Difference between revisions of "RFC8882"
(Created page with " Internet Engineering Task Force (IETF) C. Huitema Request for Comments: 8882 Private Octopus Inc. Category: Informationa...") |
|||
| (9 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| | ||
| − | |||
| − | |||
Internet Engineering Task Force (IETF) C. Huitema | Internet Engineering Task Force (IETF) C. Huitema | ||
| Line 7: | Line 5: | ||
Category: Informational D. Kaiser | Category: Informational D. Kaiser | ||
ISSN: 2070-1721 University of Luxembourg | ISSN: 2070-1721 University of Luxembourg | ||
| − | + | September 2020 | |
| − | |||
DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements | DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements | ||
| − | Abstract | + | '''Abstract''' |
| − | + | DNS-SD (DNS-based Service Discovery) normally discloses information | |
| − | + | about devices offering and requesting services. This information | |
| − | + | includes hostnames, network parameters, and possibly a further | |
| − | + | description of the corresponding service instance. Especially when | |
| − | + | mobile devices engage in DNS-based Service Discovery at a public | |
| − | + | hotspot, serious privacy problems arise. We analyze the requirements | |
| − | + | of a privacy-respecting discovery service. | |
| − | Status of This Memo | + | '''Status of This Memo''' |
| − | + | This document is not an Internet Standards Track specification; it is | |
| − | + | published for informational purposes. | |
| − | + | This document is a product of the Internet Engineering Task Force | |
| − | + | (IETF). It represents the consensus of the IETF community. It has | |
| − | + | received public review and has been approved for publication by the | |
| − | + | Internet Engineering Steering Group (IESG). Not all documents | |
| − | + | approved by the IESG are candidates for any level of Internet | |
| − | + | Standard; see Section 2 of [[RFC7841|RFC 7841]]. | |
| − | + | Information about the current status of this document, any errata, | |
| − | + | and how to provide feedback on it may be obtained at | |
| − | + | https://www.rfc-editor.org/info/rfc8882. | |
| − | Copyright Notice | + | '''Copyright Notice''' |
| − | + | Copyright (c) 2020 IETF Trust and the persons identified as the | |
| − | + | document authors. All rights reserved. | |
| − | + | This document is subject to [[BCP78|BCP 78]] and the IETF Trust's Legal | |
| − | + | Provisions Relating to IETF Documents | |
| − | + | (https://trustee.ietf.org/license-info) in effect on the date of | |
| − | + | publication of this document. Please review these documents | |
| − | + | carefully, as they describe your rights and restrictions with respect | |
| − | + | to this document. Code Components extracted from this document must | |
| − | + | include Simplified BSD License text as described in Section 4.e of | |
| − | + | the Trust Legal Provisions and are provided without warranty as | |
| − | + | described in the Simplified BSD License. | |
| − | + | 1. Introduction | |
| + | 2. Threat Model | ||
| + | 3. Threat Analysis | ||
| + | 3.1. Service Discovery Scenarios | ||
| + | 3.1.1. Private Client and Public Server | ||
| + | 3.1.2. Private Client and Private Server | ||
| + | 3.1.3. Wearable Client and Server | ||
| + | 3.2. DNS-SD Privacy Considerations | ||
| + | 3.2.1. Information Made Available Via DNS-SD Resource Records | ||
| + | 3.2.2. Privacy Implication of Publishing Service Instance | ||
| + | Names | ||
| + | 3.2.3. Privacy Implication of Publishing Node Names | ||
| + | 3.2.4. Privacy Implication of Publishing Service Attributes | ||
| + | 3.2.5. Device Fingerprinting | ||
| + | 3.2.6. Privacy Implication of Discovering Services | ||
| + | 3.3. Security Considerations | ||
| + | 3.3.1. Authenticity, Integrity, and Freshness | ||
| + | 3.3.2. Confidentiality | ||
| + | 3.3.3. Resistance to Dictionary Attacks | ||
| + | 3.3.4. Resistance to Denial-of-Service Attacks | ||
| + | 3.3.5. Resistance to Sender Impersonation | ||
| + | 3.3.6. Sender Deniability | ||
| + | 3.4. Operational Considerations | ||
| + | 3.4.1. Power Management | ||
| + | 3.4.2. Protocol Efficiency | ||
| + | 3.4.3. Secure Initialization and Trust Models | ||
| + | 3.4.4. External Dependencies | ||
| + | 4. Requirements for a DNS-SD Privacy Extension | ||
| + | 4.1. Private Client Requirements | ||
| + | 4.2. Private Server Requirements | ||
| + | 4.3. Security and Operation | ||
| + | 5. IANA Considerations | ||
| + | 6. References | ||
| + | 6.1. Normative References | ||
| + | 6.2. Informative References | ||
| + | Acknowledgments | ||
| + | Authors' Addresses | ||
| − | + | == Introduction == | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | DNS-Based Service Discovery (DNS-SD) [[RFC6763]] over Multicast DNS | |
| + | (mDNS) [[RFC6762]] enables zero-configuration service discovery in | ||
| + | local networks. It is very convenient for users, but it requires the | ||
| + | public exposure of the offering and requesting identities along with | ||
| + | information about the offered and requested services. Parts of the | ||
| + | published information can seriously breach the user's privacy. These | ||
| + | privacy issues and potential solutions are discussed in [KW14a], | ||
| + | [KW14b], and [K17]. While the multicast nature of mDNS makes these | ||
| + | risks obvious, most risks derive from the observability of | ||
| + | transactions. These risks also need to be mitigated when using | ||
| + | server-based variants of DNS-SD. | ||
| − | + | There are cases when nodes connected to a network want to provide or | |
| − | + | consume services without exposing their identities to the other | |
| − | + | parties connected to the same network. Consider, for example, a | |
| − | + | traveler wanting to upload pictures from a phone to a laptop when | |
| − | + | both are connected to the Wi-Fi network of an Internet cafe, or two | |
| − | + | travelers who want to share files between their laptops when waiting | |
| − | + | for their plane in an airport lounge. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | We expect that these exchanges will start with a discovery procedure | |
| − | + | using DNS-SD over mDNS. One of the devices will publish the | |
| − | + | availability of a service, such as a picture library or a file store | |
| − | + | in our examples. The user of the other device will discover this | |
| − | + | service and then connect to it. | |
| − | |||
| − | |||
| − | + | When analyzing these scenarios in Section 3.1, we find that the DNS- | |
| − | + | SD messages leak identifying information, such as the Service | |
| − | + | Instance Name, the hostname, or service properties. We use the | |
| − | + | following definitions: | |
| − | |||
| − | + | Identity | |
| − | + | In this document, the term "identity" refers to the identity of | |
| − | + | the entity (legal person) operating a device. | |
| − | |||
| − | + | Disclosing an Identity | |
| − | + | In this document, "disclosing an identity" means showing the | |
| − | + | identity of operating entities to devices external to the | |
| + | discovery process, e.g., devices on the same network link that are | ||
| + | listening to the network traffic but are not actually involved in | ||
| + | the discovery process. This document focuses on identity | ||
| + | disclosure by data conveyed via messages on the service discovery | ||
| + | protocol layer. Still, identity leaks on deeper layers, e.g., the | ||
| + | IP layer, are mentioned. | ||
| − | + | Disclosing Information | |
| − | + | In this document, "disclosing information" is also focused on | |
| − | + | disclosure of data conveyed via messages on the service discovery | |
| − | + | protocol layer, including both identity-revealing information and | |
| − | + | other still potentially sensitive data. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | == Threat Model == | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | This document considers the following attacker types sorted by | |
| + | increasing power. All these attackers can either be passive (they | ||
| + | just listen to network traffic they have access to) or active (they | ||
| + | additionally can craft and send malicious packets). | ||
| − | + | external | |
| − | + | An external attacker is not on the same network link as victim | |
| − | + | devices engaging in service discovery; thus, the external attacker | |
| − | + | is in a different multicast domain. | |
| − | + | on-link | |
| − | + | An on-link attacker is on the same network link as victim devices | |
| − | + | engaging in service discovery; thus, the on-link attacker is in | |
| − | + | the same multicast domain. This attacker can also mount all | |
| + | attacks an external attacker can mount. | ||
| − | + | MITM | |
| − | + | A Man-in-the-Middle (MITM) attacker either controls (parts of) a | |
| − | + | network link or can trick two parties to send traffic via the | |
| − | + | attacker; thus, the MITM attacker has access to unicast traffic | |
| − | + | between devices engaging in service discovery. This attacker can | |
| + | also mount all attacks an on-link attacker can mount. | ||
| − | + | == Threat Analysis == | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | In this section, we analyze how the attackers described in the | |
| + | previous section might threaten the privacy of entities operating | ||
| + | devices engaging in service discovery. We focus on attacks | ||
| + | leveraging data transmitted in service discovery protocol messages. | ||
| − | + | === Service Discovery Scenarios === | |
| − | |||
| − | |||
| − | |||
| − | + | In this section, we review common service discovery scenarios and | |
| + | discuss privacy threats and their privacy requirements. In all three | ||
| + | of these common scenarios, the attacker is of the type passive on- | ||
| + | link. | ||
| − | + | ==== Private Client and Public Server ==== | |
| − | |||
| − | |||
| − | |||
| − | + | Perhaps the simplest private discovery scenario involves a single | |
| + | client connecting to a public server through a public network. A | ||
| + | common example would be a traveler using a publicly available printer | ||
| + | in a business center, in a hotel, or at an airport. | ||
| − | + | ( Taking notes: | |
| − | + | ( David is printing | |
| − | + | ( a document. | |
| − | + | 21:38, 5 May 2021 (UTC)21:38, 5 May 2021 (UTC)~ | |
| + | o | ||
| + | ___ o ___ | ||
| + | / \ _|___|_ | ||
| + | | | client server |* *| | ||
| + | \_/ __ \_/ | ||
| + | | / / Discovery +----------+ | | ||
| + | /|\ /_/ <-----------> | +----+ | /|\ | ||
| + | / | \__/ +--| |--+ / | \ | ||
| + | / | |____/ / | \ | ||
| + | / | / | \ | ||
| + | / \ / \ | ||
| + | / \ / \ | ||
| + | / \ / \ | ||
| + | / \ / \ | ||
| + | / \ / \ | ||
| − | + | David Adversary | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | In that scenario, the server is public and wants to be discovered, | |
| + | but the client is private. The adversary will be listening to the | ||
| + | network traffic, trying to identify the visitors' devices and their | ||
| + | activity. Identifying devices leads to identifying people, either | ||
| + | for surveillance of these individuals in the physical world or as a | ||
| + | preliminary step for a targeted cyber attack. | ||
| − | + | The requirement in that scenario is that the discovery activity | |
| − | + | should not disclose the identity of the client. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | ==== Private Client and Private Server ==== | |
| − | |||
| − | + | The second private discovery scenario involves a private client | |
| + | connecting to a private server. A common example would be two people | ||
| + | engaging in a collaborative application in a public place, such as an | ||
| + | airport's lounge. | ||
| − | + | ( Taking notes: | |
| − | + | ( David is meeting | |
| − | + | ( with Stuart. | |
| − | + | 21:38, 5 May 2021 (UTC)21:38, 5 May 2021 (UTC)~ | |
| + | o | ||
| + | ___ ___ o ___ | ||
| + | / \ / \ _|___|_ | ||
| + | | | server client | | |* *| | ||
| + | \_/ __ __ \_/ \_/ | ||
| + | | / / Discovery \ \ | | | ||
| + | /|\ /_/ <-----------> \_\ /|\ /|\ | ||
| + | / | \__/ \__/ | \ / | \ | ||
| + | / | | \ / | \ | ||
| + | / | | \ / | \ | ||
| + | / \ / \ / \ | ||
| + | / \ / \ / \ | ||
| + | / \ / \ / \ | ||
| + | / \ / \ / \ | ||
| + | / \ / \ / \ | ||
| − | + | David Stuart Adversary | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | In that scenario, the collaborative application on one of the devices | |
| + | will act as a server, and the application on the other device will | ||
| + | act as a client. The server wants to be discovered by the client but | ||
| + | has no desire to be discovered by anyone else. The adversary will be | ||
| + | listening to network traffic, attempting to discover the identity of | ||
| + | devices as in the first scenario and also attempting to discover the | ||
| + | patterns of traffic, as these patterns reveal the business and social | ||
| + | interactions between the owners of the devices. | ||
| − | + | The requirement in that scenario is that the discovery activity | |
| − | + | should not disclose the identity of either the client or the server | |
| − | + | nor reveal the business and social interactions between the owners of | |
| − | + | the devices. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | ==== Wearable Client and Server ==== | |
| − | |||
| − | |||
| − | |||
| − | + | The third private discovery scenario involves wearable devices. A | |
| + | typical example would be the watch on someone's wrist connecting to | ||
| + | the phone in their pocket. | ||
| − | + | ( Taking notes: | |
| − | + | ( David is here. His watch is | |
| − | + | ( talking to his phone. | |
| + | 21:38, 5 May 2021 (UTC)21:38, 5 May 2021 (UTC)~ | ||
| + | o | ||
| + | ___ o ___ | ||
| + | / \ _|___|_ | ||
| + | | | client |* *| | ||
| + | \_/ \_/ | ||
| + | | _/ | | ||
| + | /|\ // /|\ | ||
| + | / | \__/ ^ / | \ | ||
| + | / |__ | Discovery / | \ | ||
| + | / |\ \ v / | \ | ||
| + | / \\_\ / \ | ||
| + | / \ server / \ | ||
| + | / \ / \ | ||
| + | / \ / \ | ||
| + | / \ / \ | ||
| − | + | David Adversary | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | This third scenario is in many ways similar to the second scenario. | |
| + | It involves two devices, one acting as server and the other acting as | ||
| + | client, and it leads to the same requirement of the discovery traffic | ||
| + | not disclosing the identity of either the client or the server. The | ||
| + | main difference is that the devices are managed by a single owner, | ||
| + | which can lead to different methods for establishing secure relations | ||
| + | between the devices. There is also an added emphasis on hiding the | ||
| + | type of devices that the person wears. | ||
| − | + | In addition to tracking the identity of the owner of the devices, the | |
| − | + | adversary is interested in the characteristics of the devices, such | |
| − | + | as type, brand, and model. Identifying the type of device can lead | |
| − | + | to further attacks, from theft to device-specific hacking. The | |
| − | + | combination of devices worn by the same person will also provide a | |
| − | + | "fingerprint" of the person, risking identification. | |
| − | |||
| − | |||
| − | + | This scenario also represents the general case of bringing private | |
| − | + | Internet-of-Things (IoT) devices into public places. A wearable IoT | |
| − | + | device might act as a DNS-SD/mDNS client, which allows attackers to | |
| − | + | infer information about devices' owners. While the attacker might be | |
| − | + | a person, as in the example figure, this could also be abused for | |
| − | + | large-scale data collection installing stationary IoT-device-tracking | |
| + | servers in frequented public places. | ||
| − | + | The issues described in Section 3.1.1, such as identifying people or | |
| − | + | using the information for targeted attacks, apply here too. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | === DNS-SD Privacy Considerations === | |
| − | |||
| − | 3. | + | While the discovery process illustrated in the scenarios in |
| + | Section 3.1 most likely would be based on [[RFC6762]] as a means for | ||
| + | making service information available, this document considers all | ||
| + | kinds of means for making DNS-SD resource records available. These | ||
| + | means comprise of but are not limited to mDNS [[RFC6762]], DNS servers | ||
| + | ([[RFC1033]], [[RFC1034]], and [[RFC1035]]), the use of Service | ||
| + | Registration Protocol (SRP) [SRP], and multi-link [[RFC7558]] networks. | ||
| − | + | The discovery scenarios in Section 3.1 illustrate three separate | |
| − | + | abstract privacy requirements that vary based on the use case. These | |
| − | + | are not limited to mDNS. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | 1. Client identity privacy: Client identities are not leaked during | |
| − | + | service discovery or use. | |
| − | |||
| − | + | 2. Multi-entity, mutual client and server identity privacy: Neither | |
| − | + | client nor server identities are leaked during service discovery | |
| + | or use. | ||
| − | + | 3. Single-entity, mutual client and server identity privacy: | |
| − | + | Identities of clients and servers owned and managed by the same | |
| − | + | legal person are not leaked during service discovery or use. | |
| − | + | In this section, we describe aspects of DNS-SD that make these | |
| − | + | requirements difficult to achieve in practice. While it is intended | |
| − | + | to be thorough, it is not possible to be exhaustive. | |
| − | + | Client identity privacy, if not addressed properly, can be thwarted | |
| − | + | by a passive attacker (see Section 2). The type of passive attacker | |
| − | + | necessary depends on the means of making service information | |
| + | available. Information conveyed via multicast messages can be | ||
| + | obtained by an on-link attacker. Unicast messages are harder to | ||
| + | access, but if the transmission is not encrypted they could still be | ||
| + | accessed by an attacker with access to network routers or bridges. | ||
| + | Using multi-link service discovery solutions [[RFC7558]], external | ||
| + | attackers have to be taken into consideration as well, e.g., when | ||
| + | relaying multicast messages to other links. | ||
| − | + | Server identity privacy can be thwarted by a passive attacker in the | |
| − | + | same way as client identity privacy. Additionally, active attackers | |
| − | + | querying for information have to be taken into consideration as well. | |
| − | + | This is mainly relevant for unicast-based discovery, where listening | |
| − | + | to discovery traffic requires a MITM attacker; however, an external | |
| − | + | active attacker might be able to learn the server identity by just | |
| − | + | querying for service information, e.g., via DNS. | |
| − | |||
| − | |||
| − | |||
| − | + | ==== Information Made Available Via DNS-SD Resource Records ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | DNS-Based Service Discovery (DNS-SD) is defined in [[RFC6763]]. It | |
| + | allows nodes to publish the availability of an instance of a service | ||
| + | by inserting specific records in the DNS ([[RFC1033]], [[RFC1034]], and | ||
| + | [[RFC1035]]) or by publishing these records locally using multicast DNS | ||
| + | (mDNS) [[RFC6762]]. Available services are described using three types | ||
| + | of records: | ||
| − | + | PTR Record | |
| − | + | Associates a service type in the domain with an "instance" name of | |
| − | + | this service type. | |
| − | |||
| − | |||
| − | |||
| − | + | SRV Record | |
| − | + | Provides the node name, port number, priority and weight | |
| − | + | associated with the service instance, in conformance with | |
| + | [[RFC2782]]. | ||
| − | + | TXT Record | |
| − | + | Provides a set of attribute-value pairs describing specific | |
| − | + | properties of the service instance. | |
| − | |||
| − | + | ==== Privacy Implication of Publishing Service Instance Names ==== | |
| − | |||
| − | |||
| − | + | In the first phase of discovery, clients obtain all PTR records | |
| + | associated with a service type in a given naming domain. Each PTR | ||
| + | record contains a Service Instance Name defined in Section 4 of | ||
| + | [[RFC6763]]: | ||
| − | + | Service Instance Name = <Instance> . <Service> . <Domain> | |
| − | |||
| − | |||
| − | |||
| − | + | The <Instance> portion of the Service Instance Name is meant to | |
| + | convey enough information for users of discovery clients to easily | ||
| + | select the desired service instance. Nodes that use DNS-SD over mDNS | ||
| + | [[RFC6762]] in a mobile environment will rely on the specificity of the | ||
| + | instance name to identify the desired service instance. In our | ||
| + | example of users wanting to upload pictures to a laptop in an | ||
| + | Internet cafe, the list of available service instances may look like: | ||
| − | + | Alice's Images . _imageStore._tcp . local | |
| − | + | Alice's Mobile Phone . _presence._tcp . local | |
| − | + | Alice's Notebook . _presence._tcp . local | |
| − | + | Bob's Notebook . _presence._tcp . local | |
| − | + | Carol's Notebook . _presence._tcp . local | |
| − | |||
| − | |||
| − | + | Alice will see the list on her phone and understand intuitively that | |
| − | + | she should pick the first item. The discovery will "just work". | |
| − | + | (Note that our examples of service names conform to the specification | |
| − | + | in Section 4.1 of [[RFC6763]] but may require some character escaping | |
| − | + | when entered in conventional DNS software.) | |
| − | + | However, DNS-SD/mDNS will reveal to anybody that Alice is currently | |
| − | + | visiting the Internet cafe. It further discloses the fact that she | |
| − | + | uses two devices, shares an image store, and uses a chat application | |
| − | + | supporting the _presence protocol on both of her devices. She might | |
| − | + | currently chat with Bob or Carol, as they are also using a _presence | |
| + | supporting chat application. This information is not just available | ||
| + | to devices actively browsing for and offering services but to anybody | ||
| + | passively listening to the network traffic, i.e., a passive on-link | ||
| + | attacker. | ||
| − | + | There is, of course, also no authentication requirement to claim a | |
| − | + | particular instance name, so an active attacker can provide resources | |
| − | + | that claim to be Alice's but are not. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | ==== Privacy Implication of Publishing Node Names ==== | |
| − | |||
| − | |||
| − | + | The SRV records contain the DNS name of the node publishing the | |
| + | service. Typical implementations construct this DNS name by | ||
| + | concatenating the "hostname" of the node with the name of the local | ||
| + | domain. The privacy implications of this practice are reviewed in | ||
| + | [[RFC8117]]. Depending on naming practices, the hostname is either a | ||
| + | strong identifier of the device or, at a minimum, a partial | ||
| + | identifier. It enables tracking of both the device and, by | ||
| + | extension, the device's owner. | ||
| − | + | ==== Privacy Implication of Publishing Service Attributes ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | The TXT record's attribute-value pairs contain information on the | |
| + | characteristics of the corresponding service instance. This in turn | ||
| + | reveals information about the devices that publish services. The | ||
| + | amount of information varies widely with the particular service and | ||
| + | its implementation: | ||
| − | + | * Some attributes, such as the paper size available in a printer, | |
| − | + | are the same on many devices and thus only provide limited | |
| − | + | information to a tracker. | |
| − | |||
| − | |||
| − | + | * Attributes that have free-form values, such as the name of a | |
| − | + | directory, may reveal much more information. | |
| − | |||
| − | + | Combinations of individual attributes have more information power | |
| − | + | than specific attributes and can potentially be used for | |
| + | "fingerprinting" a specific device. | ||
| − | + | Information contained in TXT records not only breaches privacy by | |
| − | + | making devices trackable but might directly contain private | |
| − | + | information about the user. For instance, the _presence service | |
| + | reveals the "chat status" to everyone in the same network. Users | ||
| + | might not be aware of that. | ||
| − | + | Further, TXT records often contain version information about | |
| − | + | services, allowing potential attackers to identify devices running | |
| − | + | exploit-prone versions of a certain service. | |
| − | |||
| − | |||
| − | + | ==== Device Fingerprinting ==== | |
| − | |||
| − | |||
| − | + | The combination of information published in DNS-SD has the potential | |
| + | to provide a "fingerprint" of a specific device. Such information | ||
| + | includes: | ||
| − | + | * A list of services published by the device, which can be retrieved | |
| − | to | + | because the SRV records will point to the same hostname. |
| − | |||
| − | + | * Specific attributes describing these services. | |
| − | |||
| − | + | * Port numbers used by the services. | |
| − | + | * Priority and weight attributes in the SRV records. | |
| − | + | This combination of services and attributes will often be sufficient | |
| + | to identify the version of the software running on a device. If a | ||
| + | device publishes many services with rich sets of attributes, the | ||
| + | combination may be sufficient to identify the specific device and | ||
| + | track its owner. | ||
| − | + | An argument is sometimes made that devices providing services can be | |
| − | + | identified by observing the local traffic and that trying to hide the | |
| − | + | presence of the service is futile. However, there are good reasons | |
| − | + | for the discovery service layer to avoid unnecessary exposure: | |
| − | |||
| − | + | 1. Providing privacy at the discovery layer is of the essence for | |
| − | + | enabling automatically configured privacy-preserving network | |
| − | + | applications. Application layer protocols are not forced to | |
| − | + | leverage the offered privacy, but if device tracking is not | |
| + | prevented at the deeper layers, including the service discovery | ||
| + | layer, obfuscating a certain service's protocol at the | ||
| + | application layer is futile. | ||
| − | + | 2. Further, in the case of mDNS-based discovery, even if the | |
| − | + | application layer does not protect privacy, services are | |
| − | + | typically provided via unicast, which requires a MITM attacker, | |
| − | + | whereas identifying services based on multicast discovery | |
| − | + | messages just requires an on-link attacker. | |
| − | |||
| − | |||
| − | + | The same argument can be extended to say that the pattern of services | |
| − | + | offered by a device allows for fingerprinting the device. This may | |
| − | + | or may not be true, since we can expect that services will be | |
| − | + | designed or updated to avoid leaking fingerprints. In any case, the | |
| − | + | design of the discovery service should avoid making a bad situation | |
| + | worse and should, as much as possible, avoid providing new | ||
| + | fingerprinting information. | ||
| − | + | ==== Privacy Implication of Discovering Services ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | The consumers of services engage in discovery and in doing so reveal | |
| + | some information, such as the list of services they are interested in | ||
| + | and the domains in which they are looking for the services. When the | ||
| + | clients select specific instances of services, they reveal their | ||
| + | preference for these instances. This can be benign if the service | ||
| + | type is very common, but it could be more problematic for sensitive | ||
| + | services, such as some private messaging services. | ||
| − | + | One way to protect clients would be to somehow encrypt the requested | |
| − | + | service types. Of course, just as we noted in Section 3.2.5, traffic | |
| − | + | analysis can often reveal the service. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | === Security Considerations === | |
| − | |||
| − | |||
| − | + | For each of the operations described above, we must also consider | |
| + | security threats we are concerned about. | ||
| − | + | ==== Authenticity, Integrity, and Freshness ==== | |
| − | |||
| − | + | Can devices (both servers and clients) trust the information they | |
| + | receive? Has it been modified in flight by an adversary? Can | ||
| + | devices trust the source of the information? Is the source of | ||
| + | information fresh, i.e., not replayed? Freshness may or may not be | ||
| + | required depending on whether the discovery process is meant to be | ||
| + | online. In some cases, publishing discovery information to a shared | ||
| + | directory or registry, rather than to each online recipient through a | ||
| + | broadcast channel, may suffice. | ||
| − | + | ==== Confidentiality ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Confidentiality is about restricting information access to only | |
| + | authorized individuals. Ideally, this should only be the appropriate | ||
| + | trusted parties, though it can be challenging to define who are "the | ||
| + | appropriate trusted parties." In some use cases, this may mean that | ||
| + | only mutually authenticated and trusting clients and servers can read | ||
| + | messages sent for one another. The process of service discovery in | ||
| + | particular is often used to discover new entities that the device did | ||
| + | not previously know about. It may be tricky to work out how a device | ||
| + | can have an established trust relationship with a new entity it has | ||
| + | never previously communicated with. | ||
| − | + | ==== Resistance to Dictionary Attacks ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | It can be tempting to use (publicly computable) hash functions to | |
| + | obscure sensitive identifiers. This transforms a sensitive unique | ||
| + | identifier, such as an email address, into a "scrambled" but still | ||
| + | unique identifier. Unfortunately, simple solutions may be vulnerable | ||
| + | to offline dictionary attacks. | ||
| − | + | ==== Resistance to Denial-of-Service Attacks ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | In any protocol where the receiver of messages has to perform | |
| + | cryptographic operations on those messages, there is a risk of a | ||
| + | brute-force flooding attack causing the receiver to expend excessive | ||
| + | amounts of CPU time and, where applicable, battery power just | ||
| + | processing and discarding those messages. | ||
| − | + | Also, amplification attacks have to be taken into consideration. | |
| − | + | Messages with larger payloads should only be sent as an answer to a | |
| − | + | query sent by a verified client. | |
| − | |||
| − | |||
| − | + | ==== Resistance to Sender Impersonation ==== | |
| − | |||
| − | |||
| − | + | Sender impersonation is an attack wherein messages, such as service | |
| + | offers, are forged by entities who do not possess the corresponding | ||
| + | secret key material. These attacks may be used to learn the identity | ||
| + | of a communicating party, actively or passively. | ||
| − | + | ==== Sender Deniability ==== | |
| − | |||
| − | |||
| − | |||
| − | + | Deniability of sender activity, e.g., of broadcasting a discovery | |
| + | request, may be desirable or necessary in some use cases. This | ||
| + | property ensures that eavesdroppers cannot prove senders issued a | ||
| + | specific message destined for one or more peers. | ||
| − | + | === Operational Considerations === | |
| − | |||
| − | |||
| − | |||
| − | + | ==== Power Management ==== | |
| − | + | Many modern devices, especially battery-powered devices, use power | |
| + | management techniques to conserve energy. One such technique is for | ||
| + | a device to transfer information about itself to a proxy, which will | ||
| + | act on behalf of the device for some functions while the device | ||
| + | itself goes to sleep to reduce power consumption. When the proxy | ||
| + | determines that some action is required, which only the device itself | ||
| + | can perform, the proxy may have some way to wake the device, as | ||
| + | described for example in [SLEEP-PROXY]. | ||
| − | + | In many cases, the device may not trust the network proxy | |
| − | + | sufficiently to share all its confidential key material with the | |
| − | + | proxy. This poses challenges for combining private discovery that | |
| − | + | relies on per-query cryptographic operations with energy-saving | |
| − | + | techniques that rely on having (somewhat untrusted) network proxies | |
| − | + | answer queries on behalf of sleeping devices. | |
| − | |||
| − | |||
| − | + | ==== Protocol Efficiency ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Creating a discovery protocol that has the desired security | |
| + | properties may result in a design that is not efficient. To perform | ||
| + | the necessary operations, the protocol may need to send and receive a | ||
| + | large number of network packets or require an inordinate amount of | ||
| + | multicast transmissions. This may consume an unreasonable amount of | ||
| + | network capacity, particularly problematic when it is a shared | ||
| + | wireless spectrum. Further, it may cause an unnecessary level of | ||
| + | power consumption, which is particularly problematic on battery | ||
| + | devices and may result in the discovery process being slow. | ||
| − | + | It is a difficult challenge to design a discovery protocol that has | |
| − | + | the property of obscuring the details of what it is doing from | |
| − | + | unauthorized observers while also managing to perform efficiently. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | ==== Secure Initialization and Trust Models ==== | |
| − | |||
| − | |||
| − | + | One of the challenges implicit in the preceding discussions is that | |
| + | whenever we discuss "trusted entities" versus "untrusted entities", | ||
| + | there needs to be some way that trust is initially established to | ||
| + | convert an "untrusted entity" into a "trusted entity". | ||
| − | + | The purpose of this document is not to define the specific way in | |
| − | + | which trust can be established. Protocol designers may rely on a | |
| − | + | number of existing technologies, including PKI, Trust On First Use | |
| − | + | (TOFU), or the use of a short passphrase or PIN with cryptographic | |
| + | algorithms, such as Secure Remote Password (SRP) [[RFC5054]] or a | ||
| + | Password-Authenticated Key Exchange like J-PAKE [[RFC8236]] using a | ||
| + | Schnorr Non-interactive Zero-Knowledge Proof [[RFC8235]]. | ||
| − | + | Protocol designers should consider a specific usability pitfall when | |
| − | + | trust is established immediately prior to performing discovery. | |
| − | + | Users will have a tendency to "click OK" in order to achieve their | |
| − | + | task. This implicit vulnerability is avoided if the trust | |
| − | + | establishment requires more significant participation of the user, | |
| − | + | such as entering a password or PIN. | |
| − | |||
| − | + | ==== External Dependencies ==== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Trust establishment may depend on external parties. Optionally, this | |
| + | might involve synchronous communication. Systems that have such a | ||
| + | dependency may be attacked by interfering with communication to | ||
| + | external dependencies. Where possible, such dependencies should be | ||
| + | minimized. Local trust models are best for secure initialization in | ||
| + | the presence of active attackers. | ||
| − | + | == Requirements for a DNS-SD Privacy Extension == | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Given the considerations discussed in the previous sections, we state | |
| + | requirements for privacy preserving DNS-SD in the following | ||
| + | subsections. | ||
| − | + | Defining a solution according to these requirements is intended to | |
| − | + | lead to a solution that does not transmit privacy-violating DNS-SD | |
| − | + | messages and further does not open pathways to new attacks against | |
| + | the operation of DNS-SD. | ||
| − | + | However, while this document gives advice on which privacy protecting | |
| − | + | mechanisms should be used on deeper-layer network protocols and on | |
| − | + | how to actually connect to services in a privacy-preserving way, | |
| − | + | stating corresponding requirements is out of the scope of this | |
| + | document. To mitigate attacks against privacy on lower layers, both | ||
| + | servers and clients must use privacy options available at lower | ||
| + | layers and, for example, avoid publishing static IPv4 or IPv6 | ||
| + | addresses or static IEEE 802 Media Access Control (MAC) addresses. | ||
| + | For services advertised on a single network link, link-local IP | ||
| + | addresses should be used; see [[RFC3927]] and [[RFC4291]] for IPv4 and | ||
| + | IPv6, respectively. Static servers advertising services globally via | ||
| + | DNS can hide their IP addresses from unauthorized clients using the | ||
| + | split mode topology shown in Encrypted Server Name Indication [ESNI]. | ||
| + | Hiding static MAC addresses can be achieved via MAC address | ||
| + | randomization (see [[RFC7844]]). | ||
| − | + | === Private Client Requirements === | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | For all three scenarios described in Section 3.1, client privacy | |
| + | requires DNS-SD messages to: | ||
| − | + | 1. Avoid disclosure of the client's identity, either directly or via | |
| − | + | inference, to nodes other than select servers. | |
| − | + | 2. Avoid exposure of linkable identifiers that allow tracing client | |
| − | + | devices. | |
| − | + | 3. Avoid disclosure of the client's interest in specific service | |
| − | + | instances or service types to nodes other than select servers. | |
| − | + | When listing and resolving services via current DNS-SD deployments, | |
| − | + | clients typically disclose their interest in specific services types | |
| + | and specific instances of these types, respectively. | ||
| − | + | In addition to the exposure and disclosure risks noted above, | |
| − | + | protocols and implementations will have to consider fingerprinting | |
| − | + | attacks (see Section 3.2.5) that could retrieve similar information. | |
| − | + | === Private Server Requirements === | |
| − | |||
| − | |||
| − | + | Servers like the "printer" discussed in Section 3.1.1 are public, but | |
| + | the servers discussed in Sections 3.1.2 and 3.1.3 are, by essence, | ||
| + | private. Server privacy requires DNS-SD messages to: | ||
| − | + | 1. Avoid disclosure of the server's identity, either directly or via | |
| − | + | inference, to nodes other than authorized clients. In | |
| − | + | particular, servers must avoid publishing static identifiers, | |
| + | such as hostnames or service names. When those fields are | ||
| + | required by the protocol, servers should publish randomized | ||
| + | values. (See [[RFC8117]] for a discussion of hostnames.) | ||
| − | + | 2. Avoid exposure of linkable identifiers that allow tracing | |
| − | + | servers. | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | 3. Avoid disclosure to unauthorized clients of Service Instance | |
| − | + | Names or service types of offered services. | |
| − | + | 4. Avoid disclosure to unauthorized clients of information about the | |
| − | + | services they offer. | |
| − | + | 5. Avoid disclosure of static IPv4 or IPv6 addresses. | |
| − | |||
| − | + | When offering services via current DNS-SD deployments, servers | |
| + | typically disclose their hostnames (SRV, A/AAAA), instance names of | ||
| + | offered services (PTR, SRV), and information about services (TXT). | ||
| + | Heeding these requirements protects a server's privacy on the DNS-SD | ||
| + | level. | ||
| − | + | The current DNS-SD user interfaces present the list of discovered | |
| − | + | service names to the users and let them pick a service from the list. | |
| − | + | Using random identifiers for service names renders that UI flow | |
| − | + | unusable. Privacy-respecting discovery protocols will have to solve | |
| − | + | this issue, for example, by presenting authenticated or decrypted | |
| + | service names instead of the randomized values. | ||
| − | + | === Security and Operation === | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | In order to be secure and feasible, a DNS-SD privacy extension needs | |
| + | to consider security and operational requirements including: | ||
| − | + | 1. Avoiding significant CPU overhead on nodes or significantly | |
| − | + | higher network load. Such overhead or load would make nodes | |
| + | vulnerable to denial-of-service attacks. Further, it would | ||
| + | increase power consumption, which is damaging for IoT devices. | ||
| − | + | 2. Avoiding designs in which a small message can trigger a large | |
| − | + | amount of traffic towards an unverified address, as this could be | |
| − | + | exploited in amplification attacks. | |
| − | |||
| − | + | == IANA Considerations == | |
| − | |||
| − | |||
| − | + | This document has no IANA actions. | |
| − | + | == References == | |
| − | |||
| − | |||
| − | + | === Normative References === | |
| − | + | [[RFC6762]] Cheshire, S. and M. Krochmal, "Multicast DNS", [[RFC6762|RFC 6762]], | |
| − | + | DOI 10.17487/RFC6762, February 2013, | |
| − | + | <https://www.rfc-editor.org/info/rfc6762>. | |
| − | + | [[RFC6763]] Cheshire, S. and M. Krochmal, "DNS-Based Service | |
| − | + | Discovery", [[RFC6763|RFC 6763]], DOI 10.17487/RFC6763, February 2013, | |
| − | + | <https://www.rfc-editor.org/info/rfc6763>. | |
| − | + | === Informative References === | |
| − | + | [ESNI] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | |
| − | + | Encrypted Client Hello", Work in Progress, Internet-Draft, | |
| − | + | draft-ietf-tls-esni-07, June 1, 2020, | |
| − | + | <https://tools.ietf.org/html/draft-ietf-tls-esni-07>. | |
| − | + | [K17] Kaiser, D., "Efficient Privacy-Preserving | |
| − | + | Configurationless Service Discovery Supporting Multi-Link | |
| − | + | Networks", August 2017, | |
| − | + | <https://nbn-resolving.de/urn:nbn:de:bsz:352-0-422757>. | |
| − | + | [KW14a] Kaiser, D. and M. Waldvogel, "Adding Privacy to Multicast | |
| − | + | DNS Service Discovery", DOI 10.1109/TrustCom.2014.107, | |
| − | + | September 2014, <https://ieeexplore.ieee.org/xpl/ | |
| − | + | articleDetails.jsp?arnumber=7011331>. | |
| − | + | [KW14b] Kaiser, D. and M. Waldvogel, "Efficient Privacy Preserving | |
| − | + | Multicast DNS Service Discovery", | |
| − | + | DOI 10.1109/HPCC.2014.141, August 2014, | |
| − | + | <https://ieeexplore.ieee.org/xpl/ | |
| − | + | articleDetails.jsp?arnumber=7056899>. | |
| − | + | [[RFC1033]] Lottor, M., "Domain Administrators Operations Guide", | |
| − | + | [[RFC1033|RFC 1033]], DOI 10.17487/RFC1033, November 1987, | |
| − | + | <https://www.rfc-editor.org/info/rfc1033>. | |
| − | + | [[RFC1034]] Mockapetris, P., "Domain names - concepts and facilities", | |
| − | + | [[STD13|STD 13]], [[RFC1034|RFC 1034]], DOI 10.17487/RFC1034, November 1987, | |
| − | + | <https://www.rfc-editor.org/info/rfc1034>. | |
| − | + | [[RFC1035]] Mockapetris, P., "Domain names - implementation and | |
| − | + | specification", [[STD13|STD 13]], [[RFC1035|RFC 1035]], DOI 10.17487/RFC1035, | |
| − | + | November 1987, <https://www.rfc-editor.org/info/rfc1035>. | |
| − | + | [[RFC2782]] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | |
| − | + | specifying the location of services (DNS SRV)", [[RFC2782|RFC 2782]], | |
| − | + | DOI 10.17487/RFC2782, February 2000, | |
| − | + | <https://www.rfc-editor.org/info/rfc2782>. | |
| − | + | [[RFC3927]] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic | |
| − | + | Configuration of IPv4 Link-Local Addresses", [[RFC3927|RFC 3927]], | |
| − | + | DOI 10.17487/RFC3927, May 2005, | |
| − | + | <https://www.rfc-editor.org/info/rfc3927>. | |
| − | + | [[RFC4291]] Hinden, R. and S. Deering, "IP Version 6 Addressing | |
| − | + | Architecture", [[RFC4291|RFC 4291]], DOI 10.17487/RFC4291, February | |
| − | + | 2006, <https://www.rfc-editor.org/info/rfc4291>. | |
| − | + | [[RFC5054]] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, | |
| − | + | "Using the Secure Remote Password (SRP) Protocol for TLS | |
| − | + | Authentication", [[RFC5054|RFC 5054]], DOI 10.17487/RFC5054, November | |
| − | + | 2007, <https://www.rfc-editor.org/info/rfc5054>. | |
| − | + | [[RFC7558]] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault, | |
| − | + | "Requirements for Scalable DNS-Based Service Discovery | |
| − | + | (DNS-SD) / Multicast DNS (mDNS) Extensions", [[RFC7558|RFC 7558]], | |
| − | + | DOI 10.17487/RFC7558, July 2015, | |
| − | + | <https://www.rfc-editor.org/info/rfc7558>. | |
| − | + | [[RFC7844]] Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity | |
| − | + | Profiles for DHCP Clients", [[RFC7844|RFC 7844]], | |
| − | + | DOI 10.17487/RFC7844, May 2016, | |
| − | + | <https://www.rfc-editor.org/info/rfc7844>. | |
| − | + | [[RFC8117]] Huitema, C., Thaler, D., and R. Winter, "Current Hostname | |
| − | + | Practice Considered Harmful", [[RFC8117|RFC 8117]], | |
| − | + | DOI 10.17487/RFC8117, March 2017, | |
| − | + | <https://www.rfc-editor.org/info/rfc8117>. | |
| − | + | [[RFC8235]] Hao, F., Ed., "Schnorr Non-interactive Zero-Knowledge | |
| − | + | Proof", [[RFC8235|RFC 8235]], DOI 10.17487/RFC8235, September 2017, | |
| − | + | <https://www.rfc-editor.org/info/rfc8235>. | |
| − | + | [[RFC8236]] Hao, F., Ed., "J-PAKE: Password-Authenticated Key Exchange | |
| − | + | by Juggling", [[RFC8236|RFC 8236]], DOI 10.17487/RFC8236, September | |
| − | + | 2017, <https://www.rfc-editor.org/info/rfc8236>. | |
| − | + | [SLEEP-PROXY] | |
| − | + | Cheshire, S., "Understanding Sleep Proxy Service", | |
| − | + | December 2009, | |
| − | + | <http://stuartcheshire.org/SleepProxy/index.html>. | |
| − | + | [SRP] Lemon, T. and S. Cheshire, "Service Registration Protocol | |
| − | + | for DNS-Based Service Discovery", Work in Progress, | |
| − | + | Internet-Draft, draft-ietf-dnssd-srp-04, July 13, 2020, | |
| − | + | <https://tools.ietf.org/html/draft-ietf-dnssd-srp-04>. | |
Acknowledgments | Acknowledgments | ||
| − | + | This document incorporates many contributions from Stuart Cheshire | |
| − | + | and Chris Wood. Thanks to Florian Adamsky for extensive review and | |
| − | + | suggestions on the organization of the threat model. Thanks to Barry | |
| − | + | Leiba for an extensive review. Thanks to Roman Danyliw, Ben Kaduk, | |
| − | + | Adam Roach, and Alissa Cooper for their comments during IESG review. | |
Authors' Addresses | Authors' Addresses | ||
| − | + | Christian Huitema | |
| − | + | Private Octopus Inc. | |
| − | + | Friday Harbor, WA 98250 | |
| − | + | United States of America | |
| − | + | Email: [email protected] | |
| − | + | URI: http://privateoctopus.com/ | |
| + | Daniel Kaiser | ||
| + | University of Luxembourg | ||
| + | 6, avenue de la Fonte | ||
| + | L-4364 Esch-sur-Alzette | ||
| + | Luxembourg | ||
| − | + | Email: [email protected] | |
| − | + | URI: https://secan-lab.uni.lu/ | |
| − | |||
| − | |||
| − | |||
| − | + | [[Category:Informational]] | |
| − | |||
Latest revision as of 21:38, 5 May 2021
Internet Engineering Task Force (IETF) C. Huitema Request for Comments: 8882 Private Octopus Inc. Category: Informational D. Kaiser ISSN: 2070-1721 University of Luxembourg
September 2020
DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements
Abstract
DNS-SD (DNS-based Service Discovery) normally discloses information about devices offering and requesting services. This information includes hostnames, network parameters, and possibly a further description of the corresponding service instance. Especially when mobile devices engage in DNS-based Service Discovery at a public hotspot, serious privacy problems arise. We analyze the requirements of a privacy-respecting discovery service.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8882.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
1. Introduction 2. Threat Model 3. Threat Analysis
3.1. Service Discovery Scenarios
3.1.1. Private Client and Public Server
3.1.2. Private Client and Private Server
3.1.3. Wearable Client and Server
3.2. DNS-SD Privacy Considerations
3.2.1. Information Made Available Via DNS-SD Resource Records
3.2.2. Privacy Implication of Publishing Service Instance
Names
3.2.3. Privacy Implication of Publishing Node Names
3.2.4. Privacy Implication of Publishing Service Attributes
3.2.5. Device Fingerprinting
3.2.6. Privacy Implication of Discovering Services
3.3. Security Considerations
3.3.1. Authenticity, Integrity, and Freshness
3.3.2. Confidentiality
3.3.3. Resistance to Dictionary Attacks
3.3.4. Resistance to Denial-of-Service Attacks
3.3.5. Resistance to Sender Impersonation
3.3.6. Sender Deniability
3.4. Operational Considerations
3.4.1. Power Management
3.4.2. Protocol Efficiency
3.4.3. Secure Initialization and Trust Models
3.4.4. External Dependencies
4. Requirements for a DNS-SD Privacy Extension
4.1. Private Client Requirements 4.2. Private Server Requirements 4.3. Security and Operation
5. IANA Considerations 6. References
6.1. Normative References 6.2. Informative References
Acknowledgments Authors' Addresses
Contents
- 1 Introduction
- 2 Threat Model
- 3 Threat Analysis
- 3.1 Service Discovery Scenarios
- 3.2 DNS-SD Privacy Considerations
- 3.2.1 Information Made Available Via DNS-SD Resource Records
- 3.2.2 Privacy Implication of Publishing Service Instance Names
- 3.2.3 Privacy Implication of Publishing Node Names
- 3.2.4 Privacy Implication of Publishing Service Attributes
- 3.2.5 Device Fingerprinting
- 3.2.6 Privacy Implication of Discovering Services
- 3.3 Security Considerations
- 3.4 Operational Considerations
- 4 Requirements for a DNS-SD Privacy Extension
- 5 IANA Considerations
- 6 References
Introduction
DNS-Based Service Discovery (DNS-SD) RFC6763 over Multicast DNS (mDNS) RFC6762 enables zero-configuration service discovery in local networks. It is very convenient for users, but it requires the public exposure of the offering and requesting identities along with information about the offered and requested services. Parts of the published information can seriously breach the user's privacy. These privacy issues and potential solutions are discussed in [KW14a], [KW14b], and [K17]. While the multicast nature of mDNS makes these risks obvious, most risks derive from the observability of transactions. These risks also need to be mitigated when using server-based variants of DNS-SD.
There are cases when nodes connected to a network want to provide or consume services without exposing their identities to the other parties connected to the same network. Consider, for example, a traveler wanting to upload pictures from a phone to a laptop when both are connected to the Wi-Fi network of an Internet cafe, or two travelers who want to share files between their laptops when waiting for their plane in an airport lounge.
We expect that these exchanges will start with a discovery procedure using DNS-SD over mDNS. One of the devices will publish the availability of a service, such as a picture library or a file store in our examples. The user of the other device will discover this service and then connect to it.
When analyzing these scenarios in Section 3.1, we find that the DNS- SD messages leak identifying information, such as the Service Instance Name, the hostname, or service properties. We use the following definitions:
Identity
In this document, the term "identity" refers to the identity of the entity (legal person) operating a device.
Disclosing an Identity
In this document, "disclosing an identity" means showing the identity of operating entities to devices external to the discovery process, e.g., devices on the same network link that are listening to the network traffic but are not actually involved in the discovery process. This document focuses on identity disclosure by data conveyed via messages on the service discovery protocol layer. Still, identity leaks on deeper layers, e.g., the IP layer, are mentioned.
Disclosing Information
In this document, "disclosing information" is also focused on disclosure of data conveyed via messages on the service discovery protocol layer, including both identity-revealing information and other still potentially sensitive data.
Threat Model
This document considers the following attacker types sorted by increasing power. All these attackers can either be passive (they just listen to network traffic they have access to) or active (they additionally can craft and send malicious packets).
external
An external attacker is not on the same network link as victim devices engaging in service discovery; thus, the external attacker is in a different multicast domain.
on-link
An on-link attacker is on the same network link as victim devices engaging in service discovery; thus, the on-link attacker is in the same multicast domain. This attacker can also mount all attacks an external attacker can mount.
MITM
A Man-in-the-Middle (MITM) attacker either controls (parts of) a network link or can trick two parties to send traffic via the attacker; thus, the MITM attacker has access to unicast traffic between devices engaging in service discovery. This attacker can also mount all attacks an on-link attacker can mount.
Threat Analysis
In this section, we analyze how the attackers described in the previous section might threaten the privacy of entities operating devices engaging in service discovery. We focus on attacks leveraging data transmitted in service discovery protocol messages.
Service Discovery Scenarios
In this section, we review common service discovery scenarios and discuss privacy threats and their privacy requirements. In all three of these common scenarios, the attacker is of the type passive on- link.
Private Client and Public Server
Perhaps the simplest private discovery scenario involves a single client connecting to a public server through a public network. A common example would be a traveler using a publicly available printer in a business center, in a hotel, or at an airport.
( Taking notes:
( David is printing
( a document.
21:38, 5 May 2021 (UTC)21:38, 5 May 2021 (UTC)~
o
___ o ___
/ \ _|___|_
| | client server |* *|
\_/ __ \_/
| / / Discovery +----------+ |
/|\ /_/ <-----------> | +----+ | /|\
/ | \__/ +--| |--+ / | \
/ | |____/ / | \
/ | / | \
/ \ / \
/ \ / \
/ \ / \
/ \ / \
/ \ / \
David Adversary
In that scenario, the server is public and wants to be discovered, but the client is private. The adversary will be listening to the network traffic, trying to identify the visitors' devices and their activity. Identifying devices leads to identifying people, either for surveillance of these individuals in the physical world or as a preliminary step for a targeted cyber attack.
The requirement in that scenario is that the discovery activity should not disclose the identity of the client.
Private Client and Private Server
The second private discovery scenario involves a private client connecting to a private server. A common example would be two people engaging in a collaborative application in a public place, such as an airport's lounge.
( Taking notes:
( David is meeting
( with Stuart.
21:38, 5 May 2021 (UTC)21:38, 5 May 2021 (UTC)~
o
___ ___ o ___
/ \ / \ _|___|_
| | server client | | |* *|
\_/ __ __ \_/ \_/
| / / Discovery \ \ | |
/|\ /_/ <-----------> \_\ /|\ /|\
/ | \__/ \__/ | \ / | \
/ | | \ / | \
/ | | \ / | \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
David Stuart Adversary
In that scenario, the collaborative application on one of the devices will act as a server, and the application on the other device will act as a client. The server wants to be discovered by the client but has no desire to be discovered by anyone else. The adversary will be listening to network traffic, attempting to discover the identity of devices as in the first scenario and also attempting to discover the patterns of traffic, as these patterns reveal the business and social interactions between the owners of the devices.
The requirement in that scenario is that the discovery activity should not disclose the identity of either the client or the server nor reveal the business and social interactions between the owners of the devices.
Wearable Client and Server
The third private discovery scenario involves wearable devices. A typical example would be the watch on someone's wrist connecting to the phone in their pocket.
( Taking notes:
( David is here. His watch is
( talking to his phone.
21:38, 5 May 2021 (UTC)21:38, 5 May 2021 (UTC)~
o
___ o ___
/ \ _|___|_
| | client |* *|
\_/ \_/
| _/ |
/|\ // /|\
/ | \__/ ^ / | \
/ |__ | Discovery / | \
/ |\ \ v / | \
/ \\_\ / \
/ \ server / \
/ \ / \
/ \ / \
/ \ / \
David Adversary
This third scenario is in many ways similar to the second scenario. It involves two devices, one acting as server and the other acting as client, and it leads to the same requirement of the discovery traffic not disclosing the identity of either the client or the server. The main difference is that the devices are managed by a single owner, which can lead to different methods for establishing secure relations between the devices. There is also an added emphasis on hiding the type of devices that the person wears.
In addition to tracking the identity of the owner of the devices, the adversary is interested in the characteristics of the devices, such as type, brand, and model. Identifying the type of device can lead to further attacks, from theft to device-specific hacking. The combination of devices worn by the same person will also provide a "fingerprint" of the person, risking identification.
This scenario also represents the general case of bringing private Internet-of-Things (IoT) devices into public places. A wearable IoT device might act as a DNS-SD/mDNS client, which allows attackers to infer information about devices' owners. While the attacker might be a person, as in the example figure, this could also be abused for large-scale data collection installing stationary IoT-device-tracking servers in frequented public places.
The issues described in Section 3.1.1, such as identifying people or using the information for targeted attacks, apply here too.
DNS-SD Privacy Considerations
While the discovery process illustrated in the scenarios in Section 3.1 most likely would be based on RFC6762 as a means for making service information available, this document considers all kinds of means for making DNS-SD resource records available. These means comprise of but are not limited to mDNS RFC6762, DNS servers (RFC1033, RFC1034, and RFC1035), the use of Service Registration Protocol (SRP) [SRP], and multi-link RFC7558 networks.
The discovery scenarios in Section 3.1 illustrate three separate abstract privacy requirements that vary based on the use case. These are not limited to mDNS.
1. Client identity privacy: Client identities are not leaked during
service discovery or use.
2. Multi-entity, mutual client and server identity privacy: Neither
client nor server identities are leaked during service discovery or use.
3. Single-entity, mutual client and server identity privacy:
Identities of clients and servers owned and managed by the same legal person are not leaked during service discovery or use.
In this section, we describe aspects of DNS-SD that make these requirements difficult to achieve in practice. While it is intended to be thorough, it is not possible to be exhaustive.
Client identity privacy, if not addressed properly, can be thwarted by a passive attacker (see Section 2). The type of passive attacker necessary depends on the means of making service information available. Information conveyed via multicast messages can be obtained by an on-link attacker. Unicast messages are harder to access, but if the transmission is not encrypted they could still be accessed by an attacker with access to network routers or bridges. Using multi-link service discovery solutions RFC7558, external attackers have to be taken into consideration as well, e.g., when relaying multicast messages to other links.
Server identity privacy can be thwarted by a passive attacker in the same way as client identity privacy. Additionally, active attackers querying for information have to be taken into consideration as well. This is mainly relevant for unicast-based discovery, where listening to discovery traffic requires a MITM attacker; however, an external active attacker might be able to learn the server identity by just querying for service information, e.g., via DNS.
Information Made Available Via DNS-SD Resource Records
DNS-Based Service Discovery (DNS-SD) is defined in RFC6763. It allows nodes to publish the availability of an instance of a service by inserting specific records in the DNS (RFC1033, RFC1034, and RFC1035) or by publishing these records locally using multicast DNS (mDNS) RFC6762. Available services are described using three types of records:
PTR Record
Associates a service type in the domain with an "instance" name of this service type.
SRV Record
Provides the node name, port number, priority and weight associated with the service instance, in conformance with RFC2782.
TXT Record
Provides a set of attribute-value pairs describing specific properties of the service instance.
Privacy Implication of Publishing Service Instance Names
In the first phase of discovery, clients obtain all PTR records associated with a service type in a given naming domain. Each PTR record contains a Service Instance Name defined in Section 4 of RFC6763:
Service Instance Name = <Instance> . <Service> . <Domain>
The <Instance> portion of the Service Instance Name is meant to convey enough information for users of discovery clients to easily select the desired service instance. Nodes that use DNS-SD over mDNS RFC6762 in a mobile environment will rely on the specificity of the instance name to identify the desired service instance. In our example of users wanting to upload pictures to a laptop in an Internet cafe, the list of available service instances may look like:
Alice's Images . _imageStore._tcp . local Alice's Mobile Phone . _presence._tcp . local Alice's Notebook . _presence._tcp . local Bob's Notebook . _presence._tcp . local Carol's Notebook . _presence._tcp . local
Alice will see the list on her phone and understand intuitively that she should pick the first item. The discovery will "just work". (Note that our examples of service names conform to the specification in Section 4.1 of RFC6763 but may require some character escaping when entered in conventional DNS software.)
However, DNS-SD/mDNS will reveal to anybody that Alice is currently visiting the Internet cafe. It further discloses the fact that she uses two devices, shares an image store, and uses a chat application supporting the _presence protocol on both of her devices. She might currently chat with Bob or Carol, as they are also using a _presence supporting chat application. This information is not just available to devices actively browsing for and offering services but to anybody passively listening to the network traffic, i.e., a passive on-link attacker.
There is, of course, also no authentication requirement to claim a particular instance name, so an active attacker can provide resources that claim to be Alice's but are not.
Privacy Implication of Publishing Node Names
The SRV records contain the DNS name of the node publishing the service. Typical implementations construct this DNS name by concatenating the "hostname" of the node with the name of the local domain. The privacy implications of this practice are reviewed in RFC8117. Depending on naming practices, the hostname is either a strong identifier of the device or, at a minimum, a partial identifier. It enables tracking of both the device and, by extension, the device's owner.
Privacy Implication of Publishing Service Attributes
The TXT record's attribute-value pairs contain information on the characteristics of the corresponding service instance. This in turn reveals information about the devices that publish services. The amount of information varies widely with the particular service and its implementation:
- Some attributes, such as the paper size available in a printer,
are the same on many devices and thus only provide limited information to a tracker.
- Attributes that have free-form values, such as the name of a
directory, may reveal much more information.
Combinations of individual attributes have more information power than specific attributes and can potentially be used for "fingerprinting" a specific device.
Information contained in TXT records not only breaches privacy by making devices trackable but might directly contain private information about the user. For instance, the _presence service reveals the "chat status" to everyone in the same network. Users might not be aware of that.
Further, TXT records often contain version information about services, allowing potential attackers to identify devices running exploit-prone versions of a certain service.
Device Fingerprinting
The combination of information published in DNS-SD has the potential to provide a "fingerprint" of a specific device. Such information includes:
- A list of services published by the device, which can be retrieved
because the SRV records will point to the same hostname.
- Specific attributes describing these services.
- Port numbers used by the services.
- Priority and weight attributes in the SRV records.
This combination of services and attributes will often be sufficient to identify the version of the software running on a device. If a device publishes many services with rich sets of attributes, the combination may be sufficient to identify the specific device and track its owner.
An argument is sometimes made that devices providing services can be identified by observing the local traffic and that trying to hide the presence of the service is futile. However, there are good reasons for the discovery service layer to avoid unnecessary exposure:
1. Providing privacy at the discovery layer is of the essence for
enabling automatically configured privacy-preserving network applications. Application layer protocols are not forced to leverage the offered privacy, but if device tracking is not prevented at the deeper layers, including the service discovery layer, obfuscating a certain service's protocol at the application layer is futile.
2. Further, in the case of mDNS-based discovery, even if the
application layer does not protect privacy, services are typically provided via unicast, which requires a MITM attacker, whereas identifying services based on multicast discovery messages just requires an on-link attacker.
The same argument can be extended to say that the pattern of services offered by a device allows for fingerprinting the device. This may or may not be true, since we can expect that services will be designed or updated to avoid leaking fingerprints. In any case, the design of the discovery service should avoid making a bad situation worse and should, as much as possible, avoid providing new fingerprinting information.
Privacy Implication of Discovering Services
The consumers of services engage in discovery and in doing so reveal some information, such as the list of services they are interested in and the domains in which they are looking for the services. When the clients select specific instances of services, they reveal their preference for these instances. This can be benign if the service type is very common, but it could be more problematic for sensitive services, such as some private messaging services.
One way to protect clients would be to somehow encrypt the requested service types. Of course, just as we noted in Section 3.2.5, traffic analysis can often reveal the service.
Security Considerations
For each of the operations described above, we must also consider security threats we are concerned about.
Authenticity, Integrity, and Freshness
Can devices (both servers and clients) trust the information they receive? Has it been modified in flight by an adversary? Can devices trust the source of the information? Is the source of information fresh, i.e., not replayed? Freshness may or may not be required depending on whether the discovery process is meant to be online. In some cases, publishing discovery information to a shared directory or registry, rather than to each online recipient through a broadcast channel, may suffice.
Confidentiality
Confidentiality is about restricting information access to only authorized individuals. Ideally, this should only be the appropriate trusted parties, though it can be challenging to define who are "the appropriate trusted parties." In some use cases, this may mean that only mutually authenticated and trusting clients and servers can read messages sent for one another. The process of service discovery in particular is often used to discover new entities that the device did not previously know about. It may be tricky to work out how a device can have an established trust relationship with a new entity it has never previously communicated with.
Resistance to Dictionary Attacks
It can be tempting to use (publicly computable) hash functions to obscure sensitive identifiers. This transforms a sensitive unique identifier, such as an email address, into a "scrambled" but still unique identifier. Unfortunately, simple solutions may be vulnerable to offline dictionary attacks.
Resistance to Denial-of-Service Attacks
In any protocol where the receiver of messages has to perform cryptographic operations on those messages, there is a risk of a brute-force flooding attack causing the receiver to expend excessive amounts of CPU time and, where applicable, battery power just processing and discarding those messages.
Also, amplification attacks have to be taken into consideration. Messages with larger payloads should only be sent as an answer to a query sent by a verified client.
Resistance to Sender Impersonation
Sender impersonation is an attack wherein messages, such as service offers, are forged by entities who do not possess the corresponding secret key material. These attacks may be used to learn the identity of a communicating party, actively or passively.
Sender Deniability
Deniability of sender activity, e.g., of broadcasting a discovery request, may be desirable or necessary in some use cases. This property ensures that eavesdroppers cannot prove senders issued a specific message destined for one or more peers.
Operational Considerations
Power Management
Many modern devices, especially battery-powered devices, use power management techniques to conserve energy. One such technique is for a device to transfer information about itself to a proxy, which will act on behalf of the device for some functions while the device itself goes to sleep to reduce power consumption. When the proxy determines that some action is required, which only the device itself can perform, the proxy may have some way to wake the device, as described for example in [SLEEP-PROXY].
In many cases, the device may not trust the network proxy sufficiently to share all its confidential key material with the proxy. This poses challenges for combining private discovery that relies on per-query cryptographic operations with energy-saving techniques that rely on having (somewhat untrusted) network proxies answer queries on behalf of sleeping devices.
Protocol Efficiency
Creating a discovery protocol that has the desired security properties may result in a design that is not efficient. To perform the necessary operations, the protocol may need to send and receive a large number of network packets or require an inordinate amount of multicast transmissions. This may consume an unreasonable amount of network capacity, particularly problematic when it is a shared wireless spectrum. Further, it may cause an unnecessary level of power consumption, which is particularly problematic on battery devices and may result in the discovery process being slow.
It is a difficult challenge to design a discovery protocol that has the property of obscuring the details of what it is doing from unauthorized observers while also managing to perform efficiently.
Secure Initialization and Trust Models
One of the challenges implicit in the preceding discussions is that whenever we discuss "trusted entities" versus "untrusted entities", there needs to be some way that trust is initially established to convert an "untrusted entity" into a "trusted entity".
The purpose of this document is not to define the specific way in which trust can be established. Protocol designers may rely on a number of existing technologies, including PKI, Trust On First Use (TOFU), or the use of a short passphrase or PIN with cryptographic algorithms, such as Secure Remote Password (SRP) RFC5054 or a Password-Authenticated Key Exchange like J-PAKE RFC8236 using a Schnorr Non-interactive Zero-Knowledge Proof RFC8235.
Protocol designers should consider a specific usability pitfall when trust is established immediately prior to performing discovery. Users will have a tendency to "click OK" in order to achieve their task. This implicit vulnerability is avoided if the trust establishment requires more significant participation of the user, such as entering a password or PIN.
External Dependencies
Trust establishment may depend on external parties. Optionally, this might involve synchronous communication. Systems that have such a dependency may be attacked by interfering with communication to external dependencies. Where possible, such dependencies should be minimized. Local trust models are best for secure initialization in the presence of active attackers.
Requirements for a DNS-SD Privacy Extension
Given the considerations discussed in the previous sections, we state requirements for privacy preserving DNS-SD in the following subsections.
Defining a solution according to these requirements is intended to lead to a solution that does not transmit privacy-violating DNS-SD messages and further does not open pathways to new attacks against the operation of DNS-SD.
However, while this document gives advice on which privacy protecting mechanisms should be used on deeper-layer network protocols and on how to actually connect to services in a privacy-preserving way, stating corresponding requirements is out of the scope of this document. To mitigate attacks against privacy on lower layers, both servers and clients must use privacy options available at lower layers and, for example, avoid publishing static IPv4 or IPv6 addresses or static IEEE 802 Media Access Control (MAC) addresses. For services advertised on a single network link, link-local IP addresses should be used; see RFC3927 and RFC4291 for IPv4 and IPv6, respectively. Static servers advertising services globally via DNS can hide their IP addresses from unauthorized clients using the split mode topology shown in Encrypted Server Name Indication [ESNI]. Hiding static MAC addresses can be achieved via MAC address randomization (see RFC7844).
Private Client Requirements
For all three scenarios described in Section 3.1, client privacy requires DNS-SD messages to:
1. Avoid disclosure of the client's identity, either directly or via
inference, to nodes other than select servers.
2. Avoid exposure of linkable identifiers that allow tracing client
devices.
3. Avoid disclosure of the client's interest in specific service
instances or service types to nodes other than select servers.
When listing and resolving services via current DNS-SD deployments, clients typically disclose their interest in specific services types and specific instances of these types, respectively.
In addition to the exposure and disclosure risks noted above, protocols and implementations will have to consider fingerprinting attacks (see Section 3.2.5) that could retrieve similar information.
Private Server Requirements
Servers like the "printer" discussed in Section 3.1.1 are public, but the servers discussed in Sections 3.1.2 and 3.1.3 are, by essence, private. Server privacy requires DNS-SD messages to:
1. Avoid disclosure of the server's identity, either directly or via
inference, to nodes other than authorized clients. In particular, servers must avoid publishing static identifiers, such as hostnames or service names. When those fields are required by the protocol, servers should publish randomized values. (See RFC8117 for a discussion of hostnames.)
2. Avoid exposure of linkable identifiers that allow tracing
servers.
3. Avoid disclosure to unauthorized clients of Service Instance
Names or service types of offered services.
4. Avoid disclosure to unauthorized clients of information about the
services they offer.
5. Avoid disclosure of static IPv4 or IPv6 addresses.
When offering services via current DNS-SD deployments, servers typically disclose their hostnames (SRV, A/AAAA), instance names of offered services (PTR, SRV), and information about services (TXT). Heeding these requirements protects a server's privacy on the DNS-SD level.
The current DNS-SD user interfaces present the list of discovered service names to the users and let them pick a service from the list. Using random identifiers for service names renders that UI flow unusable. Privacy-respecting discovery protocols will have to solve this issue, for example, by presenting authenticated or decrypted service names instead of the randomized values.
Security and Operation
In order to be secure and feasible, a DNS-SD privacy extension needs to consider security and operational requirements including:
1. Avoiding significant CPU overhead on nodes or significantly
higher network load. Such overhead or load would make nodes vulnerable to denial-of-service attacks. Further, it would increase power consumption, which is damaging for IoT devices.
2. Avoiding designs in which a small message can trigger a large
amount of traffic towards an unverified address, as this could be exploited in amplification attacks.
IANA Considerations
This document has no IANA actions.
References
Normative References
RFC6762 Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>.
RFC6763 Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, <https://www.rfc-editor.org/info/rfc6763>.
Informative References
[ESNI] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Encrypted Client Hello", Work in Progress, Internet-Draft,
draft-ietf-tls-esni-07, June 1, 2020,
<https://tools.ietf.org/html/draft-ietf-tls-esni-07>.
[K17] Kaiser, D., "Efficient Privacy-Preserving
Configurationless Service Discovery Supporting Multi-Link
Networks", August 2017,
<https://nbn-resolving.de/urn:nbn:de:bsz:352-0-422757>.
[KW14a] Kaiser, D. and M. Waldvogel, "Adding Privacy to Multicast
DNS Service Discovery", DOI 10.1109/TrustCom.2014.107,
September 2014, <https://ieeexplore.ieee.org/xpl/
articleDetails.jsp?arnumber=7011331>.
[KW14b] Kaiser, D. and M. Waldvogel, "Efficient Privacy Preserving
Multicast DNS Service Discovery",
DOI 10.1109/HPCC.2014.141, August 2014,
<https://ieeexplore.ieee.org/xpl/
articleDetails.jsp?arnumber=7056899>.
RFC1033 Lottor, M., "Domain Administrators Operations Guide",
RFC 1033, DOI 10.17487/RFC1033, November 1987, <https://www.rfc-editor.org/info/rfc1033>.
RFC1034 Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, <https://www.rfc-editor.org/info/rfc1034>.
RFC1035 Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <https://www.rfc-editor.org/info/rfc1035>.
RFC2782 Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, DOI 10.17487/RFC2782, February 2000, <https://www.rfc-editor.org/info/rfc2782>.
RFC3927 Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, DOI 10.17487/RFC3927, May 2005, <https://www.rfc-editor.org/info/rfc3927>.
RFC4291 Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006, <https://www.rfc-editor.org/info/rfc4291>.
RFC5054 Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin,
"Using the Secure Remote Password (SRP) Protocol for TLS
Authentication", RFC 5054, DOI 10.17487/RFC5054, November
2007, <https://www.rfc-editor.org/info/rfc5054>.
RFC7558 Lynn, K., Cheshire, S., Blanchet, M., and D. Migault,
"Requirements for Scalable DNS-Based Service Discovery
(DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
DOI 10.17487/RFC7558, July 2015,
<https://www.rfc-editor.org/info/rfc7558>.
RFC7844 Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity
Profiles for DHCP Clients", RFC 7844, DOI 10.17487/RFC7844, May 2016, <https://www.rfc-editor.org/info/rfc7844>.
RFC8117 Huitema, C., Thaler, D., and R. Winter, "Current Hostname
Practice Considered Harmful", RFC 8117, DOI 10.17487/RFC8117, March 2017, <https://www.rfc-editor.org/info/rfc8117>.
RFC8235 Hao, F., Ed., "Schnorr Non-interactive Zero-Knowledge
Proof", RFC 8235, DOI 10.17487/RFC8235, September 2017, <https://www.rfc-editor.org/info/rfc8235>.
RFC8236 Hao, F., Ed., "J-PAKE: Password-Authenticated Key Exchange
by Juggling", RFC 8236, DOI 10.17487/RFC8236, September 2017, <https://www.rfc-editor.org/info/rfc8236>.
[SLEEP-PROXY]
Cheshire, S., "Understanding Sleep Proxy Service",
December 2009,
<http://stuartcheshire.org/SleepProxy/index.html>.
[SRP] Lemon, T. and S. Cheshire, "Service Registration Protocol
for DNS-Based Service Discovery", Work in Progress,
Internet-Draft, draft-ietf-dnssd-srp-04, July 13, 2020,
<https://tools.ietf.org/html/draft-ietf-dnssd-srp-04>.
Acknowledgments
This document incorporates many contributions from Stuart Cheshire and Chris Wood. Thanks to Florian Adamsky for extensive review and suggestions on the organization of the threat model. Thanks to Barry Leiba for an extensive review. Thanks to Roman Danyliw, Ben Kaduk, Adam Roach, and Alissa Cooper for their comments during IESG review.
Authors' Addresses
Christian Huitema Private Octopus Inc. Friday Harbor, WA 98250 United States of America
Email: [email protected] URI: http://privateoctopus.com/
Daniel Kaiser University of Luxembourg 6, avenue de la Fonte L-4364 Esch-sur-Alzette Luxembourg
Email: [email protected] URI: https://secan-lab.uni.lu/
