GEOPRIV                                                       M. Thomson
Internet-Draft                                           J. Winterbottom
Intended status: Standards Track                                  Andrew
Expires: September 24, October 3, 2009                               March 23,                                   April 1, 2009

        Discovering the Local Location Information Server (LIS)
                  draft-ietf-geopriv-lis-discovery-08
                  draft-ietf-geopriv-lis-discovery-09

Status of this This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 24, October 3, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   Discovery of the correct Location Information Server (LIS) in the
   local access network is necessary for devices that wish to acquire
   location information from the network.  A method is described for the
   discovery of a LIS.  Dynamic Host Configuration Protocol (DHCP)
   options for IP versions 4 and 6 are defined that specify a URI for a
   LIS in the local access network.  Additional DHCP options are
   provided that enable authentication of the indicated LIS.  An alternative method that uses
   URI-enabled NAPTR (U-NAPTR) is described for use where the DHCP
   option is unsuccessful.

Table of Contents

   1.  Introduction and Overview  . . . . . . . . . . . . . . . . . .  3
     1.1.  DHCP Discovery . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  U-NAPTR Discovery  . . . . . . . . . . . . . . . . . . . .  4  3
     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  LIS Discovery Using DHCP . . . . . . . . . . . . . . . . . . .  5  4
     2.1.  DHCPv4 LIS URI Option  . . . . . . . . . . . . . . . . . .  5  4
     2.2.  DHCPv6 LIS URI Option  . . . . . . . . . . . . . . . . . .  5
     2.3.
   3.  U-NAPTR for LIS Authentication . . Discovery  . . . . . . . . . . . . . . . . . .  6
       2.3.1.  Alternative Certificates . . . . . . . . . . . . . . .  7
       2.3.2.  Sub-Option Codes . . . . . . . . . . . . . . . . . . .  8
       2.3.3.  Authentication Algorithm Summary . . . . . . .
     3.1.  Determining a Domain Name  . . . .  9
       2.3.4.  DHCPv4 LIS Certificate Fingerprint Option . . . . . . 10
       2.3.5.  DHCPv6 LIS Certificate Fingerprint Option . . . . . . 11
   3.  U-NAPTR for LIS  7
   4.  Overall Discovery Procedure  . . . . . . . . . . . . . . . . . . 13
     3.1.  Determining a Domain Name  . . . . . . . . . . . . . .  7
     4.1.  Residential Gateways . . 14
   4.  Overall Discovery Procedure . . . . . . . . . . . . . . . . . 15
     4.1.  8
     4.2.  Virtual Private Networks (VPNs)  . . . . . . . . . . . . . 16  9
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 17  9
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18 10
     6.1.  Registration of DHCPv4 and DHCPv6 LIS URI Option Codes . . 18 10
     6.2.  Registration of DHCPv4 and DHCPv6 LIS Certificate
           Fingerprint Option Codes . . . . . . . . . . . . . . . . . 18
     6.3.  Creation of Registry for LIS Certificate Fingerprint
           Sub-Option Codes . . . . . . . . . . . . . . . . . . . . . 18
     6.4.  Registration of a Location Server Application Service
           Tag  . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     6.5. 10
     6.3.  Registration of a Location Server Application Protocol
           Tag for HELD . . . . . . . . . . . . . . . . . . . . . . . 19 11
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20 11
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 11
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 21 11
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 22
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 13

1.  Introduction and Overview

   The location of a device is a useful and sometimes necessary part of
   many services.  A Location Information Server (LIS) is responsible
   for providing that location information to devices with an access
   network.  The LIS uses knowledge of the access network and its
   physical topology to generate and serve location information to
   devices.

   Each access network requires specific knowledge about topology.
   Therefore, it is important to discover the LIS that has the specific
   knowledge necessary to locate a device.  That is, the LIS that serves
   the current access network.  Automatic discovery is important where
   there is any chance of movement outside a single access network.
   Reliance on static configuration can lead to unexpected errors if a
   device moves between access networks.

   This document describes DHCP options and DNS records that a device
   can use to discover a LIS.

   The product of a discovery process, such as the one described in this
   document, is the address of the service.  In this document, the
   result is an http: or https: URI, which identifies a LIS.

   The URI result from the discovery process is suitable for location
   configuration only; that is, the device MUST dereference the URI
   using the process described in HELD
   [I-D.ietf-geopriv-http-location-delivery].  URIs discovered in this
   way are not "location URIs" [I-D.ietf-geopriv-lbyr-requirements];
   dereferencing one of them provides the location of the requester
   only.  Devices MUST NOT embed these URIs in fields in other protocols
   designed to carry the location of the device.

1.1.  DHCP Discovery

   DHCP ([RFC2131], [RFC3315]) is a commonly used mechanism for
   providing bootstrap configuration information allowing a device to
   operate in a specific network environment.  The bulk of DHCP
   information is largely static; consisting of configuration
   information that does not change over the period that the device is
   attached to the network.  Physical location information might change
   over this time, however the address of the LIS does not.  Thus, DHCP
   is suitable for configuring a device with the address of a LIS.

   A second DHCP option is defined that enables the authentication of a
   LIS based on a fingerprint of the X.509 certificate [RFC5280] it
   presents.  Use of this option provides an alternative to the
   authentication defined in HELD that relies on the domain name of the
   LIS.

1.2.  U-NAPTR Discovery

   Where DHCP is not available, the DNS might be able to provide a URI.
   This document describes a method that uses URI-enabled NAPTR
   (U-NAPTR) [RFC4848], a Dynamic Delegation Discovery Service (DDDS)
   profile that supports URI results.

   For the LIS discovery DDDS application, an Application Service tag
   "LIS" and an Application Protocol tag "HELD" are created and
   registered with the IANA.  Taking a domain name, this U-NAPTR
   application uses the two tags to determine the LIS URI.

   A domain name is the crucial input to the U-NAPTR resolution process.
   Section 3.1 of this document describes several methods for deriving
   an appropriate domain name.

1.3.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   This document also uses the term "device" to refer to an end host, or
   client consistent with its use in HELD.  In HELD and RFC3693
   [RFC3693] parlance, the Device is also the Target.

   The terms "access network" refers to the network that a device
   connects to for Internet access.  The "access network provider" is
   the entity that operates the access network.  This is consistent with
   the definition in [I-D.ietf-geopriv-l7-lcp-ps] which combines the
   Internet Access Provider (IAP) and Internet Service Provider (ISP).
   The access network provider is responsible for allocating the device
   a public IP address and for directly or indirectly providing a LIS
   service.

2.  LIS Discovery Using DHCP

   DHCP allows the access network provider to specify the address of a
   LIS as part of network configuration.  If the device is able to
   acquire a LIS URI using DHCP then this URI is used directly; the
   U-NAPTR process is not necessary if this option is provided.

   This document registers a DHCP options option for a LIS URI for both IPv4 and
   IPv6.  A second option for both DHCP versions  An "https:" LIS URI that is also registered to
   convey a fingerprint product of the certificate expected to U-NAPTR MUST be used by
   authenticated using the
   LIS. domain name method described in Section 3.1
   of RFC 2818 [RFC2818].

2.1.  DHCPv4 LIS URI Option

   This section defines a DHCP for IPv4 (DHCPv4) option for the address
   of a LIS.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    LIS_URI    |    Length     |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   .                            LIS URI                            .
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 1: DHCPv4 LIS URI Option

   LIS_URI:  The IANA assigned option number (TBD).  [[IANA/RFC-Editor
      Note: Please replace TBD with the assigned DHCPv4 option code.]]

   Length:  The length of the entire LIS URI option in octets.

   LIS URI:  The address of the LIS.  The URI MUST NOT be terminated by
      a zero octet.

      The DHCPv4 version of this URI SHOULD NOT exceed 255 octets in
      length, but MAY be extended by concatenating multiple option
      values if necessary, as described in [RFC3396].

2.2.  DHCPv6 LIS URI Option

   This section defines a DHCP for IPv6 (DHCPv6) option for the address
   of a LIS.  The DHCPv6 option for this parameter is similarly
   formatted to the DHCPv4 option.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       OPTION_LIS_URI          |           Length              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                            LIS URI                            .
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 2: DHCPv6 LIS URI Option

   OPTION_LIS_URI:  The IANA assigned option number (TBD).  [[IANA/
      RFC-Editor Note: Please replace TBD with the assigned DHCPv6
      option code.]]

   Length:  The length of the LIS URI option in octets.

      The semantics and format of the remainder of the LIS URI option
      are identical to the DHCPv4 option, except for the larger
      allowance for URI length granted by the 16 bit length field.
      DHCPv6 prohibits concatenation of option values.

2.3.

3.  U-NAPTR for LIS Authentication

   HTTP over TLS [RFC2818] describes how Discovery

   U-NAPTR resolution for a host is authenticated based
   on an expected domain name using public key infrastructure.  Relying
   exclusively on LIS takes a domain name for authentication is not appropriate
   for as input and
   produces a LIS, since the domain name associated with URI that identifies the access network
   might not be known.  Indeed, it is often inappropriate to attempt to
   assign any particular domain name to an access network. LIS.  This specification defines process also requires
   an alternative means of establishing Application Service tag and an
   expected identity Application Protocol tag, which
   differentiate LIS-related NAPTR records from other records for the server that uses a certificate fingerprint.
   One or more fingerprints for the server certificate used by the LIS
   domain.

   Section 6.2 defines an Application Service tag of "LIS", which is included in a second DHCP option.  The device uses the fingerprint
   information provided by the DHCP server
   used to authenticate identify the LIS when
   it establishes location service for a TLS session. particular domain.  The domain name MUST NOT be
   Application Protocol tag "HELD", defined in Section 6.3, is used to
   authenticate the LIS if
   identify a non-empty fingerprint information option is
   provided.

   This fingerprint option is of particular use for private networks
   where authentication based on domain name is either infeasible or not
   desirable.

   The LIS certificate fingerprint option uses a format of "sub-
   options", that allows for understands the inclusion of multiple fingerprint
   values.  Each "sub-option" includes a fingerprint generated by a
   different cryptographic hash algorithm. HELD protocol
   [I-D.ietf-geopriv-http-location-delivery].

   The "sub-option" code
   indicates the hash algorithm used for generating the fingerprint.
   Each hash algorithm is identified by the assigned code from the IANA
   registry "TLS HashAlgorithm Registry" established in [RFC5246].

   The use of sub-options provides a means to upgrade hash functions
   without affecting backward compatibility.  New hash algorithms can be
   used without affecting devices that do not yet support the algorithm.
   A device MUST use the first fingerprint that it supports.  If any
   supported fingerprint does not match, the LIS MUST be considered
   unauthenticated.  If none of the specified hash algorithms are
   supported by the device, it MUST consider the LIS to be
   unauthenticated.

   A fingerprint is generated or checked by applying a cryptographic
   hash function to the DER-encoded certificate.  Implementations MUST
   support the SHA-1 algorithm, using a sub-option code of 2.

   A device SHOULD request the LIS certificate fingerprint option at the
   same time as the LIS URI option.  Without the LIS certificate
   fingerprint option a device cannot authenticate the LIS; absence of
   this option prevents authentication.

   An access network operator is able to nominate authentication based
   on a domain name by omitting fingerprints.  If an empty option is
   provided, the device MUST authenticate the server using the default
   method for the applicable URI scheme.  For https: URIs, the
   authentication described in Section 3.1 of RFC 2818 [RFC2818] MUST be
   used if the LIS certificate fingerprint option is empty.

   The certificate fingerprint can be ignored if the LIS URI indicates a
   protocol that does not support exchange of certificates (such as
   http:).  Such a LIS cannot be authenticated using this option.  The
   LIS certificate fingerprint option MUST be empty if no means of
   achieving authentication is available.

   Note:  Whether the device goes on to use the information provided by
      an unauthenticated LIS depends on device policy.  A device might
      choose to continue with discovery using different network
      interfaces or methods before falling back to an unauthenticated
      LIS.

2.3.1.  Alternative Certificates

   There is a need to renew certificates as they expire.  Around the
   time that a certificate is replaced, DHCP configuration identifying
   the certificate fingerprint might become invalid.  Therefore, to
   prevent , or where circumstances require that the LIS function is
   served by multiple hosts, there is a need to allow for alternative
   certificates.  Authentication based on a fingerprint of a single
   certificate fails around the time that a certificate is replaced, or
   if there is a need for alternative servers that use different
   certificates.

   A sub-option code of 0 indicates that the sub-option contains a
   certificate serial number.  The value of the sub-option is the
   integer value in network byte order.  All subsequent fingerprint
   values until the next occurence of sub-option 0 apply only to
   certificates with the given serial number.

   This method means that ordering of sub-options is signficant.  All
   fingerprint values after a certificate serial number apply to
   certificates with that serial number only.  The DHCP server MUST NOT
   include fingerprint values before the first serial number, if a
   serial number is used.  Serial numbers can be omitted if there is
   only one valid certificate.

   Note that serial number alone is not a guarantee of uniqueness.
   There is small probability that two different certificate issuers
   could provide the same serial number with the same fingerprint.  If
   re-issue of the certificate is not viable, selection of a different
   hash function might remove the collision.

2.3.2.  Sub-Option Codes

   The LIS certificate fingerprint option use sub-option codes that
   identify the hash function that is used to generate the fingerprint.
   A value of 0 indicates that the sub-option contains a certificate
   serial number.

   The following list is the current state of the "TLS HashAlgorithm
   Registry" established in [RFC5246] and maintained by the IANA.  As
   additional values are added to the registry, these MAY be used as
   option.

   0: (serial number) This code indicates that the sub-option contains a
      certificate serial number.

   1: The sub-option contains a fingerprint generated using the MD5 hash
      algorithm.

   2: A fingerprint generated using SHA-1.

   3: A fingerprint generated using SHA-224.

   4: A fingerprint generated using SHA-256.

   5: A fingerprint generated using SHA-384.

   6: A fingerprint generated using SHA-512.

   The sub-option code of 0 corresponds to the "none" value in the "TLS
   HashAlgorithm Registry"; sub-option codes 1 through 6 correspond to
   the same value.

   Sub-option 0 contains a long integer value in network byte order.
   This value is compared numerically.  Negative and zero values are
   possible (see [RFC5280]), and are expressed in twos complement;
   therefore, the most significant bit of the first octet is interpreted
   as having a negative value.  This value could be up to 20 octets in
   size.  Note that the sub-option does not contain values encoded using
   the distinguished encoding rules (DER).

2.3.3.  Authentication Algorithm Summary

   Once a device acquires the LIS URI option and the LIS certificate
   fingerprint option, it is able to authenticate a LIS.  Assuming that
   the LIS URI indicates use of TLS, the device establishes a TLS
   session and acquires a certificate from the LIS.

   The LIS certificate fingerprint option is either empty, or it
   contains a set of fingerprints.  The set of fingerprints is either
   divided into groups based on certificate serial number, or all of the
   fingerprints describe the same certificate using different hash
   algorithms.  This is shown in Figure 3.

        Without serial numbers          With serial numbers

          <hash> : <value>          <serial> : <hash> : <value>
          <hash> : <value>                   : <hash> : <value>
          ...                       <serial> : <hash> : <value>
                                             : <hash> : <value>
                                    ...

          Figure 3: LIS Certificate Fingerprint Option Structure

   If the LIS certificate fingerprint option is empty, the LIS is
   authenticated using the domain name indicated in its offered
   certificate, using the mechanism described in Section 3.1 of
   [RFC2818].

   If the LIS certificate fingerprint option contains data, the LIS is
   authenticated based on a fingerprint of its certificate.  If multiple
   certificates are indicated using serial numbers, the first sub-option
   contains the serial numbers sub-option (code 0).

   No serial numbers:  The device matches the certificate fingerprint it
      calculates from the LIS certificate against any of the fingerprint
      sub-options.

   Serial numbers:  The device matches the certificate fingerprint it
      calculates against a fingerprint sub-option that follows a serial
      number sub-option containing the certificate serial number.

   If no match can be found, the LIS is not authenticated.

2.3.4.  DHCPv4 LIS Certificate Fingerprint Option

   This section defines a DHCP for IPv4 (DHCPv4) option for LIS
   certificate fingerprints.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  LIS_CERT_FP  |    Length     |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   .                   Fingerprint-Sub-Options                     .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            Figure 4: DHCPv4 LIS Certificate Fingerprint Option

   LIS_CERT_FP:  The IANA assigned option number (TBD).  [[IANA/
      RFC-Editor Note: Please replace TBD with the assigned DHCPv4
      option code.]]

   Length:  The length of the entire LIS certificate fingerprint option
      in octets.

   Fingerprint-Sub-Options:  A series of one or more sub-options, as
      shown in Figure 5.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Sub-Option   |    Length     |      Fingerprint-Value      ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

          Figure 5: DHCPv4 LIS Certificate Fingerprint Sub-Option
   Sub-Option:  A code that identifies the hash algorithm used to
      generate the fingerprint, or a certificate serial number.  The set
      of codes are defined in Section 2.3.2.

   Length:  The length, in octets of the "Fingerprint-Value" sub-option.

   Fingerprint-Value:  The octet values of the certificate fingerprint
      (or a certificate serial number for sub-option 0).  An invalid
      fingerprint is not equivalent to no fingerprint.  If the length of
      this field does not match the expected length of the hash function
      output, the fingerprint MUST be considered invalid.

   DHCPv4 option concatenation [RFC3396] SHOULD be avoided, but is
   permitted if long values are required.  The sub-options described in
   this document do not require any more than 255 octets to express
   fully, so concatenation of sub-options is not necessary.

2.3.5.  DHCPv6 LIS Certificate Fingerprint Option

   This section defines a DHCP for IPv6 (DHCPv6) option for LIS
   certificate fingerprints.  The DHCPv6 option for this parameter is
   similarly formatted to the DHCPv4 option.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      OPTION_LIS_CERT_FP       |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                   Fingerprint-Sub-Options                     .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            Figure 6: DHCPv6 LIS Certificate Fingerprint Option

   OPTION_LIS_CERT_FP:  The IANA assigned option number (TBD).  [[IANA/
      RFC-Editor Note: Please replace TBD with the assigned DHCPv6
      option code.]]

   Length:  The length of the LIS certificate fingerprint option in
      octets.

   Fingerprint-Sub-Options:  A series of one or more sub-options, as
      shown in Figure 7.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Sub-Option           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                       Fingerprint-Value                       .
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

          Figure 7: DHCPv6 LIS Certificate Fingerprint Sub-Option

   The semantics of the DHCPv6 LIS certificate fingerprint sub-options
   are identical to the DHCPv4 option except that concatenation is
   neither required nor permitted.  Length fields are 16 bits in length;
   therefore, concatenation is not needed to accomodate values longer
   than 255 octets.  DHCPv6 prohibits concatenation of option values.

3.  U-NAPTR for LIS Discovery

   U-NAPTR resolution for a LIS takes a domain name as input and
   produces a URI that identifies the LIS.  This process also requires
   an Application Service tag and an Application Protocol tag, which
   differentiate LIS-related NAPTR records from other records for that
   domain.

   Section 6.4 defines an Application Service tag of "LIS", which is
   used to identify the location service for a particular domain.  The
   Application Protocol tag "HELD", defined in Section 6.5, is used to
   identify a LIS that understands the HELD protocol
   [I-D.ietf-geopriv-http-location-delivery].

   The NAPTR records in NAPTR records in the following example demonstrate the use of the
   Application Service and Protocol tags.  Iterative NAPTR resolution is
   used to delegate responsibility for the LIS service from
   "zonea.example.net." and "zoneb.example.net." to
   "outsource.example.com.".

      zonea.example.net.
      ;;       order pref flags
      IN NAPTR 100   10   ""  "LIS:HELD" (          ; service
          ""                                        ; regex
          outsource.example.com.                    ; replacement
          )
      zoneb.example.net.
      ;;       order pref flags
      IN NAPTR 100   10   ""  "LIS:HELD" (          ; service
          ""                                        ; regex
          outsource.example.com.                    ; replacement
          )
      outsource.example.com.
      ;;       order pref flags
      IN NAPTR 100   10   "u"  "LIS:HELD" (         ; service
          "!*.!https://lis.example.org:4802/?c=ex!" ; regex
          .                                         ; replacement
          )

              Figure 8: 3: Sample LIS:HELD Service NAPTR Records

   Details for the "LIS" Application Service tag and the "HELD"
   Application Protocol tag are included in Section 6.

   U-NAPTR MUST only be used if the DHCP LIS URI option is not
   available.

   An https: "https:" LIS URI that is a product of U-NAPTR MUST be
   authenticated using the domain name method described in Section 3.1
   of RFC 2818 [RFC2818].

3.1.  Determining a Domain Name

   The U-NAPTR discovery method described requires a domain name as
   input.  This document does not specify how that domain name is
   acquired by a device.  If a device knows one or more of the domain names assigned to it,
   that might be used for discovery, it MAY is able to attempt to use each
   domain name as
   input. input to the U-NAPTR discovery process.  Static
   configuration of a device is possible if a domain name is known to
   work for this purpose.

   A fully qualified domain name (FQDN) for the device might be provided
   by a DHCP server ([RFC4702] for DHCPv4, [RFC4704] for DHCPv6).
   DHCPv4 option 15 [RFC2131] could also be used as a source of a domain
   name suffix for the device.  If DHCP and any of these options are
   available, these values could be used as input the U-NAPTR procedure;
   however, implementers need to be aware that many DHCP servers do not
   provide a sensible value for these options.  Therefore, this method
   of discovery SHOULD be given lesser precedence than methods that are
   based on more explicit assurances.

4.  Overall Discovery Procedure

   The individual components of discovery are combined into a single
   discovery procedure.  Some networks maintain a topology analogous to
   an onion and are comprised of layers, or segments, separating hosts devices
   from the Internet through intermediate networks.  Applying the
   individual discovery methods in an order that favours a physically
   proximate LIS over a remote LIS is preferred.

   A host device MUST support DHCP discovery and MAY discovery, where applicable.  Devices
   SHOULD support U-NAPTR discovery.
   The process described in this document is known to not work in a very
   common deployment scenario, namely the fixed wired environment
   described in Section 3.1 of [I-D.ietf-geopriv-l7-lcp-ps].
   Alternative methods of discovery to address this limitation are
   likely. unless no input domain names can be
   determined.

   The following process ensures a greater likelihood of a LIS in close
   physical proximity being discovered:

   1.  Request the DHCP LIS URI Option for each network interface.

   2.  Use U-NAPTR to discover a LIS URI using all known domain names.

   3.  Use a statically configured LIS URI.

   A host device that has multiple network interfaces could potentially be
   served by a different access network on each interface, each with a
   different LIS.  The host device SHOULD attempt to discover the LIS
   applicable to each network interface, stopping when a LIS is
   successfully discovered on any interface.

   A host device that discovers a LIS URI MUST attempt to verify that the LIS
   is able to provide location information.  For the HELD protocol, the
   host
   device MUST make a location request to the LIS.  If - at any time -
   the LIS responds to
   this a request with the "notLocatable" error code (see
   Section 4.3.2 of [I-D.ietf-geopriv-http-location-delivery]), the host
   device MUST continue or restart the discovery process and not process.  A device
   SHOULD NOT make further requests to a LIS that provides a
   "notLocatable" error until its network attachment changes, or it
   discovers the LIS on
   that an alternative network interface.

   DHCP discovery MUST be attempted before any other discovery method.
   This allows the network access provider a direct and explicit means
   of configuring a LIS address.  Alternative methods are only specified
   as a means to discover a LIS where the DHCP infrastructure does not
   support the LIS URI option.

   This document does not mandate any particular source for the domain
   name that is used as input to U-NAPTR.  Alternative methods for
   determining the domain name MAY be used.

   Static configuration MAY be used if all other discovery methods fail.
   Note however, that if a host device has moved from its customary location,
   static configuration might indicate a LIS that is unable to provide a
   location.
   accurate location information.

   The product of the LIS discovery process is an http: "https:" or https: "http:"
   URI.  Nothing distinguishes this URI from other URIs with the same
   scheme, aside from the fact that it is the product of this process.
   Only URIs produced by the discovery process can be used for location
   configuration using HELD.  URIs that are not a product of LIS
   discovery MUST NOT be used for location configuration.

4.1.  Residential Gateways

   The process described in this document is known to not work in a very
   common deployment scenario.  A fixed wireline scenario is described
   in more detail in Section 3.1 of [I-D.ietf-geopriv-l7-lcp-ps].  In
   this fixed wireline environment an intervening residential gateway
   exists between the device and the access network.  If the residential
   gateway does not provide this option to the devices it serves, those
   devices are unable to discover a LIS.

   Support of this specification by residential gateways ensures that
   the devices they serve are able to acquire location information.  In
   most cases the residential gateway configures the devices it serves
   using DHCP.  When DHCP is used, the residential gateway MUST provide
   the devices it serves with a LIS URI option.  In order to provide a
   sensible value for this option, the residential gateway MUST either:

   1.  act as a LIS and provide location information to the devices that
       it serves, or

   2.  discover a LIS on its external interface and relay this
       information to devices.

   In either case, the residential gateway provides a LIS URI option to
   devices.

4.2.  Virtual Private Networks (VPNs)

   LIS discovery over a VPN network interface SHOULD NOT be performed.
   A LIS discovered in this way is unlikely to have the information
   necessary to determine an accurate location.

   Since not

   Not all interfaces connected to a VPN can be detected by
   devices, a devices or
   the software running on them.  A LIS MUST NOT provide location
   information in response to requests that it can identify as
   originating from a device on the remote end of a VPN interface. tunnel, unless
   it is able to accurately determine location.  The "notLocatable" HELD
   error code can be used to indicate to a device that discovery has
   revealed an unsuitable LIS.  This ensures that even if a host device
   discovers a LIS over the VPN, it does not rely on a LIS that is
   unable to provide accurate location information.  The exception to
   this is where the LIS and host are able to determine a location
   without access network support.

5.  Security Considerations

   The primary attack against the methods described in this document is
   one that would lead to impersonation of a LIS.  The LIS is
   responsible for providing location information and this information
   is critical to a number of network services; furthermore, a host device
   does not necessarily have a prior relationship with a LIS.  Several
   methods are described here that can limit the probablity of, or
   provide some protection against, such an attack.

   The address of a LIS is usually well-known within an access network;
   therefore, interception of messages does not introduce any specific
   concerns.

   Section 2.3 describes how a LIS is authenticated by devices, using
   either certificate fingerprints or a domain name certificate.  This
   mechanism relies on the integrity access network;
   therefore, interception of the information provided by the
   DHCP server. messages does not introduce any specific
   concerns.

   An attacker that is able to modify or spoof messages from a DHCP
   server could provide a falsified LIS URI and certificate fingerprint
   options that a device would be able
   to use to successfully authenticate the LIS.  Preventing DHCP
   messages from being modified or spoofed by attackers is necessary if
   this information is to be relied upon.  Physical or link layer
   security are commonplace methods that can reduce the possibility of
   such an attack within an access network; alternatively, DHCP
   authentication [RFC3118] can provide a degree of protection against
   modification or spoofing.

   An attacker could attempt to compromise the U-NAPTR resolution.  A
   more thorough description of the security considerations for U-NAPTR
   applications is included in [RFC4848].  In addition to considerations
   related to U-NAPTR, it is important to recognize that the output of this
   U-NAPTR discovery is entirely dependent on its input.  An attacker
   who can control the domain name is therefore able to control the
   final URI.

   A LIS that is identified by an "http:" URI cannot be authenticated.
   Use of HTTP also does not meet requirements in HELD for
   confidentiality and integrity.  If an "http:" URI is the product of
   DHCP or U-NAPTR discovery, this leaves devices vulnerable to several
   attacks.  Lower layer protections, such as layer 2 traffic separation
   might provide some guarantees.

6.  IANA Considerations

6.1.  Registration of DHCPv4 and DHCPv6 LIS URI Option Codes

   The IANA has assigned an option code of (TBD) for the DHCPv4 option
   for a LIS URI, as described in Section 2.1 of this document.

   The IANA has assigned an option code of (TBD) for the DHCPv6 option
   for a LIS URI, as described in Section 2.2 of this document.

6.2.  Registration of DHCPv4 and DHCPv6 LIS Certificate Fingerprint
      Option Codes

   The IANA has assigned an option code of (TBD) for the DHCPv4 option
   for LIS certificate fingerprints, as described in Section 2.3.4 of
   this document.

   The IANA has assigned an option code of (TBD) for the DHCPv6 option
   for LIS certificate fingerprints, as described in Section 2.3.5 of
   this document.

6.3.  Creation of Registry for LIS Certificate Fingerprint Sub-Option
      Codes

   The IANA has created a registry entitled "DHCP Certificate
   Fingerprint Sub-Option Codes" that contains codes identifying the
   sub-option codes used for the DHCPv4 and DHCPv6 LIS certificate
   fingerprint option.  This registry is a sub-registry of "Dynamic Host
   Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP)
   Parameters".

   The registry contains the following fields for each registration:

   Sub-Option Code:  The numerical value of the sub-option code.  Values
      from 0 through 255 (decimal) apply to DHCPv4 and DHCPv6.  Values
      from 256 to 65535 only apply to the DHCPv6 option.

   Semantics:  The name of the hash algorithm that the sub-option
      represents, or a reference to the document defining specific
      semantics.

   TLS HashAlgorithm Code:  For sub-options that refer to hash
      algorithms, the code used in the "TLS HashAlgorithm Registry".

   The initial values for this registry are included in Section 2.3.2 of
   this document.

   This registry operates under the "Specification Required" rule
   [RFC5226].  For hash algorithms, the only specification required is
   the specification referenced in the "TLS HashAlgorithm Registry".

6.4.  Registration of a Location Server Application Service Tag

   This section registers a new S-NAPTR/U-NAPTR Application Service tag
   for a LIS, as mandated by [RFC3958].

   Application Service Tag:  LIS

   Intended usage:  Identifies a service that provides a host device with its
      location information.

   Defining publication:  RFCXXXX

   Related publications:  HELD [I-D.ietf-geopriv-http-location-delivery]
   Contact information:  The authors of this document

   Author/Change controller:  The IESG

6.5.

6.3.  Registration of a Location Server Application Protocol Tag for
      HELD

   This section registers a new S-NAPTR/U-NAPTR Application Protocol tag
   for the HELD [I-D.ietf-geopriv-http-location-delivery] protocol, as
   mandated by [RFC3958].

   Application Service Tag:  HELD

   Intended Usage:  Identifies the HELD protocol.

   Applicable Service Tag(s):  LIS

   Terminal NAPTR Record Type(s):  U

   Defining Publication:  RFCXXXX

   Related Publications:  HELD [I-D.ietf-geopriv-http-location-delivery]

   Contact Information:  The authors of this document

   Author/Change Controller:  The IESG

7.  Acknowledgements

   The authors would like to thank Leslie Daigle for her work on
   U-NAPTR; Peter Koch for feedback on how not to use DNS for discovery;
   Andy Newton for constructive suggestions with regards to document
   direction; Hannes Tschofenig and Richard Barnes for input and
   reviews; Dean Willis for constructive feedback; Pasi Eronen for the
   certificate fingerprint concept; Ralph Droms, David W. Hankins,
   Damien Neil, and Bernie Volz for DHCP option format. feedback.

8.  References

8.1.  Normative References

   [RFC2131]                                  Droms, R., "Dynamic Host
                                              Configuration Protocol",
                                              RFC 2131, March 1997.

   [RFC2818]                                  Rescorla, E., "HTTP Over
                                              TLS", RFC 2818, May 2000.

   [RFC3315]                                  Droms, R., Bound, J.,
                                              Volz, B., Lemon, T.,
                                              Perkins, C., and M.
                                              Carney, "Dynamic Host
                                              Configuration Protocol for
                                              IPv6 (DHCPv6)", RFC 3315,
                                              July 2003.

   [RFC3396]                                  Lemon, T. and S. Cheshire,
                                              "Encoding Long Options in
                                              the Dynamic Host
                                              Configuration Protocol
                                              (DHCPv4)", RFC 3396,
                                              November 2002.

   [RFC4702]                                  Stapp, M., Volz, B., and
                                              Y. Rekhter, "The Dynamic
                                              Host Configuration
                                              Protocol (DHCP) Client
                                              Fully Qualified Domain
                                              Name (FQDN) Option",
                                              RFC 4702, October 2006.

   [RFC4704]                                  Volz, B., "The Dynamic
                                              Host Configuration
                                              Protocol for IPv6 (DHCPv6)
                                              Client Fully Qualified
                                              Domain Name (FQDN)
                                              Option", RFC 4704,
                                              October 2006.

   [RFC4848]                                  Daigle, L., "Domain-Based
                                              Application Service
                                              Location Using URIs and
                                              the Dynamic Delegation
                                              Discovery Service (DDDS)",
                                              RFC 4848, April 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [I-D.ietf-geopriv-http-location-delivery]  Barnes, M., Winterbottom,
                                              J., Thomson, M., and B.
                                              Stark, "HTTP Enabled
                                              Location Delivery (HELD)",
              draft-ietf-geopriv-http-location-delivery-13
                                              draft-ietf-geopriv-http-
                                              location-delivery-13 (work
                                              in progress),
                                              February 2009.

   [RFC2119]                                  Bradner, S., "Key words
                                              for use in RFCs to
                                              Indicate Requirement
                                              Levels", BCP 14, RFC 2119,
                                              March 1997.

8.2.  Informative References

   [RFC3118]                                  Droms, R. and W. Arbaugh,
                                              "Authentication for DHCP
                                              Messages", RFC 3118,
                                              June 2001.

   [RFC3693]                                  Cuellar, J., Morris, J.,
                                              Mulligan, D., Peterson,
                                              J., and J. Polk, "Geopriv
                                              Requirements", RFC 3693,
                                              February 2004.

   [RFC3958]                                  Daigle, L. and A. Newton,
                                              "Domain-Based Application
                                              Service Location Using SRV
                                              RRs and the Dynamic
                                              Delegation Discovery
                                              Service (DDDS)", RFC 3958,
                                              January 2005.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [I-D.ietf-geopriv-l7-lcp-ps]               Tschofenig, H. and H.
                                              Schulzrinne, "GEOPRIV
                                              Layer 7 Location
                                              Configuration Protocol;
                                              Problem Statement and
                                              Requirements", draft-ietf-geopriv-l7-lcp-ps-09 draft-ietf-
                                              geopriv-l7-lcp-ps-09 (work
                                              in progress),
                                              February 2009.

   [I-D.ietf-geopriv-lbyr-requirements]       Marshall, R.,
                                              "Requirements for a
                                              Location-by-Reference
                                              Mechanism", draft-ietf-geopriv-lbyr-requirements-07 draft-ietf-
                                              geopriv-lbyr-requirements-
                                              07 (work in progress),
                                              February 2009.

Authors' Addresses

   Martin Thomson
   Andrew
   PO Box U40
   Wollongong University Campus, NSW  2500
   AU

   Phone: +61 2 4221 2915
   Email:
   EMail: martin.thomson@andrew.com
   URI:   http://www.andrew.com/

   James Winterbottom
   Andrew
   PO Box U40
   Wollongong University Campus, NSW  2500
   AU

   Phone: +61 2 4221 2938
   Email:
   EMail: james.winterbottom@andrew.com
   URI:   http://www.andrew.com/