| < draft-ietf-ipsecme-add-ike-01.txt | draft-ietf-ipsecme-add-ike-02.txt > | |||
|---|---|---|---|---|
| ipsecme M. Boucadair | ipsecme M. Boucadair | |||
| Internet-Draft Orange | Internet-Draft Orange | |||
| Intended status: Standards Track T. Reddy | Intended status: Standards Track T. Reddy | |||
| Expires: 23 September 2022 Akamai | Expires: 28 October 2022 Akamai | |||
| D. Wing | D. Wing | |||
| Citrix | Citrix | |||
| V. Smyslov | V. Smyslov | |||
| ELVIS-PLUS | ELVIS-PLUS | |||
| 22 March 2022 | 26 April 2022 | |||
| Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for | Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for | |||
| Encrypted DNS | Encrypted DNS | |||
| draft-ietf-ipsecme-add-ike-01 | draft-ietf-ipsecme-add-ike-02 | |||
| Abstract | Abstract | |||
| This document specifies new Internet Key Exchange Protocol Version 2 | This document specifies new Internet Key Exchange Protocol Version 2 | |||
| (IKEv2) Configuration Payload Attribute Types for encrypted DNS | (IKEv2) Configuration Payload Attribute Types for encrypted DNS | |||
| protocols such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS- | protocols such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS- | |||
| over-QUIC (DoQ). | over-QUIC (DoQ). | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 23 September 2022. | This Internet-Draft will expire on 28 October 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
| described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. IKEv2 Configuration Payload Attribute Types for Encrypted | 3. IKEv2 Configuration Payload Attribute Types for Encrypted | |||
| DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. ENCDNS_IP* Configuration Payload Attributes . . . . . . . 3 | 3.1. ENCDNS_IP* Configuration Payload Attributes . . . . . . . 3 | |||
| 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute . . . 5 | 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute . . . 6 | |||
| 4. IKEv2 Protocol Exchange . . . . . . . . . . . . . . . . . . . 7 | 4. IKEv2 Protocol Exchange . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6.1. Configuration Payload Attribute Types . . . . . . . . . . 9 | 6.1. Configuration Payload Attribute Types . . . . . . . . . . 9 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
| Appendix A. Sample Deployment Scenarios . . . . . . . . . . . . 11 | Appendix A. Sample Deployment Scenarios . . . . . . . . . . . . 12 | |||
| A.1. Roaming Enterprise Users . . . . . . . . . . . . . . . . 11 | A.1. Roaming Enterprise Users . . . . . . . . . . . . . . . . 12 | |||
| A.2. VPN Service Provider . . . . . . . . . . . . . . . . . . 12 | A.2. VPN Service Provider . . . . . . . . . . . . . . . . . . 12 | |||
| A.3. DNS Offload . . . . . . . . . . . . . . . . . . . . . . . 12 | A.3. DNS Offload . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| This document specifies encrypted DNS configuration for an Internet | This document specifies encrypted DNS configuration for an Internet | |||
| Key Exchange Protocol Version 2 (IKEv2) [RFC7296] initiator, | Key Exchange Protocol Version 2 (IKEv2) [RFC7296] initiator, | |||
| particularly the Authentication Domain Name (ADN) of DNS servers that | particularly the Authentication Domain Name (ADN) of DNS servers that | |||
| support encrypted DNS protocols such as DNS-over-HTTPS (DoH) | support encrypted DNS protocols such as DNS-over-HTTPS (DoH) | |||
| [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ) | [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ) | |||
| [I-D.ietf-dprive-dnsoquic]. | [I-D.ietf-dprive-dnsoquic]. | |||
| This document introduces new IKEv2 Configuration Payload Attribute | This document introduces new IKEv2 Configuration Payload Attribute | |||
| Types (Section 3) for the support of encrypted DNS servers. These | Types (Section 3) for the support of encrypted DNS servers. These | |||
| attributes can be used to provision ADNs, a list of IP addresses, and | attributes can be used to provision ADNs, a list of IP addresses, and | |||
| a set of service parameters. | a set of service parameters. | |||
| Sample use cases are discussed in Appendix A. The Configuration | Sample use cases are described in Appendix A. The Configuration | |||
| Payload Attribute Types defined in this document are not specific to | Payload Attribute Types defined in this document are not specific to | |||
| these deployments, but can also be used in other deployment contexts. | these deployments, but can also be used in other deployment contexts. | |||
| It is out of the scope of this document to provide a comprehensive | It is out of the scope of this document to provide a comprehensive | |||
| list of deployment contexts. | list of deployment contexts. | |||
| The encrypted DNS server hosted by a VPN provider can get a domain- | The encrypted DNS server hosted by a VPN provider can get a domain- | |||
| validate certificate from a public Certificate Authority (CA). The | validate certificate from a public Certificate Authority (CA). The | |||
| VPN client does not need to be provisioned with the root certificate | VPN client does not need to be provisioned with the root certificate | |||
| of a private CA to authenticate the certificate of the encrypted DNS | of a private CA to authenticate the certificate of the encrypted DNS | |||
| server. The encrypted DNS server can run on private IP addresses and | server. The encrypted DNS server can run on private IP addresses and | |||
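Review bot: In the Introduction paragraph about the VPN provider's server, "domain-validate certificate" should read "domain-validated certificate". The wording is identical in -01 and -02, so the editorial pass that changed "discussed" to "described" two paragraphs earlier missed it.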
| skipping to change at page 5, line 15 ¶ | skipping to change at page 5, line 15 ¶ | |||
| AliasMode (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) is not | AliasMode (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) is not | |||
| supported because such a mode will trigger additional Do53 queries | supported because such a mode will trigger additional Do53 queries | |||
| while the data can be supplied directly in the IKE response. As | while the data can be supplied directly in the IKE response. As | |||
| such, this field MUST NOT be set to 0. | such, this field MUST NOT be set to 0. | |||
| * Num Addresses (1 octet) - Indicates the number of enclosed IPv4 | * Num Addresses (1 octet) - Indicates the number of enclosed IPv4 | |||
| (for ENCDNS_IP4 attribute type) or IPv6 (for ENCDNS_IP6 attribute | (for ENCDNS_IP4 attribute type) or IPv6 (for ENCDNS_IP6 attribute | |||
| type) addresses. It MUST NOT be set to 0 if the Configuration | type) addresses. It MUST NOT be set to 0 if the Configuration | |||
| payload has types CFG_REPLY or CFG_SET. | payload has types CFG_REPLY or CFG_SET. | |||
| * ADN Length (1 octet) - Indicates the length of the authentication- | * ADN Length (1 octet) - Indicates the length of the "Authentication | |||
| domain-name field in octets. | Domain Name" field in octets. | |||
| * IP Address(es) (variable) - One or more IPv4 or IPv6 addresses to | * IP Address(es) (variable) - One or more IPv4 or IPv6 addresses to | |||
| be used to reach the encrypted DNS server that is identified by | be used to reach the encrypted DNS server that is identified by | |||
| the name in the Authentication Domain Name. | the name in the Authentication Domain Name. | |||
| * Authentication Domain Name (variable) - A fully qualified domain | * Authentication Domain Name (variable) - A fully qualified domain | |||
| name of the encrypted DNS server following the syntax defined in | name of the encrypted DNS server following the syntax defined in | |||
| [RFC5890]. The name MUST NOT contain any terminators (e.g., NULL, | [RFC5890]. The name MUST NOT contain any terminators (e.g., NULL, | |||
| CR). | CR). | |||
| An example of a valid ADN for DoH server is "doh1.example.com". | An example of a valid ADN for DoH server is "doh1.example.com". | |||
| * Service Parameters (SvcParams) (variable) - Specifies a set of | * Service Parameters (SvcParams) (variable) - Specifies a set of | |||
| service parameters that are encoded following the rules in | service parameters that are encoded following the rules in | |||
| Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters | Section 2.1 of [I-D.ietf-dnsop-svcb-https]. The following service | |||
| may include, for example, a list of ALPN protocol identifiers or | parameters are RECOMMENDED to be supported by an implementation: | |||
| alternate port numbers. The service parameters MUST NOT include | ||||
| "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the | alpn: Used to indicate the set of supported protocols | |||
| included IP addresses. | (Section 7.1 of [I-D.ietf-dnsop-svcb-https]). | |||
| port: Used to indicate the target port number for the encrypted | ||||
| DNS connection (Section 7.2 of [I-D.ietf-dnsop-svcb-https]). | ||||
| ech: Used to enable Encrypted ClientHello (ECH) (Section 7.3 of | ||||
| [I-D.ietf-dnsop-svcb-https]). | ||||
| dohpath: Used to supply a relative DoH URI Template (Section 5.1 | ||||
| of [I-D.ietf-add-svcb-dns]). | ||||
| The service parameters MUST NOT include "ipv4hint" or "ipv6hint" | ||||
| SvcParams as they are superseded by the included IP addresses. | ||||
| If no port service parameter is included, this indicates that | If no port service parameter is included, this indicates that | |||
| default port numbers should be used. As a reminder, the default | default port numbers should be used. As a reminder, the default | |||
| port number is 853 for DoT, 443 for DoH, and 853 for DoQ. | port number is 853 for DoT, 443 for DoH, and 853 for DoQ. | |||
| The service parameters apply to all IP addresses in the ENCDNS_IP* | The service parameters apply to all IP addresses in the ENCDNS_IP* | |||
| Configuration Payload Attribute. | Configuration Payload Attribute. | |||
| 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute | 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute | |||
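Review bot: The rewritten Service Parameters bullet states only sender-side rules: four SvcParams are "RECOMMENDED to be supported" and "ipv4hint"/"ipv6hint" MUST NOT be included, but nothing says what an initiator does when it receives a SvcParam it does not support or a hint parameter that should not be there. Suggest adding the receiver behaviour (ignore the offending parameter, or discard the whole attribute) so that implementations fail the same way. The -01 sentence saying what SvcParams "may include, for example" was dropped, so it is also worth stating whether parameters outside the new list remain allowed.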
| skipping to change at page 6, line 34 ¶ | skipping to change at page 6, line 42 ¶ | |||
| * Attribute Type (15 bits) - Identifier for Configuration Attribute | * Attribute Type (15 bits) - Identifier for Configuration Attribute | |||
| Type; is set to TBA3 value listed in Section 6.1. | Type; is set to TBA3 value listed in Section 6.1. | |||
| * Length (2 octets, unsigned integer) - Length of the data in | * Length (2 octets, unsigned integer) - Length of the data in | |||
| octets. | octets. | |||
| * RESERVED (3 octets) - These bits are reserved for future use. | * RESERVED (3 octets) - These bits are reserved for future use. | |||
| These bits MUST be set to zero by the sender and MUST be ignored | These bits MUST be set to zero by the sender and MUST be ignored | |||
| by the receiver. | by the receiver. | |||
| * ADN Length (1 octet) - Indicates the length of the authentication- | * ADN Length (1 octet) - Indicates the length of the "Authentication | |||
| domain-name field in octets. When set to '0', this means that the | Domain Name" field in octets. When set to '0', this means that | |||
| digest applies on the ADN conveyed in the ENCDNS_IP* Configuration | the digest applies on the ADN conveyed in the ENCDNS_IP* | |||
| Payload Attribute(s). | Configuration Payload Attribute(s). | |||
| * Authentication Domain Name (variable) - A fully qualified domain | * Authentication Domain Name (variable) - A fully qualified domain | |||
| name of the encrypted DNS server following the syntax defined in | name of the encrypted DNS server following the syntax defined in | |||
| [RFC5890]. The name MUST NOT contain any terminators (e.g., NULL, | [RFC5890]. The name MUST NOT contain any terminators (e.g., NULL, | |||
| CR). A name is included only when multiple ADNs are included in | CR). A name is included only when multiple ADNs are included in | |||
| the ENCDNS_IP* Configuration Payload Attributes. | the ENCDNS_IP* Configuration Payload Attributes. | |||
| * Hash Algorithm Identifiers (variable) - In a request, this field | * Hash Algorithm Identifiers (variable) - In a request, this field | |||
| specifies a list of 16-bit hash algorithm identifiers that are | specifies a list of 16-bit hash algorithm identifiers that are | |||
| supported by the encrypted DNS client. In a response, this field | supported by the encrypted DNS client. In a response, this field | |||
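Review bot: The ADN Length and Authentication Domain Name bullets leave one case undefined: ADN Length '0' means the digest applies to "the ADN conveyed in the ENCDNS_IP* Configuration Payload Attribute(s)", and a name is included "only when multiple ADNs are included", yet nothing forbids a zero-length ADN when the reply carries ENCDNS_IP* attributes with different ADNs. Suggest stating that ADN Length MUST NOT be 0 in that case and what the initiator does if it is, since a digest bound to the wrong server name defeats the check. Minor: RESERVED is sized as "3 octets" but then described as "These bits".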
| skipping to change at page 7, line 15 ¶ | skipping to change at page 7, line 21 ¶ | |||
| The values of this field are taken from the Hash Algorithm | The values of this field are taken from the Hash Algorithm | |||
| Identifiers of IANA's "Internet Key Exchange Version 2 (IKEv2) | Identifiers of IANA's "Internet Key Exchange Version 2 (IKEv2) | |||
| Parameters" registry [Hash]. | Parameters" registry [Hash]. | |||
| There is no padding between the hash algorithm identifiers. | There is no padding between the hash algorithm identifiers. | |||
| Note that SHA2-256 is mandatory to implement. | Note that SHA2-256 is mandatory to implement. | |||
| * Certificate Digest (variable) - MUST only be present in a | * Certificate Digest (variable) - MUST only be present in a | |||
| response. This field includes the digest of the encrypted DNS | response. This field includes the digest of the encrypted DNS | |||
| server certificate using the algorthm identified in the 'Hash | server certificate using the algorithm identified in the 'Hash | |||
| Algorithm Identifiers' field. | Algorithm Identifiers' field. | |||
| 4. IKEv2 Protocol Exchange | 4. IKEv2 Protocol Exchange | |||
| This section describes how an initiator can be configured with an | This section describes how an initiator can be configured with an | |||
| encrypted DNS server (e.g., DoH, DoT) using IKEv2. | encrypted DNS server (e.g., DoH, DoT) using IKEv2. | |||
| Initiators indicate the support of an encrypted DNS in the | Initiators indicate the support of an encrypted DNS in the | |||
| CFG_REQUEST payloads by including one or two ENCDNS_IP* attributes, | CFG_REQUEST payloads by including one or two ENCDNS_IP* attributes, | |||
| while responders supply the encrypted DNS configuration in the | while responders supply the encrypted DNS configuration in the | |||
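Review bot: In the Certificate Digest bullet, "the digest of the encrypted DNS server certificate" does not say which bytes are hashed (for instance the DER encoding of the whole certificate or only its public key), and the spelling fix on this line leaves that open. Suggest naming the exact digest input so that initiator and responder compute the same value.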
| skipping to change at page 8, line 52 ¶ | skipping to change at page 9, line 13 ¶ | |||
| INTERNAL_IP4_DNS) attributes. | INTERNAL_IP4_DNS) attributes. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| This document adheres to the security considerations defined in | This document adheres to the security considerations defined in | |||
| [RFC7296]. In particular, this document does not alter the trust on | [RFC7296]. In particular, this document does not alter the trust on | |||
| the DNS configuration provided by a responder. | the DNS configuration provided by a responder. | |||
| Networks are susceptible to internal attacks as discussed in | Networks are susceptible to internal attacks as discussed in | |||
| Section 3.2 of [I-D.arkko-farrell-arch-model-t]. Hosting encrypted | Section 3.2 of [I-D.arkko-farrell-arch-model-t]. Hosting encrypted | |||
| DNS server even in case of split-VPN configuration minimizes the | DNS servers even in case of split-VPN configuration minimizes the | |||
| attack vector (e.g., a compromised network device cannot monitor/ | attack vector (e.g., a compromised network device cannot monitor/ | |||
| modify DNS traffic). This specification describes a mechanism to | modify DNS traffic). This specification describes a mechanism to | |||
| restrict access to the DNS messages to only the parties that need to | restrict access to the DNS messages to only the parties that need to | |||
| know. | know. | |||
| The initiator may trust the encrypted DNS servers supplied by means | The initiator may trust the encrypted DNS servers supplied by means | |||
| of IKEv2 from a trusted responder more than the locally provided DNS | of IKEv2 from a trusted responder more than the locally provided DNS | |||
| servers, especially in the case of connecting to unknown or untrusted | servers, especially in the case of connecting to unknown or untrusted | |||
| networks (e.g., coffee shops or hotel networks). | networks (e.g., coffee shops or hotel networks). | |||
| If IKEv2 responder has used NULL Authentication method [RFC7619] to | If the IKEv2 responder has used NULL Authentication method [RFC7619] | |||
| authenticate itself, the initiator MUST NOT use returned ENCDNS_IP* | to authenticate itself, the initiator MUST NOT use returned | |||
| servers configuration unless it is pre-configured in the OS or the | ENCDNS_IP* servers configuration unless it is pre-configured, e.g., | |||
| browser. | in the OS or the browser. | |||
| This specification does not extend the scope of accepting DNSSEC | This specification does not extend the scope of accepting DNSSEC | |||
| trust anchors beyond the usage guidelines defined in Section 6 of | trust anchors beyond the usage guidelines defined in Section 6 of | |||
| [RFC8598]. | [RFC8598]. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| 6.1. Configuration Payload Attribute Types | 6.1. Configuration Payload Attribute Types | |||
| This document requests IANA to assign the following new IKEv2 | This document requests IANA to assign the following new IKEv2 | |||
| Configuration Payload Attribute Types from the "IKEv2 Configuration | Configuration Payload Attribute Types from the "IKEv2 Configuration | |||
| Payload Attribute Types" namespace available at | Payload Attribute Types" namespace available at [IANA-IKE]. | |||
| https://www.iana.org/assignments/ikev2-parameters/ | ||||
| ikev2-parameters.xhtml#ikev2-parameters-21. | ||||
| Multi- | Multi- | |||
| Value Attribute Type Valued Length Reference | Value Attribute Type Valued Length Reference | |||
| ------ ------------------ ----- --------- --------- | ------ ------------------ ----- --------- --------- | |||
| TBA1 ENCDNS_IP4 YES 0 or more RFC XXXX | TBA1 ENCDNS_IP4 YES 0 or more RFC XXXX | |||
| TBA2 ENCDNS_IP6 YES 0 or more RFC XXXX | TBA2 ENCDNS_IP6 YES 0 or more RFC XXXX | |||
| TBA3 ENCDNS_ENCDNS_DIGEST_INFO YES 0 or more RFC XXXX | TBA3 ENCDNS_ENCDNS_DIGEST_INFO YES 0 or more RFC XXXX | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| Many thanks to Yoav Nir, Christian Jacquenet, Paul Wouters, and Tommy | Many thanks to Yoav Nir, Christian Jacquenet, Paul Wouters, and Tommy | |||
| Pauly for the review and comments. | Pauly for the review and comments. | |||
| Yoav and Paul suggested the use of one single attribute carrying both | Yoav and Paul suggested the use of one single attribute carrying both | |||
| the name and an IP address instead of depending on the existing | the name and an IP address instead of depending on the existing | |||
| INTERNAL_IP6_DNS and INTERNAL_IP4_DNS attributes. | INTERNAL_IP6_DNS and INTERNAL_IP4_DNS attributes. | |||
| Christian Huitema suggested to return a port number in the | ||||
| attributes. | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [Hash] "IKEv2 Hash Algorithms", | [Hash] "IKEv2 Hash Algorithms", | |||
| <https://www.iana.org/assignments/ikev2-parameters/ikev2- | <https://www.iana.org/assignments/ikev2-parameters/ikev2- | |||
| parameters.xhtml#hash-algorithms>. | parameters.xhtml#hash-algorithms>. | |||
| [I-D.ietf-add-svcb-dns] | ||||
| Schwartz, B., "Service Binding Mapping for DNS Servers", | ||||
| Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns- | ||||
| 03, 22 April 2022, <https://www.ietf.org/archive/id/draft- | ||||
| ietf-add-svcb-dns-03.txt>. | ||||
| [I-D.ietf-dnsop-svcb-https] | [I-D.ietf-dnsop-svcb-https] | |||
| Schwartz, B., Bishop, M., and E. Nygren, "Service binding | Schwartz, B., Bishop, M., and E. Nygren, "Service binding | |||
| and parameter specification via the DNS (DNS SVCB and | and parameter specification via the DNS (DNS SVCB and | |||
| HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- | HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- | |||
| dnsop-svcb-https-08, 12 October 2021, | dnsop-svcb-https-08, 12 October 2021, | |||
| <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb- | <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb- | |||
| https-08.txt>. | https-08.txt>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
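Review bot: In the Section 6.1 table the TBA3 row registers "ENCDNS_ENCDNS_DIGEST_INFO", while the Section 3.2 heading and the table of contents name the attribute "ENCDNS_DIGEST_INFO"; the doubled prefix is present in both -01 and -02 and should be corrected before IANA acts on the request. Separately, in the NULL Authentication paragraph of Section 5, the added "e.g.," widens "unless it is pre-configured" without saying what "it" refers to or what must match the local configuration (ADN, addresses, or both); suggest spelling that out.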
| skipping to change at page 11, line 8 ¶ | skipping to change at page 11, line 22 ¶ | |||
| [I-D.arkko-farrell-arch-model-t] | [I-D.arkko-farrell-arch-model-t] | |||
| Arkko, J. and S. Farrell, "Challenges and Changes in the | Arkko, J. and S. Farrell, "Challenges and Changes in the | |||
| Internet Threat Model", Work in Progress, Internet-Draft, | Internet Threat Model", Work in Progress, Internet-Draft, | |||
| draft-arkko-farrell-arch-model-t-04, 13 July 2020, | draft-arkko-farrell-arch-model-t-04, 13 July 2020, | |||
| <https://www.ietf.org/archive/id/draft-arkko-farrell-arch- | <https://www.ietf.org/archive/id/draft-arkko-farrell-arch- | |||
| model-t-04.txt>. | model-t-04.txt>. | |||
| [I-D.ietf-dprive-dnsoquic] | [I-D.ietf-dprive-dnsoquic] | |||
| Huitema, C., Dickinson, S., and A. Mankin, "DNS over | Huitema, C., Dickinson, S., and A. Mankin, "DNS over | |||
| Dedicated QUIC Connections", Work in Progress, Internet- | Dedicated QUIC Connections", Work in Progress, Internet- | |||
| Draft, draft-ietf-dprive-dnsoquic-11, 21 March 2022, | Draft, draft-ietf-dprive-dnsoquic-12, 20 April 2022, | |||
| <https://www.ietf.org/archive/id/draft-ietf-dprive- | <https://www.ietf.org/archive/id/draft-ietf-dprive- | |||
| dnsoquic-11.txt>. | dnsoquic-12.txt>. | |||
| [IANA-IKE] "IKEv2 Configuration Payload Attribute Types", | ||||
| <https://www.iana.org/assignments/ikev2-parameters/ | ||||
| ikev2-parameters.xhtml#ikev2-parameters-21>. | ||||
| [RFC7619] Smyslov, V. and P. Wouters, "The NULL Authentication | [RFC7619] Smyslov, V. and P. Wouters, "The NULL Authentication | |||
| Method in the Internet Key Exchange Protocol Version 2 | Method in the Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", RFC 7619, DOI 10.17487/RFC7619, August 2015, | (IKEv2)", RFC 7619, DOI 10.17487/RFC7619, August 2015, | |||
| <https://www.rfc-editor.org/info/rfc7619>. | <https://www.rfc-editor.org/info/rfc7619>. | |||
| [RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based | [RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based | |||
| Authentication of Named Entities (DANE) Protocol: Updates | Authentication of Named Entities (DANE) Protocol: Updates | |||
| and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671, | and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671, | |||
| October 2015, <https://www.rfc-editor.org/info/rfc7671>. | October 2015, <https://www.rfc-editor.org/info/rfc7671>. | |||
| End of changes. 20 change blocks. | ||||
| 37 lines changed or deleted | 54 lines changed or added | |||