| < draft-ietf-ipsecme-split-dns-02.txt | draft-ietf-ipsecme-split-dns-03.txt > | |||
|---|---|---|---|---|
| Network T. Pauly | Network T. Pauly | |||
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
| Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
| Expires: January 30, 2018 Red Hat | Expires: May 16, 2018 Red Hat | |||
| July 29, 2017 | November 12, 2017 | |||
| Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
| draft-ietf-ipsecme-split-dns-02 | draft-ietf-ipsecme-split-dns-03 | |||
| Abstract | Abstract | |||
| This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for | |||
| the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These | |||
| domains should be resolved using DNS servers reachable through an | domains should be resolved using DNS servers reachable through an | |||
| IPsec connection, while leaving all other DNS resolution unchanged. | IPsec connection, while leaving all other DNS resolution unchanged. | |||
| This approach of resolving a subset of domains using non-public DNS | This approach of resolving a subset of domains using non-public DNS | |||
| servers is referred to as "Split DNS". | servers is referred to as "Split DNS". | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 30, 2018. | This Internet-Draft will expire on May 16, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 4, line 8 ¶ | skipping to change at page 4, line 8 ¶ | |||
| IKEv2 tunnel, initiators indicate support for Split DNS in their | IKEv2 tunnel, initiators indicate support for Split DNS in their | |||
| CFG_REQUEST payloads, and responders assign internal domains (and | CFG_REQUEST payloads, and responders assign internal domains (and | |||
| DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS | DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS | |||
| has been negotiated, the existing DNS server configuration attributes | has been negotiated, the existing DNS server configuration attributes | |||
| will be interpreted as internal DNS servers that can resolve | will be interpreted as internal DNS servers that can resolve | |||
| hostnames within the internal domains. | hostnames within the internal domains. | |||
| 3.1. Configuration Request | 3.1. Configuration Request | |||
| To indicate support for Split DNS, an initiator includes one more | To indicate support for Split DNS, an initiator includes one more | |||
| more INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part | INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the | |||
| of the CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is | CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included | |||
| included in the CFG_REQUEST, the initiator SHOULD also include one or | in the CFG_REQUEST, the initiator SHOULD also include one or more | |||
| more INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the | INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REQUEST. | |||
| CFG_REQUEST. | ||||
| The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually | The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually | |||
| empty but MAY contain a suggested domain name. | empty but MAY contain a suggested domain name. | |||
| The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST | The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST | |||
| payload indicates that the initiator does not support or is unwilling | payload indicates that the initiator does not support or is unwilling | |||
| to accept Split DNS configuration. | to accept Split DNS configuration. | |||
| To indicate support for DNSSEC, an initiator includes one or more | To indicate support for DNSSEC, an initiator includes one or more | |||
| INTERNAL_DNS_TA attributes as defined in Section 4 as part of the | INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the | |||
| CFG_REQUEST payload. If an INTERNAL_DNS_TA attriute is included in | CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attriute is included | |||
| the CFG_REQUEST, the initiator SHOULD also include one or more | in the CFG_REQUEST, the initiator SHOULD also include one or more | |||
| INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. | INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. | |||
| An initiator MAY convey its current DNSSEC trust anchors for the | An initiator MAY convey its current DNSSEC trust anchors for the | |||
| domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does | domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does | |||
| not wish to convey this information, it MUST use a length of 0. | not wish to convey this information, it MUST use a length of 0. | |||
| The absence of INTERNAL_DNS_TA attributes in the CFG_REQUEST payload | The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST | |||
| indicates that the initiator does not support or is unwilling to | payload indicates that the initiator does not support or is unwilling | |||
| accept DNSSEC trust anchor configuration. | to accept DNSSEC trust anchor configuration. | |||
| 3.2. Configuration Reply | 3.2. Configuration Reply | |||
| Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in | Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in | |||
| their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is | their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is | |||
| included in the CFG_REPLY, the responder MUST also include one or | included in the CFG_REPLY, the responder MUST also include one or | |||
| both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the | both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the | |||
| CFG_REPLY. These DNS server configurations are necessary to define | CFG_REPLY. These DNS server configurations are necessary to define | |||
| which servers should receive queries for hostnames in internal | which servers should receive queries for hostnames in internal | |||
| domains. If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN | domains. If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN | |||
| skipping to change at page 6, line 8 ¶ | skipping to change at page 6, line 8 ¶ | |||
| CP(CFG_REPLY) = | CP(CFG_REPLY) = | |||
| INTERNAL_IP4_ADDRESS(198.51.100.234) | INTERNAL_IP4_ADDRESS(198.51.100.234) | |||
| INTERNAL_IP4_DNS(198.51.100.2) | INTERNAL_IP4_DNS(198.51.100.2) | |||
| INTERNAL_IP4_DNS(198.51.100.4) | INTERNAL_IP4_DNS(198.51.100.4) | |||
| INTERNAL_DNS_DOMAIN(example.com) | INTERNAL_DNS_DOMAIN(example.com) | |||
| INTERNAL_DNS_DOMAIN(city.other.com) | INTERNAL_DNS_DOMAIN(city.other.com) | |||
| 3.4.2. Requesting Domains and DNSSEC trust anchors | 3.4.2. Requesting Domains and DNSSEC trust anchors | |||
| In this example exchange, the initiator requests INTERNAL_IP4_DNS, | In this example exchange, the initiator requests INTERNAL_IP4_DNS, | |||
| INTERNAL_DNS_DOMAIN and INTERNAL_DNS_TA attributess in the | INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributess in the | |||
| CFG_REQUEST | CFG_REQUEST | |||
| Any subsequent DNS queries from the initiator for domains such as | Any subsequent DNS queries from the initiator for domains such as | |||
| "www.example.com" or "city.other.com" would be DNSSEC validated using | "www.example.com" or "city.other.com" would be DNSSEC validated using | |||
| the DNSSEC trust anchor received in the CFG_REPLY | the DNSSEC trust anchor received in the CFG_REPLY | |||
| In this example, the initiator has no existing DNSSEC trust anchors | In this example, the initiator has no existing DNSSEC trust anchors | |||
| would the requested domain. the "example.com" dommain has DNSSEC | would the requested domain. the "example.com" dommain has DNSSEC | |||
| trust anchors that are returned, while the "other.com" domain has no | trust anchors that are returned, while the "other.com" domain has no | |||
| DNSSEC trust anchors | DNSSEC trust anchors | |||
| CP(CFG_REQUEST) = | CP(CFG_REQUEST) = | |||
| INTERNAL_IP4_ADDRESS() | INTERNAL_IP4_ADDRESS() | |||
| INTERNAL_IP4_DNS() | INTERNAL_IP4_DNS() | |||
| INTERNAL_DNS_DOMAIN() | INTERNAL_DNS_DOMAIN() | |||
| INTERNAL_DNS_TA() | INTERNAL_DNSSEC_TA() | |||
| CP(CFG_REPLY) = | CP(CFG_REPLY) = | |||
| INTERNAL_IP4_ADDRESS(198.51.100.234) | INTERNAL_IP4_ADDRESS(198.51.100.234) | |||
| INTERNAL_IP4_DNS(198.51.100.2) | INTERNAL_IP4_DNS(198.51.100.2) | |||
| INTERNAL_IP4_DNS(198.51.100.4) | INTERNAL_IP4_DNS(198.51.100.4) | |||
| INTERNAL_DNS_DOMAIN(example.com) | INTERNAL_DNS_DOMAIN(example.com) | |||
| INTERNAL_DNS_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) | INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) | |||
| INTERNAL_DNS_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) | INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) | |||
| INTERNAL_DNS_DOMAIN(city.other.com) | INTERNAL_DNS_DOMAIN(city.other.com) | |||
| 4. Payload Formats | 4. Payload Formats | |||
| 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| |R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| skipping to change at page 7, line 10 ¶ | skipping to change at page 7, line 10 ¶ | |||
| o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
| o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. | o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. | |||
| o Length (2 octets, unsigned integer) - Length of domain name. | o Length (2 octets, unsigned integer) - Length of domain name. | |||
| o Domain Name (0 or more octets) - A Fully Qualified Domain Name | o Domain Name (0 or more octets) - A Fully Qualified Domain Name | |||
| used for Split DNS rules, such as example.com, in DNS presentation | used for Split DNS rules, such as example.com, in DNS presentation | |||
| format and optionally using IDNA [RFC5890] for Internationalized | format and optionally using IDNA [RFC5890] for Internationalized | |||
| Domain Names. The value is NOT null-terminated. | Domain Names. Implementors need to be careful that this value is | |||
| not null-terminated. | ||||
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| |R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
| +-+-----------------------------+---------------+---------------+ | +-+-----------------------------+---------------+---------------+ | |||
| | Key Tag | Algorithm | Digest Type | | | Key Tag | Algorithm | Digest Type | | |||
| +-------------------------------+---------------+---------------+ | +-------------------------------+---------------+---------------+ | |||
| skipping to change at page 7, line 36 ¶ | skipping to change at page 7, line 37 ¶ | |||
| o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
| o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. | o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. | |||
| o Length (2 octets, unsigned integer) - Length of DNSSEC Trust | o Length (2 octets, unsigned integer) - Length of DNSSEC Trust | |||
| Anchor data. | Anchor data. | |||
| o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as | o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as | |||
| specified in [RFC4034] Section 5.1 | specified in [RFC4034] Section 5.1 | |||
| o DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security | o Algorithm (0 or 1 octet) - DNSKEY algorithm value from the IANA | |||
| Algorithm Numbers Registry | DNS Security Algorithm Numbers Registry | |||
| o DS algorithm (0 or 1 octet) - Value from the IANA Delegation | o DS algorithm (0 or 1 octet) - DS algorithm value from the IANA | |||
| Signer (DS) Resource Record (RR) Type Digest Algorithms Registry | Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms | |||
| Registry | ||||
| o Digest (0 or more octets) - The digest as specified in [RFC4034] | o Digest (0 or more octets) - The DNSKEY digest as specified in | |||
| Section 5.1 in presentation format. | [RFC4034] Section 5.1 in presentation format. | |||
| 5. Split DNS Usage Guidelines | 5. Split DNS Usage Guidelines | |||
| If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | |||
| the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | |||
| servers as the default DNS server(s) for all queries. | servers as the default DNS server(s) for all queries. | |||
| If a client is configured by local policy to only accept a limited | If a client is configured by local policy to only accept a limited | |||
| number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | |||
| other INTERNAL_DNS_DOMAIN values. | other INTERNAL_DNS_DOMAIN values. | |||
| skipping to change at page 9, line 23 ¶ | skipping to change at page 9, line 23 ¶ | |||
| initiator MUST ignore Split DNS configurations assigned by the | initiator MUST ignore Split DNS configurations assigned by the | |||
| responder. | responder. | |||
| If a host connected to an authenticated IKE peer is connecting to | If a host connected to an authenticated IKE peer is connecting to | |||
| another IKE peer that attempts to claim the same domain via the | another IKE peer that attempts to claim the same domain via the | |||
| INTERNAL_DNS_DOMAIN attribute, the IKE connection should only process | INTERNAL_DNS_DOMAIN attribute, the IKE connection should only process | |||
| the DNS information if the two connections are part of the same | the DNS information if the two connections are part of the same | |||
| logical entity. Otherwise, the client should refuse the DNS | logical entity. Otherwise, the client should refuse the DNS | |||
| information and potentially warn the enduser. | information and potentially warn the enduser. | |||
| INTERNAL_DNSSEC_TA directives MUST immediately follow an | INTERNAL_DNSSEC_TA payloads MUST immediately follow an | |||
| INTERNAL_DNS_DOMAIN directive. As the INTERNAL_DNSSEC_TA format | INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself | |||
| itself does not contain the domain name, it relies on the preceding | does not contain the domain name, it relies on the preceding | |||
| INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the | INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the | |||
| trust anchor. | trust anchor. | |||
| If the initiator is using DNSSEC validation for a domain in its | If the initiator is using DNSSEC validation for a domain in its | |||
| public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN | public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN | |||
| attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure | attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure | |||
| its DNS resolver to allow for an insecure delegation. It SHOULD NOT | its DNS resolver to allow for an insecure delegation. It SHOULD NOT | |||
| accept insecure delegations for domains that are DNSSEC signed in the | accept insecure delegations for domains that are DNSSEC signed in the | |||
| public DNS view, for which it has not explicitely requested such | public DNS view, for which it has not explicitely requested such | |||
| deletation by specifying the domain specifically using a | deletation by specifying the domain specifically using a | |||
| skipping to change at page 10, line 26 ¶ | skipping to change at page 10, line 26 ¶ | |||
| Figure 1 | Figure 1 | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., | [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., | |||
| and E. Lear, "Address Allocation for Private Internets", | and E. Lear, "Address Allocation for Private Internets", | |||
| BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, | BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, | |||
| <http://www.rfc-editor.org/info/rfc1918>. | <https://www.rfc-editor.org/info/rfc1918>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| <http://www.rfc-editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security Extensions", | Rose, "Resource Records for the DNS Security Extensions", | |||
| RFC 4034, DOI 10.17487/RFC4034, March 2005, | RFC 4034, DOI 10.17487/RFC4034, March 2005, | |||
| <http://www.rfc-editor.org/info/rfc4034>. | <https://www.rfc-editor.org/info/rfc4034>. | |||
| [RFC5890] Klensin, J., "Internationalized Domain Names for | [RFC5890] Klensin, J., "Internationalized Domain Names for | |||
| Applications (IDNA): Definitions and Document Framework", | Applications (IDNA): Definitions and Document Framework", | |||
| RFC 5890, DOI 10.17487/RFC5890, August 2010, | RFC 5890, DOI 10.17487/RFC5890, August 2010, | |||
| <http://www.rfc-editor.org/info/rfc5890>. | <https://www.rfc-editor.org/info/rfc5890>. | |||
| [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| 2014, <http://www.rfc-editor.org/info/rfc7296>. | 2014, <https://www.rfc-editor.org/info/rfc7296>. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, | [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, | |||
| DOI 10.17487/RFC2775, February 2000, | DOI 10.17487/RFC2775, February 2000, <https://www.rfc- | |||
| <http://www.rfc-editor.org/info/rfc2775>. | editor.org/info/rfc2775>. | |||
| [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", | [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", | |||
| RFC 6761, DOI 10.17487/RFC6761, February 2013, | RFC 6761, DOI 10.17487/RFC6761, February 2013, | |||
| <http://www.rfc-editor.org/info/rfc6761>. | <https://www.rfc-editor.org/info/rfc6761>. | |||
| [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection | [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection | |||
| Most of the Time", RFC 7435, DOI 10.17487/RFC7435, | Most of the Time", RFC 7435, DOI 10.17487/RFC7435, | |||
| December 2014, <http://www.rfc-editor.org/info/rfc7435>. | December 2014, <https://www.rfc-editor.org/info/rfc7435>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Tommy Pauly | Tommy Pauly | |||
| Apple Inc. | Apple Inc. | |||
| 1 Infinite Loop | 1 Infinite Loop | |||
| Cupertino, California 95014 | Cupertino, California 95014 | |||
| US | US | |||
| Email: tpauly@apple.com | Email: tpauly@apple.com | |||
| End of changes. 22 change blocks. | ||||
| 49 lines changed or deleted | 50 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||