DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements
RFC 8882
| Document | Type | RFC - Informational (September 2020) | |
|---|---|---|---|
| Authors | Christian Huitema , Daniel Kaiser | ||
| Last updated | 2020-09-10 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Additional resources | Mailing list discussion | ||
| IESG | Responsible AD | Éric Vyncke | |
| Send notices to | (None) |
RFC 8882
Internet Engineering Task Force (IETF) C. Huitema
Request for Comments: 8882 Private Octopus Inc.
Category: Informational D. Kaiser
ISSN: 2070-1721 University of Luxembourg
September 2020
DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements
Abstract
DNS-SD (DNS-based Service Discovery) normally discloses information
about devices offering and requesting services. This information
includes hostnames, network parameters, and possibly a further
description of the corresponding service instance. Especially when
mobile devices engage in DNS-based Service Discovery at a public
hotspot, serious privacy problems arise. We analyze the requirements
of a privacy-respecting discovery service.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8882.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Threat Model
3. Threat Analysis
3.1. Service Discovery Scenarios
3.1.1. Private Client and Public Server
3.1.2. Private Client and Private Server
3.1.3. Wearable Client and Server
3.2. DNS-SD Privacy Considerations
3.2.1. Information Made Available Via DNS-SD Resource Records
3.2.2. Privacy Implication of Publishing Service Instance
Names
3.2.3. Privacy Implication of Publishing Node Names
3.2.4. Privacy Implication of Publishing Service Attributes
3.2.5. Device Fingerprinting
3.2.6. Privacy Implication of Discovering Services
3.3. Security Considerations
3.3.1. Authenticity, Integrity, and Freshness
3.3.2. Confidentiality
3.3.3. Resistance to Dictionary Attacks
3.3.4. Resistance to Denial-of-Service Attacks
3.3.5. Resistance to Sender Impersonation
3.3.6. Sender Deniability
3.4. Operational Considerations
3.4.1. Power Management
3.4.2. Protocol Efficiency
3.4.3. Secure Initialization and Trust Models
3.4.4. External Dependencies
4. Requirements for a DNS-SD Privacy Extension
4.1. Private Client Requirements
4.2. Private Server Requirements
4.3. Security and Operation
5. IANA Considerations
6. References
6.1. Normative References
6.2. Informative References
Acknowledgments
Authors' Addresses
1. Introduction
DNS-Based Service Discovery (DNS-SD) [RFC6763] over Multicast DNS
(mDNS) [RFC6762] enables zero-configuration service discovery in
local networks. It is very convenient for users, but it requires the
public exposure of the offering and requesting identities along with
information about the offered and requested services. Parts of the
published information can seriously breach the user's privacy. These
privacy issues and potential solutions are discussed in [KW14a],
[KW14b], and [K17]. While the multicast nature of mDNS makes these
risks obvious, most risks derive from the observability of
transactions. These risks also need to be mitigated when using
server-based variants of DNS-SD.
There are cases when nodes connected to a network want to provide or
consume services without exposing their identities to the other
parties connected to the same network. Consider, for example, a
traveler wanting to upload pictures from a phone to a laptop when
both are connected to the Wi-Fi network of an Internet cafe, or two
travelers who want to share files between their laptops when waiting
for their plane in an airport lounge.
We expect that these exchanges will start with a discovery procedure
using DNS-SD over mDNS. One of the devices will publish the
availability of a service, such as a picture library or a file store
in our examples. The user of the other device will discover this
service and then connect to it.
When analyzing these scenarios in Section 3.1, we find that the DNS-
SD messages leak identifying information, such as the Service
Instance Name, the hostname, or service properties. We use the
following definitions:
Identity
In this document, the term "identity" refers to the identity of
the entity (legal person) operating a device.
Disclosing an Identity
In this document, "disclosing an identity" means showing the
identity of operating entities to devices external to the
discovery process, e.g., devices on the same network link that are
listening to the network traffic but are not actually involved in
the discovery process. This document focuses on identity
disclosure by data conveyed via messages on the service discovery
protocol layer. Still, identity leaks on deeper layers, e.g., the
IP layer, are mentioned.
Disclosing Information
In this document, "disclosing information" is also focused on
disclosure of data conveyed via messages on the service discovery
protocol layer, including both identity-revealing information and
other still potentially sensitive data.
2. Threat Model
This document considers the following attacker types sorted by
increasing power. All these attackers can either be passive (they
just listen to network traffic they have access to) or active (they
additionally can craft and send malicious packets).
external
An external attacker is not on the same network link as victim
devices engaging in service discovery; thus, the external attacker
is in a different multicast domain.
on-link
An on-link attacker is on the same network link as victim devices
engaging in service discovery; thus, the on-link attacker is in
the same multicast domain. This attacker can also mount all
attacks an external attacker can mount.
MITM
A Man-in-the-Middle (MITM) attacker either controls (parts of) a
network link or can trick two parties to send traffic via the
attacker; thus, the MITM attacker has access to unicast traffic
between devices engaging in service discovery. This attacker can
also mount all attacks an on-link attacker can mount.
3. Threat Analysis
In this section, we analyze how the attackers described in the
previous section might threaten the privacy of entities operating
devices engaging in service discovery. We focus on attacks
leveraging data transmitted in service discovery protocol messages.
3.1. Service Discovery Scenarios
In this section, we review common service discovery scenarios and
discuss privacy threats and their privacy requirements. In all three
of these common scenarios, the attacker is of the type passive on-
link.
3.1.1. Private Client and Public Server
Perhaps the simplest private discovery scenario involves a single
client connecting to a public server through a public network. A
common example would be a traveler using a publicly available printer
in a business center, in a hotel, or at an airport.
( Taking notes:
( David is printing
( a document.
~~~~~~~~~~~
o
___ o ___
/ \ _|___|_
| | client server |* *|
\_/ __ \_/
| / / Discovery +----------+ |
/|\ /_/ <-----------> | +----+ | /|\
/ | \__/ +--| |--+ / | \
/ | |____/ / | \
/ | / | \
/ \ / \
/ \ / \
/ \ / \
/ \ / \
/ \ / \
David Adversary
In that scenario, the server is public and wants to be discovered,
but the client is private. The adversary will be listening to the
network traffic, trying to identify the visitors";
}
typedef oper-state {
type enumeration {
enum unknown {
value 1;
description
"The resource is unable to report its operational state.";
}
enum disabled {
value 2;
description
"The resource is totally inoperable.";
}
enum enabled {
value 3;
description
"The resource is partially or fully operable.";
}
enum testing {
value 4;
description
"The resource is currently being tested and cannot
therefore report whether it is operational or not.";
}
}
description
"Represents the possible values of operational states.";
reference "RFC 4268: EntityOperState";
}
typedef usage-state {
Bierman, et al. Expires April 19, 2018 [Page 10]
Internet-Draft YANG Hardware Management October 2017
type enumeration {
enum unknown {
value 1;
description
"The resource is unable to report usage state.";
}
enum idle {
value 2;
description
"The resource is servicing no users.";
}
enum active {
value 3;
description
"The resource is currently in use and it has sufficient
spare capacity to provide for additional users.";
}
enum busy {
value 4;
description
"The resource is currently in use, but it currently has no
spare capacity to provide for additional users.";
}
}
description
"Represents the possible values of usage states.";
reference "RFC 4268, EntityUsageState";
}
typedef alarm-state {
type bits {
bit unknown {
position 0;
description
"The resource is unable to report alarm state.";
}
bit under-repair {
position 1;
description
"The resource is currently being repaired, which, depending
on the implementation, may make the other values in this
bit string not meaningful.";
}
bit critical {
position 2;
description
"One or more critical alarms are active against the
resource.";
Bierman, et al. Expires April 19, 2018 [Page 11]
Internet-Draft YANG Hardware Management October 2017
}
bit major {
position 3;
description
"One or more major alarms are active against the
resource.";
}
bit minor {
position 4;
description
"One or more minor alarms are active against the
resource.";
}
bit warning {
position 5;
description
"One or more warning alarms are active against the
resource.";
}
bit indeterminate {
position 6;
description
"One or more alarms of whose perceived severity cannot be
determined are active against this resource.";
}
}
description
"Represents the possible values of alarm states. An alarm is a
persistent indication of an error or warning condition.
When no bits of this attribute are set, then no active alarms
are known against this component and it is not under repair.";
reference "RFC 4268: EntityAlarmStatus";
}
typedef standby-state {
type enumeration {
enum unknown {
value 1;
description
"The resource is unable to report standby state.";
}
enum hot-standby {
value 2;
description
"The resource is not providing service, but it will be
immediately able to take over the role of the resource to
be backed up, without the need for initialization
Bierman, et al. Expires April 19, 2018 [Page 12]
Internet-Draft YANG Hardware Management October 2017
activity, and will contain the same information as the
resource to be backed up.";
}
enum cold-standby {
value 3;
description
"The resource is to back up another resource, but will not
be immediately able to take over the role of a resource to
be backed up, and will require some initialization
activity.";
}
enum providing-service {
value 4;
description
"The resource is providing service.";
}
}
description
"Represents the possible values of standby states.";
reference "RFC 4268: EntityStandbyStatus";
}
typedef sensor-value-type {
type enumeration {
enum other {
value 1;
description
"A measure other than those listed below.";
}
enum unknown {
value 2;
description
"An unknown measurement, or arbitrary, relative numbers";
}
enum volts-AC {
value 3;
description
"A measure of electric potential (alternating current).";
}
enum volts-DC {
value 4;
description
"A measure of electric potential (direct current).";
}
enum amperes {
value 5;
description
"A measure of electric current.";
Bierman, et al. Expires April 19, 2018 [Page 13]
Internet-Draft YANG Hardware Management October 2017
}
enum watts {
value 6;
description
"A measure of power.";
}
enum hertz {
value 7;
description
"A measure of frequency.";
}
enum celsius {
value 8;
description
"A measure of temperature.";
}
enum percent-RH {
value 9;
description
"A measure of percent relative humidity.";
}
enum rpm {
value 10;
description
"A measure of shaft revolutions per minute.";
}
enum cmm {
value 11;
description
"A measure of cubic meters per minute (airflow).";
}
enum truth-value {
value 12;
description
"Value is one of 1 (true) or 2 (false)";
}
}
description
"A node using this data type represents the sensor measurement
data type associated with a physical sensor value. The actual
data units are determined by examining a node of this type
together with the associated sensor-value-scale node.
A node of this type SHOULD be defined together with nodes of
type sensor-value-scale and sensor-value-precision. These
three types are used to identify the semantics of a node of
type sensor-value.";
reference "RFC 3433: EntitySensorDataType";
Bierman, et al. Expires April 19, 2018 [Page 14]
Internet-Draft YANG Hardware Management October 2017
}
typedef sensor-value-scale {
type enumeration {
enum yocto {
value 1;
description
"Data scaling factor of 10^-24.";
}
enum zepto {
value 2;
description
"Data scaling factor of 10^-21.";
}
enum atto {
value 3;
description
"Data scaling factor of 10^-18.";
}
enum femto {
value 4;
description
"Data scaling factor of 10^-15.";
}
enum pico {
value 5;
description
"Data scaling factor of 10^-12.";
}
enum nano {
value 6;
description
"Data scaling factor of 10^-9.";
}
enum micro {
value 7;
description
"Data scaling factor of 10^-6.";
}
enum milli {
value 8;
description
"Data scaling factor of 10^-3.";
}
enum units {
value 9;
description
"Data scaling factor of 10^0.";
Bierman, et al. Expires April 19, 2018 [Page 15]
Internet-Draft YANG Hardware Management October 2017
}
enum kilo {
value 10;
description
"Data scaling factor of 10^3.";
}
enum mega {
value 11;
description
"Data scaling factor of 10^6.";
}
enum giga {
value 12;
description
"Data scaling factor of 10^9.";
}
enum tera {
value 13;
description
"Data scaling factor of 10^12.";
}
enum exa {
value 14;
description
"Data scaling factor of 10^15.";
}
enum peta {
value 15;
description
"Data scaling factor of 10^18.";
}
enum zetta {
value 16;
description
"Data scaling factor of 10^21.";
}
enum yotta {
value 17;
description
"Data scaling factor of 10^24.";
}
}
description
"A node using this data type represents a data scaling factor,
represented with an International System of Units (SI) prefix.
The actual data units are determined by examining a node of
this type together with the associated sensor-value-type.
Bierman, et al. Expires April 19, 2018 [Page 16]
Internet-Draft YANG Hardware Management October 2017
A node of this type SHOULD be defined together with nodes of
type sensor-value-type and sensor-value-precision. Together,
associated nodes of these three types are used to identify the
semantics of a node of type sensor-value.";
reference "RFC 3433: EntitySensorDataScale";
}
typedef sensor-value-precision {
type int32 {
range "-8 .. 9";
}
description
"A node using this data type represents a sensor value
precision range.
A node of this type SHOULD be defined together with nodes of
type sensor-value-type and sensor-value-scale. Together,
associated nodes of these three types are used to identify the
semantics of a node of type sensor-value.
If a node of this type contains a value in the range 1 to 9,
it represents the number of decimal places in the fractional
part of an associated sensor-value fixed- point number.
If a node of this type contains a value in the range -8 to -1,
it represents the number of accurate digits in the associated
sensor-value fixed-point number.
The value zero indicates the associated sensor-value node is
not a fixed-point number.
Server implementers must choose a value for the associated
sensor-value-precision node so that the precision and accuracy
of the associated sensor-value node is correctly indicated.
For example, a component representing a temperature sensor
that can measure 0 degrees to 100 degrees C in 0.1 degree
increments, +/- 0.05 degrees, would have an
sensor-value-precision value of '1', an sensor-value-scale
value of 'units', and an sensor-value ranging from '0' to
'1000'. The sensor-value would be interpreted as
'degrees C * 10'.";
reference "RFC 3433: EntitySensorPrecision";
}
typedef sensor-value {
type int32 {
range "-1000000000 .. 1000000000";
Bierman, et al. Expires April 19, 2018 [Page 17]
Internet-Draft YANG Hardware Management October 2017
}
description
"A node using this data type represents an sensor value.
A node of this type SHOULD be defined together with nodes of
type sensor-value-type, sensor-value-scale, and
sensor-value-precision. Together, associated nodes of those
three types are used to identify the semantics of a node of
this data type.
The semantics of a node using this data type are determined by
the value of the associated sensor-value-type node.
If the associated sensor-value-type node is equal to 'voltsAC',
'voltsDC', 'amperes', 'watts', 'hertz', 'celsius', or 'cmm',
then a node of this type MUST contain a fixed point number
ranging from -999,999,999 to +999,999,999. The value
-1000000000 indicates an underflow error. The value +1000000000
indicates an overflow error. The sensor-value-precision
indicates how many fractional digits are represented in the
associated sensor-value node.
If the associated sensor-value-type node is equal to
'percentRH', then a node of this type MUST contain a number
ranging from 0 to 100.
If the associated sensor-value-type node is equal to 'rpm',
then a node of this type MUST contain a number ranging from
-999,999,999 to +999,999,999.
If the associated sensor-value-type node is equal to
'truth-value', then a node of this type MUST contain either the
value 1 (true) or the value 2 (false)'.
If the associated sensor-value-type node is equal to 'other' or
unknown', then a node of this type MUST contain a number
ranging from -1000000000 to 1000000000.";
reference "RFC 3433: EntitySensorValue";
}
typedef sensor-status {
type enumeration {
enum ok {
value 1;
description
"Indicates that the server can obtain the sensor value.";
}
enum unavailable {
Bierman, et al. Expires April 19, 2018 [Page 18]
Internet-Draft YANG Hardware Management October 2017
value 2;
description
"Indicates that the server presently cannot obtain the
sensor value.";
}
enum nonoperational {
value 3;
description
"Indicates that the server believes the sensor is broken.
The sensor could have a hard failure (disconnected wire),
or a soft failure such as out-of-range, jittery, or wildly
fluctuating readings.";
}
}
description
"A node using this data type represents the operational status
of a physical sensor.";
reference "RFC 3433: EntitySensorStatus";
}
/*
* Data nodes
*/
container hardware {
description
"Data nodes representing components.
If the server supports configuration of hardware components,
then this data model is instantiated in the configuration
datastores supported by the server. The leaf-list 'datastore'
for the module 'ietf-hardware' in the YANG library provides
this information.";
leaf last-change {
type yang:date-and-time;
config false;
description
"The time the '/hardware/component' list changed in the
operational state.";
}
list component {
key name;
description
"List of components.
When the server detects a new hardware component, it
Bierman, et al. Expires April 19, 2018 [Page 19]
Internet-Draft YANG Hardware Management October 2017
initializes a list entry in the operational state.
If the server does not support configuration of hardware
components, list entries in the operational state are
initialized with values for all nodes as detected by the
implementation.
Otherwise, the following procedure is followed:
1. If there is an entry in the /hardware/component list in
the intended configuration with values for the nodes
'class', 'parent', 'parent-rel-pos' that are equal to
the detected values, then:
1a. If the configured entry has a value for 'mfg-name'
that is equal to the detected value, or if the
'mfg-name' value cannot be detected, then the list
entry in the operational state is initialized with the
configured values for all configured nodes, including
the 'name'.
Otherwise, the list entry in the operational state is
initialized with values for all nodes as detected by
the implementation. The implementation may raise an
alarm that informs about the 'mfg-name' mismatch
condition. How this is done is outside the scope of
this document.
1b. Otherwise (i.e., there is no matching configuration
entry), the list entry in the operational state is
initialized with values for all nodes as detected by
the implementation.
If the /hardware/component list in the intended
configuration is modified, then the system MUST behave as if
it re-initializes itself, and follow the procedure in (1).";
reference "RFC 6933: entPhysicalEntry";
leaf name {
type string;
description
"The name assigned to this component.
This name is not required to be the same as
entPhysicalName.";
}
leaf class {
Bierman, et al. Expires April 19, 2018 [Page 20]
#x27; devices and their
activity. Identifying devices leads to identifying people, either
for surveillance of these individuals in the physical world or as a
preliminary step for a targeted cyber attack.
The requirement in that scenario is that the discovery activity
should not disclose the identity of the client.
3.1.2. Private Client and Private Server
The second private discovery scenario involves a private client
connecting to a private server. A common example would be two people
engaging in a collaborative application in a public place, such as an
airport's lounge.
( Taking notes:
( David is meeting
( with Stuart.
~~~~~~~~~~~
o
___ ___ o ___
/ \ / \ _|___|_
| | server client | | |* *|
\_/ __ __ \_/ \_/
| / / Discovery \ \ | |
/|\ /_/ <-----------> \_\ /|\ /|\
/ | \__/ \__/ | \ / | \
/ | | \ / | \
/ | | \ / | \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
David Stuart Adversary
In that scenario, the collaborative application on one of the devices
will act as a server, and the application on the other device will
act as a client. The server wants to be discovered by the client but
has no desire to be discovered by anyone else. The adversary will be
listening to network traffic, attempting to discover the identity of
devices as in the first scenario and also attempting to discover the
patterns of traffic, as these patterns reveal the business and social
interactions between the owners of the devices.
The requirement in that scenario is that the discovery activity
should not disclose the identity of either the client or the server
nor reveal the business and social interactions between the owners of
the devices.
3.1.3. Wearable Client and Server
The third private discovery scenario involves wearable devices. A
typical example would be the watch on someone's wrist connecting to
the phone in their pocket.
( Taking notes:
( David is here. His watch is
( talking to his phone.
~~~~~~~~~~~
o
___ o ___
/ \ _|___|_
| | client |* *|
\_/ \_/
| _/ |
/|\ // /|\
/ | \__/ ^ / | \
/ |__ | Discovery / | \
/ |\ \ v / | \
/ \\_\ / \
/ \ server / \
/ \ / \
/ \ / \
/ \ / \
David Adversary
This third scenario is in many ways similar to the second scenario.
It involves two devices, one acting as server and the other acting as
client, and it leads to the same requirement of the discovery traffic
not disclosing the identity of either the client or the server. The
main difference is that the devices are managed by a single owner,
which can lead to different methods for establishing secure relations
between the devices. There is also an added emphasis on hiding the
type of devices that the person wears.
In addition to tracking the identity of the owner of the devices, the
adversary is interested in the characteristics of the devices, such
as type, brand, and model. Identifying the type of device can lead
to further attacks, from theft to device-specific hacking. The
combination of devices worn by the same person will also provide a
"fingerprint" of the person, risking identification.
This scenario also represents the general case of bringing private
Internet-of-Things (IoT) devices into public places. A wearable IoT
device might act as a DNS-SD/mDNS client, which allows attackers to
infer information about devices' owners. While the attacker might be
a person, as in the example figure, this could also be abused for
large-scale data collection installing stationary IoT-device-tracking
servers in frequented public places.
The issues described in Section 3.1.1, such as identifying people or
using the information for targeted attacks, apply here too.
3.2. DNS-SD Privacy Considerations
While the discovery process illustrated in the scenarios in
Section 3.1 most likely would be based on [RFC6762] as a means for
making service information available, this document considers all
kinds of means for making DNS-SD resource records available. These
means comprise of but are not limited to mDNS [RFC6762], DNS servers
([RFC1033], [RFC1034], and [RFC1035]), the use of Service
Registration Protocol (SRP) [SRP], and multi-link [RFC7558] networks.
The discovery scenarios in Section 3.1 illustrate three separate
abstract privacy requirements that vary based on the use case. These
are not limited to mDNS.
1. Client identity privacy: Client identities are not leaked during
service discovery or use.
2. Multi-entity, mutual client and server identity privacy: Neither
client nor server identities are leaked during service discovery
or use.
3. Single-entity, mutual client and server identity privacy:
Identities of clients and servers owned and managed by the same
legal person are not leaked during service discovery or use.
In this section, we describe aspects of DNS-SD that make these
requirements difficult to achieve in practice. While it is intended
to be thorough, it is not possible to be exhaustive.
Client identity privacy, if not addressed properly, can be thwarted
by a passive attacker (see Section 2). The type of passive attacker
necessary depends on the means of making service information
available. Information conveyed via multicast messages can be
obtained by an on-link attacker. Unicast messages are harder to
access, but if the transmission is not encrypted they could still be
accessed by an attacker with access to network routers or bridges.
Using multi-link service discovery solutions [RFC7558], external
attackers have to be taken into consideration as well, e.g., when
relaying multicast messages to other links.
Server identity privacy can be thwarted by a passive attacker in the
same way as client identity privacy. Additionally, active attackers
querying for information have to be taken into consideration as well.
This is mainly relevant for unicast-based discovery, where listening
to discovery traffic requires a MITM attacker; however, an external
active attacker might be able to learn the server identity by just
querying for service information, e.g., via DNS.
3.2.1. Information Made Available Via DNS-SD Resource Records
DNS-Based Service Discovery (DNS-SD) is defined in [RFC6763]. It
allows nodes to publish the availability of an instance of a service
by inserting specific records in the DNS ([RFC1033], [RFC1034], and
[RFC1035]) or by publishing these records locally using multicast DNS
(mDNS) [RFC6762]. Available services are described using three types
of records:
PTR Record
Associates a service type in the domain with an "instance" name of
this service type.
SRV Record
Provides the node name, port number, priority and weight
associated with the service instance, in conformance with
[RFC2782].
TXT Record
Provides a set of attribute-value pairs describing specific
properties of the service instance.
3.2.2. Privacy Implication of Publishing Service Instance Names
In the first phase of discovery, clients obtain all PTR records
associated with a service type in a given naming domain. Each PTR
record contains a Service Instance Name defined in Section 4 of
[RFC6763]:
Service Instance Name = <Instance> . <Service> . <Domain>
The <Instance> portion of the Service Instance Name is meant to
convey enough information for users of discovery clients to easily
select the desired service instance. Nodes that use DNS-SD over mDNS
[RFC6762] in a mobile environment will rely on the specificity of the
instance name to identify the desired service instance. In our
example of users wanting to upload pictures to a laptop in an
Internet cafe, the list of available service instances may look like:
Alice's Images . _imageStore._tcp . local
Alice's Mobile Phone . _presence._tcp . local
Alice's Notebook . _presence._tcp . local
Bob's Notebook . _presence._tcp . local
Carol's Notebook . _presence._tcp . local
Alice will see the list on her phone and understand intuitively that
she should pick the first item. The discovery will "just work".
(Note that our examples of service names conform to the specification
in Section 4.1 of [RFC6763] but may require some character escaping
when entered in conventional DNS software.)
However, DNS-SD/mDNS will reveal to anybody that Alice is currently
visiting the Internet cafe. It further discloses the fact that she
uses two devices, shares an image store, and uses a chat application
supporting the _presence protocol on both of her devices. She might
currently chat with Bob or Carol, as they are also using a _presence
supporting chat application. This information is not just available
to devices actively browsing for and offering services but to anybody
passively listening to the network traffic, i.e., a passive on-link
attacker.
There is, of course, also no authentication requirement to claim a
particular instance name, so an active attacker can provide resources
that claim to be Alice's but are not.
3.2.3. Privacy Implication of Publishing Node Names
The SRV records contain the DNS name of the node publishing the
service. Typical implementations construct this DNS name by
concatenating the "hostname" of the node with the name of the local
domain. The privacy implications of this practice are reviewed in
[RFC8117]. Depending on naming practices, the hostname is either a
strong identifier of the device or, at a minimum, a partial
identifier. It enables tracking of both the device and, by
extension, the device's owner.
3.2.4. Privacy Implication of Publishing Service Attributes
The TXT record's attribute-value pairs contain information on the
characteristics of the corresponding service instance. This in turn
reveals information about the devices that publish services. The
amount of information varies widely with the particular service and
its implementation:
* Some attributes, such as the paper size available in a printer,
are the same on many devices and thus only provide limited
information to a tracker.
* Attributes that have free-form values, such as the name of a
directory, may reveal much more information.
Combinations of individual attributes have more information power
than specific attributes and can potentially be used for
"fingerprinting" a specific device.
Information contained in TXT records not only breaches privacy by
making devices trackable but might directly contain private
information about the user. For instance, the _presence service
reveals the "chat status" to everyone in the same network. Users
might not be aware of that.
Further, TXT records often contain version information about
services, allowing potential attackers to identify devices running
exploit-prone versions of a certain service.
3.2.5. Device Fingerprinting
The combination of information published in DNS-SD has the potential
to provide a "fingerprint" of a specific device. Such information
includes:
* A list of services published by the device, which can be retrieved
because the SRV records will point to the same hostname.
* Specific attributes describing these services.
* Port numbers used by the services.
* Priority and weight attributes in the SRV records.
This combination of services and attributes will often be sufficient
to identify the version of the software running on a device. If a
device publishes many services with rich sets of attributes, the
combination may be sufficient to identify the specific device and
track its owner.
An argument is sometimes made that devices providing services can be
identified by observing the local traffic and that trying to hide the
presence of the service is futile. However, there are good reasons
for the discovery service layer to avoid unnecessary exposure:
1. Providing privacy at the discovery layer is of the essence for
enabling automatically configured privacy-preserving network
applications. Application layer protocols are not forced to
leverage the offered privacy, but if device tracking is not
prevented at the deeper layers, including the service discovery
layer, obfuscating a certain service's protocol at the
application layer is futile.
2. Further, in the case of mDNS-based discovery, even if the
application layer does not protect privacy, services are
typically provided via unicast, which requires a MITM attacker,
whereas identifying services based on multicast discovery
messages just requires an on-link attacker.
The same argument can be extended to say that the pattern of services
offered by a device allows for fingerprinting the device. This may
or may not be true, since we can expect that services will be
designed or updated to avoid leaking fingerprints. In any case, the
design of the discovery service should avoid making a bad situation
worse and should, as much as possible, avoid providing new
fingerprinting information.
3.2.6. Privacy Implication of Discovering Services
The consumers of services engage in discovery and in doing so reveal
some information, such as the list of services they are interested in
and the domains in which they are looking for the services. When the
clients select specific instances of services, they reveal their
preference for these instances. This can be benign if the service
type is very common, but it could be more problematic for sensitive
services, such as some private messaging services.
One way to protect clients would be to somehow encrypt the requested
service types. Of course, just as we noted in Section 3.2.5, traffic
analysis can often reveal the service.
3.3. Security Considerations
For each of the operations described above, we must also consider
security threats we are concerned about.
3.3.1. Authenticity, Integrity, and Freshness
Can devices (both servers and clients) trust the information they
receive? Has it been modified in flight by an adversary? Can
devices trust the source of the information? Is the source of
information fresh, i.e., not replayed? Freshness may or may not be
required depending on whether the discovery process is meant to be
online. In some cases, publishing discovery information to a shared
directory or registry, rather than to each online recipient through a
broadcast channel, may suffice.
3.3.2. Confidentiality
Confidentiality is about restricting information access to only
authorized individuals. Ideally, this should only be the appropriate
trusted parties, though it can be challenging to define who are "the
appropriate trusted parties." In some use cases, this may mean that
only mutually authenticated and trusting clients and servers can read
messages sent for one another. The process of service discovery in
particular is often used to discover new entities that the device did
not previously know about. It may be tricky to work out how a device
can have an established trust relationship with a new entity it has
never previously communicated with.
3.3.3. Resistance to Dictionary Attacks
It can be tempting to use (publicly computable) hash functions to
obscure sensitive identifiers. This transforms a sensitive unique
identifier, such as an email address, into a "scrambled&Internet-Draft YANG Hardware Management October 2017
type identityref {
base ianahw:hardware-class;
}
mandatory true;
description
"An indication of the general hardware type of the
component.";
reference "RFC 6933: entPhysicalClass";
}
leaf physical-index {
if-feature entity-mib;
type int32 {
range "1..2147483647";
}
config false;
description
"The entPhysicalIndex for the entPhysicalEntry represented
by this list entry.";
reference "RFC 6933: entPhysicalIndex";
}
leaf description {
type string;
config false;
description
"A textual description of component. This node should
contain a string that identifies the manufacturer's name
for the component and should be set to a distinct value
for each version or model of the component.";
reference "RFC 6933: entPhysicalDescr";
}
leaf parent {
type leafref {
path "../../component/name";
require-instance false;
}
description
"The name of the component that physically contains this
component.
If this leaf is not instantiated, it indicates that this
component is not contained in any other component.
In the event that a physical component is contained by
more than one physical component (e.g., double-wide
modules), this node contains the name of one of these
Bierman, et al. Expires April 19, 2018 [Page 21]
Internet-Draft YANG Hardware Management October 2017
components. An implementation MUST use the same name
every time this node is instantiated.";
reference "RFC 6933: entPhysicalContainedIn";
}
leaf parent-rel-pos {
type int32 {
range "0 .. 2147483647";
}
description
"An indication of the relative position of this child
component among all its sibling components. Sibling
components are defined as components that:
o Share the same value of the 'parent' node; and
o Share a common base identity for the 'class' node.
Note that the last rule gives implementations flexibility
in how components are numbered. For example, some
implementations might have a single number series for all
components derived from 'ianahw:port', while some others
might have different number series for different
components with identities derived from 'ianahw:port' (for
example, one for RJ45 and one for SFP).";
reference "RFC 6933: entPhysicalParentRelPos";
}
leaf-list contains-child {
type leafref {
path "../../component/name";
}
config false;
description
"The name of the contained component.";
reference "RFC 6933: entPhysicalChildIndex";
}
leaf hardware-rev {
type string;
config false;
description
"The vendor-specific hardware revision string for the
component. The preferred value is the hardware revision
identifier actually printed on the component itself (if
present).";
reference "RFC 6933: entPhysicalHardwareRev";
Bierman, et al. Expires April 19, 2018 [Page 22]
Internet-Draft YANG Hardware Management October 2017
}
leaf firmware-rev {
type string;
config false;
description
"The vendor-specific firmware revision string for the
component.";
reference "RFC 6933: entPhysicalFirmwareRev";
}
leaf software-rev {
type string;
config false;
description
"The vendor-specific software revision string for the
component.";
reference "RFC 6933: entPhysicalSoftwareRev";
}
leaf serial-num {
type string;
config false;
description
"The vendor-specific serial number string for the
component. The preferred value is the serial number
string actually printed on the component itself (if
present).";
reference "RFC 6933: entPhysicalSerialNum";
}
leaf mfg-name {
type string;
description
"The name of the manufacturer of this physical component.
The preferred value is the manufacturer name string
actually printed on the component itself (if present).
Note that comparisons between instances of the model-name,
firmware-rev, software-rev, and the serial-num nodes are
only meaningful amongst component with the same value of
mfg-name.
If the manufacturer name string associated with the
physical component is unknown to the server, then this
node is not instantiated.";
reference "RFC 6933: entPhysicalMfgName";
}
Bierman, et al. Expires April 19, 2018 [Page 23]
Internet-Draft YANG Hardware Management October 2017
leaf model-name {
type string;
config false;
description
"The vendor-specific model name identifier string
associated with this physical component. The preferred
value is the customer-visible part number, which may be
printed on the component itself.
If the model name string associated with the physical
component is unknown to the server, then this node is not
instantiated.";
reference "RFC 6933: entPhysicalModelName";
}
leaf alias {
type string;
description
"An 'alias' name for the component, as specified by a
network manager, and provides a non-volatile 'handle' for
the component.
If no configured value exists, the server MAY set the
value of this node to a locally unique value in the
operational state.
A server implementation MAY map this leaf to the
entPhysicalAlias MIB object. Such an implementation needs
to use some mechanism to handle the differences in size
and characters allowed between this leaf and
entPhysicalAlias. The definition of such a mechanism is
outside the scope of this document.";
reference "RFC 6933: entPhysicalAlias";
}
leaf asset-id {
type string;
description
"This node is a user-assigned asset tracking identifier for
the component.
A server implementation MAY map this leaf to the
entPhysicalAssetID MIB object. Such an implementation
needs to use some mechanism to handle the differences in
size and characters allowed between this leaf and
entPhysicalAssetID. The definition of such a mechanism is
outside the scope of this document.";
reference "RFC 6933: entPhysicalAssetID";
Bierman, et al. Expires April 19, 2018 [Page 24]
Internet-Draft YANG Hardware Management October 2017
}
leaf is-fru {
type boolean;
config false;
description
"This node indicates whether or not this component is
considered a 'field replaceable unit' by the vendor. If
this node contains the value 'true', then this component
identifies a field replaceable unit. For all components
that are permanently contained within a field replaceable
unit, the value 'false' should be returned for this
node.";
reference "RFC 6933: entPhysicalIsFRU";
}
leaf mfg-date {
type yang:date-and-time;
config false;
description
"The date of manufacturing of the managed component.";
reference "RFC 6933: entPhysicalMfgDate";
}
leaf-list uri {
type inet:uri;
description
"This node contains identification information about the
component.";
reference "RFC 6933: entPhysicalUris";
}
leaf uuid {
type yang:uuid;
config false;
description
"A Universally Unique Identifier of the component.";
reference "RFC 6933: entPhysicalUUID";
}
container state {
if-feature hardware-state;
description
"State-related nodes";
reference "RFC 4268: Entity State MIB";
leaf state-last-changed {
type yang:date-and-time;
Bierman, et al. Expires April 19, 2018 [Page 25]
Internet-Draft YANG Hardware Management October 2017
config false;
description
"The date and time when the value of any of the
admin-state, oper-state, usage-state, alarm-state, or
standby-state changed for this component.
If there has been no change since the last
re-initialization of the local system, this node
contains the date and time of local system
initialization. If there has been no change since the
component was added to the local system, this node
contains the date and time of the insertion.";
reference "RFC 4268: entStateLastChanged";
}
leaf admin-state {
type admin-state;
description
"The administrative state for this component.
This node refers to a component's administrative
permission to service both other components within its
containment hierarchy as well other users of its
services defined by means outside the scope of this
module.
Some components exhibit only a subset of the remaining
administrative state values. Some components cannot be
locked, and hence this node exhibits only the 'unlocked'
state. Other components cannot be shutdown gracefully,
and hence this node does not exhibit the 'shutting-down'
state.";
reference "RFC 4268: entStateAdmin";
}
leaf oper-state {
type oper-state;
config false;
description
"The operational state for this component.
Note that this node does not follow the administrative
state. An administrative state of down does not predict
an operational state of disabled.
Note that some implementations may not be able to
accurately report oper-state while the admin-state node
has a value other than 'unlocked'. In these cases, this
Bierman, et al. Expires April 19, 2018 [Page 26]
Internet-Draft YANG Hardware Management October 2017
node MUST have a value of 'unknown'.";
reference "RFC 4268: entStateOper";
}
leaf usage-state {
type usage-state;
config false;
description
"The usage state for this component.
This node refers to a component's ability to service
more components in a containment hierarchy.
Some components will exhibit only a subset of the usage
state values. Components that are unable to ever
service any components within a containment hierarchy
will always have a usage state of 'busy'. Some
components will only ever be able to support one
component within its containment hierarchy and will
therefore only exhibit values of 'idle' and 'busy'.";
reference "RFC 4268, entStateUsage";
}
leaf alarm-state {
type alarm-state;
config false;
description
"The alarm state for this component. It does not
include the alarms raised on child components within its
containment hierarchy.";
reference "RFC 4268: entStateAlarm";
}
leaf standby-state {
type standby-state;
config false;
description
"The standby state for this component.
Some components will exhibit only a subset of the
remaining standby state values. If this component
cannot operate in a standby role, the value of this node
will always be 'providing-service'.";
reference "RFC 4268: entStateStandby";
}
}
container sensor-data {
Bierman, et al. Expires April 19, 2018 [Page 27]
Internet-Draft YANG Hardware Management October 2017
when 'derived-from-or-self(../class,
"ianahw:sensor")' {
description
"Sensor data nodes present for any component of type
'sensor'";
}
if-feature hardware-sensor;
config false;
description
"Sensor-related nodes.";
reference "RFC 3433: Entity Sensor MIB";
leaf value {
type sensor-value;
description
"The most recent measurement obtained by the server
for this sensor.
A client that periodically fetches this node should also
fetch the nodes 'value-type', 'value-scale', and
'value-precision', since they may change when the value
is changed.";
reference "RFC 3433: entPhySensorValue";
}
leaf value-type {
type sensor-value-type;
description
"The type of data units associated with the
sensor value";
reference "RFC 3433: entPhySensorType";
}
leaf value-scale {
type sensor-value-scale;
description
"The (power of 10) scaling factor associated
with the sensor value";
reference "RFC 3433: entPhySensorScale";
}
leaf value-precision {
type sensor-value-precision;
description
"The number of decimal places of precision
associated with the sensor value";
reference "RFC 3433: entPhySensorPrecision";
Bierman, et al. Expires April 19, 2018 [Page 28]
Internet-Draft YANG Hardware Management October 2017
}
leaf oper-status {
type sensor-status;
description
"The operational status of the sensor.";
reference "RFC 3433: entPhySensorOperStatus";
}
leaf units-display {
type string;
description
"A textual description of the data units that should be
used in the display of the sensor value.";
reference "RFC 3433: entPhySensorUnitsDisplay";
}
leaf value-timestamp {
type yang:date-and-time;
description
"The time the status and/or value of this sensor was last
obtained by the server.";
reference "RFC 3433: entPhySensorValueTimeStamp";
}
leaf value-update-rate {
type uint32;
units "milliseconds";
description
"An indication of the frequency that the server updates
the associated 'value' node, representing in
milliseconds. The value zero indicates:
- the sensor value is updated on demand (e.g.,
when polled by the server for a get-request),
- the sensor value is updated when the sensor
value changes (event-driven),
- the server does not know the update rate.";
reference "RFC 3433: entPhySensorValueUpdateRate";
}
}
}
}
/*
* Notifications
*/
Bierman, et al. Expires April 19, 2018 [Page 29]
Internet-Draft YANG Hardware Management October 2017
notification hardware-state-change {
description
"A hardware-state-change notification is generated when the
value of /hardware/last-change changes in the operational
state.";
reference "RFC 6933, entConfigChange";
}
notification hardware-state-oper-enabled {
if-feature hardware-state;
description
"A hardware-state-oper-enabled notification signifies that a
component has transitioned into the 'enabled' state.";
leaf name {
type leafref {
path "/hardware/component/name";
}
description
"The name of the component that has transitioned into the
'enabled' state.";
}
leaf admin-state {
type leafref {
path "/hardware/component/state/admin-state";
}
description
"The administrative state for the component.";
}
leaf alarm-state {
type leafref {
path "/hardware/component/state/alarm-state";
}
description
"The alarm state for the component.";
}
reference "RFC 4268, entStateOperEnabled";
}
notification hardware-state-oper-disabled {
if-feature hardware-state;
description
"A hardware-state-oper-disabled notification signifies that a
component has transitioned into the 'disabled' state.";
leaf name {
type leafref {
path "/hardware/component/name";
quot; but still
unique identifier. Unfortunately, simple solutions may be vulnerable
to offline dictionary attacks.
3.3.4. Resistance to Denial-of-Service Attacks
In any protocol where the receiver of messages has to perform
cryptographic operations on those messages, there is a risk of a
brute-force flooding attack causing the receiver to expend excessive
amounts of CPU time and, where applicable, battery power just
processing and discarding those messages.
Also, amplification attacks have to be taken into consideration.
Messages with larger payloads should only be sent as an answer to a
query sent by a verified client.
3.3.5. Resistance to Sender Impersonation
Sender impersonation is an attack wherein messages, such as service
offers, are forged by entities who do not possess the corresponding
secret key material. These attacks may be used to learn the identity
of a communicating party, actively or passively.
3.3.6. Sender Deniability
Deniability of sender activity, e.g., of broadcasting a discovery
request, may be desirable or necessary in some use cases. This
property ensures that eavesdroppers cannot prove senders issued a
specific message destined for one or more peers.
3.4. Operational Considerations
3.4.1. Power Management
Many modern devices, especially battery-powered devices, use power
management techniques to conserve energy. One such technique is for
a device to transfer information about itself to a proxy, which will
act on behalf of the device for some functions while the device
itself goes to sleep to reduce power consumption. When the proxy
determines that some action is required, which only the device itself
can perform, the proxy may have some way to wake the device, as
described for example in [SLEEP-PROXY].
In many cases, the device may not trust the network proxy
sufficiently to share all its confidential key material with the
proxy. This poses challenges for combining private discovery that
relies on per-query cryptographic operations with energy-saving
techniques that rely on having (somewhat untrusted) network proxies
answer queries on behalf of sleeping devices.
3.4.2. Protocol Efficiency
Creating a discovery protocol that has the desired security
properties may result in a design that is not efficient. To perform
the necessary operations, the protocol may need to send and receive a
large number of network packets or require an inordinate amount of
multicast transmissions. This may consume an unreasonable amount of
network capacity, particularly problematic when it is a shared
wireless spectrum. Further, it may cause an unnecessary level of
power consumption, which is particularly problematic on battery
devices and may result in the discovery process being slow.
It is a difficult challenge to design a discovery protocol that has
the property of obscuring the details of what it is doing from
unauthorized observers while also managing to perform efficiently.
3.4.3. Secure Initialization and Trust Models
One of the challenges implicit in the preceding discussions is that
whenever we discuss "trusted entities" versus "untrusted entities",
there needs to be some way that trust is initially established to
convert an "untrusted entity" into a "trusted entity".
The purpose of this document is not to define the specific way in
which trust can be established. Protocol designers may rely on a
number of existing technologies, including PKI, Trust On First Use
(TOFU), or the use of a short passphrase or PIN with cryptographic
algorithms, such as Secure Remote Password (SRP) [RFC5054] or a
Password-Authenticated Key Exchange like J-PAKE [RFC8236] using a
Schnorr Non-interactive Zero-Knowledge Proof [RFC8235].
Protocol designers should consider a specific usability pitfall when
trust is established immediately prior to performing discovery.
Users will have a tendency to "click OK" in order to achieve their
task. This implicit vulnerability is avoided if the trust
establishment requires more significant participation of the user,
such as entering a password or PIN.
3.4.4. External Dependencies
Trust establishment may depend on external parties. Optionally, this
might involve synchronous communication. Systems that have such a
dependency may be attacked by interfering with communication to
external dependencies. Where possible, such dependencies should be
minimized. Local trust models are best for secure initialization in
the presence of active attackers.
4. Requirements for a DNS-SD Privacy Extension
Given the considerations discussed in the previous sections, we state
requirements for privacy preserving DNS-SD in the following
subsections.
Defining a solution according to these requirements is intended to
lead to a solution that does not transmit privacy-violating DNS-SD
messages and further does not open pathways to new attacks against
the operation of DNS-SD.
However, while this document gives advice on which privacy protecting
mechanisms should be used on deeper-layer network protocols and on
how to actually connect to services in a privacy-preserving way,
stating corresponding requirements is out of the scope of this
document. To mitigate attacks against privacy on lower layers, both
servers and clients must use privacy options available at lower
layers and, for example, avoid publishing static IPv4 or IPv6
addresses or static IEEE 802 Media Access Control (MAC) addresses.
For services advertised on a single network link, link-local IP
addresses should be used; see [RFC3927] and [RFC4291] for IPv4 and
IPv6, respectively. Static servers advertising services globally via
DNS can hide their IP addresses from unauthorized clients using the
split mode topology shown in Encrypted Server Name Indication [ESNI].
Hiding static MAC addresses can be achieved via MAC address
randomization (see [RFC7844]).
4.1. Private Client Requirements
For all three scenarios described in Section 3.1, client privacy
requires DNS-SD messages to:
1. Avoid disclosure of the client's identity, either directly or via
inference, to nodes other than select servers.
2. Avoid exposure of linkable identifiers that allow tracing client
devices.
3. Avoid disclosure of the client's interest in specific service
instances or service types to nodes other than select servers.
When listing and resolving services via current DNS-SD deployments,
clients typically disclose their interest in specific services types
and specific instances of these types, respectively.
In addition to the exposure and disclosure risks noted above,
protocols and implementations will have to consider fingerprinting
attacks (see Section 3.2.5) that could retrieve similar information.
4.2. Private Server Requirements
Servers like the "printer" discussed in Section 3.1.1 are public, but
the servers discussed in Sections 3.1.2 and 3.1.3 are, by essence,
private. Server privacy requires DNS-SD messages to:
1. Avoid disclosure of the server's identity, either directly or via
inference, to nodes other than authorized clients. In
particular, servers must avoid publishing static identifiers,
such as hostnames or service names. When those fields are
required by the protocol, servers should publish randomized
values. (See [RFC8117] for a discussion of hostnames.)
2. Avoid exposure of linkable identifiers that allow tracing
servers.
3. Avoid disclosure to unauthorized clients of Service Instance
Names or service types of offered services.
4. Avoid disclosure to unauthorized clients of information about the
services they offer.
5. Avoid disclosure of static IPv4 or IPv6 addresses.
When offering services via current DNS-SD deployments, servers
typically disclose their hostnames (SRV, A/AAAA), instance names of
offered services (PTR, SRV), and information about services (TXT).
Heeding these requirements protects a server's privacy on the DNS-SD
level.
The current DNS-SD user interfaces present the list of discovered
service names to the users and let them pick a service from the list.
Using random identifiers for service names renders that UI flow
unusable. Privacy-respecting discovery protocols will have to solve
this issue, for example, by presenting authenticated or decrypted
service names instead of the randomized values.
4.3. Security and Operation
In order to be secure and feasible, a DNS-SD privacy extension needs
to consider security and operational requirements including:
1. Avoiding significant CPU overhead on nodes or significantly
higher network load. Such overhead or load would make nodes
vulnerable to denial-of-service attacks. Further, it would
increase power consumption, which is damaging for IoT devices.
2. Avoiding designs in which a small message can trigger a large
amount of traffic towards an unverified address, as this could be
exploited in amplification attacks.
5. IANA Considerations
This document has no IANA actions.
6. References
6.1. Normative References
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>.
6.2. Informative References
[ESNI] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Encrypted Client Hello", Work in Progress, Internet-Draft,
draft-ietf-tls-esni-07, June 1, 2020,
<https://tools.ietf.org/html/draft-ietf-tls-esni-07>.
[K17] Kaiser, D., "Efficient Privacy-Preserving
Configurationless Service Discovery Supporting Multi-Link
Networks", August 2017,
<https://nbn-resolving.de/urn:nbn:de:bsz:352-0-422757>.
[KW14a] Kaiser, D. and M. Waldvogel, "Adding Privacy to Multicast
DNS Service Discovery", DOI 10.1109/TrustCom.2014.107,
September 2014, <https://ieeexplore.ieee.org/xpl/
articleDetails.jsp?arnumber=7011331>.
[KW14b] Kaiser, D. and M. Waldvogel, "Efficient Privacy Preserving
Multicast DNS Service Discovery",
DOI 10.1109/HPCC.2014.141, August 2014,
<https://ieeexplore.ieee.org/xpl/
articleDetails.jsp?arnumber=7056899>.
[RFC1033] Lottor, M., "Domain Administrators Operations Guide",
RFC 1033, DOI 10.17487/RFC1033, November 1987,
<https://www.rfc-editor.org/info/rfc1033>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
<https://www.rfc-editor.org/info/rfc2782>.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927,
DOI 10.17487/RFC3927, May 2005,
<https://www.rfc-editor.org/info/rfc3927>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/info/rfc4291>.
[RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin,
"Using the Secure Remote Password (SRP) Protocol for TLS
Authentication", RFC 5054, DOI 10.17487/RFC5054, November
2007, <https://www.rfc-editor.org/info/rfc5054>.
[RFC7558] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault,
"Requirements for Scalable DNS-Based Service Discovery
(DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
DOI 10.17487/RFC7558, July 2015,
<https://www.rfc-editor.org/info/rfc7558>.
[RFC7844] Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity
Profiles for DHCP Clients", RFC 7844,
DOI 10.17487/RFC7844, May 2016,
<https://www.rfc-editor.org/info/rfc7844>.
[RFC8117] Huitema, C., Thaler, D., and R. Winter, "Current Hostname
Practice Considered Harmful", RFC 8117,
DOI 10.17487/RFC8117, March 2017,
<https://www.rfc-editor.org/info/rfc8117>.
[RFC8235] Hao, F., Ed., "Schnorr Non-interactive Zero-Knowledge
Proof", RFC 8235, DOI 10.17487/RFC8235, September 2017,
<https://www.rfc-editor.org/info/rfc8235>.
[RFC8236] Hao, F., Ed., "J-PAKE: Password-Authenticated Key Exchange
by Juggling", RFC 8236, DOI 10.17487/RFC8236, September
2017, <https://www.rfc-editor.org/info/rfc8236>.
[SLEEP-PROXY]
Cheshire, S., "Understanding Sleep Proxy Service",
December 2009,
<http://stuartcheshire.org/SleepProxy/index.html>.
[SRP] Lemon, T. and S. Cheshire, "Service Registration Protocol
for DNS-Based Service Discovery", Work in Progress,
Internet-Draft, draft-ietf-dnssd-srp-04, July 13, 2020,
<https://tools.ietf.org/html/draft-ietf-dnssd-srp-04>.
Acknowledgments
This document incorporates many contributions from Stuart Cheshire
and Chris Wood. Thanks to Florian Adamsky for extensive review and
suggestions on the organization of the threat model. Thanks to Barry
Leiba for an extensive review. Thanks to Roman Danyliw, Ben Kaduk,
Adam Roach, and Alissa Cooper for their comments during IESG review.
Authors' Addresses
Christian Huitema
Private Octopus Inc.
Friday Harbor, WA 98250
United States of America
Email: huitema@huitema.net
URI: http://privateoctopus.com/
Daniel Kaiser
University of Luxembourg
6, avenue de la Fonte
L-4364 Esch-sur-Alzette
Luxembourg
Email: daniel.kaiser@uni.lu
URI: https://secan-lab.uni.lu/
Bierman, et al. Expires April 19, 2018 [Page 30]