draft-ietf-geopriv-lis-discovery-07.txt   draft-ietf-geopriv-lis-discovery-08.txt 
GEOPRIV M. Thomson GEOPRIV M. Thomson
Internet-Draft J. Winterbottom Internet-Draft J. Winterbottom
Intended status: Standards Track Andrew Intended status: Standards Track Andrew
Expires: August 13, 2009 February 9, 2009 Expires: September 24, 2009 March 23, 2009
Discovering the Local Location Information Server (LIS) Discovering the Local Location Information Server (LIS)
draft-ietf-geopriv-lis-discovery-07 draft-ietf-geopriv-lis-discovery-08
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 13, 2009. This Internet-Draft will expire on September 24, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents in effect on the date of
(http://trustee.ietf.org/license-info) in effect on the date of publication of this document (http://trustee.ietf.org/license-info).
publication of this document. Please review these documents Please review these documents carefully, as they describe your rights
carefully, as they describe your rights and restrictions with respect and restrictions with respect to this document.
to this document.
Abstract Abstract
Discovery of the correct Location Information Server (LIS) in the Discovery of the correct Location Information Server (LIS) in the
local access network is necessary for devices that wish to acquire local access network is necessary for devices that wish to acquire
location information from the network. A method is described for the location information from the network. A method is described for the
discovery of a LIS. Dynamic Host Configuration Protocol (DHCP) discovery of a LIS. Dynamic Host Configuration Protocol (DHCP)
options for IP versions 4 and 6 are defined that specify a URI for a options for IP versions 4 and 6 are defined that specify a URI for a
LIS in the local access network. Additional DHCP options are LIS in the local access network. Additional DHCP options are
provided that enable authentication of the indicated LIS. An provided that enable authentication of the indicated LIS. An
alternative method that uses URI-enabled NAPTR (U-NAPTR) is described alternative method that uses URI-enabled NAPTR (U-NAPTR) is described
for use where the DHCP option is unsuccessful. for use where the DHCP option is unsuccessful.
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. DHCP Discovery . . . . . . . . . . . . . . . . . . . . . . 3 1.1. DHCP Discovery . . . . . . . . . . . . . . . . . . . . . . 3
1.2. U-NAPTR Discovery . . . . . . . . . . . . . . . . . . . . 3 1.2. U-NAPTR Discovery . . . . . . . . . . . . . . . . . . . . 4
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. LIS Discovery Using DHCP . . . . . . . . . . . . . . . . . . . 5 2. LIS Discovery Using DHCP . . . . . . . . . . . . . . . . . . . 5
2.1. DHCPv4 LIS URI Option . . . . . . . . . . . . . . . . . . 5 2.1. DHCPv4 LIS URI Option . . . . . . . . . . . . . . . . . . 5
2.2. DHCPv6 LIS URI Option . . . . . . . . . . . . . . . . . . 5 2.2. DHCPv6 LIS URI Option . . . . . . . . . . . . . . . . . . 5
2.3. LIS Authentication . . . . . . . . . . . . . . . . . . . . 6 2.3. LIS Authentication . . . . . . . . . . . . . . . . . . . . 6
2.3.1. DHCPv4 LIS Certificate Fingerprints Option . . . . . . 7 2.3.1. Alternative Certificates . . . . . . . . . . . . . . . 7
2.3.2. DHCPv6 LIS Certificate Fingerprints Option . . . . . . 9 2.3.2. Sub-Option Codes . . . . . . . . . . . . . . . . . . . 8
3. U-NAPTR for LIS Discovery . . . . . . . . . . . . . . . . . . 10 2.3.3. Authentication Algorithm Summary . . . . . . . . . . . 9
3.1. Determining a Domain Name . . . . . . . . . . . . . . . . 11 2.3.4. DHCPv4 LIS Certificate Fingerprint Option . . . . . . 10
4. Overall Discovery Procedure . . . . . . . . . . . . . . . . . 12 2.3.5. DHCPv6 LIS Certificate Fingerprint Option . . . . . . 11
4.1. Virtual Private Networks (VPNs) . . . . . . . . . . . . . 13 3. U-NAPTR for LIS Discovery . . . . . . . . . . . . . . . . . . 13
5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 3.1. Determining a Domain Name . . . . . . . . . . . . . . . . 14
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 4. Overall Discovery Procedure . . . . . . . . . . . . . . . . . 15
6.1. Registration of DHCPv4 and DHCPv6 LIS URI Option Codes . . 15 4.1. Virtual Private Networks (VPNs) . . . . . . . . . . . . . 16
5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
6.1. Registration of DHCPv4 and DHCPv6 LIS URI Option Codes . . 18
6.2. Registration of DHCPv4 and DHCPv6 LIS Certificate 6.2. Registration of DHCPv4 and DHCPv6 LIS Certificate
Fingerprints Option Codes . . . . . . . . . . . . . . . . 15 Fingerprint Option Codes . . . . . . . . . . . . . . . . . 18
6.3. Registration of a Location Server Application Service 6.3. Creation of Registry for LIS Certificate Fingerprint
Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Sub-Option Codes . . . . . . . . . . . . . . . . . . . . . 18
6.4. Registration of a Location Server Application Protocol 6.4. Registration of a Location Server Application Service
Tag for HELD . . . . . . . . . . . . . . . . . . . . . . . 15 Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 6.5. Registration of a Location Server Application Protocol
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Tag for HELD . . . . . . . . . . . . . . . . . . . . . . . 19
8.1. Normative References . . . . . . . . . . . . . . . . . . . 18 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20
8.2. Informative References . . . . . . . . . . . . . . . . . . 18 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 8.1. Normative References . . . . . . . . . . . . . . . . . . . 21
8.2. Informative References . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction and Overview 1. Introduction and Overview
The location of a device is a useful and sometimes necessary part of The location of a device is a useful and sometimes necessary part of
many services. A Location Information Server (LIS) is responsible many services. A Location Information Server (LIS) is responsible
for providing that location information to devices with an access for providing that location information to devices with an access
network. The LIS uses knowledge of the access network and its network. The LIS uses knowledge of the access network and its
physical topology to generate and serve location information to physical topology to generate and serve location information to
devices. devices.
skipping to change at page 3, line 30 skipping to change at page 3, line 30
device moves between access networks. device moves between access networks.
This document describes DHCP options and DNS records that a device This document describes DHCP options and DNS records that a device
can use to discover a LIS. can use to discover a LIS.
The product of a discovery process, such as the one described in this The product of a discovery process, such as the one described in this
document, is the address of the service. In this document, the document, is the address of the service. In this document, the
result is an http: or https: URI, which identifies a LIS. result is an http: or https: URI, which identifies a LIS.
The URI result from the discovery process is suitable for location The URI result from the discovery process is suitable for location
configuration only; that is, the client MUST dereference the URI configuration only; that is, the device MUST dereference the URI
using the process described in HELD using the process described in HELD
[I-D.ietf-geopriv-http-location-delivery]. URIs discovered in this [I-D.ietf-geopriv-http-location-delivery]. URIs discovered in this
way are not "location by reference" URIs; dereferencing one of them way are not "location URIs" [I-D.ietf-geopriv-lbyr-requirements];
provides the location of the requester only. Clients MUST NOT embed dereferencing one of them provides the location of the requester
these URIs in fields in other protocols designed to carry the only. Devices MUST NOT embed these URIs in fields in other protocols
location of the client. designed to carry the location of the device.
1.1. DHCP Discovery 1.1. DHCP Discovery
DHCP ([RFC2131], [RFC3315]) is a commonly used mechanism for DHCP ([RFC2131], [RFC3315]) is a commonly used mechanism for
providing bootstrap configuration information allowing a device to providing bootstrap configuration information allowing a device to
operate in a specific network environment. The bulk of DHCP operate in a specific network environment. The bulk of DHCP
information is largely static; consisting of configuration information is largely static; consisting of configuration
information that does not change over the period that the device is information that does not change over the period that the device is
attached to the network. Physical location information might change attached to the network. Physical location information might change
over this time, however the address of the LIS does not. Thus, DHCP over this time, however the address of the LIS does not. Thus, DHCP
is suitable for configuring a device with the address of a LIS. is suitable for configuring a device with the address of a LIS.
A second DHCP option is defined that enables the authentication of a
LIS based on a fingerprint of the X.509 certificate [RFC5280] it
presents. Use of this option provides an alternative to the
authentication defined in HELD that relies on the domain name of the
LIS.
1.2. U-NAPTR Discovery 1.2. U-NAPTR Discovery
Where DHCP is not available, the DNS might be able to provide a URI. Where DHCP is not available, the DNS might be able to provide a URI.
This document describes a method that uses URI-enabled NAPTR This document describes a method that uses URI-enabled NAPTR
(U-NAPTR) [RFC4848], a Dynamic Delegation Discovery Service (DDDS) (U-NAPTR) [RFC4848], a Dynamic Delegation Discovery Service (DDDS)
profile that supports URI results. profile that supports URI results.
For the LIS discovery DDDS application, an Application Service tag For the LIS discovery DDDS application, an Application Service tag
"LIS" and an Application Protocol tag "HELD" are created and "LIS" and an Application Protocol tag "HELD" are created and
registered with the IANA. Taking a domain name, this U-NAPTR registered with the IANA. Taking a domain name, this U-NAPTR
skipping to change at page 5, line 27 skipping to change at page 5, line 27
2.1. DHCPv4 LIS URI Option 2.1. DHCPv4 LIS URI Option
This section defines a DHCP for IPv4 (DHCPv4) option for the address This section defines a DHCP for IPv4 (DHCPv4) option for the address
of a LIS. of a LIS.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LIS_URI | Length | | | LIS_URI | Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
. .
. LIS URI . . LIS URI .
. . . ... .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: DHCPv4 LIS URI Option Figure 1: DHCPv4 LIS URI Option
LIS_URI: The IANA assigned option number (TBD). [[IANA/RFC-Editor LIS_URI: The IANA assigned option number (TBD). [[IANA/RFC-Editor
Note: Please replace TBD with the assigned DHCPv4 option code.]] Note: Please replace TBD with the assigned DHCPv4 option code.]]
Length: The length of the entire LIS URI option in octets. Length: The length of the entire LIS URI option in octets.
LIS URI: The address of the LIS. The URI MUST NOT be terminated by LIS URI: The address of the LIS. The URI MUST NOT be terminated by
a zero octet. a zero octet.
The DHCPv4 version of this URI SHOULD NOT exceed 255 octets in The DHCPv4 version of this URI SHOULD NOT exceed 255 octets in
length, but MAY be extended by concatenating multiple option length, but MAY be extended by concatenating multiple option
values, as described in [RFC3396]. values if necessary, as described in [RFC3396].
2.2. DHCPv6 LIS URI Option 2.2. DHCPv6 LIS URI Option
This section defines a DHCP for IPv6 (DHCPv6) option for the address This section defines a DHCP for IPv6 (DHCPv6) option for the address
of a LIS. The DHCPv6 option for this parameter is similarly of a LIS. The DHCPv6 option for this parameter is similarly
formatted to the DHCPv4 option. formatted to the DHCPv4 option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_LIS_URI | Length | | OPTION_LIS_URI | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. .
. LIS URI . . LIS URI .
. . . ... .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: DHCPv6 LIS URI Option Figure 2: DHCPv6 LIS URI Option
OPTION_LIS_URI: The IANA assigned option number (TBD). [[IANA/ OPTION_LIS_URI: The IANA assigned option number (TBD). [[IANA/
RFC-Editor Note: Please replace TBD with the assigned DHCPv6 RFC-Editor Note: Please replace TBD with the assigned DHCPv6
option code.]] option code.]]
Length: The length of the LIS URI option in octets. Length: The length of the LIS URI option in octets.
skipping to change at page 6, line 40 skipping to change at page 6, line 39
HTTP over TLS [RFC2818] describes how a host is authenticated based HTTP over TLS [RFC2818] describes how a host is authenticated based
on an expected domain name using public key infrastructure. Relying on an expected domain name using public key infrastructure. Relying
exclusively on a domain name for authentication is not appropriate exclusively on a domain name for authentication is not appropriate
for a LIS, since the domain name associated with the access network for a LIS, since the domain name associated with the access network
might not be known. Indeed, it is often inappropriate to attempt to might not be known. Indeed, it is often inappropriate to attempt to
assign any particular domain name to an access network. assign any particular domain name to an access network.
This specification defines an alternative means of establishing an This specification defines an alternative means of establishing an
expected identity for the server that uses a certificate fingerprint. expected identity for the server that uses a certificate fingerprint.
One or more fingerprints for the server certificate used by the LIS One or more fingerprints for the server certificate used by the LIS
is included in a second DHCP option. The client uses the fingerprint is included in a second DHCP option. The device uses the fingerprint
information provided by the DHCP server to authenticate the LIS when information provided by the DHCP server to authenticate the LIS when
it establishes a TLS session. The domain name MUST NOT be used to it establishes a TLS session. The domain name MUST NOT be used to
authenticate the LIS if fingerprint information is provided. authenticate the LIS if a non-empty fingerprint information option is
provided.
The LIS certificate fingerprints option uses a format of "sub- This fingerprint option is of particular use for private networks
where authentication based on domain name is either infeasible or not
desirable.
The LIS certificate fingerprint option uses a format of "sub-
options", that allows for the inclusion of multiple fingerprint options", that allows for the inclusion of multiple fingerprint
values. Each "sub-option" includes a fingerprint generated by a values. Each "sub-option" includes a fingerprint generated by a
different cryptographic hash algorithm. The "sub-option" code different cryptographic hash algorithm. The "sub-option" code
indicates the hash algorithm used for generating the fingerprint. indicates the hash algorithm used for generating the fingerprint.
Each hash algorithm is identified by the assigned code from the IANA Each hash algorithm is identified by the assigned code from the IANA
registry "TLS HashAlgorithm Registry" established in [RFC5246]. registry "TLS HashAlgorithm Registry" established in [RFC5246].
The use of sub-options provides a means to upgrade hash functions The use of sub-options provides a means to upgrade hash functions
without affecting backward compatibility. New hash algorithms can be without affecting backward compatibility. New hash algorithms can be
used without affecting devices that do not yet support the algorithm. used without affecting devices that do not yet support the algorithm.
A device MUST use the first fingerprint that it supports. If any A device MUST use the first fingerprint that it supports. If any
supported fingerprint does not match, the LIS MUST be considered supported fingerprint does not match, the LIS MUST be considered
unauthenticated. If none of the specified hash algorithms are unauthenticated. If none of the specified hash algorithms are
supported by the device, it MUST consider the LIS to be supported by the device, it MUST consider the LIS to be
unauthenticated. unauthenticated.
A fingerprint is generated or checked by applying a cryptographic A fingerprint is generated or checked by applying a cryptographic
hash function to the DER-encoded certificate. Implementations MUST hash function to the DER-encoded certificate. Implementations MUST
support the SHA-1 algorithm, using a sub-option code of 2. support the SHA-1 algorithm, using a sub-option code of 2.
A client SHOULD request the LIS certificate fingerprints option at A device SHOULD request the LIS certificate fingerprint option at the
the same time as the LIS URI option. Without the LIS certificate same time as the LIS URI option. Without the LIS certificate
fingerprints option a client cannot authenticate the LIS; absence of fingerprint option a device cannot authenticate the LIS; absence of
this option prevents authentication. this option prevents authentication.
An access network operator is able to nominate authentication based An access network operator is able to nominate authentication based
on a domain name by omitting fingerprints. If a hash algorithm of on a domain name by omitting fingerprints. If an empty option is
"none" is indicated (value of 0) is indicated, the device MUST provided, the device MUST authenticate the server using the default
authenticate the server using the method described in Section 3.1 of method for the applicable URI scheme. For https: URIs, the
RFC 2818 [RFC2818]. The LIS certificate fingerprints option MUST NOT authentication described in Section 3.1 of RFC 2818 [RFC2818] MUST be
include any other fingerprint information if a hash algorithm of used if the LIS certificate fingerprint option is empty.
"none" is indicated.
The certificate fingerprint can be ignored if the LIS URI indicates a The certificate fingerprint can be ignored if the LIS URI indicates a
protocol that does not support exchange of certificates (such as protocol that does not support exchange of certificates (such as
http:). Such a LIS cannot be authenticated using this option. The http:). Such a LIS cannot be authenticated using this option. The
LIS certificate fingerprints option SHOULD indicate a hash algorithm LIS certificate fingerprint option MUST be empty if no means of
of "none" if no means of achieving authentication is available. achieving authentication is available.
Note: Whether the device goes on to use the information provided by Note: Whether the device goes on to use the information provided by
an unauthenticated LIS depends on device policy. A device might an unauthenticated LIS depends on device policy. A device might
choose to continue with discovery using different network choose to continue with discovery using different network
interfaces or methods before falling back to an unauthenticated interfaces or methods before falling back to an unauthenticated
LIS. LIS.
2.3.1. DHCPv4 LIS Certificate Fingerprints Option 2.3.1. Alternative Certificates
There is a need to renew certificates as they expire. Around the
time that a certificate is replaced, DHCP configuration identifying
the certificate fingerprint might become invalid. Therefore, to
prevent , or where circumstances require that the LIS function is
served by multiple hosts, there is a need to allow for alternative
certificates. Authentication based on a fingerprint of a single
certificate fails around the time that a certificate is replaced, or
if there is a need for alternative servers that use different
certificates.
A sub-option code of 0 indicates that the sub-option contains a
certificate serial number. The value of the sub-option is the
integer value in network byte order. All subsequent fingerprint
values until the next occurence of sub-option 0 apply only to
certificates with the given serial number.
This method means that ordering of sub-options is signficant. All
fingerprint values after a certificate serial number apply to
certificates with that serial number only. The DHCP server MUST NOT
include fingerprint values before the first serial number, if a
serial number is used. Serial numbers can be omitted if there is
only one valid certificate.
Note that serial number alone is not a guarantee of uniqueness.
There is small probability that two different certificate issuers
could provide the same serial number with the same fingerprint. If
re-issue of the certificate is not viable, selection of a different
hash function might remove the collision.
2.3.2. Sub-Option Codes
The LIS certificate fingerprint option use sub-option codes that
identify the hash function that is used to generate the fingerprint.
A value of 0 indicates that the sub-option contains a certificate
serial number.
The following list is the current state of the "TLS HashAlgorithm
Registry" established in [RFC5246] and maintained by the IANA. As
additional values are added to the registry, these MAY be used as
option.
0: (serial number) This code indicates that the sub-option contains a
certificate serial number.
1: The sub-option contains a fingerprint generated using the MD5 hash
algorithm.
2: A fingerprint generated using SHA-1.
3: A fingerprint generated using SHA-224.
4: A fingerprint generated using SHA-256.
5: A fingerprint generated using SHA-384.
6: A fingerprint generated using SHA-512.
The sub-option code of 0 corresponds to the "none" value in the "TLS
HashAlgorithm Registry"; sub-option codes 1 through 6 correspond to
the same value.
Sub-option 0 contains a long integer value in network byte order.
This value is compared numerically. Negative and zero values are
possible (see [RFC5280]), and are expressed in twos complement;
therefore, the most significant bit of the first octet is interpreted
as having a negative value. This value could be up to 20 octets in
size. Note that the sub-option does not contain values encoded using
the distinguished encoding rules (DER).
2.3.3. Authentication Algorithm Summary
Once a device acquires the LIS URI option and the LIS certificate
fingerprint option, it is able to authenticate a LIS. Assuming that
the LIS URI indicates use of TLS, the device establishes a TLS
session and acquires a certificate from the LIS.
The LIS certificate fingerprint option is either empty, or it
contains a set of fingerprints. The set of fingerprints is either
divided into groups based on certificate serial number, or all of the
fingerprints describe the same certificate using different hash
algorithms. This is shown in Figure 3.
Without serial numbers With serial numbers
<hash> : <value> <serial> : <hash> : <value>
<hash> : <value> : <hash> : <value>
... <serial> : <hash> : <value>
: <hash> : <value>
...
Figure 3: LIS Certificate Fingerprint Option Structure
If the LIS certificate fingerprint option is empty, the LIS is
authenticated using the domain name indicated in its offered
certificate, using the mechanism described in Section 3.1 of
[RFC2818].
If the LIS certificate fingerprint option contains data, the LIS is
authenticated based on a fingerprint of its certificate. If multiple
certificates are indicated using serial numbers, the first sub-option
contains the serial numbers sub-option (code 0).
No serial numbers: The device matches the certificate fingerprint it
calculates from the LIS certificate against any of the fingerprint
sub-options.
Serial numbers: The device matches the certificate fingerprint it
calculates against a fingerprint sub-option that follows a serial
number sub-option containing the certificate serial number.
If no match can be found, the LIS is not authenticated.
2.3.4. DHCPv4 LIS Certificate Fingerprint Option
This section defines a DHCP for IPv4 (DHCPv4) option for LIS This section defines a DHCP for IPv4 (DHCPv4) option for LIS
certificate fingerprints. certificate fingerprints.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LIS_CERT_FP | Length | | | LIS_CERT_FP | Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
. Fingerprint-Sub-Options . . Fingerprint-Sub-Options .
. . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: DHCPv4 LIS Certificate Fingerprints Option Figure 4: DHCPv4 LIS Certificate Fingerprint Option
LIS_CERT_FP: The IANA assigned option number (TBD). [[IANA/ LIS_CERT_FP: The IANA assigned option number (TBD). [[IANA/
RFC-Editor Note: Please replace TBD with the assigned DHCPv4 RFC-Editor Note: Please replace TBD with the assigned DHCPv4
option code.]] option code.]]
Length: The length of the entire LIS certificate fingerprints option Length: The length of the entire LIS certificate fingerprint option
in octets. in octets.
Fingerprint-Sub-Options: A series of one or more sub-options, as Fingerprint-Sub-Options: A series of one or more sub-options, as
shown in Figure 4. shown in Figure 5.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HashAlgorithm | Length | Fingerprint-Value ... | Sub-Option | Length | Fingerprint-Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: DHCPv4 LIS Certificate Fingerprints Sub-Option Figure 5: DHCPv4 LIS Certificate Fingerprint Sub-Option
Sub-Option: A code that identifies the hash algorithm used to
HashAlgorithm: A code that identifies the hash algorithm used to generate the fingerprint, or a certificate serial number. The set
generate the fingerprint. The set of codes are defined in the of codes are defined in Section 2.3.2.
"TLS HashAlgorithm Registry" IANA registry [RFC5246].
Length: The length, in octets of the "Fingerprint-Value" sub-option. Length: The length, in octets of the "Fingerprint-Value" sub-option.
Fingerprint-Value: The octet values of the certificate fingerprint. Fingerprint-Value: The octet values of the certificate fingerprint
An invalid fingerprint is not equivalent to no fingerprint. If (or a certificate serial number for sub-option 0). An invalid
the length of this field does not match the expected length of the fingerprint is not equivalent to no fingerprint. If the length of
hash function output, the fingerprint MUST be considered invalid. this field does not match the expected length of the hash function
output, the fingerprint MUST be considered invalid.
DHCPv4 option concatenation [RFC3396] SHOULD be avoided, but is DHCPv4 option concatenation [RFC3396] SHOULD be avoided, but is
permitted if long values are required. Similarly, sub-options MAY be permitted if long values are required. The sub-options described in
concatenated to allow for hash algorithm that produce output longer this document do not require any more than 255 octets to express
than 2040 bits (255 octets). fully, so concatenation of sub-options is not necessary.
2.3.2. DHCPv6 LIS Certificate Fingerprints Option 2.3.5. DHCPv6 LIS Certificate Fingerprint Option
This section defines a DHCP for IPv6 (DHCPv6) option for LIS This section defines a DHCP for IPv6 (DHCPv6) option for LIS
certificate fingerprints. The DHCPv6 option for this parameter is certificate fingerprints. The DHCPv6 option for this parameter is
similarly formatted to the DHCPv4 option. similarly formatted to the DHCPv4 option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_LIS_CERT_FP | Length | | OPTION_LIS_CERT_FP | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. Fingerprint-Sub-Options . . Fingerprint-Sub-Options .
. . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: DHCPv6 LIS Certificate Fingerprints Option Figure 6: DHCPv6 LIS Certificate Fingerprint Option
OPTION_LIS_CERT_FP: The IANA assigned option number (TBD). [[IANA/ OPTION_LIS_CERT_FP: The IANA assigned option number (TBD). [[IANA/
RFC-Editor Note: Please replace TBD with the assigned DHCPv6 RFC-Editor Note: Please replace TBD with the assigned DHCPv6
option code.]] option code.]]
Length: The length of the LIS certificate fingerprints option in Length: The length of the LIS certificate fingerprint option in
octets. octets.
Fingerprint-Sub-Options: A series of one or more sub-options, as Fingerprint-Sub-Options: A series of one or more sub-options, as
shown in Figure 6. shown in Figure 7.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HashAlgorithm | Length | | Sub-Option | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. Fingerprint-Value . . Fingerprint-Value .
. ... . . ... .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: DHCPv6 LIS Certificate Fingerprints Sub-Option Figure 7: DHCPv6 LIS Certificate Fingerprint Sub-Option
The semantics of the DHCPv6 LIS certificate fingerprints sub-options The semantics of the DHCPv6 LIS certificate fingerprint sub-options
are identical to the DHCPv4 option except that concatenation is are identical to the DHCPv4 option except that concatenation is
neither required nor permitted. Length fields are 16 bits in length; neither required nor permitted. Length fields are 16 bits in length;
therefore, concatenation is not needed to accomodate values longer therefore, concatenation is not needed to accomodate values longer
than 255 octets. DHCPv6 prohibits concatenation of option values. than 255 octets. DHCPv6 prohibits concatenation of option values.
3. U-NAPTR for LIS Discovery 3. U-NAPTR for LIS Discovery
U-NAPTR resolution for a LIS takes a domain name as input and U-NAPTR resolution for a LIS takes a domain name as input and
produces a URI that identifies the LIS. This process also requires produces a URI that identifies the LIS. This process also requires
an Application Service tag and an Application Protocol tag, which an Application Service tag and an Application Protocol tag, which
differentiate LIS-related NAPTR records from other records for that differentiate LIS-related NAPTR records from other records for that
domain. domain.
Section 6.3 defines an Application Service tag of "LIS", which is Section 6.4 defines an Application Service tag of "LIS", which is
used to identify the location service for a particular domain. The used to identify the location service for a particular domain. The
Application Protocol tag "HELD", defined in Section 6.4, is used to Application Protocol tag "HELD", defined in Section 6.5, is used to
identify a LIS that understands the HELD protocol identify a LIS that understands the HELD protocol
[I-D.ietf-geopriv-http-location-delivery]. [I-D.ietf-geopriv-http-location-delivery].
The NAPTR records in the following example demonstrate the use of the The NAPTR records in the following example demonstrate the use of the
Application Service and Protocol tags. Iterative NAPTR resolution is Application Service and Protocol tags. Iterative NAPTR resolution is
used to delegate responsibility for the LIS service from used to delegate responsibility for the LIS service from
"zonea.example.net." and "zoneb.example.net." to "zonea.example.net." and "zoneb.example.net." to
"outsource.example.com.". "outsource.example.com.".
zonea.example.net. zonea.example.net.
skipping to change at page 10, line 44 skipping to change at page 13, line 44
"" ; regex "" ; regex
outsource.example.com. ; replacement outsource.example.com. ; replacement
) )
outsource.example.com. outsource.example.com.
;; order pref flags ;; order pref flags
IN NAPTR 100 10 "u" "LIS:HELD" ( ; service IN NAPTR 100 10 "u" "LIS:HELD" ( ; service
"!*.!https://lis.example.org:4802/?c=ex!" ; regex "!*.!https://lis.example.org:4802/?c=ex!" ; regex
. ; replacement . ; replacement
) )
Figure 7: Sample LIS:HELD Service NAPTR Records Figure 8: Sample LIS:HELD Service NAPTR Records
Details for the "LIS" Application Service tag and the "HELD" Details for the "LIS" Application Service tag and the "HELD"
Application Protocol tag are included in Section 6. Application Protocol tag are included in Section 6.
U-NAPTR MUST only be used if the DHCP LIS URI option is not U-NAPTR MUST only be used if the DHCP LIS URI option is not
available. available.
An https: LIS URI that is a product of U-NAPTR MUST be authenticated An https: LIS URI that is a product of U-NAPTR MUST be authenticated
using the domain name method described in Section 3.1 of RFC 2818 using the domain name method described in Section 3.1 of RFC 2818
[RFC2818]. [RFC2818].
skipping to change at page 13, line 23 skipping to change at page 16, line 23
URIs produced by the discovery process can be used for location URIs produced by the discovery process can be used for location
configuration using HELD. URIs that are not a product of LIS configuration using HELD. URIs that are not a product of LIS
discovery MUST NOT be used for location configuration. discovery MUST NOT be used for location configuration.
4.1. Virtual Private Networks (VPNs) 4.1. Virtual Private Networks (VPNs)
LIS discovery over a VPN network interface SHOULD NOT be performed. LIS discovery over a VPN network interface SHOULD NOT be performed.
A LIS discovered in this way is unlikely to have the information A LIS discovered in this way is unlikely to have the information
necessary to determine an accurate location. necessary to determine an accurate location.
Since not all interfaces connected to a VPN can be detected by hosts, Since not all interfaces connected to a VPN can be detected by
a LIS SHOULD NOT provide location information in response to requests devices, a LIS MUST NOT provide location information in response to
that it can identify as originating from a VPN pool. This ensures requests that it can identify as originating from a device on the
that even if a host discovers a LIS over the VPN, it does not rely on remote end of a VPN interface. This ensures that even if a host
a LIS that is unable to provide accurate location information. The discovers a LIS over the VPN, it does not rely on a LIS that is
exception to this is where the LIS and host are able to determine a unable to provide accurate location information. The exception to
location without access network support. this is where the LIS and host are able to determine a location
without access network support.
5. Security Considerations 5. Security Considerations
The primary attack against the methods described in this document is The primary attack against the methods described in this document is
one that would lead to impersonation of a LIS. The LIS is one that would lead to impersonation of a LIS. The LIS is
responsible for providing location information and this information responsible for providing location information and this information
is critical to a number of network services; furthermore, a host does is critical to a number of network services; furthermore, a host does
not necessarily have a prior relationship with a LIS. Several not necessarily have a prior relationship with a LIS. Several
methods are described here that can limit the probablity of, or methods are described here that can limit the probablity of, or
provide some protection against, such an attack. provide some protection against, such an attack.
The address of a LIS is usually well-known within an access network; The address of a LIS is usually well-known within an access network;
therefore, interception of messages does not introduce any specific therefore, interception of messages does not introduce any specific
concerns. concerns.
The integrity of DHCP options is limited by the security of the Section 2.3 describes how a LIS is authenticated by devices, using
channel over which they are provided. Physical security and either certificate fingerprints or a domain name certificate. This
separation of DHCP messages from other packets are commonplace mechanism relies on the integrity of the information provided by the
methods that can reduce the possibility of attack within an access DHCP server.
network; alternatively, DHCP authentication [RFC3118] can provide a
degree of protection against modification.
Section 2.3 describes how a LIS is authenticated by clients, using An attacker that is able to modify or spoof messages from a DHCP
either certificate fingerprints or a domain name certificate. server could provide a falsified LIS URI and certificate fingerprint
options that a device would be able to use to successfully
authenticate the LIS. Preventing DHCP messages from being modified
or spoofed by attackers is necessary if this information is to be
relied upon. Physical or link layer security are commonplace methods
that can reduce the possibility of such an attack within an access
network; alternatively, DHCP authentication [RFC3118] can provide a
degree of protection against modification or spoofing.
An attacker could attempt to compromise the U-NAPTR resolution. A An attacker could attempt to compromise the U-NAPTR resolution. A
more thorough description of the security considerations for U-NAPTR more thorough description of the security considerations for U-NAPTR
applications is included in [RFC4848]. applications is included in [RFC4848].
In addition to considerations related to U-NAPTR, it is important to In addition to considerations related to U-NAPTR, it is important to
recognize that the output of this is entirely dependent on its input. recognize that the output of this is entirely dependent on its input.
An attacker who can control the domain name is therefore able to An attacker who can control the domain name is therefore able to
control the final URI. control the final URI.
6. IANA Considerations 6. IANA Considerations
6.1. Registration of DHCPv4 and DHCPv6 LIS URI Option Codes 6.1. Registration of DHCPv4 and DHCPv6 LIS URI Option Codes
The IANA has assigned an option code of (TBD) for the DHCPv4 option The IANA has assigned an option code of (TBD) for the DHCPv4 option
for a LIS URI, as described in Section 2.1 of this document. for a LIS URI, as described in Section 2.1 of this document.
The IANA has assigned an option code of (TBD) for the DHCPv6 option The IANA has assigned an option code of (TBD) for the DHCPv6 option
for a LIS URI, as described in Section 2.2 of this document. for a LIS URI, as described in Section 2.2 of this document.
6.2. Registration of DHCPv4 and DHCPv6 LIS Certificate Fingerprints 6.2. Registration of DHCPv4 and DHCPv6 LIS Certificate Fingerprint
Option Codes Option Codes
The IANA has assigned an option code of (TBD) for the DHCPv4 option The IANA has assigned an option code of (TBD) for the DHCPv4 option
for a LIS certificate fingerprints, as described in Section 2.3.1 of for LIS certificate fingerprints, as described in Section 2.3.4 of
this document. this document.
The IANA has assigned an option code of (TBD) for the DHCPv6 option The IANA has assigned an option code of (TBD) for the DHCPv6 option
for a LIS certificate fingerprints, as described in Section 2.3.2 of for LIS certificate fingerprints, as described in Section 2.3.5 of
this document. this document.
6.3. Registration of a Location Server Application Service Tag 6.3. Creation of Registry for LIS Certificate Fingerprint Sub-Option
Codes
The IANA has created a registry entitled "DHCP Certificate
Fingerprint Sub-Option Codes" that contains codes identifying the
sub-option codes used for the DHCPv4 and DHCPv6 LIS certificate
fingerprint option. This registry is a sub-registry of "Dynamic Host
Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP)
Parameters".
The registry contains the following fields for each registration:
Sub-Option Code: The numerical value of the sub-option code. Values
from 0 through 255 (decimal) apply to DHCPv4 and DHCPv6. Values
from 256 to 65535 only apply to the DHCPv6 option.
Semantics: The name of the hash algorithm that the sub-option
represents, or a reference to the document defining specific
semantics.
TLS HashAlgorithm Code: For sub-options that refer to hash
algorithms, the code used in the "TLS HashAlgorithm Registry".
The initial values for this registry are included in Section 2.3.2 of
this document.
This registry operates under the "Specification Required" rule
[RFC5226]. For hash algorithms, the only specification required is
the specification referenced in the "TLS HashAlgorithm Registry".
6.4. Registration of a Location Server Application Service Tag
This section registers a new S-NAPTR/U-NAPTR Application Service tag This section registers a new S-NAPTR/U-NAPTR Application Service tag
for a LIS, as mandated by [RFC3958]. for a LIS, as mandated by [RFC3958].
Application Service Tag: LIS Application Service Tag: LIS
Intended usage: Identifies a service that provides a host with its Intended usage: Identifies a service that provides a host with its
location information. location information.
Defining publication: RFCXXXX Defining publication: RFCXXXX
Related publications: HELD [I-D.ietf-geopriv-http-location-delivery] Related publications: HELD [I-D.ietf-geopriv-http-location-delivery]
Contact information: The authors of this document Contact information: The authors of this document
Author/Change controller: The IESG Author/Change controller: The IESG
6.4. Registration of a Location Server Application Protocol Tag for 6.5. Registration of a Location Server Application Protocol Tag for
HELD HELD
This section registers a new S-NAPTR/U-NAPTR Application Protocol tag This section registers a new S-NAPTR/U-NAPTR Application Protocol tag
for the HELD [I-D.ietf-geopriv-http-location-delivery] protocol, as for the HELD [I-D.ietf-geopriv-http-location-delivery] protocol, as
mandated by [RFC3958]. mandated by [RFC3958].
Application Service Tag: HELD Application Service Tag: HELD
Intended Usage: Identifies the HELD protocol. Intended Usage: Identifies the HELD protocol.
skipping to change at page 18, line 34 skipping to change at page 21, line 34
Domain Name (FQDN) Option", RFC 4702, October 2006. Domain Name (FQDN) Option", RFC 4702, October 2006.
[RFC4704] Volz, B., "The Dynamic Host Configuration Protocol for [RFC4704] Volz, B., "The Dynamic Host Configuration Protocol for
IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN)
Option", RFC 4704, October 2006. Option", RFC 4704, October 2006.
[RFC4848] Daigle, L., "Domain-Based Application Service Location [RFC4848] Daigle, L., "Domain-Based Application Service Location
Using URIs and the Dynamic Delegation Discovery Service Using URIs and the Dynamic Delegation Discovery Service
(DDDS)", RFC 4848, April 2007. (DDDS)", RFC 4848, April 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[I-D.ietf-geopriv-http-location-delivery] [I-D.ietf-geopriv-http-location-delivery]
Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, Barnes, M., Winterbottom, J., Thomson, M., and B. Stark,
"HTTP Enabled Location Delivery (HELD)", "HTTP Enabled Location Delivery (HELD)",
draft-ietf-geopriv-http-location-delivery-12 (work in draft-ietf-geopriv-http-location-delivery-13 (work in
progress), January 2009. progress), February 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
8.2. Informative References 8.2. Informative References
[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001. Messages", RFC 3118, June 2001.
[RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and [RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and
J. Polk, "Geopriv Requirements", RFC 3693, February 2004. J. Polk, "Geopriv Requirements", RFC 3693, February 2004.
[RFC3958] Daigle, L. and A. Newton, "Domain-Based Application [RFC3958] Daigle, L. and A. Newton, "Domain-Based Application
Service Location Using SRV RRs and the Dynamic Delegation Service Location Using SRV RRs and the Dynamic Delegation
Discovery Service (DDDS)", RFC 3958, January 2005. Discovery Service (DDDS)", RFC 3958, January 2005.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[I-D.ietf-geopriv-l7-lcp-ps] [I-D.ietf-geopriv-l7-lcp-ps]
Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7
Location Configuration Protocol; Problem Statement and Location Configuration Protocol; Problem Statement and
Requirements", draft-ietf-geopriv-l7-lcp-ps-08 (work in Requirements", draft-ietf-geopriv-l7-lcp-ps-09 (work in
progress), June 2008. progress), February 2009.
[I-D.ietf-geopriv-lbyr-requirements]
Marshall, R., "Requirements for a Location-by-Reference
Mechanism", draft-ietf-geopriv-lbyr-requirements-07 (work
in progress), February 2009.
Authors' Addresses Authors' Addresses
Martin Thomson Martin Thomson
Andrew Andrew
PO Box U40 PO Box U40
Wollongong University Campus, NSW 2500 Wollongong University Campus, NSW 2500
AU AU
Phone: +61 2 4221 2915 Phone: +61 2 4221 2915
 End of changes. 51 change blocks. 
103 lines changed or deleted 279 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/