for configuring a host device with the address of a LIS.

1.2.  U-NAPTR Discovery

   Where DHCP is not available, the DNS might be able to provide a URI.
   This document describes a method that uses URI-enabled NAPTR
   (U-NAPTR) [RFC4848], a Dynamic Delegation Discovery Service (DDDS)
   profile that supports URI results.

   For the LIS discovery DDDS application, an Application Service tag
   "LIS" and an Application Protocol tag "HELD" are created and
   registered with the IANA.  Taking a domain name, this U-NAPTR
   application uses the two tags to determine the LIS URI.

   A domain name is the crucial input to the U-NAPTR resolution process.
   Section 4 3.1 of this document describes several methods for deriving
   an appropriate domain name.

1.3.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   This document also uses the term "host" "device" to refer to an end host, or
   client consistent with its use in DHCP documents. HELD.  In HELD and RFC3693
   [RFC3693] parlance, the host Device is the Device, which might also be the Target.

   The terms "access network" refers to the network that a host device
   connects to for Internet access.  The "access network provider" is
   the entity that operates the access network.  This is consistent with
   the definition in [I-D.ietf-geopriv-l7-lcp-ps] which combines the
   Internet Access Provider (IAP) and Internet Service Provider (ISP).
   The access network provider is responsible for allocating the host device
   a public IP address and for directly or indirectly providing a LIS
   service.

2.  LIS Discovery Using DHCP

   DHCP allows the access network provider to specify the address of a
   LIS as part of network configuration.  If the host device is able to
   acquire a LIS URI using DHCP then this URI is used directly; the
   U-NAPTR process is not necessary if this option is provided.

   This document registers DHCP options for a LIS address for both IPv4
   and IPv6.

2.1.  DHCPv4 Option for a  LIS Address

   This section defines a Authentication

   The DHCP for IPv4 (DHCPv4) LIS URI option includes an optional authentication method
   for the address
   of a LIS.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    LIS_URI    |    Length     |         URI ...               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              URI                            ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 1: DHCPv4 LIS  If an https: URI Option

   LIS_URI:  The IANA assigned is provided for the LIS, the option number (TBD).

   Length:  The length
   can optionally include a fingerprint of the URI in octets.

   URI: server certificate.  The address of
   device can use this fingerprint to authenticate the LIS.  This URI SHOULD NOT be more than 253
      bytes in length, but MAY be extended by concatenating multiple
      option values, as described in [RFC3396].  The URI MUST NOT server.

   HTTP over TLS [RFC2818] describes how a host can be
      NULL terminated.

2.2.  DHCPv6 Option authenticated
   based on an expected domain name.  Relying exclusively on a domain
   name for authentication is not appropriate for a LIS Address LIS, since the
   domain name associated with the access network might not be known.
   Indeed, it is often innapropriate to attempt to assign any particular
   domain name to an access network.

   This section specification defines a DHCP for IPv6 (DHCPv6) option an alternative means of establishing an
   expected identity for the address
   of server that uses a LIS. certificate fingerprint.
   The DHCPv6 DHCP option includes a fingerprint for this parameter the server certificate
   that is similarly
   formatted to offered by the DHCPv4 option.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       OPTION_LIS_URI          |           Length              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              URI                            ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                      Figure 2: DHCPv6 LIS URI Option

   OPTION_LIS_URI:  The IANA assigned option number (TBD).

   Length:  The length of when the associated URI is accessed.

   An access network operator is still able to nominate authentication
   based on a domain name.  If no fingerprint information is included,
   the device MUST authenticate the server using the method described in octets.

   URI:  The address
   Section 3.1 of RFC 2818 [RFC2818].  If a fingerprint exists, the LIS.  The URI
   domain name method MUST NOT be NULL terminated.

3.  U-NAPTR for LIS Discovery

   U-NAPTR resolution for a used.

   The certificate fingerprint can be ignored if the LIS takes URI doesn't
   indicate a domain name as input and
   produces a URI protocol that identifies supports exchange of certificates (such as
   http:).  The LIS MUST be considered unauthenticated.

   Note:  Whether the LIS.  This process also requires
   an Application Service tag and an Application Protocol tag, which
   differentiate LIS-related NAPTR records from other records for that
   domain.

   Section 8.2 defines device goes on to use the information provided by
      an Application Service tag unauthenticated LIS depends on device policy.  A device might
      choose to continue with alternative methods of "LIS", which is
   used discovery before
      falling back to identify the location service for a particular domain. an unauthenticated LIS.

   The
   Application Protocol tag "HELD", defined in Section 8.3, is used mechanism to
   identify generate a LIS that understands the HELD protocol
   [I-D.ietf-geopriv-http-location-delivery].

   The NAPTR records in the following example demonstrate fingerprint is to take the use hash of the
   Application Service and Protocol tags.  Iterative NAPTR resolution is
   DER-encoded certificate using a cryptographically strong algorithm.
   The hash algorithm used to delegate responsibility for generating the LIS service fingerprint is identified
   by a textual name taken from
   "zonea.example.com." and "zoneb.example.com." to
   "outsource.example.com.".

      zonea.example.com.
      ;;       order pref flags
      IN NAPTR 100   10   ""  "LIS:HELD" (          ; service
          ""                                        ; regex
          outsource.example.com.                    ; replacement
          )
      zoneb.example.com.
      ;;       order pref flags
      IN NAPTR 100   10   ""  "LIS:HELD" (          ; service
          ""                                        ; regex
          outsource.example.com.                    ; replacement
          )
      outsource.example.com.
      ;;       order pref flags
      IN NAPTR 100   10   "u"  "LIS:HELD" (         ; service
          "!*.!https://lis.outsource.example.com/!" ; regex
          .                                         ; replacement
          )

              Figure 3: Sample LIS:HELD Service NAPTR Records

   Details for the "LIS" Application Service tag and the "HELD"
   Application Protocol tag are included IANA registry "Hash Function Textual
   Names" defined in Section 8.

4.  Determining [RFC4572].  Implementations MUST support SHA-1 as
   the Access Network Domain Name

   The U-NAPTR discovery method described in Section 3 requires that hash algorithm and use the
   domain name applicable label "sha-1" to identify the access network SHA-1
   algorithm.

   Multiple fingerprints MAY be included.  If a hash algorithm is known.  An
   unconfigured host might
   indicated, but not have this information, therefore it must
   determine this value before the U-NAPTR method can be attempted.

   This section describes several methods for discovering supported by a domain name
   for device, it MUST choose the local access network.  Each method is attempted where
   applicable until a domain name is derived.  If a domain name is
   successfully derived but first
   algorithm that domain name it supports.  If any supported fingerprint does not produce any
   U-NAPTR records, alternative methods can be attempted to determine
   additional domain names.  Reattempting with different methods is
   particularly applicable when NAT is used, as is shown in
   Section 4.2.1.

4.1.  DHCP Domain Name Option

   For IP version 4, Dynamic Host Configuration Protocol (DHCP) option
   15 [RFC2131] includes the domain name suffix for the host.  If DHCP
   and option 15 are available, this value should be used as input the
   U-NAPTR procedure.

   Alternatively, a fully qualified domain name (FQDN) for the host
   might be provided by the server ([RFC4702] for DHCPv4, [RFC4704] for
   DHCPv6).  The domain part of
   match, the FQDN can LIS MUST be used considered as input to the
   U-NAPTR resolution and unauthenticated.  If no hash
   algorithm is obtained supported by removing the first label.  If the host has provided a fully qualified domain name using this
   option, device, it SHOULD NOT be used - MUST consider the domain known LIS to the host might
   not be the same as that of the access network.

   Note that these options should only be used if the
   unauthenticated.

2.2.  DHCPv4 Option for a LIS address option
   is not available; they SHOULD be used if Address

   This section defines a DHCP is available.

4.2.  Reverse DNS

   DNS "PTR" records in the "in-addr.arpa." domain can be used to
   determine for IPv4 (DHCPv4) option for the domain name address
   of a host, and therefore, the name of the
   domain for that host.  The use of the "in-addr.arpa." domain is
   described in [RFC1034] and results in LIS.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    LIS_URI    |    Length     |   F-Code(1)   |   F-Length    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Hash-Type-Len |                  Hash-Type                  ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Fingerprint-Value                     ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    F-Code(0)  |                    URI                        .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           URI (cont.)                       ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 1: DHCPv4 LIS URI Option Example

   LIS_URI:  The IANA assigned option number (TBD).  [[IANA/RFC-Editor
      Note: Please replace TBD with the domain name assigned DHCPv4 option code.]]

   Length:  The length of the host.
   Likewise, IPv6 hosts use the "ip6.arpa." domain.  In entire LIS URI option in octets.

   F-Code:  A single octet indicates the majority type of
   cases, the domain part data that follows:
      fingerprint or URI.  A value of this name (everything excluding the first
   label) is also the domain name for 1 indicates that the access network.  Assuming following
      data includes a certificate fingerprint.  A value of 0 indicates
      that
   this no more supplementary data is true, this domain name can be used as input to included and the U-NAPTR
   process.

   For example, for an address URI follows.
      An "F-Code" with a value of "192.0.2.3", if the "PTR" record at
   "3.2.0.192.in-addr.arpa." refers to "h3-2-0-192.example.com.", this
   results 0 MUST be included.

      Values other than zero or one MAY be ignored.  Any other value
      MUST be specified in a U-NAPTR search for "example.com."

   The DNS hierarchy does not necessarily directly map onto a network
   topology (see [RFC4367]); therefore, this method standards track RFC that SHOULD establish
      an IANA registry.

   F-Length:  If the "F-Code" is non-zero, it MUST only be used
   for the domain name determined followed by removing an
      octet that indicates the first label only. length, in octets, of the data.  This method assumes that
      value includes the access network provider also provides sum of the reverse DNS record lengths of: "Hash-Type-Len",
      "Hash-Type", and they control "Fingerprint-Value".

   Hash-Type-Len:  The length, in octets, of the domain "Hash-Type" field.

   Hash-Type:  A text tag that is indicated
   in identifies the "PTR" record.

   Furthermore, this method might not apply where a host is given a
   domain name that is different from the domain name of hash algorithm used to
      generate the access
   network.  This might occur in some hosting configurations, such as
   where a number fingerprint.  The set of web server hosts, with widely varying domain names, values are co-located.  From the above example, the access network provider
   allocated "10.1.2.3" to the host; therefore, they also need to
   control the DNS domain "example.com" and defined in the associated NAPTR
   records.  DNS Security Extensions (DNSSEC) [RFC4033] provides a
   cryptographic means
      "Hash Function Textual Names" IANA registry [RFC4572].

   Fingerprint-Value:  The octet values of validating this association, through data
   origin authentication.

4.2.1.  Determining an External IP Address using STUN

   Reverse DNS relies on knowing the IP address certificate fingerprint.
      The length of a host within the
   access domain.  Initially, this SHOULD be attempted using the IP
   address that field is assigned to a local interface on the host.  However,
   when a NAT device exists between defined by the device hash algorithm and MUST
      match the Internet, the
   public IP address remainder of the NAT device is substituted for fingerprint data.  If this does not
      equal the source IP
   address.  The IP address value of "F-Length" less the NAT device length "Hash-Type-Len" and
      "Hash-Type", the corresponding
   domain name can fingerprint MUST be used to discover the LIS.

   In order to use reverse DNS in this configuration, the hosts need considered invalid.

      Note:  An invalid fingerprint is not equivalent to
   know the IP no fingerprint.

   URI:  The address that the NAT device uses.  A host can use of the
   Session Traversal Utilities for NAT (STUN)
   [I-D.ietf-behave-rfc3489bis] to determine a public IP address. LIS.  The
   host uses the "Binding Request" message and the resulting
   "XOR-MAPPED-ADDRESS" parameter that is returned in URI takes the response.

   These methods are particularly useful in residential broadband
   configurations.  A large proportion remainder of residential broadband services
   employ a NAT device so that several hosts can share the same Internet
   access.  Since the network behind the NAT device are generally very
   small, both
      DHCP option.  The URI MUST NOT be NULL terminated.

      The DHCPv4 version of this URI SHOULD NOT exceed 225 octets in numbers and geographical area, it isn't necessary
      length, but MAY be extended by concatenating multiple option
      values, as described in [RFC3396].

2.3.  DHCPv6 Option for a LIS to operate within that network; the hosts are able to access Address

   This section defines a
   LIS in the access network outside of the NAT device.

   The following figure shows a typical home broadband deployment
   scenario.  In this scenario, DHCP for IPv6 (DHCPv6) option for the public address
   of the Router/NAT can
   be used a LIS.  The DHCPv6 option for this parameter is similarly
   formatted to discover the LIS in the access network.

                                   +-----+ DHCPv4 option.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | LIS       OPTION_LIS_URI          |
                                   +--+--+
                                     /     ________
    +------+     +------------+     /    (/        \)     +------+           Length              | Host |-----| Router/NAT |----+----(( Internet ))----| STUN
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |
    +------+  ^  +------------+   ^      (\________/)     +------+   F-Code(1)   |   F-Length    |
         Home Network       Access Network
          (Private)

   Using STUN requires cooperation from a publicly accessible STUN
   server. Hash-Type-Len |  Hash-Type  ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Fingerprint-Value                     ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    F-Code(0)  |                    URI                        .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           URI (cont.)                       ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 2: DHCPv6 LIS URI Option
   OPTION_LIS_URI:  The host also requires configuration information that
   identifies the STUN server, or a domain name that can be used for
   STUN server discovery.  To be selected for this purpose, IANA assigned option number (TBD).  [[IANA/
      RFC-Editor Note: Please replace TBD with the STUN
   server needs to provide assigned DHCPv6
      option code.]]

   Length:  The length of the public reflexive transport address LIS URI option in octets.

      The format of remainder of the
   host; STUN servers that provide private addresses for any reason are
   not appropriate for LIS discovery.

4.2.2.  Alternate Methods URI option is identical to the
      DHCPv4 option.

3.  U-NAPTR for External IP Addresses

   Alternative methods LIS Discovery

   U-NAPTR resolution for determining other IP addresses MAY be used by a LIS takes a domain name as input and
   produces a URI that identifies the host.  Universal Plug and Play (UPnP) [UPnP-IGD-WANIPConnection1]
   and NAT Port Mapping LIS.  This process also requires
   an Application Service tag and an Application Protocol (NAT-PMP) [I-D.cheshire-nat-pmp] are
   both able tag, which
   differentiate LIS-related NAPTR records from other records for that
   domain.

   Section 6.2 defines an Application Service tag of "LIS", which is
   used to provide identify the external address of location service for a routing device.
   Proprietary methods for determining other addresses might also be
   available.  Because there is no assurance that these methods will be
   supported by any access network these methods are not mandated. particular domain.  The source IP address
   Application Protocol tag "HELD", defined in any IP packet can be Section 6.3, is used to determine the
   public IP address of
   identify a host.  While LIS that understands the STUN method uses a small part
   of a more sophisticated protocol, this principle can be applied using
   any other protocol.  Like STUN, this method requires prior knowledge HELD protocol
   [I-D.ietf-geopriv-http-location-delivery].

   The NAPTR records in the following example demonstrate the use of the publicly accessible server
   Application Service and the method that it supports.

   For instance, a publicly accessible host could be configured to
   respond Protocol tags.  Iterative NAPTR resolution is
   used to a UDP packet on a predefined port; delegate responsibility for the data of LIS service from
   "zonea.example.net." and "zoneb.example.net." to
   "outsource.example.com.".

      zonea.example.net.
      ;;       order pref flags
      IN NAPTR 100   10   ""  "LIS:HELD" (          ; service
          ""                                        ; regex
          outsource.example.com.                    ; replacement
          )
      zoneb.example.net.
      ;;       order pref flags
      IN NAPTR 100   10   ""  "LIS:HELD" (          ; service
          ""                                        ; regex
          outsource.example.com.                    ; replacement
          )
      outsource.example.com.
      ;;       order pref flags
      IN NAPTR 100   10   "u"  "LIS:HELD" (         ; service
          "!*.!https://lis.example.org:4802/?c=ex!" ; regex
          .                                         ; replacement
          )

              Figure 3: Sample LIS:HELD Service NAPTR Records

   Details for the
   response could contain "LIS" Application Service tag and the source IP address that was "HELD"
   Application Protocol tag are included in the request.
   Alternatively, a HTTP server at a particular URL could Section 6.

   U-NAPTR MUST only be configured
   to respond to a GET request with a "text/plain" body containing used if the
   IP address DHCP LIS URI option is not
   available.

   An https: LIS URI that is a product of U-NAPTR MUST be authenticated
   using the requester.  HTTP proxies render this domain name method
   unusable; described in particular, transparent HTTP proxies might affect the
   results of this method without the knowledge Section 3.1 of the host.  Such
   services already exist on the public Internet. RFC 2818
   [RFC2818].

3.1.  Determining a Domain Name

   The U-NAPTR discovery procedure assumes method described requires a domain name as
   input.  This document does not specify how that domain name is
   acquired by a device.  If a device knows one or more of the correct LIS domain
   names assigned to it, it MAY attempt to use each domain name as
   input.  Static configuration of a device is in possible if a network
   segment that domain name
   is closer known to work for this purpose.

   A fully qualified domain name (FQDN) for the host.  Each network segment between device might be provided
   by a DHCP server ([RFC4702] for DHCPv4, [RFC4704] for DHCPv6).
   DHCPv4 option 15 [RFC2131] could also be used as a source of a domain
   name suffix for the
   host device.  If DHCP and LIS decreases the chance that any of these options are
   available, these values could be used as input the LIS is able U-NAPTR procedure;
   however, implementers need to correctly
   determine be aware that many DHCP servers do not
   provide a location sensible value for the host. these options.

4.  Overall Discovery Procedure

   The individual components of discovery are combined into a single
   discovery procedure.  Some networks maintain a topology analogous to
   an onion and are comprised of layers, or segments, separating hosts
   from the Internet through intermediate networks.  Applying the
   individual discovery methods follow in an order of precedence.  The exception that favours a physically
   proximate LIS over a remote LIS is
   for alternative methods of determining the hosts IP address preferred.

   A host MUST support DHCP discovery and MAY support U-NAPTR discovery.
   The process described in each
   network segment; precedence this document is given known to addresses not work in a very
   common deployment scenario, namely the network
   segments closer fixed wired environment
   described in Section 3.1 of [I-D.ietf-geopriv-l7-lcp-ps].
   Alternative methods of discovery to the host.  Therefore, the host attempts to use the
   IP address assigned to its local network interface before attempting
   to determine alternative IP addresses.  Precedence is given to
   methods that provide an IP address in network segments closer to the
   host, since these networks are more likely to have knowledge of the
   physical network access.  Methods for determining addresses on the
   public Internet are given lower precedence.

5.  Overall Discovery Procedure

   To claim compliance with this document, a host MUST support both DHCP
   discovery and U-NAPTR discovery.  Further, the host MUST support
   retrieval of domain name from DHCP and reverse DNS, using a local
   interface address and the reflexive transport address provided by
   STUN.  Additional methods for determining the IP address of the host
   in different network segments limitation are optional.

   These individual components of discovery are combined into a single
   discovery procedure.  Some networks maintain a topology analogous to
   an onion and are comprised of layers, or segments, separating hosts
   from the Internet through intermediate networks.  Applying the
   individual discovery methods in the
   likely.

   The following order provides process ensures a higher
   probability that greater likelihood of a host discovers the LIS physically closest to it: in close
   physical proximity being discovered:

   1.  Request the DHCP LIS URI Option for each network interface.

   2.  DNS  Use U-NAPTR Discovery, to discover a LIS URI using the all known domain name from:

       A.  DHCP Domain Name Option

       B.  Reverse DNS, using the IP address from:

           1.  the local network interface and immediate network segment

           2.  the public reflexive transport address, as revealed by
               STUN names.

   3.  Alternative methods, including static configuration  Use a statically configured LIS URI.

   A host that has multiple network interfaces could potentially be
   served by a different access network on each interface, each with a
   different LIS.  The host SHOULD attempt to discover the LIS
   applicable to each network interface, stopping when a LIS is
   successfully discovered on any interface.

   A host that discovers a LIS URI MUST attempt to verify that the LIS
   is able to provide location information.  For the HELD protocol, the
   host MUST make a location request to the LIS.  If the LIS responds to
   this request with the "notLocatable" error code (see Section 4.3.2 of
   [I-D.ietf-geopriv-http-location-delivery]), the host MUST continue
   the discovery process and not make further requests to that LIS on
   that network interface.

   DHCP discovery MUST be attempted before DNS discovery. any other discovery method.
   This allows the network access provider a direct and explicit means
   of configuring a LIS address.  DNS discovery is used  Alternative methods are only specified
   as a failsafe,
   providing a means to discover a LIS where the DHCP infrastructure does not
   support the LIS URI option.

   LIS discovery through DNS requires the host to determine

   This document does not mandate any particular source for the domain
   name of the local access network.  Where DHCP that is available, used as input to U-NAPTR.  Alternative methods for
   determining the DHCP domain name option (Section 4.1) can MAY be used to provide this
   information.  If the domain name cannot be determined from DHCP, or
   the resulting domain name fails to yield a valid LIS address then
   reverse DNS is used.  Alternative methods for determining the domain
   name MAY be used, providing they consider the guidance in
   Section 4.2.2.

   Static host configuration MAY be used to provide a LIS address if
   both DHCP and DNS all other discovery methods fail.
   Note however, that if a host has moved from its customary location,
   static configuration might indicate a LIS that is unable to provide a
   location.

   If the discovery process fails, user interaction is NOT RECOMMENDED.
   The discovery process is not easily diagnosed by a user.

   The product of the LIS discovery process is an http: or https: URI.
   Nothing distinguishes this URI from other URIs with the same scheme,
   aside from the fact that it is the product of this process.  Only
   URIs produced by the discovery process can be used for location
   configuration using HELD.  URIs that are not a product of LIS
   discovery MUST NOT be used for location configuration.

5.1.

4.1.  Virtual Private Networks (VPNs)

   LIS discovery over a VPN network interface SHOULD NOT be performed
   since such a performed.
   A LIS does not discovered in this way is unlikely to have the physical presence generally information
   necessary to determine an accurate location.  However, since

   Since not all interfaces connected to a VPN can be detected by hosts,
   a LIS SHOULD NOT provide location information in response to requests
   that it can identify as originating from a VPN pool.  This ensures
   that even if a host discovers a LIS over the VPN, it does not rely on
   a LIS that is unable to provide accurate location information.  The
   exception to this is where the LIS and host are able to determine a
   location without access network support.

6.  Access Network Guidance

   In order

5.  Security Considerations

   The primary attack against the methods described in this document is
   one that would lead to successfully discover a LIS, impersonation of a host relies on LIS.  The LIS is
   responsible for providing location information
   provided by the access network.  DHCP and DNS servers need to be able
   to provide the data that the device depends on.  This section
   provides guidance on what this information needs to be made available
   is critical to a number of network services; furthermore, a host for it to successfully discover does
   not necessarily have a prior relationship with a LIS.

   Access networks  Several
   methods are described here that can limit the probablity of, or
   provide both some protection against, such an attack.

   The address of a LIS and a is usually well-known within an access network;
   therefore, interception of messages does not introduce any specific
   concerns.

   If DHCP server must
   provide is used, the integrity of DHCP option for options is limited by the LIS address.  Since
   security of the channel over which they are provided.  Physical
   security and separation of DHCP must be
   attempted first, if it messages from other packets are
   commonplace methods that can be guaranteed that DHCP can be used by all
   hosts in reduce the network, no further configuration is necessary.

   Unless possibility of attack within
   an access network; alternatively, DHCP authentication [RFC3118] can be relied upon for all hosts in the network (see
   [I-D.ietf-geopriv-l7-lcp-ps] for common scenarios where this isn't
   the case), DNS discovery methods must also be supported.  To support
   the DNS discovery methods, the access network must
   provide two sets
   of DNS records: the (U-)NAPTR records that enable the discovery of a
   LIS URI from a domain name; and the reverse DNS records that enable
   the discovery degree of a domain name based on protection against modification.

   An attacker could attempt to compromise the IP address U-NAPTR resolution.  A
   more thorough description of the host.

   Access networks that provide a LIS should also provide reverse DNS
   records security considerations for all IP addresses they administer.  For each domain that U-NAPTR
   applications is referenced in reverse DNS records, a NAPTR record included in [RFC4848].

   In addition to considerations related to U-NAPTR, it is important to
   recognize that domain
   must be provided for the "LIS:HELD" service that output of this is entirely dependent on its input.
   An attacker who can be used control the domain name is therefore able to
   resolve
   control the address of a LIS.

   The requirement final URI.  Any mechanism for PTR automatically determining
   such a domain name MUST consider such attacks.

6.  IANA Considerations

6.1.  Registration of DHCPv4 and NAPTR records extends DHCPv6 Option Codes

   The IANA is requested to both public and
   private addresses used by access networks.  A host that discovers assign an option code for the
   external address of DHCPv4 option
   for a router by proprietary means must be able LIS address, as described in Section 2.2 of this document.

   The IANA is requested to use assign an option code for the resulting private address DHCPv6 option
   for a LIS address, as input to described in Section 2.3 of this document.

6.2.  Registration of a reverse DNS lookup and
   U-NAPTR discovery.  Similarly, Location Server Application Service Tag

   This section registers a host that discovers new S-NAPTR/U-NAPTR Application Service tag
   for a public
   reflexive transport address using STUN must be able to use the public
   address.

   The following figure shows the addresses that could be revealed LIS, as mandated by [RFC3958].

   Application Service Tag:  LIS

   Intended usage:  Identifies a
   first hop method, like UPnP [UPnP-IGD-WANIPConnection1] or NAT-PMP
   [I-D.cheshire-nat-pmp] (the private address marked with '{N}') and
   STUN (the public address marked service that provides a host with '{S}'). its
      location information.

   Defining publication:  RFCXXXX

   Related publications:  HELD [I-D.ietf-geopriv-http-location-delivery]

   Contact information:  The access network
   provider should provide the necessary DNS records for both authors of these
   addresses.

                                   +-----+              +------+
                                   | LIS |              | STUN |
                                   +--+--+              +---+--+
                               {N}   /         {S}    _____/__
    +------+     +------------+ /   /   +-----+ /   (/        \)
    | Host |-----| Router/NAT |----+----| NAT |----(( Internet ))
    +------+  ^  +------------+   ^     +-----+     (\________/)
              |                   |
         Home Network       Access Network
          (Private)           (Private)

   Note:  The DHCP domain name option is notably absent from this
      guidance. document

   Author/Change controller:  The domain name option provides IESG

6.3.  Registration of a quicker and more
      reliable means to discover the domain name in the case where Location Server Application Protocol Tag for
      HELD

   This section registers a
      DHCP server does not support new S-NAPTR/U-NAPTR Application Protocol tag
   for the LIS URI option.  If DHCP is
      available, it is expected that access network providers use HELD [I-D.ietf-geopriv-http-location-delivery] protocol, as
   mandated by [RFC3958].

   Application Service Tag:  HELD

   Intended Usage:  Identifies the HELD protocol.

   Applicable Service Tag(s):  LIS URI option.

7.  Security Considerations

   Terminal NAPTR Record Type(s):  U

   Defining Publication:  RFCXXXX
   Related Publications:  HELD [I-D.ietf-geopriv-http-location-delivery]

   Contact Information:  The primary attack against the methods described in authors of this document is
   one that

   Author/Change Controller:  The IESG

7.  Acknowledgements

   The authors would lead like to impersonation of a LIS.  The LIS is
   responsible thank Leslie Daigle for providing location information and this information
   is critical to a number of network services; furthermore, a host does
   not necessarily have a prior relationship with a LIS.  Several
   methods are described here that can limit the probablity of, or
   provide some protection against, such an attack.

   The address of a LIS is usually well-known within an access network;
   therefore, interception of messages does not introduce any specific
   concerns.

   If DHCP is used, the integrity of DHCP options is limited by the
   security of the channel over which they are provided.  Physical
   security and separation of DHCP messages from other packets are
   commonplace methods that can reduce the possibility of attack within
   an access network; alternatively, DHCP authentication [RFC3118] can
   provide a degree of protection against modification.

   An attacker could attempt to compromise the U-NAPTR resolution.  A
   description of the security considerations for U-NAPTR applications
   is included in [RFC4848].

   In addition to considerations related to U-NAPTR, it is important to
   recognize that the output of this is entirely dependent on its input.
   An attacker who can control the domain name can also control the
   final URI.  Because a number of methods are provided for determining
   the domain name, a host implementation needs to consider attacks
   against each of the methods that are used.

   Reverse DNS is subject to the maintenance of the "in-addr.arpa." or
   "ip6.arpa." domain and the integrity of the results that it provides.
   DNSSEC [RFC4033] provides some measures that can improve the
   reliability of DNS results.  In particular, DNSSEC SHOULD be applied
   to ensure that the reverse DNS record and the resulting domain are
   provided by the same entity before this method is used.  Without this
   assurance, the host cannot be certain that the access network
   provider has provided the NAPTR record for the domain name that is
   provided.

   Hosts behind NAT devices are also subject to attacks when retrieving
   their public IP address.  [I-D.ietf-behave-rfc3489bis] describes some
   means of mitigating this attack for STUN.

8.  IANA Considerations

8.1.  Registration of DHCPv4 and DHCPv6 Option Codes

   The IANA is requested to assign an option code for the DHCPv4 option
   for a LIS address, as described in Section 2.1 of this document.

   The IANA is requested to assign an option code for the DHCPv6 option
   for a LIS address, as described in Section 2.2 of this document.

8.2.  Registration of a Location Server Application Service Tag

   This section registers a new S-NAPTR/U-NAPTR Application Service tag
   for a LIS, as mandated by [RFC3958].

   Application Service Tag:  LIS

   Intended usage:  Identifies a service that provides a host with its
      location information.

   Defining publication:  RFCXXXX

   Related publications:  HELD [I-D.ietf-geopriv-http-location-delivery]

   Contact information:  The authors of this document

   Author/Change controller:  The IESG

8.3.  Registration of a Location Server Application Protocol Tag for
      HELD

   This section registers a new S-NAPTR/U-NAPTR Application Protocol tag
   for the HELD [I-D.ietf-geopriv-http-location-delivery] protocol, as
   mandated by [RFC3958].

   Application Service Tag:  HELD

   Intended Usage:  Identifies the HELD protocol.

   Applicable Service Tag(s):  LIS

   Terminal NAPTR Record Type(s):  U

   Defining Publication:  RFCXXXX
   Related Publications:  HELD [I-D.ietf-geopriv-http-location-delivery]

   Contact Information:  The authors of this document

   Author/Change Controller:  The IESG

9.  Acknowledgements

   The authors would like to thank Leslie Daigle for her work on
   U-NAPTR; Peter Koch for his feedback on the DNS aspects her work on
   U-NAPTR; Peter Koch for his feedback on the DNS aspects of this
   document; Andy Newton for constructive suggestions with regards to
   document direction; Hannes Tschofenig and Richard Barnes for input
   and reviews; Dean Willis for constructive feedback.

10. feedback; Pasi Eronen for
   the certificate fingerprint concept.

8.  References

10.1.

8.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, March 1997.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.

   [RFC3396]  Lemon, T. and S. Cheshire, "Encoding Long Options in the
              Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396,
              November 2002.

   [RFC4572]  Lennox, J., "Connection-Oriented Media Transport over the
              Transport Layer Security (TLS) Protocol in the Session
              Description Protocol (SDP)", RFC 4572, July 2006.

   [RFC4702]  Stapp, M., Volz, B., and Y. Rekhter, "The Dynamic Host
              Configuration Protocol (DHCP) Client Fully Qualified
              Domain Name (FQDN) Option", RFC 4702, October 2006.

   [RFC4704]  Volz, B., "The Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN)
              Option", RFC 4704, October 2006.

   [RFC4848]  Daigle, L., "Domain-Based Application Service Location
              Using URIs and the Dynamic Delegation Discovery Service
              (DDDS)", RFC 4848, April 2007.

   [I-D.ietf-behave-rfc3489bis]
              Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
              "Session Traversal Utilities for NAT (STUN)",
              draft-ietf-behave-rfc3489bis-18 (work in progress),
              July 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

10.2.  Informative References

   [RFC3118]  Droms, R. and W. Arbaugh, "Authentication for DHCP
              Messages", RFC 3118, June 2001.

   [RFC3693]  Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and
              J. Polk, "Geopriv Requirements", RFC 3693, February 2004.

   [RFC3958]  Daigle, L. and A. Newton, "Domain-Based Application
              Service Location Using SRV RRs and the Dynamic Delegation
              Discovery Service (DDDS)", RFC 3958, January 2005.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4367]  Rosenberg, J. and IAB, "What's in a Name: False
              Assumptions about DNS Names", RFC 4367, February 2006.

   [I-D.ietf-geopriv-l7-lcp-ps]
              Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7
              Location Configuration Protocol; Problem Statement and
              Requirements", draft-ietf-geopriv-l7-lcp-ps-08 (work in
              progress), June 2008. the Dynamic Delegation Discovery Service
              (DDDS)", RFC 4848, April 2007.

   [I-D.ietf-geopriv-http-location-delivery]
              Barnes, M., Winterbottom, J., Thomson, M., and B. Stark,
              "HTTP Enabled Location Delivery (HELD)",
              draft-ietf-geopriv-http-location-delivery-10 (work in
              progress), October 2008.

   [UPnP-IGD-WANIPConnection1]
              UPnP Forum, "Internet Gateway Device (IGD) Standardized
              Device Control Protocol V 1.0: WANIPConnection:1 Service
              Template Version 1.01 For UPnP Version 1.0", DCP 05-001,
              Nov 2001.

   [I-D.cheshire-nat-pmp]
              Cheshire,

   [RFC2119]  Bradner, S., "NAT Port Mapping Protocol (NAT-PMP)",
              draft-cheshire-nat-pmp-03 (work in progress), April 2008.

Appendix A.  Residential Broadband LIS Discovery Example

   This example shows how LIS discovery using U-NAPTR and DNS might be
   performed in a residential broadband scenario.  The assumed network
   topology "Key words for this network is shown in Figure 4.

                                     +-----+
                                     | DNS |
                (DHCP Server)        +-----+
                      \                 |      ________
      +------+     +--------+           |    (/        \)
      | Host |-----| Router |-------+---+---(( Internet ))
      +------+     +--------+       |        (\________/)
    {192.168.0.55}  {192.0.2.75}    |               \
                                 +-----+             \
                                 | LIS |          +--------+
                            .    +-----+    .     |  STUN  |
                            :               :     | Server |
                            |    Access     |     +--------+
                            |<-- Network -->|
                               (my.isp.net)

                    Figure 4: Example Network Topology

   In this example, the host sits behind a home router that includes a
   NAT function.  The host is assigned an address from the private
   192.168.x.x address range, in this case 192.168.0.55.  The outbound
   IP address provided to the home router is public and and belongs to
   the my.isp.net domain; use in this example the home router is assigned
   192.0.2.75, which is also given the domain name 192-0-2-
   75.my.isp.net.

   In this example, several methods are not possible due RFCs to the
   configuration of the devices Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2.  Informative References

   [RFC3118]  Droms, R. and network.  The W. Arbaugh, "Authentication for DHCP server on the
   home router does not support the LIS URI option,
              Messages", RFC 3118, June 2001.

   [RFC3693]  Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and a domain name is
   not configured on the router.  In addition to this, the UPnP service
   on home router is disabled.  Therefore, the host attempts these
   methods
              J. Polk, "Geopriv Requirements", RFC 3693, February 2004.

   [RFC3958]  Daigle, L. and is unsuccessful.

   The example first covers the unsuccessful attempts to discover the
   LIS, followed by a successful application of DNS discovery based on
   an address provided by a STUN server.  In this situation, the STUN
   server is provided by a Voice A. Newton, "Domain-Based Application
              Service Provider (VSP) that the owner
   of the host purchases a voice service from.  The address of the STUN
   server is configured on the host.  The VSP is a separate entity on
   the public Internet with no relation to the access network provider.

   The sequence diagram below shows each of the failed attempts to
   discover the LIS, followed by the successful discovery using the STUN
   server, reverse DNS Location Using SRV RRs and the DNS discovery method.

   +-------+         +--------+     +-----+     +-----+    +--------+
   | Host  |         | Router |     | DNS |     | LIS |    |  STUN  |
   +---+---+         +----+---+     +--+--+     +--+--+    +---+----+
       |                  |            |           |           |
     1 +--- DHCPINFORM -->|            |           |           |
       |                  |            |           |           |
     2 |<---- DHCPACK ----+            |           |           |
       |                  |            |           |           |
     3 +------- DNS: PTR ------------->|           |           |
       |   55.0.168.192.in-addr.arpa.  |           |           |
       |                  |            |           |           |
     4 |<------ DNS: no domain --------+           |           |
       |                  |            |           |           |
     5 +---------------- STUN: Binding Request --------------->|
       |                  |            |           |           |
     6 |<-------- STUN: XOR-MAPPED-ADDRESS (192.0.2.75) -------+
       |                  |            |           |           |
     7 +------- DNS: PTR ------------->|           |           |
       |    75.2.0.192.in-addr.arpa.   |           |           |
       |                  |            |           |           |
     8 |<--- 192-0-2-205.my.isp.net ---+           |           |
       |                  |            |           |           |
     9 +--- DNS: NAPTR my.isp.net ---->|           |           |
       |                  |            |           |           |
    10 |<--- https://lis.my.isp.net/ --+           |           |
       |                  |            |           |           |
    11 +-------- HELD: locationRequest ----------->|           |
       |                  |            |           |           |
       .                  .            .           .           .

                     Figure 5: LIS Dynamic Delegation
              Discovery Sequence

   1.   The host makes a Service (DDDS)", RFC 3958, January 2005.

   [I-D.ietf-geopriv-l7-lcp-ps]
              Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7
              Location Configuration Protocol; Problem Statement and
              Requirements", draft-ietf-geopriv-l7-lcp-ps-08 (work in
              progress), June 2008.

Appendix A.  DHCP request for the LIS URI option.  To reduce
        the overall time required in case the Option Examples

A.1.  LIS URI option is not
        available, the host also requests the domain name option.

   2.   The DHCP server (in the home router) responds but cannot provide
        either option.  Therefore, the host Only

   Figure 4 shows an example LIS URI option for DHCPv6 in hexadecimal
   form.  This example is unable to use the DHCP
        method, or use the domain name to perform U-NAPTR discovery.

   3.   The host then attempts reverse DNS based on its IP address
        (192.168.0.55).  The host makes a DNS PTR request for
        "55.0.168.192.in-addr.arpa."
   4.   The DNS has simplest form, with an http: URI and no knowledge
   fingerprint information.

   Hexadecimal representation of LIS option, including the private network segment leading
   DHCPv4 option code and so
        indicates that there is no such domain.

   5.   The host contacts a STUN server, which is configured on the
        host.  It sends a Binding Request to length octets: [[IANA/RFC-Editor Note: Please
   replace instances of "??:??" in the STUN server.

   6.   The STUN server responds to following example with the Binding Request, including
   hexadecimal representation of the
        XOR-MAPPED-ADDRESS parameter, which reveals IANA allocated DHCPv6 option code;
   replace "???" with the IP address decimal representation of the home router: "192.0.2.75".

   7.   The host requests the domain name assigned to 192.0.2.75.  It
        makes IANA allocated
   DHCPv6 option code.]]

   ??:??:00:1d:00:68:74:74:70:3a:2f:2f:6c:69:73:2e:65:78:61:6d:
   70:6c:65:2e:6f:72:67:3a:34:38:30:31:2f

     Octet   Value   Description
    ------- ------- --------------------------------------------------
     00-01   ??:??     LIS URI Option Code (???)
      02     00:1d     Option Length = 29
      03      00       F-Code = 0 (URI)

     04-     68:74:74:70:3a:2f:2f:6c:69:73:2e:65:78:61:6d:70:
       -1f     6c:65:2e:6f:72:67:3a:34:38:30:31:2f
                      - LIS URI = "http://lis.example.org:4801/"

               Figure 4: Example of a DNS PTR request to "75.2.0.192.in-addr.arpa."

   8.   The DNS server indicates that 192.0.2.75 is assigned the name
        "192-0-2-75.my.isp.net."

   9.   The host removes Simple LIS URI Option

A.2.  LIS URI with Fingerprint

   Figure 5 shows an example LIS URI option for DHCPv4 in hexadecimal
   form.  This example shows the host part inclusion of two fingerprints, the domain name
   first based on SHA-256, and makes a
        DNS NAPTR request for the domain "my.isp.net."

   10.  The DNS server provides all NAPTR records for second based on SHA-1.

   Hexadecimal representation of LIS option, including the "my.isp.net."
        domain.  The host finds leading
   DHCPv4 option code and length octets: [[IANA/RFC-Editor Note: Please
   replace two instances of "??" in the record following example with a service tag the
   hexadecimal representation of
        "LIS:HELD" and retrieves the URI from IANA allocated DHCPv4 option code;
   replace "???" with the regexp field.  The URI decimal representation of the IANA allocated
   DHCPv4 option code.]]

   ??:69:01:28:07:73:68:61:2d:32:35:36:49:20:77:6f:6e:64:65:72:
   20:69:66:74:68:69:73:20:77:69:6c:6c:20:62:65:20:6e:6f:74:69:
   63:65:64:3f:01:1a:07:73:68:61:2d:31:39:39:62:6f:74:74:6c:65:
   73:6f:66:62:65:65:72:6f:6e:74:68:65:00:68:74:74:70:73:3a:2f:
   2f:6c:69:73:2e:65:78:61:6d:70:6c:65:2e:6f:72:67:3a:34:38:30:
   32:2f:3f:63:3d:65:78

     Octet   Value   Description
    ------- ------- --------------------------------------------------
      00      ??     LIS is found to be "https://lis.my.isp.net/".

   11.  The host sends a HELD "locationRequest" to the LIS. URI Option Code (???)
      01      6a     Option Length = 106
      02      01     F-Code = 1 (Fingerprint)
      03      28     F-Length = 40
      04      07     Hash-Type-Len = 7

     05-0b   73:68:61:2d:32:35:36
                      - Hash-Type = "sha-256"

     0c-     49:20:77:6f:6e:64:65:72:20:69:66:74:68:69:73:20:
       -2b     77:69:6c:6c:20:62:65:20:6e:6f:74:69:63:65:64:3f
                      - Fingerprint-Value (SHA-256 output)

      2c      01     F-Code = 1 (Fingerprint)
      2d      1a     F-Length = 26
      2e      07     Hash-Type-Len = 5

     2f-33   73:68:61:2d:31
                      - Hash-Type = "sha-1"

     34-     39:39:62:6f:74:74:6c:65:73:6f:
       -47     66:62:65:65:72:6f:6e:74:68:65
                      - Fingerprint-Value (SHA-1 output)

      48      00     F-Code = 0 (URI)

     49-     68:74:74:70:73:3a:2f:2f:6c:69:73:2e:65:78:61:6d:70:
       -6a     6c:65:2e:6f:72:67:3a:34:38:30:32:2f:3f:63:3d:65:78
                      - LIS URI = "https://lis.example.org:4802/?c=ex"

          Figure 5: Example LIS URI Option with Fingerprint Data

Authors' Addresses

   Martin Thomson
   Andrew
   PO Box U40
   Wollongong University Campus, NSW  2500
   AU

   Phone: +61 2 4221 2915
   Email: martin.thomson@andrew.com
   URI:   http://www.andrew.com/

   James Winterbottom
   Andrew
   PO Box U40
   Wollongong University Campus, NSW  2500
   AU

   Phone: +61 2 4221 2938
   Email: james.winterbottom@andrew.com
   URI:   http://www.andrew.com/

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.