opsawg                                                      M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                                T. Reddy
Expires: December 19, 2021                                        McAfee
                                                           June 17, 2021

                   RADIUS Extensions for Encrypted DNS
              draft-boucadair-opsawg-add-encrypted-dns-02

Abstract

   This document specifies new Remote Authentication Dial-In User
   Service (RADIUS) attributes that carry an authentication domain name,
   a list of IP addresses, and a set of service parameters of encrypted
   DNS resolvers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 19, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Encrypted DNS RADIUS Attributes
     3.1.  IPv6-Encrypted-DNS Attribute
     3.2.  IPv4-Encrypted-DNS Attribute
     3.3.  RADIUS TLVs for Encrypted DNS
       3.3.1.  Encrypted-DNS-ADN TLV
       3.3.2.  Encrypted-DNS-IPv6-Address TLV
       3.3.3.  Encrypted-DNS-IPv4-Address TLV
       3.3.4.  Encrypted-DNS-SvcParams TLV
   4.  Security Considerations
   5.  Table of Attributes
   6.  IANA Considerations
     6.1.  New RADIUS Attributes
     6.2.  New RADIUS TLVs
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   In the context of broadband services, ISPs traditionally provide DNS
   resolvers to their customers.  To that aim, ISPs deploy dedicated
   mechanisms to advertise a list of recursive DNS server(s) to their
   customers (e.g., DHCP, IPv6 Router Advertisement).  The information
   used to populate DHCP messages and/or IPv6 Router Advertisements
   relies upon specific Remote Authentication Dial-In User Service
   (RADIUS) [RFC2865] attributes such as the DNS-Server-IPv6-Address
   Attribute specified in [RFC6911].
   With the advent of Encrypted DNS (e.g., DNS-over-HTTPS (DoH)
   [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ)
   [I-D.ietf-dprive-dnsoquic]), additional means are required to
   provision hosts with network-designated Encrypted DNS.  To fill that
   void, [I-D.ietf-add-dnr] leverages existing protocols such as DHCP
   and IPv6 Router Advertisement to provide hosts with the required
   information to connect to an Encrypted DNS server.  However, there
   are no RADIUS attributes that can be used to populate the discovery
   messages discussed in [I-D.ietf-add-dnr].

   This document specifies two new RADIUS attributes: the IPv6-
   Encrypted-DNS (Section 3.1) and IPv4-Encrypted-DNS (Section 3.2)
   Attributes.  Two attributes are specified in order to accommodate
   both IPv4 and IPv6 deployment contexts while taking into account the
   constraints in Section 3.4 of [RFC6158].

   Typical deployment scenarios are similar to those described, for
   instance, in Section 2 of [RFC6911].  Some of these deployments may
   rely upon the mechanisms defined in [RFC4014] or [RFC7037], which
   allow a Network Access Server (NAS) to pass attributes obtained from
   a RADIUS server to a DHCP server.  For illustration purposes,
   Figure 1 shows an example where a Customer Premises Equipment (CPE)
   is provided with an Encrypted DNS server.  This example assumes that
   the NAS embeds both RADIUS client and DHCPv6 server capabilities.
   +-------------+           +-------------+           +-------+
   |     CPE     |           |     NAS     |           |  AAA  |
   |DHCPv6 client|           |DHCPv6 server|           |Server |
   +------+------+           +------+------+           +---+---+
          |                         |                      |
          o-----DHCPv6 Solicit----->|                      |
          |                         o----Access-Request -->|
          |                         |                      |
          |                         |<----Access-Accept----o
          |                         |   IPv6-Encrypted-DNS |
          |<--DHCPv6 Advertisement--o                      |
          |     (OPTION_V6_DNR)     |                      |
          |                         |                      |
          o-----DHCPv6 Request----->|                      |
          |                         |                      |
          |<------DHCPv6 Reply------o                      |
          |     (OPTION_V6_DNR)     |                      |
          |                         |                      |

                   DHCPv6                    RADIUS

             Figure 1: Example of RADIUS IPv6 Encrypted DNS

   Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
   a RADIUS Access-Request message to the AAA server.  Once the AAA
   server receives the request, it replies with an Access-Accept message
   (possibly after having sent a RADIUS Access-Challenge message and
   assuming the CPE is entitled to connect to the network) that carries
   a list of parameters to be used for this session, which includes the
   Encrypted DNS information.  The content of the IPv6-Encrypted-DNS
   Attribute is then used by the NAS to complete the DHCPv6 procedure
   that the CPE initiated to retrieve information about the encrypted
   DNS service to use.  The procedure defined in [I-D.ietf-add-dnr] is
   thus followed between the DHCPv6 client and the DHCPv6 server.  The
   same procedure is followed between the DHCPv6 client on endpoints
   serviced by the CPE and the DHCPv6 server on the CPE.

   Upon a change of any Encrypted DNS-related information (e.g., ADN,
   IPv6 address), the RADIUS server sends a RADIUS CoA message [RFC5176]
   that carries the RADIUS IPv6-Encrypted-DNS Attribute to the NAS.
   Once that message is accepted by the NAS, it replies with a RADIUS
   CoA ACK message.  The NAS replaces the old Encrypted DNS server
   information with the new one and sends a DHCPv6 Reconfigure message
   to cause the DHCPv6 client to initiate a Renew/Reply message exchange
   with the DHCPv6 server.

   Figure 2 shows another example where a CPE is provided with an
   Encrypted DNS server, but the CPE uses DHCPv4 to retrieve its
   encrypted DNS server.

   +-------------+           +-------------+           +-------+
   |     CPE     |           |     NAS     |           |  AAA  |
   |DHCPv4 client|           |DHCPv4 server|           |Server |
   +------+------+           +------+------+           +---+---+
          |                         |                      |
          o------DHCPDISCOVER------>|                      |
          |                         o----Access-Request -->|
          |                         |                      |
          |                         |<----Access-Accept----o
          |                         |   IPv4-Encrypted-DNS |
          |<-----DHCPOFFER----------o                      |
          |     (OPTION_V4_DNR)     |                      |
          |                         |                      |
          o-----DHCPREQUEST-------->|                      |
          |     (OPTION_V4_DNR)     |                      |
          |                         |                      |
          |<-------DHCPACK----------o                      |
          |     (OPTION_V4_DNR)     |                      |
          |                         |                      |

                   DHCPv4                    RADIUS

             Figure 2: Example of RADIUS IPv4 Encrypted DNS

   Other deployment scenarios can be envisaged, such as returning
   customized service parameters (e.g., a different DoH URI) as a
   function of the service/policies/preferences that are set by a home
   network admin.  How an admin indicates its service/policies/
   preferences to an AAA server is out of scope.

   This document adheres to [RFC8044] for defining the new attributes.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document makes use of the terms defined in [RFC8499].  The
   following additional terms are used:

   Encrypted DNS:  refers to a scheme where DNS exchanges are
      transported over an encrypted channel.
      Examples of encrypted DNS are DNS-over-TLS (DoT) [RFC7858],
      DNS-over-HTTPS (DoH) [RFC8484], or DNS-over-QUIC (DoQ)
      [I-D.ietf-dprive-dnsoquic].

   *-Encrypted-DNS:  refers to the IPv6-Encrypted-DNS and IPv4-
      Encrypted-DNS Attributes.

   Encrypted-DNS-*:  refers to any of these attributes: Encrypted-DNS-
      ADN, Encrypted-DNS-IPv6-Address, Encrypted-DNS-IPv4-Address, and
      Encrypted-DNS-SvcParams.

3.  Encrypted DNS RADIUS Attributes

   Both IPv6-Encrypted-DNS and IPv4-Encrypted-DNS have the same format,
   shown in Figure 3.  The description of the fields is provided in
   Sections 3.1 and 3.2.

   These attributes and their embedded TLVs (Section 3.3) are defined
   with globally unique names and follow the guidelines in Section 2.7.1
   of [RFC6929].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Figure 3: Format of IPv6-Encrypted-DNS and IPv4-Encrypted-DNS
                                Attributes

   The value field of *-Encrypted-DNS and Encrypted-DNS-* Attributes is
   encoded in the clear; it is not encrypted in the way that, for
   example, the Tunnel-Password Attribute [RFC2868] is.

3.1.  IPv6-Encrypted-DNS Attribute

   This attribute is of type "tlv" as defined in Section 2.3 of
   [RFC6929].

   The IPv6-Encrypted-DNS Attribute includes the authentication domain
   name, a list of IPv6 addresses, and a set of service parameters of an
   encrypted DNS resolver [I-D.ietf-add-dnr].

   Because multiple IPv6-Encrypted-DNS Attributes may be provisioned to
   a requesting host, multiple instances of the IPv6-Encrypted-DNS
   Attribute MAY be included; each instance of the attribute carries a
   distinct Encrypted DNS server.

   The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
   packet.  It MAY also appear in a RADIUS Access-Request packet as a
   hint to the RADIUS server to indicate a preference.  However, the
   server is not required to honor such a preference.

   The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
   packet.

   The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-
   Request packet.

   The IPv6-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
   packet.

   The IPv6-Encrypted-DNS Attribute is structured as follows:

   Type

      241

   Length

      This field indicates the total length, in octets, of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBA1 (see Section 6.1).

   Value

      This field contains a set of TLVs as follows:

      Encrypted-DNS-ADN TLV:  The IPv6-Encrypted-DNS Attribute MUST
         include exactly one instance of the Encrypted-DNS-ADN TLV
         (Section 3.3.1).

      Encrypted-DNS-IPv6-Address TLV:  The IPv6-Encrypted-DNS Attribute
         MUST include one or multiple instances of the Encrypted-DNS-
         IPv6-Address TLV (Section 3.3.2).

      Encrypted-DNS-SvcParams TLV:  The IPv6-Encrypted-DNS Attribute
         SHOULD include one instance of the Encrypted-DNS-SvcParams TLV
         (Section 3.3.4).

   The IPv6-Encrypted-DNS Attribute is associated with the following
   identifier: 241.TBA1.

3.2.  IPv4-Encrypted-DNS Attribute

   This attribute is of type "tlv" as defined in Section 2.3 of
   [RFC6929].

   The IPv4-Encrypted-DNS Attribute includes the authentication domain
   name, a list of IPv4 addresses, and a set of service parameters of an
   encrypted DNS resolver [I-D.ietf-add-dnr].

   Because multiple IPv4-Encrypted-DNS Attributes may be provisioned to
   a requesting host, multiple instances of the IPv4-Encrypted-DNS
   Attribute MAY be included; each instance of the attribute carries a
   distinct Encrypted DNS server.
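   The attribute layout of Figure 3 and the TLV rules of Sections 3.1
   through 3.3 (exactly one ADN TLV, one or more address TLVs of the
   matching family with no multicast or loopback addresses, at most one
   SvcParams TLV without "ipv4hint"/"ipv6hint", all within the 255-octet
   limit of a Type 241 attribute) can be enforced mechanically by a NAS
   or a RADIUS server.  The Python encoder/decoder below is an added
   worked example written for this page; it is not code from this draft
   or its authors.  Type 241 and the TLV numbers 1-4 are taken from
   Sections 3.1, 3.2 and 6.2; the Extended-Type values standing in for
   TBA1/TBA2 are placeholders (assumption), the ADN is written in the
   wire format of Section 10 of RFC 8415, and the SvcParams TLV is
   treated as SVCB presentation text ("key=value ..."), which is an
   assumption since the draft only says the TLV is of type text.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional
# Type 241 and TLV numbers 1-4 come from the draft (Sections 3.1, 3.2, 6.2);
# TBA1/TBA2 are unassigned, so these Extended-Type values are placeholders
# chosen for this example only (assumption).
TYPE_EXTENDED = 241
EXT_TYPE = {6: 0xF1, 4: 0xF2}                 # IPv6-/IPv4-Encrypted-DNS
TLV_ADN, TLV_IPV6_ADDR, TLV_IPV4_ADDR, TLV_SVCPARAMS = 1, 2, 3, 4
ADDR_TLV = {6: TLV_IPV6_ADDR, 4: TLV_IPV4_ADDR}
# RADIUS codes (RFC 2865/5176) that MAY carry the attributes per Section 5:
# Access-Request, Access-Accept, Accounting-Request, CoA-Request.
ALLOWED_PACKET_CODES = {1, 2, 4, 43}
EncryptedDns = namedtuple("EncryptedDns", "family adn addrs svcparams")

def encode_adn(name: str) -> bytes:
    """FQDN in the wire format of Section 10 of RFC 8415: length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"                      # zero-length root label terminates

def decode_adn(data: bytes) -> str:
    labels, i = [], 0
    while i < len(data) and data[i]:
        labels.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
        i += 1 + data[i]
    if i + 1 != len(data):                    # one terminator, nothing after it
        raise ValueError("malformed ADN")
    return ".".join(labels)

def _tlv(tlv_type: int, value: bytes) -> bytes:
    if len(value) + 2 > 255:
        raise ValueError("TLV value too long for a one-octet TLV-Length")
    # RFC 6929 TLV: TLV-Type, TLV-Length (counting these two octets), TLV-Value
    return bytes([tlv_type, len(value) + 2]) + value

def _check_address(family: int, addr):
    ip = ipaddress.ip_address(addr)           # accepts text or packed form
    if ip.version != family:
        raise ValueError(f"{ip} is not an IPv{family} address")
    if ip.is_multicast or ip.is_loopback:     # MUST NOT, Sections 3.3.2 / 3.3.3
        raise ValueError(f"{ip} is a multicast or loopback address")
    return ip

def encode_encrypted_dns(family: int, adn: str, addrs: List[str],
                         svcparams: Optional[str] = None) -> bytes:
    """Build an IPv6-Encrypted-DNS (family=6) or IPv4-Encrypted-DNS (family=4) Attribute."""
    if not addrs:
        raise ValueError("at least one address TLV is required")
    tlvs = _tlv(TLV_ADN, encode_adn(adn))     # exactly one ADN TLV
    for a in addrs:
        tlvs += _tlv(ADDR_TLV[family], _check_address(family, a).packed)
    if svcparams is not None:
        # SvcParams handled as SVCB presentation text "key=value ..." (assumption).
        keys = {p.split("=", 1)[0] for p in svcparams.split()}
        if keys & {"ipv4hint", "ipv6hint"}:   # superseded by the address TLVs
            raise ValueError("ipv4hint/ipv6hint MUST NOT appear in SvcParams")
        tlvs += _tlv(TLV_SVCPARAMS, svcparams.encode("ascii"))
    length = 3 + len(tlvs)                    # Type + Length + Extended-Type + TLVs
    if length > 255:
        raise ValueError("attribute exceeds 255 octets; Type 241 cannot carry it")
    return bytes([TYPE_EXTENDED, length, EXT_TYPE[family]]) + tlvs

def decode_encrypted_dns(data: bytes) -> EncryptedDns:
    """Parse and validate a received attribute; ValueError on any rule violation."""
    if len(data) < 3 or data[0] != TYPE_EXTENDED or data[1] != len(data):
        raise ValueError("bad attribute header")
    family = next((f for f, t in EXT_TYPE.items() if t == data[2]), None)
    if family is None:
        raise ValueError("unknown Extended-Type")
    adn, addrs, svc, i = [], [], [], 3
    while i < len(data):
        tlv_len = data[i + 1] if i + 1 < len(data) else 0
        if tlv_len < 2 or i + tlv_len > len(data):
            raise ValueError("bad TLV length")
        t, v = data[i], bytes(data[i + 2:i + tlv_len])
        i += tlv_len
        if t == TLV_ADN:
            adn.append(decode_adn(v))
        elif t == ADDR_TLV[family]:           # other-family address TLVs end up below
            addrs.append(str(_check_address(family, v)))
        elif t == TLV_SVCPARAMS:
            svc.append(v.decode("ascii"))
        else:
            raise ValueError(f"unexpected TLV type {t} in an IPv{family} attribute")
    if len(adn) != 1 or not addrs or len(svc) > 1:   # Sections 3.1 / 3.2 cardinality
        raise ValueError("TLV cardinality violation")
    return EncryptedDns(family, adn[0], addrs, svc[0] if svc else None)

def rejects(*args, **kwargs) -> bool:
    """True when the encoder refuses the input (exercises the MUST NOT rules)."""
    try:
        encode_encrypted_dns(*args, **kwargs)
        return False
    except ValueError:
        return True
```

   Calling encode_encrypted_dns(6, "dns.example.net", ["2001:db8::53"],
   "alpn=dot,h2 port=853") yields a 62-octet attribute whose ADN TLV
   carries TLV-Length 19 (the 17-octet wire-format name plus 2, as
   Section 3.3.1 states); decode_encrypted_dns() refuses the same
   attribute once its Extended-Type is altered, once a multicast
   address is smuggled into an address TLV, or once a second ADN TLV is
   present, and ALLOWED_PACKET_CODES mirrors the Section 5 table for a
   packet-level check.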
   The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
   packet.  It MAY also appear in a RADIUS Access-Request packet as a
   hint to the RADIUS server to indicate a preference.  However, the
   server is not required to honor such a preference.

   The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
   packet.

   The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-
   Request packet.

   The IPv4-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
   packet.

   The IPv4-Encrypted-DNS Attribute is structured as follows:

   Type

      241

   Length

      This field indicates the total length, in octets, of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBA2 (see Section 6.1).

   Value

      This field contains a set of TLVs as follows:

      Encrypted-DNS-ADN TLV:  The IPv4-Encrypted-DNS Attribute MUST
         include exactly one instance of the Encrypted-DNS-ADN TLV
         (Section 3.3.1).

      Encrypted-DNS-IPv4-Address TLV:  The IPv4-Encrypted-DNS Attribute
         MUST include one or multiple instances of the Encrypted-DNS-
         IPv4-Address TLV (Section 3.3.3).

      Encrypted-DNS-SvcParams TLV:  The IPv4-Encrypted-DNS Attribute
         SHOULD include one instance of the Encrypted-DNS-SvcParams TLV
         (Section 3.3.4).

   The IPv4-Encrypted-DNS Attribute is associated with the following
   identifier: 241.TBA2.

3.3.  RADIUS TLVs for Encrypted DNS

   The TLVs defined in the following subsections use the format defined
   in [RFC6929].  These TLVs have the same name and number when
   encapsulated in any of the parent attributes defined in Sections 3.1
   and 3.2.

   The encoding of the "Value" field of these TLVs follows the
   recommendation of [RFC6158].

3.3.1.  Encrypted-DNS-ADN TLV

   TLV-Type

      TBA3 (see Section 6.2).

   TLV-Length

      Length of the included ADN + 2 octets.

   Data Type

      The Encrypted-DNS-ADN TLV is of type text (Section 3.4 of
      [RFC8044]).

   TLV-Value

      This field includes a fully qualified domain name of the Encrypted
      DNS server.  This field is formatted as specified in Section 10 of
      [RFC8415].

   This TLV is identified as 241.TBA1.TBA3 when included in the IPv6-
   Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA3 when
   included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

3.3.2.  Encrypted-DNS-IPv6-Address TLV

   TLV-Type

      TBA4 (see Section 6.2).

   TLV-Length

      18

   Data Type

      The Encrypted-DNS-IPv6-Address TLV is of type ip6addr (Section 3.9
      of [RFC8044]).

   TLV-Value

      This field includes an IPv6 address (128 bits) of the Encrypted
      DNS server.

      The Encrypted-DNS-IPv6-Address TLV MUST NOT include multicast or
      host loopback addresses [RFC6890].

   This TLV is identified as 241.TBA1.TBA4 as part of the IPv6-
   Encrypted-DNS Attribute (Section 3.1).

3.3.3.  Encrypted-DNS-IPv4-Address TLV

   TLV-Type

      TBA5 (see Section 6.2).

   TLV-Length

      6

   Data Type

      The Encrypted-DNS-IPv4-Address TLV is of type ip4addr (Section 3.8
      of [RFC8044]).

   TLV-Value

      This field includes an IPv4 address (32 bits) of the Encrypted DNS
      server.

      The Encrypted-DNS-IPv4-Address TLV MUST NOT include multicast or
      host loopback addresses.

   This TLV is identified as 241.TBA1.TBA5 as part of the IPv4-
   Encrypted-DNS Attribute (Section 3.2).

3.3.4.  Encrypted-DNS-SvcParams TLV

   TLV-Type

      TBA6 (see Section 6.2).

   TLV-Length

      Length of the included service parameters + 2 octets.

   Data Type

      The Encrypted-DNS-SvcParams TLV is of type text (Section 3.4 of
      [RFC8044]).

   TLV-Value

      Specifies a set of service parameters that are encoded following
      the rules in [I-D.ietf-dnsop-svcb-https].
      Service parameters may include, for example, a list of ALPN
      protocol identifiers or alternate port numbers.

      The service parameters MUST NOT include "ipv4hint" or "ipv6hint"
      SvcParams, as they are superseded by the included IP addresses.

   This TLV is identified as 241.TBA1.TBA6 when included in the IPv6-
   Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA6 when
   included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

4.  Security Considerations

   RADIUS-related security considerations are discussed in [RFC2865].

   This document targets deployments where a trusted relationship is in
   place between the RADIUS client and server, with communication
   optionally secured by IPsec or Transport Layer Security (TLS)
   [RFC6614].

   Security considerations (including traffic theft) are discussed in
   [I-D.ietf-add-dnr].

5.  Table of Attributes

   The following table provides a guide to what types of RADIUS packets
   may contain these attributes, and in what quantity.

   Access- Access- Access- Challenge Acct.    #     Attribute
   Request Accept  Reject            Request
     0+      0+      0        0        0+    TBA1  IPv6-Encrypted-DNS
     0+      0+      0        0        0+    TBA2  IPv4-Encrypted-DNS

   CoA-Request  CoA-ACK  CoA-NACK   #     Attribute
       0+          0        0      TBA1  IPv6-Encrypted-DNS
       0+          0        0      TBA1  IPv4-Encrypted-DNS

   The following table defines the meaning of the above table entries:

   0   This attribute MUST NOT be present in the packet.
   0+  Zero or more instances of this attribute MAY be present in the
       packet.

6.  IANA Considerations

6.1.  New RADIUS Attributes

   IANA is requested to assign two new RADIUS attribute types from the
   IANA registry "Radius Attribute Types" located at
   http://www.iana.org/assignments/radius-types:

      IPv6-Encrypted-DNS (241.TBA1)

      IPv4-Encrypted-DNS (241.TBA2)

   Type      Description         Data Type  Reference
   --------  ------------------  ---------  -------------
   241.TBA1  IPv6-Encrypted-DNS  tlv        This-Document
   241.TBA2  IPv4-Encrypted-DNS  tlv        This-Document

6.2.  New RADIUS TLVs

   IANA is requested to create a new registry called "RADIUS Encrypted
   DNS TLVs".  The registry is initially populated as follows:

   Value  Description                 Data Type  Reference
   -----  --------------------------  ---------  -------------
   0      Reserved
   1      Encrypted-DNS-ADN           text       Section 3.3.1
   2      Encrypted-DNS-IPv6-Address  ipv6addr   Section 3.3.2
   3      Encrypted-DNS-IPv4-Address  ipv4addr   Section 3.3.3
   4      Encrypted-DNS-SvcParams     text       Section 3.3.4
   5-255  Unassigned

7.  Acknowledgements

   Thanks to Christian Jacquenet, Neil Cook, and Alan DeKok for the
   review and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-add-dnr]
              Boucadair, M., Reddy, T., Wing, D., Cook, N., and T.
              Jensen, "DHCP and Router Advertisement Options for the
              Discovery of Network-designated Resolvers (DNR)", draft-
              ietf-add-dnr-00 (work in progress), February 2021.

   [I-D.ietf-dnsop-svcb-https]
              Schwartz, B., Bishop, M., and E. Nygren, "Service binding
              and parameter specification via the DNS (DNS SVCB and
              HTTPS RRs)", draft-ietf-dnsop-svcb-https-05 (work in
              progress), April 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC6158]  DeKok, A., Ed. and G.
              Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158,
              DOI 10.17487/RFC6158, March 2011.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC8044]  DeKok, A., "Data Types in RADIUS", RFC 8044,
              DOI 10.17487/RFC8044, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8415]  Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
              Richardson, M., Jiang, S., Lemon, T., and T. Winters,
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              RFC 8415, DOI 10.17487/RFC8415, November 2018.

8.2.  Informative References

   [I-D.ietf-dprive-dnsoquic]
              Huitema, C., Mankin, A., and S. Dickinson, "Specification
              of DNS over Dedicated QUIC Connections", draft-ietf-
              dprive-dnsoquic-02 (work in progress), February 2021.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
              M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
              Support", RFC 2868, DOI 10.17487/RFC2868, June 2000.

   [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication Dial-
              In User Service (RADIUS) Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Information Option", RFC 4014, DOI 10.17487/RFC4014,
              February 2005.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6614]  Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
              "Transport Layer Security (TLS) Encryption for RADIUS",
              RFC 6614, DOI 10.17487/RFC6614, May 2012.

   [RFC6911]  Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
              B. Lourdelet, "RADIUS Attributes for IPv6 Access
              Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013.

   [RFC7037]  Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
              Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October
              2013.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019.

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com


   Tirumaleswar Reddy
   McAfee, Inc.
   Embassy Golf Link Business Park
   Bangalore, Karnataka 560071
   India

   Email: kondtir@gmail.com