idnits 2.17.1 draft-ietf-ipsecme-split-dns-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (February 27, 2018) is 2248 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network T. Pauly 3 Internet-Draft Apple Inc. 4 Intended status: Standards Track P. Wouters 5 Expires: August 31, 2018 Red Hat 6 February 27, 2018 8 Split DNS Configuration for IKEv2 9 draft-ietf-ipsecme-split-dns-07 11 Abstract 13 This document defines two Configuration Payload Attribute Types for 14 the IKEv2 protocol that add support for private DNS domains. These 15 domains are intended to be resolved using DNS servers reachable 16 through an IPsec connection, while leaving all other DNS resolution 17 unchanged. This approach of resolving a subset of domains using non- 18 public DNS servers is referred to as "Split DNS". 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on August 31, 2018. 37 Copyright Notice 39 Copyright (c) 2018 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (https://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 56 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 58 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 59 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 60 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 61 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 62 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 63 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 64 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 65 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 66 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 67 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 68 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 8 69 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 72 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 73 8.2. Informative References . . . . . . . . . . . . . . . . . 11 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 76 1. Introduction 78 Split DNS is a common configuration for secure tunnels, such as 79 Virtual Private Networks in which host machines private to an 80 organization can only be resolved using internal DNS resolvers 81 [RFC2775]. In such configurations, it is often desirable to only 82 resolve hosts within a set of private domains using the tunnel, while 83 letting resolutions for public hosts be handled by a device's default 84 DNS configuration. 86 The Internet Key Exchange protocol version 2 [RFC7296] negotiates 87 configuration parameters using Configuration Payload Attribute Types. 88 This document defines two Configuration Payload Attribute Types that 89 add support for trusted Split DNS domains. 91 The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more 92 DNS domains that SHOULD be resolved only using the provided DNS 93 nameserver IP addresses, causing these requests to use the IPsec 94 connection. 96 The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust 97 anchors for those domains. 99 When only a subset of traffic is routed into a private network using 100 an IPsec SA, these Configuration Payload options can be used to 101 define which private domains are intended to be resolved through the 102 IPsec connection without affecting the client's global DNS 103 resolution. 105 For the purposes of this document, DNS resolution servers accessible 106 through an IPsec connection will be referred to as "internal DNS 107 servers", and other DNS servers will be referred to as "external DNS 108 servers". 110 A client using these configuration payloads will be able to request 111 and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN 112 and INTERNAL_DNSSEC_TA configuration attributes. The client device 113 can use the internal DNS server(s) for any DNS queries within the 114 assigned domains. DNS queries for other domains SHOULD be sent to 115 the regular external DNS server. 117 1.1. Requirements Language 119 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 120 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 121 "OPTIONAL" in this document are to be interpreted as described in BCP 122 14 [RFC2119] [RFC8174] when, and only when, they appear in all 123 captials, as shown here. 125 2. Background 127 Split DNS is a common configuration for enterprise VPN deployments, 128 in which only one or a few private DNS domains are accessible and 129 resolvable via an IPsec based VPN connection. 131 Other tunnel-establishment protocols already support the assignment 132 of Split DNS domains. For example, there are proprietary extensions 133 to IKEv1 that allow a server to assign Split DNS domains to a client. 134 However, the IKEv2 standard does not include a method to configure 135 this option. This document defines a standard way to negotiate this 136 option for IKEv2. 138 3. Protocol Exchange 140 In order to negotiate which domains are considered internal to an 141 IKEv2 tunnel, initiators indicate support for Split DNS in their 142 CFG_REQUEST payloads, and responders assign internal domains (and 143 DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS 144 has been negotiated, the existing DNS server configuration attributes 145 will be interpreted as internal DNS servers that can resolve 146 hostnames within the internal domains. 148 3.1. Configuration Request 150 To indicate support for Split DNS, an initiator includes one more 151 INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the 152 CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included 153 in the CFG_REQUEST, the initiator SHOULD also include one or more 154 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REQUEST. 156 The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually 157 empty but MAY contain a suggested domain name. 159 The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST 160 payload indicates that the initiator does not support or is unwilling 161 to accept Split DNS configuration. 163 To indicate support for DNSSEC, an initiator includes one or more 164 INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the 165 CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attribute is included 166 in the CFG_REQUEST, the initiator SHOULD also include one or more 167 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator 168 includes an INTERNAL_DNSSEC_TA attribute, but does not inclue an 169 INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with 170 both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes. 172 An initiator MAY convey its current DNSSEC trust anchors for the 173 domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does 174 not wish to convey this information, it MUST use a length of 0. 176 The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST 177 payload indicates that the initiator does not support or is unwilling 178 to accept DNSSEC trust anchor configuration. 180 3.2. Configuration Reply 182 Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in 183 their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is 184 included in the CFG_REPLY, the responder MUST also include one or 185 both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the 186 CFG_REPLY. These DNS server configurations are necessary to define 187 which servers can receive queries for hostnames in internal domains. 188 If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the 189 CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the 190 initiator SHOULD behave as if Split DNS configurations are not 191 supported by the server. 193 Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers 194 address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. 196 If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- 197 zero lengths, the content MAY be ignored or be interpreted as a 198 suggestion by the responder. 200 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, 201 one or more INTERNAL_DNSSEC_TA attributes MAY be included by the 202 responder. This attribute lists the corresponding internal DNSSEC 203 trust anchor in the DNS presentation format of a DS record as 204 specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST 205 immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies 206 to. 208 3.3. Mapping DNS Servers to Domains 210 All DNS servers provided in the CFG_REPLY MUST support resolving 211 hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, 212 the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a 213 single list of Split DNS domains that applies to the entire list of 214 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 216 3.4. Example Exchanges 218 3.4.1. Simple Case 220 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 221 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not 222 specify any value for either. This indicates that it supports Split 223 DNS, but has no preference for which DNS requests will be routed 224 through the tunnel. 226 The responder replies with two DNS server addresses, and two internal 227 domains, "example.com" and "city.other.com". 229 Any subsequent DNS queries from the initiator for domains such as 230 "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve. 232 CP(CFG_REQUEST) = 233 INTERNAL_IP4_ADDRESS() 234 INTERNAL_IP4_DNS() 235 INTERNAL_DNS_DOMAIN() 237 CP(CFG_REPLY) = 238 INTERNAL_IP4_ADDRESS(198.51.100.234) 239 INTERNAL_IP4_DNS(198.51.100.2) 240 INTERNAL_IP4_DNS(198.51.100.4) 241 INTERNAL_DNS_DOMAIN(example.com) 242 INTERNAL_DNS_DOMAIN(city.other.com) 244 3.4.2. Requesting Domains and DNSSEC trust anchors 246 In this example exchange, the initiator requests INTERNAL_IP4_DNS, 247 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes in the 248 CFG_REQUEST. 250 Any subsequent DNS queries from the initiator for domains such as 251 "www.example.com" or "city.other.com" would be DNSSEC validated using 252 the DNSSEC trust anchor received in the CFG_REPLY. 254 In this example, the initiator has no existing DNSSEC trust anchors 255 would the requested domain. the "example.com" dommain has DNSSEC 256 trust anchors that are returned, while the "other.com" domain has no 257 DNSSEC trust anchors. 259 CP(CFG_REQUEST) = 260 INTERNAL_IP4_ADDRESS() 261 INTERNAL_IP4_DNS() 262 INTERNAL_DNS_DOMAIN() 263 INTERNAL_DNSSEC_TA() 265 CP(CFG_REPLY) = 266 INTERNAL_IP4_ADDRESS(198.51.100.234) 267 INTERNAL_IP4_DNS(198.51.100.2) 268 INTERNAL_IP4_DNS(198.51.100.4) 269 INTERNAL_DNS_DOMAIN(example.com) 270 INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...) 271 INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...) 272 INTERNAL_DNS_DOMAIN(city.other.com) 274 4. Payload Formats 276 All multi-octet fields representing integers are laid out in big 277 endian order (also known as "most significant byte first", or 278 "network byte order"). 280 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply 282 1 2 3 283 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 284 +-+-----------------------------+-------------------------------+ 285 |R| Attribute Type | Length | 286 +-+-----------------------------+-------------------------------+ 287 | | 288 ~ Domain Name in DNS presentation format ~ 289 | | 290 +---------------------------------------------------------------+ 292 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 294 o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. 296 o Length (2 octets) - Length of domain name. 298 o Domain Name (0 or more octets) - A Fully Qualified Domain Name 299 used for Split DNS rules, such as "example.com", in DNS 300 presentation format and optionally using IDNA [RFC5890] for 301 Internationalized Domain Names. Implementors need to be careful 302 that this value is not null-terminated. 304 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 306 An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or 307 it can contain one Trust Anchor by containing a non-zero Length with 308 a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data 309 fields. 311 An empty INTERNAL_DNSSEC_TA CFG attribute: 313 1 2 3 314 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 315 +-+-----------------------------+-------------------------------+ 316 |R| Attribute Type | Length (set to 0) | 317 +-+-----------------------------+-------------------------------+ 319 A non-empty INTERNAL_DNSSEC_TA CFG attribute: 321 1 2 3 322 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 323 +-+-----------------------------+-------------------------------+ 324 |R| Attribute Type | Length | 325 +-+-----------------------------+---------------+---------------+ 326 | DNSKEY Key Tag | DNSKEY Alg | Digest Type | 327 +-------------------------------+---------------+---------------+ 328 | | 329 ~ Digest Data ~ 330 | | 331 +---------------------------------------------------------------+ 333 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 335 o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. 337 o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4 338 octets plus the length of the Digest Data). 340 o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key 341 Tag as specified in [RFC4034] Section 5.1. 343 o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the 344 IANA DNS Security Algorithm Numbers Registry. 346 o Digest Type (0 or 1 octet) - DS algorithm value from the IANA 347 Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms 348 Registry. 350 o Digest Data (0 or more octets) - The DNSKEY digest as specified in 351 [RFC4034] Section 5.1 in presentation format. 353 5. Split DNS Usage Guidelines 355 If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, 356 the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 357 servers as the default DNS server(s) for all queries. 359 If a client is configured by local policy to only accept a limited 360 number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any 361 other INTERNAL_DNS_DOMAIN values. 363 For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not 364 prohibited by local policy, the client MUST use the provided 365 INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only 366 resolvers for the listed domains and its sub-domains and it MUST NOT 367 attempt to resolve the provided DNS domains using its external DNS 368 servers. 370 If the initiator host is configured to block DNS answers containing 371 IP addresses from special IP address ranges such as those of 372 [RFC1918], the initiator SHOULD allow the DNS domains listed in the 373 INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses. 375 If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes 376 and its local policy does not forbid these values, the client MUST 377 configure its DNS resolver to resolve those domains and all their 378 subdomains using only the DNS resolver(s) listed in that CFG_REPLY 379 message. If those resolvers fail, those names MUST NOT be resolved 380 using any other DNS resolvers. Other domain names SHOULD be resolved 381 using some other external DNS resolver(s), configured independently 382 from IKE. Queries for these other domains MAY be sent to the 383 internal DNS resolver(s) listed in that CFG_REPLY message, but have 384 no guarantee of being answered. For example, if the 385 INTERNAL_DNS_DOMAIN attribute specifies "example.com", then 386 "example.com", "www.example.com" and "mail.eng.example.com" MUST be 387 resolved using the internal DNS resolver(s), but "anotherexample.com" 388 and "ample.com" SHOULD NOT be resolved using the internal resolver 389 and SHOULD use the system's external DNS resolver(s). 391 When an IKE SA is terminated, the DNS forwarding MUST be 392 unconfigured. This includes deleting the DNS forwarding rules; 393 flushing all cached data for DNS domains provided by the 394 INTERNAL_DNS_DOMAIN attribute, including negative cache entries; 395 removing any obtained DNSSEC trust anchors from the list of trust 396 anchors; and clearing the outstanding DNS request queue. 398 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be 399 used on split tunnel configurations where only a subset of traffic is 400 routed into a private remote network using the IPsec connection. If 401 all traffic is routed over the IPsec connection, the existing global 402 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating 403 specific DNS exemptions. 405 6. Security Considerations 407 The use of Split DNS configurations assigned by an IKEv2 responder is 408 predicated on the trust established during IKE SA authentication. 409 However, if IKEv2 is being negotiated with an anonymous or unknown 410 endpoint (such as for Opportunistic Security [RFC7435]), the 411 initiator MUST ignore Split DNS configurations assigned by the 412 responder. 414 If a host connected to an authenticated IKE peer is connecting to 415 another IKE peer that attempts to claim the same domain via the 416 INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process 417 the DNS information if the two connections are part of the same 418 logical entity. Otherwise, the client SHOULD refuse the DNS 419 information and potentially warn the end-user. 421 INTERNAL_DNSSEC_TA payloads MUST immediately follow an 422 INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself 423 does not contain the domain name, it relies on the preceding 424 INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the 425 trust anchor. 427 If the initiator is using DNSSEC validation for a domain in its 428 public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN 429 attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure 430 its DNS resolver to allow for an insecure delegation. It SHOULD NOT 431 accept insecure delegations for domains that are DNSSEC signed in the 432 public DNS view, for which it has not explicitely requested such 433 deletation by specifying the domain specifically using a 434 INTERNAL_DNS_DOMAIN(domain) request. 436 Deployments that configure INTERNAL_DNS_DOMAIN domains should pay 437 close attention to their use of indirect reference RRtypes such as 438 CNAME, DNAME, MX or SRV records so that resolving works as intended 439 when all, some, or none of the IPsec connections are established. 441 The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be 442 passed to another (DNS) program for processing. As with any network 443 input, the content SHOULD be considered untrusted and handled 444 accordingly. 446 7. IANA Considerations 448 This document defines two new IKEv2 Configuration Payload Attribute 449 Types, which are allocated from the "IKEv2 Configuration Payload 450 Attribute Types" namespace. 452 Multi- 453 Value Attribute Type Valued Length Reference 454 ------ ------------------- ------ ---------- --------------- 455 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] 456 26 INTERNAL_DNSSEC_TA YES 0 or more [this document] 458 Figure 1 460 8. References 462 8.1. Normative References 464 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 465 and E. Lear, "Address Allocation for Private Internets", 466 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 467 . 469 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 470 Requirement Levels", BCP 14, RFC 2119, 471 DOI 10.17487/RFC2119, March 1997, 472 . 474 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 475 Rose, "Resource Records for the DNS Security Extensions", 476 RFC 4034, DOI 10.17487/RFC4034, March 2005, 477 . 479 [RFC5890] Klensin, J., "Internationalized Domain Names for 480 Applications (IDNA): Definitions and Document Framework", 481 RFC 5890, DOI 10.17487/RFC5890, August 2010, 482 . 484 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 485 Kivinen, "Internet Key Exchange Protocol Version 2 486 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 487 2014, . 489 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 490 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 491 May 2017, . 493 8.2. Informative References 495 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 496 DOI 10.17487/RFC2775, February 2000, 497 . 499 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 500 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 501 December 2014, . 503 Authors' Addresses 505 Tommy Pauly 506 Apple Inc. 507 One Apple Park Way 508 Cupertino, California 95014 509 US 511 Email: tpauly@apple.com 513 Paul Wouters 514 Red Hat 516 Email: pwouters@redhat.com