< draft-ietf-ipsecme-add-ike-01.txt   draft-ietf-ipsecme-add-ike-02.txt >
ipsecme M. Boucadair ipsecme M. Boucadair
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track T. Reddy Intended status: Standards Track T. Reddy
Expires: 23 September 2022 Akamai Expires: 28 October 2022 Akamai
D. Wing D. Wing
Citrix Citrix
V. Smyslov V. Smyslov
ELVIS-PLUS ELVIS-PLUS
22 March 2022 26 April 2022
Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for Internet Key Exchange Protocol Version 2 (IKEv2) Configuration for
Encrypted DNS Encrypted DNS
draft-ietf-ipsecme-add-ike-01 draft-ietf-ipsecme-add-ike-02
Abstract Abstract
This document specifies new Internet Key Exchange Protocol Version 2 This document specifies new Internet Key Exchange Protocol Version 2
(IKEv2) Configuration Payload Attribute Types for encrypted DNS (IKEv2) Configuration Payload Attribute Types for encrypted DNS
protocols such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS- protocols such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-
over-QUIC (DoQ). over-QUIC (DoQ).
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 23 September 2022. This Internet-Draft will expire on 28 October 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 16 skipping to change at page 2, line 16
described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. IKEv2 Configuration Payload Attribute Types for Encrypted 3. IKEv2 Configuration Payload Attribute Types for Encrypted
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. ENCDNS_IP* Configuration Payload Attributes . . . . . . . 3 3.1. ENCDNS_IP* Configuration Payload Attributes . . . . . . . 3
3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute . . . 5 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute . . . 6
4. IKEv2 Protocol Exchange . . . . . . . . . . . . . . . . . . . 7 4. IKEv2 Protocol Exchange . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6.1. Configuration Payload Attribute Types . . . . . . . . . . 9 6.1. Configuration Payload Attribute Types . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Sample Deployment Scenarios . . . . . . . . . . . . 11 Appendix A. Sample Deployment Scenarios . . . . . . . . . . . . 12
A.1. Roaming Enterprise Users . . . . . . . . . . . . . . . . 11 A.1. Roaming Enterprise Users . . . . . . . . . . . . . . . . 12
A.2. VPN Service Provider . . . . . . . . . . . . . . . . . . 12 A.2. VPN Service Provider . . . . . . . . . . . . . . . . . . 12
A.3. DNS Offload . . . . . . . . . . . . . . . . . . . . . . . 12 A.3. DNS Offload . . . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
This document specifies encrypted DNS configuration for an Internet This document specifies encrypted DNS configuration for an Internet
Key Exchange Protocol Version 2 (IKEv2) [RFC7296] initiator, Key Exchange Protocol Version 2 (IKEv2) [RFC7296] initiator,
particularly the Authentication Domain Name (ADN) of DNS servers that particularly the Authentication Domain Name (ADN) of DNS servers that
support encrypted DNS protocols such as DNS-over-HTTPS (DoH) support encrypted DNS protocols such as DNS-over-HTTPS (DoH)
[RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ) [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ)
[I-D.ietf-dprive-dnsoquic]. [I-D.ietf-dprive-dnsoquic].
This document introduces new IKEv2 Configuration Payload Attribute This document introduces new IKEv2 Configuration Payload Attribute
Types (Section 3) for the support of encrypted DNS servers. These Types (Section 3) for the support of encrypted DNS servers. These
attributes can be used to provision ADNs, a list of IP addresses, and attributes can be used to provision ADNs, a list of IP addresses, and
a set of service parameters. a set of service parameters.
Sample use cases are discussed in Appendix A. The Configuration Sample use cases are described in Appendix A. The Configuration
Payload Attribute Types defined in this document are not specific to Payload Attribute Types defined in this document are not specific to
these deployments, but can also be used in other deployment contexts. these deployments, but can also be used in other deployment contexts.
It is out of the scope of this document to provide a comprehensive It is out of the scope of this document to provide a comprehensive
list of deployment contexts. list of deployment contexts.
The encrypted DNS server hosted by a VPN provider can get a domain- The encrypted DNS server hosted by a VPN provider can get a domain-
validate certificate from a public Certificate Authority (CA). The validate certificate from a public Certificate Authority (CA). The
VPN client does not need to be provisioned with the root certificate VPN client does not need to be provisioned with the root certificate
of a private CA to authenticate the certificate of the encrypted DNS of a private CA to authenticate the certificate of the encrypted DNS
server. The encrypted DNS server can run on private IP addresses and server. The encrypted DNS server can run on private IP addresses and
skipping to change at page 5, line 15 skipping to change at page 5, line 15
AliasMode (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) is not AliasMode (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) is not
supported because such a mode will trigger additional Do53 queries supported because such a mode will trigger additional Do53 queries
while the data can be supplied directly in the IKE response. As while the data can be supplied directly in the IKE response. As
such, this field MUST NOT be set to 0. such, this field MUST NOT be set to 0.
* Num Addresses (1 octet) - Indicates the number of enclosed IPv4 * Num Addresses (1 octet) - Indicates the number of enclosed IPv4
(for ENCDNS_IP4 attribute type) or IPv6 (for ENCDNS_IP6 attribute (for ENCDNS_IP4 attribute type) or IPv6 (for ENCDNS_IP6 attribute
type) addresses. It MUST NOT be set to 0 if the Configuration type) addresses. It MUST NOT be set to 0 if the Configuration
payload has types CFG_REPLY or CFG_SET. payload has types CFG_REPLY or CFG_SET.
* ADN Length (1 octet) - Indicates the length of the authentication- * ADN Length (1 octet) - Indicates the length of the "Authentication
domain-name field in octets. Domain Name" field in octets.
* IP Address(es) (variable) - One or more IPv4 or IPv6 addresses to * IP Address(es) (variable) - One or more IPv4 or IPv6 addresses to
be used to reach the encrypted DNS server that is identified by be used to reach the encrypted DNS server that is identified by
the name in the Authentication Domain Name. the name in the Authentication Domain Name.
* Authentication Domain Name (variable) - A fully qualified domain * Authentication Domain Name (variable) - A fully qualified domain
name of the encrypted DNS server following the syntax defined in name of the encrypted DNS server following the syntax defined in
[RFC5890]. The name MUST NOT contain any terminators (e.g., NULL, [RFC5890]. The name MUST NOT contain any terminators (e.g., NULL,
CR). CR).
An example of a valid ADN for DoH server is "doh1.example.com". An example of a valid ADN for DoH server is "doh1.example.com".
* Service Parameters (SvcParams) (variable) - Specifies a set of * Service Parameters (SvcParams) (variable) - Specifies a set of
service parameters that are encoded following the rules in service parameters that are encoded following the rules in
Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters Section 2.1 of [I-D.ietf-dnsop-svcb-https]. The following service
may include, for example, a list of ALPN protocol identifiers or parameters are RECOMMENDED to be supported by an implementation:
alternate port numbers. The service parameters MUST NOT include
"ipv4hint" or "ipv6hint" SvcParams as they are superseded by the alpn: Used to indicate the set of supported protocols
included IP addresses. (Section 7.1 of [I-D.ietf-dnsop-svcb-https]).
port: Used to indicate the target port number for the encrypted
DNS connection (Section 7.2 of [I-D.ietf-dnsop-svcb-https]).
ech: Used to enable Encrypted ClientHello (ECH) (Section 7.3 of
[I-D.ietf-dnsop-svcb-https]).
dohpath: Used to supply a relative DoH URI Template (Section 5.1
of [I-D.ietf-add-svcb-dns]).
The service parameters MUST NOT include "ipv4hint" or "ipv6hint"
SvcParams as they are superseded by the included IP addresses.
If no port service parameter is included, this indicates that If no port service parameter is included, this indicates that
default port numbers should be used. As a reminder, the default default port numbers should be used. As a reminder, the default
port number is 853 for DoT, 443 for DoH, and 853 for DoQ. port number is 853 for DoT, 443 for DoH, and 853 for DoQ.
The service parameters apply to all IP addresses in the ENCDNS_IP* The service parameters apply to all IP addresses in the ENCDNS_IP*
Configuration Payload Attribute. Configuration Payload Attribute.
3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute 3.2. ENCDNS_DIGEST_INFO Configuration Payload Attribute
skipping to change at page 6, line 34 skipping to change at page 6, line 42
* Attribute Type (15 bits) - Identifier for Configuration Attribute * Attribute Type (15 bits) - Identifier for Configuration Attribute
Type; is set to TBA3 value listed in Section 6.1. Type; is set to TBA3 value listed in Section 6.1.
* Length (2 octets, unsigned integer) - Length of the data in * Length (2 octets, unsigned integer) - Length of the data in
octets. octets.
* RESERVED (3 octets) - These bits are reserved for future use. * RESERVED (3 octets) - These bits are reserved for future use.
These bits MUST be set to zero by the sender and MUST be ignored These bits MUST be set to zero by the sender and MUST be ignored
by the receiver. by the receiver.
* ADN Length (1 octet) - Indicates the length of the authentication- * ADN Length (1 octet) - Indicates the length of the "Authentication
domain-name field in octets. When set to '0', this means that the Domain Name" field in octets. When set to '0', this means that
digest applies on the ADN conveyed in the ENCDNS_IP* Configuration the digest applies on the ADN conveyed in the ENCDNS_IP*
Payload Attribute(s). Configuration Payload Attribute(s).
* Authentication Domain Name (variable) - A fully qualified domain * Authentication Domain Name (variable) - A fully qualified domain
name of the encrypted DNS server following the syntax defined in name of the encrypted DNS server following the syntax defined in
[RFC5890]. The name MUST NOT contain any terminators (e.g., NULL, [RFC5890]. The name MUST NOT contain any terminators (e.g., NULL,
CR). A name is included only when multiple ADNs are included in CR). A name is included only when multiple ADNs are included in
the ENCDNS_IP* Configuration Payload Attributes. the ENCDNS_IP* Configuration Payload Attributes.
* Hash Algorithm Identifiers (variable) - In a request, this field * Hash Algorithm Identifiers (variable) - In a request, this field
specifies a list of 16-bit hash algorithm identifiers that are specifies a list of 16-bit hash algorithm identifiers that are
supported by the encrypted DNS client. In a response, this field supported by the encrypted DNS client. In a response, this field
skipping to change at page 7, line 15 skipping to change at page 7, line 21
The values of this field are taken from the Hash Algorithm The values of this field are taken from the Hash Algorithm
Identifiers of IANA's "Internet Key Exchange Version 2 (IKEv2) Identifiers of IANA's "Internet Key Exchange Version 2 (IKEv2)
Parameters" registry [Hash]. Parameters" registry [Hash].
There is no padding between the hash algorithm identifiers. There is no padding between the hash algorithm identifiers.
Note that SHA2-256 is mandatory to implement. Note that SHA2-256 is mandatory to implement.
* Certificate Digest (variable) - MUST only be present in a * Certificate Digest (variable) - MUST only be present in a
response. This field includes the digest of the encrypted DNS response. This field includes the digest of the encrypted DNS
server certificate using the algorthm identified in the 'Hash server certificate using the algorithm identified in the 'Hash
Algorithm Identifiers' field. Algorithm Identifiers' field.
4. IKEv2 Protocol Exchange 4. IKEv2 Protocol Exchange
This section describes how an initiator can be configured with an This section describes how an initiator can be configured with an
encrypted DNS server (e.g., DoH, DoT) using IKEv2. encrypted DNS server (e.g., DoH, DoT) using IKEv2.
Initiators indicate the support of an encrypted DNS in the Initiators indicate the support of an encrypted DNS in the
CFG_REQUEST payloads by including one or two ENCDNS_IP* attributes, CFG_REQUEST payloads by including one or two ENCDNS_IP* attributes,
while responders supply the encrypted DNS configuration in the while responders supply the encrypted DNS configuration in the
skipping to change at page 8, line 52 skipping to change at page 9, line 13
INTERNAL_IP4_DNS) attributes. INTERNAL_IP4_DNS) attributes.
5. Security Considerations 5. Security Considerations
This document adheres to the security considerations defined in This document adheres to the security considerations defined in
[RFC7296]. In particular, this document does not alter the trust on [RFC7296]. In particular, this document does not alter the trust on
the DNS configuration provided by a responder. the DNS configuration provided by a responder.
Networks are susceptible to internal attacks as discussed in Networks are susceptible to internal attacks as discussed in
Section 3.2 of [I-D.arkko-farrell-arch-model-t]. Hosting encrypted Section 3.2 of [I-D.arkko-farrell-arch-model-t]. Hosting encrypted
DNS server even in case of split-VPN configuration minimizes the DNS servers even in case of split-VPN configuration minimizes the
attack vector (e.g., a compromised network device cannot monitor/ attack vector (e.g., a compromised network device cannot monitor/
modify DNS traffic). This specification describes a mechanism to modify DNS traffic). This specification describes a mechanism to
restrict access to the DNS messages to only the parties that need to restrict access to the DNS messages to only the parties that need to
know. know.
The initiator may trust the encrypted DNS servers supplied by means The initiator may trust the encrypted DNS servers supplied by means
of IKEv2 from a trusted responder more than the locally provided DNS of IKEv2 from a trusted responder more than the locally provided DNS
servers, especially in the case of connecting to unknown or untrusted servers, especially in the case of connecting to unknown or untrusted
networks (e.g., coffee shops or hotel networks). networks (e.g., coffee shops or hotel networks).
If IKEv2 responder has used NULL Authentication method [RFC7619] to If the IKEv2 responder has used NULL Authentication method [RFC7619]
authenticate itself, the initiator MUST NOT use returned ENCDNS_IP* to authenticate itself, the initiator MUST NOT use returned
servers configuration unless it is pre-configured in the OS or the ENCDNS_IP* servers configuration unless it is pre-configured, e.g.,
browser. in the OS or the browser.
This specification does not extend the scope of accepting DNSSEC This specification does not extend the scope of accepting DNSSEC
trust anchors beyond the usage guidelines defined in Section 6 of trust anchors beyond the usage guidelines defined in Section 6 of
[RFC8598]. [RFC8598].
6. IANA Considerations 6. IANA Considerations
6.1. Configuration Payload Attribute Types 6.1. Configuration Payload Attribute Types
This document requests IANA to assign the following new IKEv2 This document requests IANA to assign the following new IKEv2
Configuration Payload Attribute Types from the "IKEv2 Configuration Configuration Payload Attribute Types from the "IKEv2 Configuration
Payload Attribute Types" namespace available at Payload Attribute Types" namespace available at [IANA-IKE].
https://www.iana.org/assignments/ikev2-parameters/
ikev2-parameters.xhtml#ikev2-parameters-21.
Multi- Multi-
Value Attribute Type Valued Length Reference Value Attribute Type Valued Length Reference
------ ------------------ ----- --------- --------- ------ ------------------ ----- --------- ---------
TBA1 ENCDNS_IP4 YES 0 or more RFC XXXX TBA1 ENCDNS_IP4 YES 0 or more RFC XXXX
TBA2 ENCDNS_IP6 YES 0 or more RFC XXXX TBA2 ENCDNS_IP6 YES 0 or more RFC XXXX
TBA3 ENCDNS_ENCDNS_DIGEST_INFO YES 0 or more RFC XXXX TBA3 ENCDNS_ENCDNS_DIGEST_INFO YES 0 or more RFC XXXX
7. Acknowledgements 7. Acknowledgements
Many thanks to Yoav Nir, Christian Jacquenet, Paul Wouters, and Tommy Many thanks to Yoav Nir, Christian Jacquenet, Paul Wouters, and Tommy
Pauly for the review and comments. Pauly for the review and comments.
Yoav and Paul suggested the use of one single attribute carrying both Yoav and Paul suggested the use of one single attribute carrying both
the name and an IP address instead of depending on the existing the name and an IP address instead of depending on the existing
INTERNAL_IP6_DNS and INTERNAL_IP4_DNS attributes. INTERNAL_IP6_DNS and INTERNAL_IP4_DNS attributes.
Christian Huitema suggested to return a port number in the
attributes.
8. References 8. References
8.1. Normative References 8.1. Normative References
[Hash] "IKEv2 Hash Algorithms", [Hash] "IKEv2 Hash Algorithms",
<https://www.iana.org/assignments/ikev2-parameters/ikev2- <https://www.iana.org/assignments/ikev2-parameters/ikev2-
parameters.xhtml#hash-algorithms>. parameters.xhtml#hash-algorithms>.
[I-D.ietf-add-svcb-dns]
Schwartz, B., "Service Binding Mapping for DNS Servers",
Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns-
03, 22 April 2022, <https://www.ietf.org/archive/id/draft-
ietf-add-svcb-dns-03.txt>.
[I-D.ietf-dnsop-svcb-https] [I-D.ietf-dnsop-svcb-https]
Schwartz, B., Bishop, M., and E. Nygren, "Service binding Schwartz, B., Bishop, M., and E. Nygren, "Service binding
and parameter specification via the DNS (DNS SVCB and and parameter specification via the DNS (DNS SVCB and
HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
dnsop-svcb-https-08, 12 October 2021, dnsop-svcb-https-08, 12 October 2021,
<https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb- <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-
https-08.txt>. https-08.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
skipping to change at page 11, line 8 skipping to change at page 11, line 22
[I-D.arkko-farrell-arch-model-t] [I-D.arkko-farrell-arch-model-t]
Arkko, J. and S. Farrell, "Challenges and Changes in the Arkko, J. and S. Farrell, "Challenges and Changes in the
Internet Threat Model", Work in Progress, Internet-Draft, Internet Threat Model", Work in Progress, Internet-Draft,
draft-arkko-farrell-arch-model-t-04, 13 July 2020, draft-arkko-farrell-arch-model-t-04, 13 July 2020,
<https://www.ietf.org/archive/id/draft-arkko-farrell-arch- <https://www.ietf.org/archive/id/draft-arkko-farrell-arch-
model-t-04.txt>. model-t-04.txt>.
[I-D.ietf-dprive-dnsoquic] [I-D.ietf-dprive-dnsoquic]
Huitema, C., Dickinson, S., and A. Mankin, "DNS over Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", Work in Progress, Internet- Dedicated QUIC Connections", Work in Progress, Internet-
Draft, draft-ietf-dprive-dnsoquic-11, 21 March 2022, Draft, draft-ietf-dprive-dnsoquic-12, 20 April 2022,
<https://www.ietf.org/archive/id/draft-ietf-dprive- <https://www.ietf.org/archive/id/draft-ietf-dprive-
dnsoquic-11.txt>. dnsoquic-12.txt>.
[IANA-IKE] "IKEv2 Configuration Payload Attribute Types",
<https://www.iana.org/assignments/ikev2-parameters/
ikev2-parameters.xhtml#ikev2-parameters-21>.
[RFC7619] Smyslov, V. and P. Wouters, "The NULL Authentication [RFC7619] Smyslov, V. and P. Wouters, "The NULL Authentication
Method in the Internet Key Exchange Protocol Version 2 Method in the Internet Key Exchange Protocol Version 2
(IKEv2)", RFC 7619, DOI 10.17487/RFC7619, August 2015, (IKEv2)", RFC 7619, DOI 10.17487/RFC7619, August 2015,
<https://www.rfc-editor.org/info/rfc7619>. <https://www.rfc-editor.org/info/rfc7619>.
[RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based [RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based
Authentication of Named Entities (DANE) Protocol: Updates Authentication of Named Entities (DANE) Protocol: Updates
and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671, and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671,
October 2015, <https://www.rfc-editor.org/info/rfc7671>. October 2015, <https://www.rfc-editor.org/info/rfc7671>.
 End of changes. 20 change blocks. 
37 lines changed or deleted 54 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/