draft-ietf-dnssd-prireq-08.txt   rfc8882.txt 
Network Working Group C. Huitema Internet Engineering Task Force (IETF) C. Huitema
Internet-Draft Private Octopus Inc. Request for Comments: 8882 Private Octopus Inc.
Intended status: Informational D. Kaiser Category: Informational D. Kaiser
Expires: September 13, 2020 University of Luxembourg ISSN: 2070-1721 University of Luxembourg
March 12, 2020 September 2020
DNS-SD Privacy and Security Requirements DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements
draft-ietf-dnssd-prireq-08
Abstract Abstract
DNS-SD (DNS Service Discovery) normally discloses information about DNS-SD (DNS-based Service Discovery) normally discloses information
devices offering and requesting services. This information includes about devices offering and requesting services. This information
host names, network parameters, and possibly a further description of includes hostnames, network parameters, and possibly a further
the corresponding service instance. Especially when mobile devices description of the corresponding service instance. Especially when
engage in DNS Service Discovery at a public hotspot, serious privacy mobile devices engage in DNS-based Service Discovery at a public
problems arise. We analyze the requirements of a privacy-respecting hotspot, serious privacy problems arise. We analyze the requirements
discovery service. of a privacy-respecting discovery service.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on September 13, 2020. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8882.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
2. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Threat Model
3. Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . 4 3. Threat Analysis
3.1. Service Discovery Scenarios . . . . . . . . . . . . . . . 4 3.1. Service Discovery Scenarios
3.1.1. Private Client and Public Server . . . . . . . . . . 4 3.1.1. Private Client and Public Server
3.1.2. Private Client and Private Server . . . . . . . . . . 5 3.1.2. Private Client and Private Server
3.1.3. Wearable Client and Server . . . . . . . . . . . . . 6 3.1.3. Wearable Client and Server
3.2. DNS-SD Privacy Considerations . . . . . . . . . . . . . . 8 3.2. DNS-SD Privacy Considerations
3.2.1. Information made available via DNS-SD Resource 3.2.1. Information Made Available Via DNS-SD Resource Records
Records . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.2. Privacy Implication of Publishing Service Instance 3.2.2. Privacy Implication of Publishing Service Instance
Names . . . . . . . . . . . . . . . . . . . . . . . . 9 Names
3.2.3. Privacy Implication of Publishing Node Names . . . . 10 3.2.3. Privacy Implication of Publishing Node Names
3.2.4. Privacy Implication of Publishing Service Attributes 10 3.2.4. Privacy Implication of Publishing Service Attributes
3.2.5. Device Fingerprinting . . . . . . . . . . . . . . . . 11 3.2.5. Device Fingerprinting
3.2.6. Privacy Implication of Discovering Services . . . . . 12 3.2.6. Privacy Implication of Discovering Services
3.3. Security Considerations . . . . . . . . . . . . . . . . . 12 3.3. Security Considerations
3.3.1. Authenticity, Integrity & Freshness . . . . . . . . . 12 3.3.1. Authenticity, Integrity, and Freshness
3.3.2. Confidentiality . . . . . . . . . . . . . . . . . . . 12 3.3.2. Confidentiality
3.3.3. Resistance to Dictionary Attacks . . . . . . . . . . 13 3.3.3. Resistance to Dictionary Attacks
3.3.4. Resistance to Denial-of-Service Attacks . . . . . . . 13 3.3.4. Resistance to Denial-of-Service Attacks
3.3.5. Resistance to Sender Impersonation . . . . . . . . . 13 3.3.5. Resistance to Sender Impersonation
3.3.6. Sender Deniability . . . . . . . . . . . . . . . . . 13 3.3.6. Sender Deniability
3.4. Operational Considerations . . . . . . . . . . . . . . . 13 3.4. Operational Considerations
3.4.1. Power Management . . . . . . . . . . . . . . . . . . 13 3.4.1. Power Management
3.4.2. Protocol Efficiency . . . . . . . . . . . . . . . . . 14 3.4.2. Protocol Efficiency
3.4.3. Secure Initialization and Trust Models . . . . . . . 14 3.4.3. Secure Initialization and Trust Models
3.4.4. External Dependencies . . . . . . . . . . . . . . . . 15 3.4.4. External Dependencies
4. Requirements for a DNS-SD Privacy Extension . . . . . . . . . 15 4. Requirements for a DNS-SD Privacy Extension
4.1. Private Client Requirements . . . . . . . . . . . . . . . 15 4.1. Private Client Requirements
4.2. Private Server Requirements . . . . . . . . . . . . . . . 16 4.2. Private Server Requirements
4.3. Security and Operation . . . . . . . . . . . . . . . . . 17 4.3. Security and Operation
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 5. IANA Considerations
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 6. References
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 6.1. Normative References
7.1. Normative References . . . . . . . . . . . . . . . . . . 17 6.2. Informative References
7.2. Informative References . . . . . . . . . . . . . . . . . 17 Acknowledgments
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses
1. Introduction 1. Introduction
DNS Service Discovery (DNS-SD) [RFC6763] over Multicast DNS (mDNS) DNS-Based Service Discovery (DNS-SD) [RFC6763] over Multicast DNS
[RFC6762] enables zero-configuration service discovery in local (mDNS) [RFC6762] enables zero-configuration service discovery in
networks. It is very convenient for users, but it requires the local networks. It is very convenient for users, but it requires the
public exposure of the offering and requesting identities along with public exposure of the offering and requesting identities along with
information about the offered and requested services. Parts of the information about the offered and requested services. Parts of the
published information can seriously breach the user's privacy. These published information can seriously breach the user's privacy. These
privacy issues and potential solutions are discussed in [KW14a], privacy issues and potential solutions are discussed in [KW14a],
[KW14b] and [K17]. While the multicast nature of mDNS makes these [KW14b], and [K17]. While the multicast nature of mDNS makes these
risks obvious, most risks derive from the observability of risks obvious, most risks derive from the observability of
transactions. These risks also need to be mitigated when using transactions. These risks also need to be mitigated when using
server-based variants of DNS-SD. server-based variants of DNS-SD.
There are cases when nodes connected to a network want to provide or There are cases when nodes connected to a network want to provide or
consume services without exposing their identities to the other consume services without exposing their identities to the other
parties connected to the same network. Consider, for example, a parties connected to the same network. Consider, for example, a
traveler wanting to upload pictures from a phone to a laptop when traveler wanting to upload pictures from a phone to a laptop when
both are connected to the Wi-Fi network of an Internet cafe, or two both are connected to the Wi-Fi network of an Internet cafe, or two
travelers who want to share files between their laptops when waiting travelers who want to share files between their laptops when waiting
for their plane in an airport lounge. for their plane in an airport lounge.
We expect that these exchanges will start with a discovery procedure We expect that these exchanges will start with a discovery procedure
using DNS-SD over mDNS. One of the devices will publish the using DNS-SD over mDNS. One of the devices will publish the
availability of a service, such as a picture library or a file store availability of a service, such as a picture library or a file store
in our examples. The user of the other device will discover this in our examples. The user of the other device will discover this
service, and then connect to it. service and then connect to it.
When analyzing these scenarios in Section 3.1, we find that the DNS- When analyzing these scenarios in Section 3.1, we find that the DNS-
SD messages leak identifying information such as the service instance SD messages leak identifying information, such as the Service
name, the host name, or service properties. We use the following Instance Name, the hostname, or service properties. We use the
definitions: following definitions:
Identity In this document, the term "identity" refers to the Identity
identity of the entity (legal person) operating a device. In this document, the term "identity" refers to the identity of
the entity (legal person) operating a device.
Disclosing an Identity In this document "disclosing an identity" Disclosing an Identity
means showing the identity of operating entities to devices In this document, "disclosing an identity" means showing the
external to the discovery process; e.g., devices on the same identity of operating entities to devices external to the
network link that are listening to the network traffic but are not discovery process, e.g., devices on the same network link that are
actually involved in the discovery process. This document focuses listening to the network traffic but are not actually involved in
on identity disclosure by data conveyed via messages on the the discovery process. This document focuses on identity
service discovery protocol layer. Still, identity leaks on deeper disclosure by data conveyed via messages on the service discovery
layers, e.g., the IP layer, are mentioned. protocol layer. Still, identity leaks on deeper layers, e.g., the
IP layer, are mentioned.
Disclosing Information In this document "disclosing information" is Disclosing Information
also focused on disclosure of data conveyed via messages on the In this document, "disclosing information" is also focused on
service discovery protocol layer, such as generic non-identity but disclosure of data conveyed via messages on the service discovery
still potentially sensitive data. protocol layer, including both identity-revealing information and
other still potentially sensitive data.
2. Threat Model 2. Threat Model
This document considers the following attacker types sorted by This document considers the following attacker types sorted by
increasing power. All these attackers can either be passive (they increasing power. All these attackers can either be passive (they
just listen to network traffic they have access to) or active (they just listen to network traffic they have access to) or active (they
additionally can craft and send malicious packets). additionally can craft and send malicious packets).
external An external attacker is not on the same network link as external
victim devices engaging in service discovery; thus, the external An external attacker is not on the same network link as victim
attacker is in a different multicast domain. devices engaging in service discovery; thus, the external attacker
is in a different multicast domain.
on-link An on-link attacker is on the same network link as victim on-link
devices engaging in service discovery; thus, the on-link attacker An on-link attacker is on the same network link as victim devices
is in the same multicast domain. This attacker can also mount all engaging in service discovery; thus, the on-link attacker is in
the same multicast domain. This attacker can also mount all
attacks an external attacker can mount. attacks an external attacker can mount.
MITM A Man in the Middle (MITM) attacker either controls (parts of) MITM
a network link or can trick two parties to send traffic via the A Man-in-the-Middle (MITM) attacker either controls (parts of) a
network link or can trick two parties to send traffic via the
attacker; thus, the MITM attacker has access to unicast traffic attacker; thus, the MITM attacker has access to unicast traffic
between devices engaging in service discovery. This attacker can between devices engaging in service discovery. This attacker can
also mount all attacks an on-link attacker can mount. also mount all attacks an on-link attacker can mount.
3. Threat Analysis 3. Threat Analysis
In this section we analyse how the attackers described in the In this section, we analyze how the attackers described in the
previous section might threaten the privacy of entities operating previous section might threaten the privacy of entities operating
devices engaging in service discovery. We focus on attacks devices engaging in service discovery. We focus on attacks
leveraging data transmitted in service discovery protocol messages. leveraging data transmitted in service discovery protocol messages.
3.1. Service Discovery Scenarios 3.1. Service Discovery Scenarios
In this section, we review common service discovery scenarios and In this section, we review common service discovery scenarios and
discuss privacy threats and their privacy requirements. In all three discuss privacy threats and their privacy requirements. In all three
of these common scenarios the attacker is of the type passive on- of these common scenarios, the attacker is of the type passive on-
link. link.
3.1.1. Private Client and Public Server 3.1.1. Private Client and Public Server
Perhaps the simplest private discovery scenario involves a single Perhaps the simplest private discovery scenario involves a single
client connecting to a public server through a public network. A client connecting to a public server through a public network. A
common example would be a traveler using a publicly available printer common example would be a traveler using a publicly available printer
in a business center, in an hotel, or at an airport. in a business center, in a hotel, or at an airport.
( Taking notes: ( Taking notes:
( David is printing ( David is printing
( a document ( a document.
~~~~~~~~~~~ ~~~~~~~~~~~
o o
___ o ___ ___ o ___
/ \ _|___|_ / \ _|___|_
| | client server |* *| | | client server |* *|
\_/ __ \_/ \_/ __ \_/
| / / Discovery +----------+ | | / / Discovery +----------+ |
/|\ /_/ <-----------> | +----+ | /|\ /|\ /_/ <-----------> | +----+ | /|\
/ | \__/ +--| |--+ / | \ / | \__/ +--| |--+ / | \
/ | |____/ / | \ / | |____/ / | \
/ | / | \ / | / | \
/ \ / \ / \ / \
/ \ / \ / \ / \
/ \ / \ / \ / \
/ \ / \ / \ / \
/ \ / \ / \ / \
David adversary David Adversary
In that scenario, the server is public and wants to be discovered, In that scenario, the server is public and wants to be discovered,
but the client is private. The adversary will be listening to the but the client is private. The adversary will be listening to the
network traffic, trying to identify the visitors' devices and their network traffic, trying to identify the visitors' devices and their
activity. Identifying devices leads to identifying people, either activity. Identifying devices leads to identifying people, either
for surveillance of these individuals in the physical world or as a for surveillance of these individuals in the physical world or as a
preliminary step for a targeted cyber attack. preliminary step for a targeted cyber attack.
The requirement in that scenario is that the discovery activity The requirement in that scenario is that the discovery activity
should not disclose the identity of the client. should not disclose the identity of the client.
3.1.2. Private Client and Private Server 3.1.2. Private Client and Private Server
The second private discovery scenario involves a private client The second private discovery scenario involves a private client
connecting to a private server. A common example would be two people connecting to a private server. A common example would be two people
engaging in a collaborative application in a public place, such as an engaging in a collaborative application in a public place, such as an
airport's lounge. airport's lounge.
( Taking notes: ( Taking notes:
( David is meeting ( David is meeting
( with Stuart ( with Stuart.
~~~~~~~~~~~ ~~~~~~~~~~~
o o
___ ___ o ___ ___ ___ o ___
/ \ / \ _|___|_ / \ / \ _|___|_
| | server client | | |* *| | | server client | | |* *|
\_/ __ __ \_/ \_/ \_/ __ __ \_/ \_/
| / / Discovery \ \ | | | / / Discovery \ \ | |
/|\ /_/ <-----------> \_\ /|\ /|\ /|\ /_/ <-----------> \_\ /|\ /|\
/ | \__/ \__/ | \ / | \ / | \__/ \__/ | \ / | \
/ | | \ / | \ / | | \ / | \
skipping to change at page 6, line 29 skipping to change at line 253
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
/ \ / \ / \ / \ / \ / \
David Stuart Adversary David Stuart Adversary
In that scenario, the collaborative application on one of the devices In that scenario, the collaborative application on one of the devices
will act as a server, and the application on the other device will will act as a server, and the application on the other device will
act as a client. The server wants to be discovered by the client, act as a client. The server wants to be discovered by the client but
but has no desire to be discovered by anyone else. The adversary has no desire to be discovered by anyone else. The adversary will be
will be listening to network traffic, attempting to discover the listening to network traffic, attempting to discover the identity of
identity of devices as in the first scenario, and also attempting to devices as in the first scenario and also attempting to discover the
discover the patterns of traffic, as these patterns reveal the patterns of traffic, as these patterns reveal the business and social
business and social interactions between the owners of the devices. interactions between the owners of the devices.
The requirement in that scenario is that the discovery activity The requirement in that scenario is that the discovery activity
should not disclose the identity of either the client or the server, should not disclose the identity of either the client or the server
nor reveal the business and social interactions between the owners of nor reveal the business and social interactions between the owners of
the devices. the devices.
3.1.3. Wearable Client and Server 3.1.3. Wearable Client and Server
The third private discovery scenario involves wearable devices. A The third private discovery scenario involves wearable devices. A
typical example would be the watch on someone's wrist connecting to typical example would be the watch on someone's wrist connecting to
the phone in their pocket. the phone in their pocket.
( Taking notes: ( Taking notes:
( David is here. His watch is ( David is here. His watch is
( talking to his phone ( talking to his phone.
~~~~~~~~~~~ ~~~~~~~~~~~
o o
___ o ___ ___ o ___
/ \ _|___|_ / \ _|___|_
| | client |* *| | | client |* *|
\_/ \_/ \_/ \_/
| _/ | | _/ |
/|\ // /|\ /|\ // /|\
/ | \__/ ^ / | \ / | \__/ ^ / | \
/ |__ | Discovery / | \ / |__ | Discovery / | \
skipping to change at page 7, line 44 skipping to change at line 310
type of devices that the person wears. type of devices that the person wears.
In addition to tracking the identity of the owner of the devices, the In addition to tracking the identity of the owner of the devices, the
adversary is interested in the characteristics of the devices, such adversary is interested in the characteristics of the devices, such
as type, brand, and model. Identifying the type of device can lead as type, brand, and model. Identifying the type of device can lead
to further attacks, from theft to device-specific hacking. The to further attacks, from theft to device-specific hacking. The
combination of devices worn by the same person will also provide a combination of devices worn by the same person will also provide a
"fingerprint" of the person, risking identification. "fingerprint" of the person, risking identification.
This scenario also represents the general case of bringing private This scenario also represents the general case of bringing private
IoT devices into public places. A wearable IoT device might act as a Internet-of-Things (IoT) devices into public places. A wearable IoT
DNS-SD/mDNS client which allows attackers to infer information about device might act as a DNS-SD/mDNS client, which allows attackers to
devices' owners. While the attacker might be a person as in the infer information about devices' owners. While the attacker might be
example figure, this could also be abused for large scale data a person, as in the example figure, this could also be abused for
collection installing stationary IoT-device-tracking servers in large-scale data collection installing stationary IoT-device-tracking
frequented public places. servers in frequented public places.
The issues described in Section 3.1.1 such as identifying people or The issues described in Section 3.1.1, such as identifying people or
using the information for targeted attacks apply here too. using the information for targeted attacks, apply here too.
3.2. DNS-SD Privacy Considerations 3.2. DNS-SD Privacy Considerations
While the discovery process illustrated in the scenarios in While the discovery process illustrated in the scenarios in
Section 3.1 most likely would be based on [RFC6762] as a means for Section 3.1 most likely would be based on [RFC6762] as a means for
making service information available, this document considers all making service information available, this document considers all
kinds of means for making DNS-SD resource records available. These kinds of means for making DNS-SD resource records available. These
means comprise but are not limited to mDNS [RFC6762], DNS servers means comprise of but are not limited to mDNS [RFC6762], DNS servers
([RFC1033] [RFC1034], [RFC1035]), using SRP [I-D.ietf-dnssd-srp], and ([RFC1033], [RFC1034], and [RFC1035]), the use of Service
multi-link [RFC7558] networks. Registration Protocol (SRP) [SRP], and multi-link [RFC7558] networks.
The discovery scenarios in Section 3.1 illustrate three separate The discovery scenarios in Section 3.1 illustrate three separate
abstract privacy requirements that vary based on the use case. These abstract privacy requirements that vary based on the use case. These
are not limited to mDNS. are not limited to mDNS.
1. Client identity privacy: Client identities are not leaked during 1. Client identity privacy: Client identities are not leaked during
service discovery or use. service discovery or use.
2. Multi-entity, mutual client and server identity privacy: Neither 2. Multi-entity, mutual client and server identity privacy: Neither
client nor server identities are leaked during service discovery client nor server identities are leaked during service discovery
skipping to change at page 8, line 38 skipping to change at line 353
legal person are not leaked during service discovery or use. legal person are not leaked during service discovery or use.
In this section, we describe aspects of DNS-SD that make these In this section, we describe aspects of DNS-SD that make these
requirements difficult to achieve in practice. While it is intended requirements difficult to achieve in practice. While it is intended
to be thorough, it is not possible to be exhaustive. to be thorough, it is not possible to be exhaustive.
Client identity privacy, if not addressed properly, can be thwarted Client identity privacy, if not addressed properly, can be thwarted
by a passive attacker (see Section 2). The type of passive attacker by a passive attacker (see Section 2). The type of passive attacker
necessary depends on the means of making service information necessary depends on the means of making service information
available. Information conveyed via multicast messages can be available. Information conveyed via multicast messages can be
obtained by an on-link attacker. Unicast messages are easy to access obtained by an on-link attacker. Unicast messages are harder to
if the transmission is not encrypted, but could still be accessed by access, but if the transmission is not encrypted they could still be
an attacker with access to network routers or bridges. Using multi- accessed by an attacker with access to network routers or bridges.
link service discovery solutions [RFC7558], external attackers have Using multi-link service discovery solutions [RFC7558], external
to be taken into consideration as well, e.g., when relaying multicast attackers have to be taken into consideration as well, e.g., when
messages to other links. relaying multicast messages to other links.
Server identity privacy can be thwarted by a passive attacker in the Server identity privacy can be thwarted by a passive attacker in the
same way as client identity privacy. Additionally, active attackers same way as client identity privacy. Additionally, active attackers
querying for information have to be taken into consideration as well. querying for information have to be taken into consideration as well.
This is mainly relevant for unicast-based discovery, where listening This is mainly relevant for unicast-based discovery, where listening
to discovery traffic requires a MITM attacker; however, an external to discovery traffic requires a MITM attacker; however, an external
active attacker might be able to learn the server identity by just active attacker might be able to learn the server identity by just
querying for service information, e.g. via DNS. querying for service information, e.g., via DNS.
3.2.1. Information made available via DNS-SD Resource Records 3.2.1. Information Made Available Via DNS-SD Resource Records
DNS-Based Service Discovery (DNS-SD) is defined in [RFC6763]. It DNS-Based Service Discovery (DNS-SD) is defined in [RFC6763]. It
allows nodes to publish the availability of an instance of a service allows nodes to publish the availability of an instance of a service
by inserting specific records in the DNS ([RFC1033], [RFC1034], by inserting specific records in the DNS ([RFC1033], [RFC1034], and
[RFC1035]) or by publishing these records locally using multicast DNS [RFC1035]) or by publishing these records locally using multicast DNS
(mDNS) [RFC6762]. Available services are described using three types (mDNS) [RFC6762]. Available services are described using three types
of records: of records:
PTR Record: Associates a service type in the domain with an PTR Record
"instance" name of this service type. Associates a service type in the domain with an "instance" name of
this service type.
SRV Record: Provides the node name, port number, priority and weight SRV Record
Provides the node name, port number, priority and weight
associated with the service instance, in conformance with associated with the service instance, in conformance with
[RFC2782]. [RFC2782].
TXT Record: Provides a set of attribute-value pairs describing TXT Record
specific properties of the service instance. Provides a set of attribute-value pairs describing specific
properties of the service instance.
3.2.2. Privacy Implication of Publishing Service Instance Names 3.2.2. Privacy Implication of Publishing Service Instance Names
In the first phase of discovery, clients obtain all PTR records In the first phase of discovery, clients obtain all PTR records
associated with a service type in a given naming domain. Each PTR associated with a service type in a given naming domain. Each PTR
record contains a Service Instance Name defined in Section 4 of record contains a Service Instance Name defined in Section 4 of
[RFC6763]: [RFC6763]:
Service Instance Name = <Instance> . <Service> . <Domain> Service Instance Name = <Instance> . <Service> . <Domain>
The <Instance> portion of the Service Instance Name is meant to The <Instance> portion of the Service Instance Name is meant to
convey enough information for users of discovery clients to easily convey enough information for users of discovery clients to easily
select the desired service instance. Nodes that use DNS-SD over mDNS select the desired service instance. Nodes that use DNS-SD over mDNS
[RFC6762] in a mobile environment will rely on the specificity of the [RFC6762] in a mobile environment will rely on the specificity of the
instance name to identify the desired service instance. In our instance name to identify the desired service instance. In our
example of users wanting to upload pictures to a laptop in an example of users wanting to upload pictures to a laptop in an
Internet Cafe, the list of available service instances may look like: Internet cafe, the list of available service instances may look like:
Alice's Images . _imageStore._tcp . local Alice's Images . _imageStore._tcp . local
Alice's Mobile Phone . _presence._tcp . local Alice's Mobile Phone . _presence._tcp . local
Alice's Notebook . _presence._tcp . local Alice's Notebook . _presence._tcp . local
Bob's Notebook . _presence._tcp . local Bob's Notebook . _presence._tcp . local
Carol's Notebook . _presence._tcp . local Carol's Notebook . _presence._tcp . local
Alice will see the list on her phone and understand intuitively that Alice will see the list on her phone and understand intuitively that
she should pick the first item. The discovery will "just work". she should pick the first item. The discovery will "just work".
(Note that our examples of service names conform to the specification (Note that our examples of service names conform to the specification
in section 4.1 of [RFC6763], but may require some character escaping in Section 4.1 of [RFC6763] but may require some character escaping
when entered in conventional DNS software.) when entered in conventional DNS software.)
However, DNS-SD/mDNS will reveal to anybody that Alice is currently However, DNS-SD/mDNS will reveal to anybody that Alice is currently
visiting the Internet Cafe. It further discloses the fact that she visiting the Internet cafe. It further discloses the fact that she
uses two devices, shares an image store, and uses a chat application uses two devices, shares an image store, and uses a chat application
supporting the _presence protocol on both of her devices. She might supporting the _presence protocol on both of her devices. She might
currently chat with Bob or Carol, as they are also using a _presence currently chat with Bob or Carol, as they are also using a _presence
supporting chat application. This information is not just available supporting chat application. This information is not just available
to devices actively browsing for and offering services, but to to devices actively browsing for and offering services but to anybody
anybody passively listening to the network traffic, i.e. a passive passively listening to the network traffic, i.e., a passive on-link
on-link attacker. attacker.
There is, of course, also no authentication requirement to claim a There is, of course, also no authentication requirement to claim a
particular instance name, so an active attacker can provide resources particular instance name, so an active attacker can provide resources
that claim to be Alice's but are not. that claim to be Alice's but are not.
3.2.3. Privacy Implication of Publishing Node Names 3.2.3. Privacy Implication of Publishing Node Names
The SRV records contain the DNS name of the node publishing the The SRV records contain the DNS name of the node publishing the
service. Typical implementations construct this DNS name by service. Typical implementations construct this DNS name by
concatenating the "host name" of the node with the name of the local concatenating the "hostname" of the node with the name of the local
domain. The privacy implications of this practice are reviewed in domain. The privacy implications of this practice are reviewed in
[RFC8117]. Depending on naming practices, the host name is either a [RFC8117]. Depending on naming practices, the hostname is either a
strong identifier of the device, or at a minimum a partial strong identifier of the device or, at a minimum, a partial
identifier. It enables tracking of both the device, and, by identifier. It enables tracking of both the device and, by
extension, the device's owner. extension, the device's owner.
3.2.4. Privacy Implication of Publishing Service Attributes 3.2.4. Privacy Implication of Publishing Service Attributes
The TXT record's attribute-value pairs contain information on the The TXT record's attribute-value pairs contain information on the
characteristics of the corresponding service instance. This in turn characteristics of the corresponding service instance. This in turn
reveals information about the devices that publish services. The reveals information about the devices that publish services. The
amount of information varies widely with the particular service and amount of information varies widely with the particular service and
its implementation: its implementation:
o Some attributes, such as the paper size available in a printer, * Some attributes, such as the paper size available in a printer,
are the same on many devices, and thus only provide limited are the same on many devices and thus only provide limited
information to a tracker. information to a tracker.
o Attributes that have freeform values, such as the name of a * Attributes that have free-form values, such as the name of a
directory, may reveal much more information. directory, may reveal much more information.
Combinations of individual attributes have more information power Combinations of individual attributes have more information power
than specific attributes, and can potentially be used for than specific attributes and can potentially be used for
"fingerprinting" a specific device. "fingerprinting" a specific device.
Information contained in TXT records not only breaches privacy by Information contained in TXT records not only breaches privacy by
making devices trackable, but might directly contain private making devices trackable but might directly contain private
information about the user. For instance the _presence service information about the user. For instance, the _presence service
reveals the "chat status" to everyone in the same network. Users reveals the "chat status" to everyone in the same network. Users
might not be aware of that. might not be aware of that.
Further, TXT records often contain version information about Further, TXT records often contain version information about
services, allowing potential attackers to identify devices running services, allowing potential attackers to identify devices running
exploit-prone versions of a certain service. exploit-prone versions of a certain service.
3.2.5. Device Fingerprinting 3.2.5. Device Fingerprinting
The combination of information published in DNS-SD has the potential The combination of information published in DNS-SD has the potential
to provide a "fingerprint" of a specific device. Such information to provide a "fingerprint" of a specific device. Such information
includes: includes:
o List of services published by the device, which can be retrieved * A list of services published by the device, which can be retrieved
because the SRV records will point to the same host name. because the SRV records will point to the same hostname.
o Specific attributes describing these services. * Specific attributes describing these services.
o Port numbers used by the services. * Port numbers used by the services.
o Priority and weight attributes in the SRV records. * Priority and weight attributes in the SRV records.
This combination of services and attributes will often be sufficient This combination of services and attributes will often be sufficient
to identify the version of the software running on a device. If a to identify the version of the software running on a device. If a
device publishes many services with rich sets of attributes, the device publishes many services with rich sets of attributes, the
combination may be sufficient to identify the specific device and combination may be sufficient to identify the specific device and
track its owner. track its owner.
An argument is sometimes made that devices providing services can be An argument is sometimes made that devices providing services can be
identified by observing the local traffic, and that trying to hide identified by observing the local traffic and that trying to hide the
the presence of the service is futile. However, there are good presence of the service is futile. However, there are good reasons
reasons for the discovery service layer to avoid unnecessary for the discovery service layer to avoid unnecessary exposure:
exposure:
1. Providing privacy at the discovery layer is of the essence for 1. Providing privacy at the discovery layer is of the essence for
enabling automatically configured privacy-preserving network enabling automatically configured privacy-preserving network
applications. Application layer protocols are not forced to applications. Application layer protocols are not forced to
leverage the offered privacy, but if device tracking is not leverage the offered privacy, but if device tracking is not
prevented at the deeper layers, including the service discovery prevented at the deeper layers, including the service discovery
layer, obfuscating a certain service's protocol at the layer, obfuscating a certain service's protocol at the
application layer is futile. application layer is futile.
2. Further, in the case of mDNS based discovery, even if the 2. Further, in the case of mDNS-based discovery, even if the
application layer does not protect privacy, typically services application layer does not protect privacy, services are
are provided via unicast which requires a MITM attacker, while typically provided via unicast, which requires a MITM attacker,
identifying services based on multicast discovery messages just whereas identifying services based on multicast discovery
requires an on-link attacker. messages just requires an on-link attacker.
The same argument can be extended to say that the pattern of services The same argument can be extended to say that the pattern of services
offered by a device allows for fingerprinting the device. This may offered by a device allows for fingerprinting the device. This may
or may not be true, since we can expect that services will be or may not be true, since we can expect that services will be
designed or updated to avoid leaking fingerprints. In any case, the designed or updated to avoid leaking fingerprints. In any case, the
design of the discovery service should avoid making a bad situation design of the discovery service should avoid making a bad situation
worse, and should as much as possible avoid providing new worse and should, as much as possible, avoid providing new
fingerprinting information. fingerprinting information.
3.2.6. Privacy Implication of Discovering Services 3.2.6. Privacy Implication of Discovering Services
The consumers of services engage in discovery, and in doing so reveal The consumers of services engage in discovery and in doing so reveal
some information such as the list of services they are interested in some information, such as the list of services they are interested in
and the domains in which they are looking for the services. When the and the domains in which they are looking for the services. When the
clients select specific instances of services, they reveal their clients select specific instances of services, they reveal their
preference for these instances. This can be benign if the service preference for these instances. This can be benign if the service
type is very common, but it could be more problematic for sensitive type is very common, but it could be more problematic for sensitive
services, such as some private messaging services. services, such as some private messaging services.
One way to protect clients would be to somehow encrypt the requested One way to protect clients would be to somehow encrypt the requested
service types. Of course, just as we noted in Section 3.2.5, traffic service types. Of course, just as we noted in Section 3.2.5, traffic
analysis can often reveal the service. analysis can often reveal the service.
3.3. Security Considerations 3.3. Security Considerations
For each of the operations described above, we must also consider For each of the operations described above, we must also consider
security threats we are concerned about. security threats we are concerned about.
3.3.1. Authenticity, Integrity & Freshness 3.3.1. Authenticity, Integrity, and Freshness
Can devices (both servers and clients) trust the information they Can devices (both servers and clients) trust the information they
receive? Has it been modified in flight by an adversary? Can receive? Has it been modified in flight by an adversary? Can
devices trust the source of the information? Is the source of devices trust the source of the information? Is the source of
information fresh, i.e., not replayed? Freshness may or may not be information fresh, i.e., not replayed? Freshness may or may not be
required depending on whether the discovery process is meant to be required depending on whether the discovery process is meant to be
online. In some cases, publishing discovery information to a shared online. In some cases, publishing discovery information to a shared
directory or registry, rather than to each online recipient through a directory or registry, rather than to each online recipient through a
broadcast channel, may suffice. broadcast channel, may suffice.
3.3.2. Confidentiality 3.3.2. Confidentiality
Confidentiality is about restricting information access to only Confidentiality is about restricting information access to only
authorized individuals. Ideally this should only be the appropriate authorized individuals. Ideally, this should only be the appropriate
trusted parties, though it can be challenging to define who are "the trusted parties, though it can be challenging to define who are "the
appropriate trusted parties." In some use cases, this may mean that appropriate trusted parties." In some use cases, this may mean that
only mutually authenticated and trusting clients and servers can read only mutually authenticated and trusting clients and servers can read
messages sent for one another. The process of service discovery in messages sent for one another. The process of service discovery in
particular is often used to discover new entities that the device did particular is often used to discover new entities that the device did
not previously know about. It may be tricky to work out how a device not previously know about. It may be tricky to work out how a device
can have an established trust relationship with a new entity it has can have an established trust relationship with a new entity it has
never previously communicated with. never previously communicated with.
3.3.3. Resistance to Dictionary Attacks 3.3.3. Resistance to Dictionary Attacks
It can be tempting to use (publicly computable) hash functions to It can be tempting to use (publicly computable) hash functions to
obscure sensitive identifiers. This transforms a sensitive unique obscure sensitive identifiers. This transforms a sensitive unique
identifier such as an email address into a "scrambled" but still identifier, such as an email address, into a "scrambled" but still
unique identifier. Unfortunately simple solutions may be vulnerable unique identifier. Unfortunately, simple solutions may be vulnerable
to offline dictionary attacks. to offline dictionary attacks.
3.3.4. Resistance to Denial-of-Service Attacks 3.3.4. Resistance to Denial-of-Service Attacks
In any protocol where the receiver of messages has to perform In any protocol where the receiver of messages has to perform
cryptographic operations on those messages, there is a risk of a cryptographic operations on those messages, there is a risk of a
brute-force flooding attack causing the receiver to expend excessive brute-force flooding attack causing the receiver to expend excessive
amounts of CPU time and, where appliciable, battery power just amounts of CPU time and, where applicable, battery power just
processing and discarding those messages. processing and discarding those messages.
Also, amplification attacks have to be taken into consideration. Also, amplification attacks have to be taken into consideration.
Messages with larger payloads should only be sent as an answer to a Messages with larger payloads should only be sent as an answer to a
query sent by a verified client. query sent by a verified client.
3.3.5. Resistance to Sender Impersonation 3.3.5. Resistance to Sender Impersonation
Sender impersonation is an attack wherein messages such as service Sender impersonation is an attack wherein messages, such as service
offers are forged by entities who do not possess the corresponding offers, are forged by entities who do not possess the corresponding
secret key material. These attacks may be used to learn the identity secret key material. These attacks may be used to learn the identity
of a communicating party, actively or passively. of a communicating party, actively or passively.
3.3.6. Sender Deniability 3.3.6. Sender Deniability
Deniability of sender activity, e.g., of broadcasting a discovery Deniability of sender activity, e.g., of broadcasting a discovery
request, may be desirable or necessary in some use cases. This request, may be desirable or necessary in some use cases. This
property ensures that eavesdroppers cannot prove senders issued a property ensures that eavesdroppers cannot prove senders issued a
specific message destined for one or more peers. specific message destined for one or more peers.
3.4. Operational Considerations 3.4. Operational Considerations
3.4.1. Power Management 3.4.1. Power Management
Many modern devices, especially battery-powered devices, use power Many modern devices, especially battery-powered devices, use power
management techniques to conserve energy. One such technique is for management techniques to conserve energy. One such technique is for
a device to transfer information about itself to a proxy, which will a device to transfer information about itself to a proxy, which will
act on behalf of the device for some functions, while the device act on behalf of the device for some functions while the device
itself goes to sleep to reduce power consumption. When the proxy itself goes to sleep to reduce power consumption. When the proxy
determines that some action is required which only the device itself determines that some action is required, which only the device itself
can perform, the proxy may have some way to wake the device, as can perform, the proxy may have some way to wake the device, as
described for example in [SLEEP-PROXY]. described for example in [SLEEP-PROXY].
In many cases, the device may not trust the network proxy In many cases, the device may not trust the network proxy
sufficiently to share all its confidential key material with the sufficiently to share all its confidential key material with the
proxy. This poses challenges for combining private discovery that proxy. This poses challenges for combining private discovery that
relies on per-query cryptographic operations, with energy-saving relies on per-query cryptographic operations with energy-saving
techniques that rely on having (somewhat untrusted) network proxies techniques that rely on having (somewhat untrusted) network proxies
answer queries on behalf of sleeping devices. answer queries on behalf of sleeping devices.
3.4.2. Protocol Efficiency 3.4.2. Protocol Efficiency
Creating a discovery protocol that has the desired security Creating a discovery protocol that has the desired security
properties may result in a design that is not efficient. To perform properties may result in a design that is not efficient. To perform
the necessary operations the protocol may need to send and receive a the necessary operations, the protocol may need to send and receive a
large number of network packets, or require an inordinate amount of large number of network packets or require an inordinate amount of
multicast transmissions. This may consume an unreasonable amount of multicast transmissions. This may consume an unreasonable amount of
network capacity, particularly problematic when it is a shared network capacity, particularly problematic when it is a shared
wireless spectrum. Further, it may cause an unnecessary level of wireless spectrum. Further, it may cause an unnecessary level of
power consumption which is particularly problematic on battery power consumption, which is particularly problematic on battery
devices, and may result in the discovery process being slow. devices and may result in the discovery process being slow.
It is a difficult challenge to design a discovery protocol that has It is a difficult challenge to design a discovery protocol that has
the property of obscuring the details of what it is doing from the property of obscuring the details of what it is doing from
unauthorized observers, while also managing to perform efficiently. unauthorized observers while also managing to perform efficiently.
3.4.3. Secure Initialization and Trust Models 3.4.3. Secure Initialization and Trust Models
One of the challenges implicit in the preceding discussions is that One of the challenges implicit in the preceding discussions is that
whenever we discuss "trusted entities" versus "untrusted entities", whenever we discuss "trusted entities" versus "untrusted entities",
there needs to be some way that trust is initially established, to there needs to be some way that trust is initially established to
convert an "untrusted entity" into a "trusted entity". convert an "untrusted entity" into a "trusted entity".
The purpose of this document is not to define the specific way in The purpose of this document is not to define the specific way in
which trust can be established. Protocol designers may rely on a which trust can be established. Protocol designers may rely on a
number of existing technologies, including PKI, Trust On First Use number of existing technologies, including PKI, Trust On First Use
(TOFU), or using a short passphrase or PIN with cryptographic (TOFU), or the use of a short passphrase or PIN with cryptographic
algorithms such as Secure Remote Password (SRP) [RFC5054] or a algorithms, such as Secure Remote Password (SRP) [RFC5054] or a
Password Authenticated Key Exchange like J-PAKE [RFC8236] using a Password-Authenticated Key Exchange like J-PAKE [RFC8236] using a
Schnorr Non-interactive Zero-Knowledge Proof [RFC8235]. Schnorr Non-interactive Zero-Knowledge Proof [RFC8235].
Protocol designers should consider a specific usability pitfall when Protocol designers should consider a specific usability pitfall when
trust is established immediately prior to performing discovery. trust is established immediately prior to performing discovery.
Users will have a tendency to "click OK" in order to achieve their Users will have a tendency to "click OK" in order to achieve their
task. This implicit vulnerability is avoided if the trust task. This implicit vulnerability is avoided if the trust
establishment requires more significant participation of the user, establishment requires more significant participation of the user,
such as entering a password or PIN. such as entering a password or PIN.
3.4.4. External Dependencies 3.4.4. External Dependencies
Trust establishment may depend on external parties. Optionally, this Trust establishment may depend on external parties. Optionally, this
might involve synchronous communication. Systems which have such a might involve synchronous communication. Systems that have such a
dependency may be attacked by interfering with communication to dependency may be attacked by interfering with communication to
external dependencies. Where possible, such dependencies should be external dependencies. Where possible, such dependencies should be
minimized. Local trust models are best for secure initialization in minimized. Local trust models are best for secure initialization in
the presence of active attackers. the presence of active attackers.
4. Requirements for a DNS-SD Privacy Extension 4. Requirements for a DNS-SD Privacy Extension
Given the considerations discussed in the previous sections, we state Given the considerations discussed in the previous sections, we state
requirements for privacy preserving DNS-SD in the following requirements for privacy preserving DNS-SD in the following
subsections. subsections.
skipping to change at page 15, line 31 skipping to change at line 682
lead to a solution that does not transmit privacy-violating DNS-SD lead to a solution that does not transmit privacy-violating DNS-SD
messages and further does not open pathways to new attacks against messages and further does not open pathways to new attacks against
the operation of DNS-SD. the operation of DNS-SD.
However, while this document gives advice on which privacy protecting However, while this document gives advice on which privacy protecting
mechanisms should be used on deeper-layer network protocols and on mechanisms should be used on deeper-layer network protocols and on
how to actually connect to services in a privacy-preserving way, how to actually connect to services in a privacy-preserving way,
stating corresponding requirements is out of the scope of this stating corresponding requirements is out of the scope of this
document. To mitigate attacks against privacy on lower layers, both document. To mitigate attacks against privacy on lower layers, both
servers and clients must use privacy options available at lower servers and clients must use privacy options available at lower
layers, and for example avoid publishing static IPv4 or IPv6 layers and, for example, avoid publishing static IPv4 or IPv6
addresses, or static IEEE 802 MAC addresses. For services advertised addresses or static IEEE 802 Media Access Control (MAC) addresses.
on a single network link, link local IP addresses should be used; see For services advertised on a single network link, link-local IP
[RFC3927] and [RFC4291] for IPv4 and IPv6, respectively. Static addresses should be used; see [RFC3927] and [RFC4291] for IPv4 and
servers advertising services globally via DNS can hide their IP IPv6, respectively. Static servers advertising services globally via
addresses from unauthorized clients using the split mode topology DNS can hide their IP addresses from unauthorized clients using the
shown in [I-D.ietf-tls-esni]. Hiding static MAC addresses can be split mode topology shown in Encrypted Server Name Indication [ESNI].
achieved via MAC address randomization (see [RFC7844]). Hiding static MAC addresses can be achieved via MAC address
randomization (see [RFC7844]).
4.1. Private Client Requirements 4.1. Private Client Requirements
For all three scenarios described in Section 3.1, client privacy For all three scenarios described in Section 3.1, client privacy
requires DNS-SD messages to: requires DNS-SD messages to:
1. Avoid disclosure of the client's identity, either directly or via 1. Avoid disclosure of the client's identity, either directly or via
inference, to nodes other than select servers. inference, to nodes other than select servers.
2. Avoid exposure of linkable identifiers that allow tracing client 2. Avoid exposure of linkable identifiers that allow tracing client
skipping to change at page 16, line 15 skipping to change at line 716
When listing and resolving services via current DNS-SD deployments, When listing and resolving services via current DNS-SD deployments,
clients typically disclose their interest in specific services types clients typically disclose their interest in specific services types
and specific instances of these types, respectively. and specific instances of these types, respectively.
In addition to the exposure and disclosure risks noted above, In addition to the exposure and disclosure risks noted above,
protocols and implementations will have to consider fingerprinting protocols and implementations will have to consider fingerprinting
attacks (see Section 3.2.5) that could retrieve similar information. attacks (see Section 3.2.5) that could retrieve similar information.
4.2. Private Server Requirements 4.2. Private Server Requirements
Servers like the "printer" discussed in scenario 1 are public, but Servers like the "printer" discussed in Section 3.1.1 are public, but
the servers discussed in scenarios 2 and 3 are by essence private. the servers discussed in Sections 3.1.2 and 3.1.3 are, by essence,
Server privacy requires DNS-SD messages to: private. Server privacy requires DNS-SD messages to:
1. Avoid disclosure of the server's identity, either directly or via 1. Avoid disclosure of the server's identity, either directly or via
inference, to nodes other than authorized clients. In inference, to nodes other than authorized clients. In
particular, Servers must avoid publishing static identifiers such particular, servers must avoid publishing static identifiers,
as host names or service names. When those fields are required such as hostnames or service names. When those fields are
by the protocol, servers should publish randomized values. (See required by the protocol, servers should publish randomized
[RFC8117] for a discussion of host names.) values. (See [RFC8117] for a discussion of hostnames.)
2. Avoid exposure of linkable identifiers that allow tracing 2. Avoid exposure of linkable identifiers that allow tracing
servers. servers.
3. Avoid disclosure to unauthorized clients of service instance 3. Avoid disclosure to unauthorized clients of Service Instance
names or service types of offered services. Names or service types of offered services.
4. Avoid disclosure to unauthorized clients of information about the 4. Avoid disclosure to unauthorized clients of information about the
services they offer. services they offer.
5. Avoid disclosure of static IPv4 or IPv6 addresses. 5. Avoid disclosure of static IPv4 or IPv6 addresses.
When offering services via current DNS-SD deployments, servers When offering services via current DNS-SD deployments, servers
typically disclose their hostnames (SRV, A/AAAA), instance names of typically disclose their hostnames (SRV, A/AAAA), instance names of
offered services (PRT, SRV), and information about services (TXT). offered services (PTR, SRV), and information about services (TXT).
Heeding these requirements protects a server's privacy on the DNS-SD Heeding these requirements protects a server's privacy on the DNS-SD
level. level.
The current DNS-SD user interfaces present the list of discovered The current DNS-SD user interfaces present the list of discovered
service names to the users, and let them pick a service from the service names to the users and let them pick a service from the list.
list. Using random identifiers for service names renders that UI Using random identifiers for service names renders that UI flow
flow unusable. Privacy-respecting discovery protocols will have to unusable. Privacy-respecting discovery protocols will have to solve
solve this issue, for example by presenting authenticated or this issue, for example, by presenting authenticated or decrypted
decrypted service names instead of the randomized values. service names instead of the randomized values.
4.3. Security and Operation 4.3. Security and Operation
In order to be secure and feasible, a DNS-SD privacy extension needs In order to be secure and feasible, a DNS-SD privacy extension needs
to consider security and operational requirements including: to consider security and operational requirements including:
1. Avoiding significant CPU overhead on nodes or significantly 1. Avoiding significant CPU overhead on nodes or significantly
higher network load. Such overhead or load would make nodes higher network load. Such overhead or load would make nodes
vulnerable to denial of service attacks. Further, it would vulnerable to denial-of-service attacks. Further, it would
increase power consumption which is damaging for IoT devices. increase power consumption, which is damaging for IoT devices.
2. Avoiding designs in which a small message can trigger a large 2. Avoiding designs in which a small message can trigger a large
amount of traffic towards an unverified address, as this could be amount of traffic towards an unverified address, as this could be
exploited in amplification attacks. exploited in amplification attacks.
5. IANA Considerations 5. IANA Considerations
This draft does not require any IANA action. This document has no IANA actions.
6. Acknowledgments
This draft incorporates many contributions from Stuart Cheshire and
Chris Wood. Thanks to Florian Adamsky for extensive review and
suggestions on the organization of the threat model. Thanks to Barry
Leiba for an extensive review. Thanks to Roman Danyliw, Ben Kaduk,
Adam Roach and Alissa Cooper for their comments during IESG review.
7. References 6. References
7.1. Normative References 6.1. Normative References
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013, DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>. <https://www.rfc-editor.org/info/rfc6762>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>. <https://www.rfc-editor.org/info/rfc6763>.
7.2. Informative References 6.2. Informative References
[I-D.ietf-dnssd-srp]
Cheshire, S. and T. Lemon, "Service Registration Protocol
for DNS-Based Service Discovery", draft-ietf-dnssd-srp-02
(work in progress), July 2019.
[I-D.ietf-tls-esni] [ESNI] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Rescorla, E., Oku, K., Sullivan, N., and C. Wood, Encrypted Client Hello", Work in Progress, Internet-Draft,
"Encrypted Server Name Indication for TLS 1.3", draft- draft-ietf-tls-esni-07, June 1, 2020,
ietf-tls-esni-05 (work in progress), November 2019. <https://tools.ietf.org/html/draft-ietf-tls-esni-07>.
[K17] Kaiser, D., "Efficient Privacy-Preserving [K17] Kaiser, D., "Efficient Privacy-Preserving
Configurationless Service Discovery Supporting Multi-Link Configurationless Service Discovery Supporting Multi-Link
Networks", 2017, Networks", August 2017,
<http://nbn-resolving.de/urn:nbn:de:bsz:352-0-422757>. <https://nbn-resolving.de/urn:nbn:de:bsz:352-0-422757>.
[KW14a] Kaiser, D. and M. Waldvogel, "Adding Privacy to Multicast [KW14a] Kaiser, D. and M. Waldvogel, "Adding Privacy to Multicast
DNS Service Discovery", DOI 10.1109/TrustCom.2014.107, DNS Service Discovery", DOI 10.1109/TrustCom.2014.107,
2014, <http://ieeexplore.ieee.org/xpl/ September 2014, <https://ieeexplore.ieee.org/xpl/
articleDetails.jsp?arnumber=7011331>. articleDetails.jsp?arnumber=7011331>.
[KW14b] Kaiser, D. and M. Waldvogel, "Efficient Privacy Preserving [KW14b] Kaiser, D. and M. Waldvogel, "Efficient Privacy Preserving
Multicast DNS Service Discovery", Multicast DNS Service Discovery",
DOI 10.1109/HPCC.2014.141, 2014, DOI 10.1109/HPCC.2014.141, August 2014,
<http://ieeexplore.ieee.org/xpl/ <https://ieeexplore.ieee.org/xpl/
articleDetails.jsp?arnumber=7056899>. articleDetails.jsp?arnumber=7056899>.
[RFC1033] Lottor, M., "Domain Administrators Operations Guide", [RFC1033] Lottor, M., "Domain Administrators Operations Guide",
RFC 1033, DOI 10.17487/RFC1033, November 1987, RFC 1033, DOI 10.17487/RFC1033, November 1987,
<https://www.rfc-editor.org/info/rfc1033>. <https://www.rfc-editor.org/info/rfc1033>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
skipping to change at page 19, line 35 skipping to change at line 860
[RFC8235] Hao, F., Ed., "Schnorr Non-interactive Zero-Knowledge [RFC8235] Hao, F., Ed., "Schnorr Non-interactive Zero-Knowledge
Proof", RFC 8235, DOI 10.17487/RFC8235, September 2017, Proof", RFC 8235, DOI 10.17487/RFC8235, September 2017,
<https://www.rfc-editor.org/info/rfc8235>. <https://www.rfc-editor.org/info/rfc8235>.
[RFC8236] Hao, F., Ed., "J-PAKE: Password-Authenticated Key Exchange [RFC8236] Hao, F., Ed., "J-PAKE: Password-Authenticated Key Exchange
by Juggling", RFC 8236, DOI 10.17487/RFC8236, September by Juggling", RFC 8236, DOI 10.17487/RFC8236, September
2017, <https://www.rfc-editor.org/info/rfc8236>. 2017, <https://www.rfc-editor.org/info/rfc8236>.
[SLEEP-PROXY] [SLEEP-PROXY]
Cheshire, S., "Understanding Sleep Proxy Service", 2009, Cheshire, S., "Understanding Sleep Proxy Service",
December 2009,
<http://stuartcheshire.org/SleepProxy/index.html>. <http://stuartcheshire.org/SleepProxy/index.html>.
[SRP] Lemon, T. and S. Cheshire, "Service Registration Protocol
for DNS-Based Service Discovery", Work in Progress,
Internet-Draft, draft-ietf-dnssd-srp-04, July 13, 2020,
<https://tools.ietf.org/html/draft-ietf-dnssd-srp-04>.
Acknowledgments
This document incorporates many contributions from Stuart Cheshire
and Chris Wood. Thanks to Florian Adamsky for extensive review and
suggestions on the organization of the threat model. Thanks to Barry
Leiba for an extensive review. Thanks to Roman Danyliw, Ben Kaduk,
Adam Roach, and Alissa Cooper for their comments during IESG review.
Authors' Addresses Authors' Addresses
Christian Huitema Christian Huitema
Private Octopus Inc. Private Octopus Inc.
Friday Harbor, WA 98250 Friday Harbor, WA 98250
U.S.A. United States of America
Email: huitema@huitema.net Email: huitema@huitema.net
URI: http://privateoctopus.com/ URI: http://privateoctopus.com/
Daniel Kaiser Daniel Kaiser
University of Luxembourg University of Luxembourg
6, avenue de la Fonte 6, avenue de la Fonte
Esch-sur-Alzette 4364 L-4364 Esch-sur-Alzette
Luxembourg Luxembourg
Email: daniel.kaiser@uni.lu Email: daniel.kaiser@uni.lu
URI: https://secan-lab.uni.lu/ URI: https://secan-lab.uni.lu/
 End of changes. 90 change blocks. 
240 lines changed or deleted 249 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/