| < draft-weiler-dnsext-dnssec-online-signing-00.txt | draft-weiler-dnsext-dnssec-online-signing-01.txt > | |||
|---|---|---|---|---|
| Internet-Draft S. Weiler | ||||
| SPARTA, Inc. | ||||
| J. Ihren | ||||
| Autonomica | ||||
| 30 October 2004 | ||||
| Minimally Covering NSEC Records and DNSSEC On-line Signing | Network Working Group J. Ihren | |||
| draft-weiler-dnsext-dnssec-online-signing-00.txt | Internet-Draft Autonomica AB | |||
| Updates: [-records] (if approved) S. Weiler | ||||
| Expires: August 24, 2005 SPARTA, Inc | ||||
| February 20, 2005 | ||||
| Minimally Covering NSEC Records and DNSSEC On-line Signing | ||||
| draft-weiler-dnsext-dnssec-online-signing-01 | ||||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is subject to all provisions | This document is an Internet-Draft and is subject to all provisions | |||
| of section 3 of RFC 3667. By submitting this Internet-Draft, each | of Section 3 of RFC 3667. By submitting this Internet-Draft, each | |||
| author represents that any applicable patent or other IPR claims of | author represents that any applicable patent or other IPR claims of | |||
| which he or she is aware have been or will be disclosed, and any of | which he or she is aware have been or will be disclosed, and any of | |||
| which he or she become aware will be disclosed, in accordance with | which he or she become aware will be disclosed, in accordance with | |||
| RFC 3668. | RFC 3668. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as | other groups may also distribute working documents as | |||
| Internet-Drafts. | Internet-Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six | Internet-Drafts are draft documents valid for a maximum of six months | |||
| months and may be updated, replaced, or obsoleted by other | and may be updated, replaced, or obsoleted by other documents at any | |||
| documents at any time. It is inappropriate to use Internet-Drafts | time. It is inappropriate to use Internet-Drafts as reference | |||
| as reference material or to cite them other than as "work in | material or to cite them other than as "work in progress." | |||
| progress." | ||||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on 30 April 2005. | This Internet-Draft will expire on August 24, 2005. | |||
| Copyright Notice | ||||
| Copyright (C) The Internet Society (2005). | ||||
| Abstract | Abstract | |||
| This document describes how to construct DNSSEC NSEC resource | This document describes how to construct DNSSEC NSEC resource records | |||
| records that cover a smaller range of names than called for by | that cover a smaller range of names than called for by [-records]. | |||
| [-records]. By generating and signing these records on demand, | By generating and signing these records on demand, authoritative name | |||
| authoritative name servers can effectively stop the disclosure of | servers can effectively stop the disclosure of zone contents | |||
| zone contents otherwise made possible by walking the chain of NSEC | otherwise made possible by walking the chain of NSEC records in a | |||
| records in a signed zone. | signed zone. | |||
| Introduction and Terminology | Changes -00 to -01 | |||
| With DNSSEC [-records], an NSEC record lists the next instantiated | Clarified that this updates -records by relaxing requirements on the | |||
| name in its zone, proving that no names exist in the "span" between | next name field. | |||
| the NSEC's owner name and the name in the "next name" field. In | ||||
| this document, an NSEC record is said to "cover" the names between | ||||
| its owner name and next name. | ||||
| Through repeated queries that return NSEC records, it is possible | Added examples covering wildcard names. | |||
| to retrieve all of the names in the zone, a process commonly called | ||||
| "walking" the zone. Some zones have policies forbidding zone | ||||
| transfers by arbitrary clients; this side-effect of the NSEC | ||||
| architecture subverts those policies. | ||||
| This document presents a way to prevent zone walking by | In the 'better functions' section, reiterated that perfect functions | |||
| constructing NSEC records that cover fewer names. These records | aren't needed. | |||
| can make zone walking take approximately as many queries as simply | ||||
| asking for all possible names in a zone, making zone walking | ||||
| impractical. Some of these records must be created and signed on | ||||
| demand, which requires on-line private keys. Anyone contemplating | ||||
| use of this technique is strongly encouraged to review the | ||||
| discussion of the risks of on-line signing in section [Security | ||||
| Considerations]. | ||||
| The technique presented here may be useful to a zone that wants to | Added a reference to 2119. | |||
| use DNSSEC, is concerned about exposure of its zone contents via | ||||
| zone walking, and is willing to bear the costs of on-line signing. | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | 1. Introduction and Terminology | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in | ||||
| this document are to be interpreted as described in RFC 2119. | ||||
| [RFC2119]. | ||||
| Minimally Covering NSEC Records | With DNSSEC [1], an NSEC record lists the next instantiated name in | |||
| its zone, proving that no names exist in the "span" between the | ||||
| NSEC's owner name and the name in the "next name" field. In this | ||||
| document, an NSEC record is said to "cover" the names between its | ||||
| owner name and next name. | ||||
| This mechanism involves both changes to NSEC records for | Through repeated queries that return NSEC records, it is possible to | |||
| instantiated names, which can still be generated and signed in | retrieve all of the names in the zone, a process commonly called | |||
| advance, as well as the on-demand generation and signing of new | "walking" the zone. Some zone owners have policies forbidding zone | |||
| NSEC records whenever a name must be proven not to exist. | transfers by arbitrary clients; this side-effect of the NSEC | |||
| architecture subverts those policies. | ||||
| In the 'next name' field of instantiated names' NSEC records, | This document presents a way to prevent zone walking by constructing | |||
| rather than list the next instantiated name in the zone, list any | NSEC records that cover fewer names. These records can make zone | |||
| name that falls lexically after the NSEC's owner name and before | walking take approximately as many queries as simply asking for all | |||
| the next instantiated name in the zone, according to the ordering | possible names in a zone, making zone walking impractical. Some of | |||
| function in [-records] section 6.2. These NSEC records are | these records must be created and signed on demand, which requires | |||
| returned whenever proving something specifically about the owner | on-line private keys. Anyone contemplating use of this technique is | |||
| name (e.g. that no resource records of a given type appear at that | strongly encouraged to review the discussion of the risks of on-line | |||
| name). | signing in Section 5. | |||
| Whenever an NSEC record is needed to prove the non-existence of a | The technique presented here may be useful to a zone owner that wants | |||
| name, a new NSEC record is produced and signed. The new NSEC | to use DNSSEC, is concerned about exposure of its zone contents via | |||
| record has an owner name lexically before the QNAME but lexically | zone walking, and is willing to bear the costs of on-line signing. | |||
| following any existing name and a "next name" lexically following | ||||
| the QNAME but before any existing name. | ||||
| The functions to generate the lexically following and proceeding | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| names need not be perfect nor consistent, but the generated NSEC | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| records must not cover any existing names. Furthermore, this | document are to be interpreted as described in RFC 2119 [4]. | |||
| technique works better when the generated NSEC records cover very | ||||
| little of the zone's namespace. | ||||
| For example, a query for the non-instantiated name example.com | 2. Minimally Covering NSEC Records | |||
| might produce the following NSEC record: | ||||
| exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC ) | This mechanism involves changes to NSEC records for instantiated | |||
| names, which can still be generated and signed in advance, as well as | ||||
| the on-demand generation and signing of new NSEC records whenever a | ||||
| name must be proven not to exist. | ||||
| Before answering a query with this record, an authoritative server | In the 'next name' field of instantiated names' NSEC records, rather | |||
| must test for the existence of names between these endpoints. If | than list the next instantiated name in the zone, list any name that | |||
| the generated NSEC would cover existing names (e.g. exampldd.com), | falls lexically after the NSEC's owner name and before the next | |||
| a better increment or decrement function may be used or the covered | instantiated name in the zone, according to the ordering function in | |||
| name closest to the QNAME could be used as the NSEC owner name or | [-records] [2] section 6.2. This relaxes the requirement in section | |||
| next name, as appropriate. If an existing name is used as the NSEC | 4.1.1 of [-records] that the 'next name' field contains the next | |||
| owner name, that name's real NSEC record MUST be returned. Using | owner name in the zone. This change is expected to be fully | |||
| the same example, assuming an exampldd.com delegation exists, this | compatible with all existing DNSSEC validators. These NSEC records | |||
| record might be returned from the parent: | are returned whenever proving something specifically about the owner | |||
| name (e.g. that no resource records of a given type appear at that | ||||
| name). | ||||
| exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC ) | Whenever an NSEC record is needed to prove the non-existence of a | |||
| name, a new NSEC record is dynamically produced and signed. The new | ||||
| NSEC record has an owner name lexically before the QNAME but | ||||
| lexically following any existing name and a 'next name' lexically | ||||
| following the QNAME but before any existing name. | ||||
| Like every authoritative record in the zone, each generated NSEC | The functions to generate the lexically following and proceeding | |||
| record MUST have corresponding RRSIGs generated using each | names need not be perfect nor consistent, but the generated NSEC | |||
| algorithm (but not necessarily each DNSKEY) in the zone's DNSKEY | records must not cover any existing names. Furthermore, this | |||
| RRset, as described in [-protocol] section 2.2. To minimize the | technique works best when the generated NSEC records cover as few | |||
| number of signatures that must be generated, a zone may wish to | names as possible. | |||
| limit the number of algorithms in its DNSKEY RRset. | ||||
| Better Increment & Decrement Functions | An NSEC record denying the existence of a wildcard may be generated | |||
| in the same way. Since the NSEC record covering a non-existent | ||||
| wildcard is likely to be used in response to many queries, | ||||
| authoritative name servers using the techniques described here may | ||||
| want to pregenerate or cache that record and its corresponding RRSIG. | ||||
| Section 6.2 of [-records] defines a strict ordering of DNS names. | For example, a query for the non-instantiated name example.com might | |||
| Working backwards from that definition, it should be possible to | produce the following NSEC record: For example, a query for an A | |||
| define increment and decrement functions that generate the | record at the non-instantiated name example.com might produce the | |||
| immediately following and preceeding names, respectively. This | following two NSEC records, the first denying the existence of the | |||
| document does not define such functions. Instead, this section | name example.com and the second denying the existence of a wildcard: | |||
| presents functions that come reasonably close to the perfect ones. | ||||
| As described above, an authoritative server MUST ensure than no | ||||
| generated NSEC covers any existing name. | ||||
| To increment a name, add a leading label with a single null octet. | exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC ) | |||
| ).com 3600 IN NSEC +.com ( RRSIG NSEC ) | ||||
| To decrement a name, decrement the last character of the leftmost | Before answering a query with these records, an authoritative server | |||
| label, then fill that label to a length of 63 octets with octets of | must test for the existence of names between these endpoints. If the | |||
| value 255. To decrement a null octet, remove the octet -- if an | generated NSEC would cover existing names (e.g. exampldd.com or | |||
| empty label is left, remove the label. Defining this function | *bizarre.example.com), a better increment or decrement function may | |||
| numerically: fill the left-most label to its maximum length with | be used or the covered name closest to the QNAME could be used as the | |||
| zeros (numeric, not ASCII zeros) and subtract one. | NSEC owner name or next name, as appropriate. If an existing name is | |||
| used as the NSEC owner name, that name's real NSEC record MUST be | ||||
| returned. Using the same example, assuming an exampldd.com | ||||
| delegation exists, this record might be returned from the parent: | ||||
| In response to a query for the non-existent name foo.example.com, | exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC ) | |||
| these functions produce an NSEC record of: | ||||
| Like every authoritative record in the zone, each generated NSEC | ||||
| record MUST have corresponding RRSIGs generated using each algorithm | ||||
| (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as | ||||
| described in [-protocol] [3] section 2.2. To minimize the number of | ||||
| signatures that must be generated, a zone may wish to limit the | ||||
| number of algorithms in its DNSKEY RRset. | ||||
| 3. Better Increment & Decrement Functions | ||||
| Section 6.2 of [-records] defines a strict ordering of DNS names. | ||||
| Working backwards from that definition, it should be possible to | ||||
| define increment and decrement functions that generate the | ||||
| immediately following and preceding names, respectively. This | ||||
| document does not define such functions. Instead, this section | ||||
| presents functions that come reasonably close to the perfect ones. | ||||
| As described above, an authoritative server should still ensure than | ||||
| no generated NSEC covers any existing name. | ||||
| To increment a name, add a leading label with a single null | ||||
| (zero-value) octet. | ||||
| To decrement a name, decrement the last character of the leftmost | ||||
| label, then fill that label to a length of 63 octets with octets of | ||||
| value 255. To decrement a null (zero-value) octet, remove the octet | ||||
| -- if an empty label is left, remove the label. Defining this | ||||
| function numerically: fill the left-most label to its maximum length | ||||
| with zeros (numeric, not ASCII zeros) and subtract one. | ||||
| In response to a query for the non-existent name foo.example.com, | ||||
| these functions produce NSEC records of: | ||||
| fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | |||
| \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | |||
| \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | ||||
| \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | ||||
| \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | |||
| \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG ) | \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG ) | |||
| Both of these functions are imperfect: they don't take into account | )\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | |||
| constraints on number of labels in a name nor total length of a | \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | |||
| name. | \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | |||
| \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 | ||||
| \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG ) | ||||
| IANA Considerations | The first of these NSEC RRs proves that no exact match for | |||
| foo.example.com exists, and the second proves that there is no | ||||
| wildcard in example.com. | ||||
| This document has no IANA Actions. | Both of these functions are imperfect: they don't take into account | |||
| constraints on number of labels in a name nor total length of a name. | ||||
| As noted in the previous section, though, this technique does not | ||||
| depend on the use of perfect increment or decrement functions: it is | ||||
| sufficient to test whether any instantiated names fall into the span | ||||
| covered by the generated NSEC and, if so, substitute those | ||||
| instantiated owner names for the NSEC owner name or next name, as | ||||
| appropriate. | ||||
| Security Considerations | 4. IANA Considerations | |||
| This approach requires on demand generation of RRSIG records. This | This document specifies no IANA Actions. | |||
| creates several new vulnerabilities. | ||||
| First, on demand signing requires that a zone's authoritative | 5. Security Considerations | |||
| servers have access to its private keys. Storing private keys on | ||||
| well-known internet-accessible servers may make them more | ||||
| vulnerable to unintended disclosure. | ||||
| Second, since generation of public key signatures tends to be | This approach requires on-demand generation of RRSIG records. This | |||
| computationally demanding, the requirement for on demand signing | creates several new vulnerabilities. | |||
| makes authoritative servers vulnerable to a denial of service | ||||
| attack. | ||||
| Lastly, if the increment and decrement functions are predictable, | First, on-demand signing requires that a zone's authoritative servers | |||
| on-demand signing may enable a chosen-plaintext attack on a zone's | have access to its private keys. Storing private keys on well-known | |||
| private keys. Zones using this approach should attempt to use | internet-accessible servers may make them more vulnerable to | |||
| cryptographic algorithms that are resistant to chosen-plaintext | unintended disclosure. | |||
| attacks. It's worth noting that while DNSSEC has a "mandatory to | ||||
| implement" algorithm, that is a requirement on resolvers and | ||||
| validators -- there is no requirement that a zone be signed with | ||||
| any given algorithm. If any "mandatory to implement" algorithm is | ||||
| found to be particularly vulnerable to chosen plaintext attack, a | ||||
| zone may which to switch to another algorithm or use less | ||||
| predictable increment and decrement function. | ||||
| The success of using minimally covering NSEC record to prevent zone | Second, since generation of public key signatures tends to be | |||
| walking depends greatly on the quality of the increment and | computationally demanding, the requirement for on-demand signing | |||
| decrement functions chosen. An increment function that chooses a | makes authoritative servers vulnerable to a denial of service attack. | |||
| name obviously derived from the next instantiated name may be | ||||
| easily reverse engineered, destroying the value of this technique. | ||||
| An increment function that always returns a name close to the next | ||||
| instantiated name is likewise a poor choice. A good choice of | ||||
| increment and decrement functions are the ones that produce the | ||||
| immediately following and preceeding names, respectively, though | ||||
| zone administrators may wish to use less perfect functions that | ||||
| return more human-friendly names than the functions described in | ||||
| section X above. | ||||
| Another obvious but misguided concern is the danger from | Lastly, if the increment and decrement functions are predictable, | |||
| synthesized NSEC records being replayed. It's possible for an | on-demand signing may enable a chosen-plaintext attack on a zone's | |||
| attacker to replay an old but still validly signed NSEC record | private keys. Zones using this approach should attempt to use | |||
| after a new name has been added in the span covered by that NSEC, | cryptographic algorithms that are resistant to chosen-plaintext | |||
| incorrectly proving that there is no record at that name. This | attacks. It's worth noting that while DNSSEC has a "mandatory to | |||
| danger exists with DNSSEC as defined in [-bis]. The techniques | implement" algorithm, that is a requirement on resolvers and | |||
| described here actually decrease the danger, since the span covered | validators -- there is no requirement that a zone be signed with any | |||
| by any NSEC record is smaller than before. Choosing better | given algorithm. | |||
| increment and decrement functions will further reduce this danger. | ||||
| Normative References | The success of using minimally covering NSEC record to prevent zone | |||
| walking depends greatly on the quality of the increment and decrement | ||||
| functions chosen. An increment function that chooses a name | ||||
| obviously derived from the next instantiated name may be easily | ||||
| reverse engineered, destroying the value of this technique. An | ||||
| increment function that always returns a name close to the next | ||||
| instantiated name is likewise a poor choice. Good choices of | ||||
| increment and decrement functions are the ones that produce the | ||||
| immediately following and preceding names, respectively, though zone | ||||
| administrators may wish to use less perfect functions that return | ||||
| more human-friendly names than the functions described in Section 3 | ||||
| above. | ||||
| (out of date versions) | Another obvious but misguided concern is the danger from synthesized | |||
| [I-D.ietf-dnsext-dnssec-intro] | NSEC records being replayed. It's possible for an attacker to replay | |||
| Arends, R., Austein, R., Larson, M., Massey, D. and S. | an old but still validly signed NSEC record after a new name has been | |||
| Rose, "DNS Security Introduction and Requirements", | added in the span covered by that NSEC, incorrectly proving that | |||
| draft-ietf-dnsext-dnssec-intro-10 (work in progress), | there is no record at that name. This danger exists with DNSSEC as | |||
| May 2004. | defined in [-bis]. The techniques described here actually decrease | |||
| the danger, since the span covered by any NSEC record is smaller than | ||||
| before. Choosing better increment and decrement functions will | ||||
| further reduce this danger. | ||||
| [I-D.ietf-dnsext-dnssec-records] | 6. Normative References | |||
| Arends, R., Austein, R., Larson, M., Massey, D. and S. | ||||
| Rose, "Resource Records for DNS Security Extensions", | ||||
| draft-ietf-dnsext-dnssec-records-08 (work in progress), | ||||
| May 2004. | ||||
| [I-D.ietf-dnsext-dnssec-protocol] | [1] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose, | |||
| Arends, R., Austein, R., Larson, M., Massey, D. and S. | "DNS Security Introduction and Requirements", | |||
| Rose, "Protocol Modifications for the DNS Security | Internet-Draft draft-ietf-dnsext-dnssec-intro-13, October 2004. | |||
| Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work | ||||
| in progress), May 2004. | ||||
| Acknowledgements | [2] Arends, R., "Resource Records for the DNS Security Extensions", | |||
| Internet-Draft draft-ietf-dnsext-dnssec-records-11, October | ||||
| 2004. | ||||
| Many individuals contributed to this design. They include, in | [3] Arends, R., "Protocol Modifications for the DNS Security | |||
| addition to the authors of this document, Olaf Kolkman, Ed Lewis, | Extensions", | |||
| Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap | Internet-Draft draft-ietf-dnsext-dnssec-protocol-09, October | |||
| Akkerhuis, Jakob Schlyter, Bill Manning, and Joao Damas. | 2004. | |||
| [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement | ||||
| Levels", BCP 14, RFC 2119, March 1997. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Samuel Weiler | Johan Ihren | |||
| SPARTA, Inc. | Autonomica AB | |||
| 7075 Samuel Morse Drive | Bellmansgatan 30 | |||
| Columbia, MD 21046 | Stockholm SE-118 47 | |||
| USA | Sweden | |||
| EMail: weiler@tislabs.com | Email: johani@autonomica.se | |||
| Samuel Weiler | ||||
| SPARTA, Inc | ||||
| 7075 Samuel Morse Drive | ||||
| Columbia, Maryland 21046 | ||||
| US | ||||
| Johan Ihren | Email: weiler@tislabs.com | |||
| Autonomica | ||||
| Bellmansgatan 30 | ||||
| SE-118 47 Stockholm, Sweden | ||||
| Mail: johani@autonomica.se | ||||
| Copyright Notice | Appendix A. Acknowledgments | |||
| Copyright (C) The Internet Society (2004). This document is subject | Many individuals contributed to this design. They include, in | |||
| to the rights, licenses and restrictions contained in BCP 78, and | addition to the authors of this document, Olaf Kolkman, Ed Lewis, | |||
| except as set forth therein, the authors retain all their rights. | Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis, | |||
| Jacob Schlyter, Bill Manning, and Joao Damas. | ||||
| This document and the information contained herein are provided on | The key innovation of this document, namely that perfect increment | |||
| an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | and decrement functions are not necessary, arose during a discussion | |||
| REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND | among the above-listed people at the RIPE49 meeting in September | |||
| THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, | 2004. | |||
| EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT | ||||
| THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR | Intellectual Property Statement | |||
| ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A | ||||
| PARTICULAR PURPOSE. | The IETF takes no position regarding the validity or scope of any | |||
| Intellectual Property Rights or other rights that might be claimed to | ||||
| pertain to the implementation or use of the technology described in | ||||
| this document or the extent to which any license under such rights | ||||
| might or might not be available; nor does it represent that it has | ||||
| made any independent effort to identify any such rights. Information | ||||
| on the procedures with respect to rights in RFC documents can be | ||||
| found in BCP 78 and BCP 79. | ||||
| Copies of IPR disclosures made to the IETF Secretariat and any | ||||
| assurances of licenses to be made available, or the result of an | ||||
| attempt made to obtain a general license or permission for the use of | ||||
| such proprietary rights by implementers or users of this | ||||
| specification can be obtained from the IETF on-line IPR repository at | ||||
| http://www.ietf.org/ipr. | ||||
| The IETF invites any interested party to bring to its attention any | ||||
| copyrights, patents or patent applications, or other proprietary | ||||
| rights that may cover technology that may be required to implement | ||||
| this standard. Please address the information to the IETF at | ||||
| ietf-ipr@ietf.org. | ||||
| Disclaimer of Validity | ||||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Copyright Statement | ||||
| Copyright (C) The Internet Society (2005). This document is subject | ||||
| to the rights, licenses and restrictions contained in BCP 78, and | ||||
| except as set forth therein, the authors retain all their rights. | ||||
| Acknowledgment | ||||
| Funding for the RFC Editor function is currently provided by the | ||||
| Internet Society. | ||||
| End of changes. 53 change blocks. | ||||
| 207 lines changed or deleted | 237 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||