idnits 2.17.1 draft-reddy-add-iot-byod-bootstrap-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 26, 2020) is 1367 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'ThisDocument' is mentioned on line 599, but not defined == Outdated reference: A later version (-45) exists of draft-ietf-anima-bootstrapping-keyinfra-41 ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) ** Downref: Normative reference to an Experimental RFC: RFC 8121 ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) == Outdated reference: A later version (-12) exists of draft-btw-add-home-07 == Outdated reference: A later version (-02) exists of draft-ietf-dnsop-terminology-ter-01 == Outdated reference: A later version (-09) exists of draft-reddy-add-server-policy-selection-03 -- Obsolete informational reference (is this intentional?): RFC 7626 (Obsoleted by RFC 9076) Summary: 3 errors (**), 0 flaws (~~), 6 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ADD WG T. Reddy 3 Internet-Draft McAfee 4 Intended status: Standards Track D. Wing 5 Expires: January 27, 2021 Citrix 6 M. Richardson 7 Sandelman Software Works 8 M. Boucadair 9 Orange 10 July 26, 2020 12 A Bootstrapping Procedure to Discover and Authenticate DNS-over-TLS and 13 DNS-over-HTTPS Servers for IoT and BYOD Devices 14 draft-reddy-add-iot-byod-bootstrap-01 16 Abstract 18 This document specifies mechanisms to bootstrap endpoints (e.g., 19 hosts, IoT devices) to discover and authenticate DNS-over-TLS and 20 DNS-over-HTTPS servers provided by a local network for IoT/BYOD 21 devices in Enterprise networks. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on January 27, 2021. 40 Copyright Notice 42 Copyright (c) 2020 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 60 4. Bootstrapping Endpoint Devices . . . . . . . . . . . . . . . 6 61 4.1. Bootstrapping BYOD . . . . . . . . . . . . . . . . . . . 6 62 5. Bootstrapping IoT Devices . . . . . . . . . . . . . . . . . . 8 63 6. Connection Handshake and Service Invocation . . . . . . . . . 9 64 7. EST Service Discovery Procedure . . . . . . . . . . . . . . . 10 65 8. Network Reattachment . . . . . . . . . . . . . . . . . . . . 10 66 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 67 10. Security Considerations . . . . . . . . . . . . . . . . . . . 12 68 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 69 11.1. Service Name for EST . . . . . . . . . . . . . . . . . . 13 70 11.2. Service Name for DoH . . . . . . . . . . . . . . . . . . 13 71 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 72 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 73 13.1. Normative References . . . . . . . . . . . . . . . . . . 13 74 13.2. Informative References . . . . . . . . . . . . . . . . . 15 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 77 1. Introduction 79 Traditionally a caching DNS server has been provided by local 80 networks. This provides benefits such as low latency to reach that 81 DNS server (owing to its network proximity to the endpoint). 82 However, if an endpoint is configured to use Internet-hosted or 83 public DNS-over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484] 84 servers, any available local DNS server cannot serve DNS requests 85 from local endpoints. If public DNS servers are used instead of 86 using local DNS servers, some operational problems can occur such as 87 those listed below: 89 o "Split DNS" [RFC2775] to use the special internal-only domain 90 names (e.g., "internal.example.com") in enterprise networks will 91 not work, and ".local" and "home.arpa" names cannot be locally 92 resolved in home networks. 94 o Content Delivery Networks (CDNs) that map traffic based on DNS may 95 lose the ability to direct end-user traffic to a nearby service- 96 specific cluster in cases where a DNS service is being used that 97 is not affiliated with the local network and which does not send 98 "EDNS Client Subnet" (ECS) information [RFC7871] to the CDN's DNS 99 authorities [CDN]. 101 If public DNS servers are used instead of local DNS servers, the 102 following discusses the impacts on network-based security: 104 o Various network security services are provided by Enterprise 105 networks to protect endpoints (e.g,. Hosts, IoT devices). 106 Network-based security solutions such as firewalls (FW) and 107 Intrusion Prevention Systems (IPS) rely on network traffic 108 inspection to implement perimeter-based security policies. The 109 network security services may for example prevent malware 110 download, block known malicious URLs, enforce use of strong 111 ciphers, stop data exfiltration, etc. These network security 112 services act on DNS requests originating from endpoints. However, 113 if an endpoint is configured to use public DoH/DoT servers, 114 network security services cannot act on DNS requests from these 115 endpoints. 117 o In order to act on DNS requests from endpoints, network security 118 services can block DoT traffic by dropping outgoing packets to 119 destination port 853. Identifying DoH traffic is far more 120 challenging than DoT traffic. Network security services may try 121 to identify the domains offering DoH servers, and DoH traffic can 122 be blocked by dropping outgoing packets to these domains. If an 123 endpoint has enabled strict privacy profile (Section 5 of 124 [RFC8310]), and the network security service blocks the traffic to 125 the public DNS server, the DNS service won't be available to the 126 endpoint and ultimately the endpoint cannot access Internet- 127 reachable services. 129 o If an endpoint has enabled opportunistic privacy profile 130 (Section 5 of [RFC8310]), and the network security service blocks 131 traffic to the public DNS server, the endpoint will either 132 fallback to an encrypted connection without authenticating the DNS 133 server provided by the local network or fallback to clear text 134 DNS, and cannot exchange encrypted DNS messages. 136 If the network security service fails to block DoH/DoT traffic, this 137 can compromise the endpoint security; some of the potential security 138 threats are listed below: 140 o The network security service cannot prevent an endpoint from 141 accessing malicious domains. 143 o If the endpoint is an IoT device which is configured to use public 144 DoH/DoT servers, and if a policy enforcement point in the local 145 network is programmed using, for example, a Manufacturer Usage 146 Description (MUD) file [RFC8520] by a MUD manager to only allow 147 intended communications to and from the IoT device, the policy 148 enforcement point cannot enforce the network Access Control List 149 (ACL) rules based on domain names (Section 8 of [RFC8520]). 151 If the network security service successfully blocks DoT and DoH 152 traffic, this can still compromise the endpoint security and privacy; 153 some of the potential security threats are listed below: 155 o Networks are susceptible to internal attacks as discussed in 156 Section 3.2 of [I-D.arkko-farrell-arch-model-t]. An internal 157 attacker can modify the DNS responses to re-direct the client to 158 malicious servers. 160 o Pervasive monitoring of DNS traffic. 162 In addition, the local network's DNS server is advertised using DHCP/ 163 RA which is insecure and also provides no mechanism to securely 164 authenticate the DNS server. To overcome the above threats, this 165 document specifies a mechanism to bootstrap endpoints to discover and 166 authenticate the DoT and DoH servers provided by their local network. 167 The overall procedure can be structured into the following steps: 169 o Bootstrapping (Section 4) is necessary only when connecting to a 170 new network or when the network's DNS certificate has changed. 171 Bootstrapping procedure authenticates the Enrollment over Secure 172 Transport (EST) [RFC7030] server to the endpoint. After 173 authenticating the EST server, DNS server certificate used by the 174 local network is downloaded to the endpoint. This DNS server 175 certificate enables subsequent authenticated encrypted 176 communication with the local DNS server (e.g., DoH) during in the 177 connection phase. 179 o Connection handshake and service invocation (Section 6): The DNS 180 client initiates a TLS handshake with the DNS server learned in 181 the discovery phase, and validates the DNS server's identity using 182 the credentials obtained in the bootstrapping phase. 184 Note: The strict and opportunistic privacy profiles as defined in 185 [RFC8310] only applies to DoT protocol, there has been no such 186 distinction made for DoH protocol. 188 2. Scope 190 The problems discussed in Section 1 will be encountered in Enterprise 191 networks. Typically Enterprise networks do not assume that all 192 devices in their network are managed by the IT team or Mobile Device 193 Management (MDM) devices, especially in the quite common BYOD ("Bring 194 Your Own Device") scenario. The mechanisms specified in this 195 document can be used by BYOD devices to discover and authenticate DoT 196 and DoH servers provided by the Enterprise network. This mechanism 197 can also be used by IoT devices (managed by IT team) after onboarding 198 to discover and authenticate DoT and DoH servers provided by the 199 Enterprise network. 201 Wireless LAN as frequently deployed is vulnerable to various attacks 202 ([Evil-Twin],[Krack] and [Dragonblood]). Because of these attacks, 203 only cryptographically authenticated communications are trusted on 204 Wireless LAN networks. This means information provided by such 205 networks via DHCP, DHCPv6, or RA (e.g., NTP server, DNS server, 206 default domain) are untrusted because DHCP and RA are not 207 authenticated. [I-D.btw-add-home] discusses DoH/DoT server discovery 208 using DHCP/RA but requires the DoH/DoT server to be pre-configured in 209 the endpoint (OS or Browser) or the DNS client must be able 210 cryptographically identify it is connecting to a DoT/DoH server 211 hosted by a specific organization (e.g., ISP or Enterprise) (see 212 [I-D.reddy-add-server-policy-selection]) to prevent the client from 213 connecting to a attackers server. 215 Users have to indicate to their system in some way that they desire 216 bootstrapping to be performed only when connecting to a specific 217 network (e.g., organization for which a user works or a user works 218 temporarily within another corporation), similar to the way users 219 disable VPN connection in specific network (e.g., Enterprise network) 220 and enable VPN connection by default in other networks. If the 221 discovered DNS server meets the privacy preserving data policy 222 requirements of the user, the user can select to use the discovered 223 DoT and DoH servers. 225 3. Terminology 227 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 228 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 229 "OPTIONAL" in this document are to be interpreted as described in BCP 230 14 [RFC2119][RFC8174] when, and only when, they appear in all 231 capitals, as shown here. 233 This document makes use of the terms defined in [RFC8499] and 234 [I-D.ietf-dnsop-terminology-ter]. 236 'DoH/DoT' refers to DNS-over-HTTPS and/or DNS-over-TLS. 238 4. Bootstrapping Endpoint Devices 240 If a device is managed by an enterprise's IT department, the device 241 can be configured to use Enterprise-provided DoH/DoT servers. This 242 configuration might be manual or rely upon whatever deployed device 243 management tool in an Enterprise. For example, customizing Firefox 244 using Group Policy to use the Enterprise DoH server is discussed in 245 [Firefox-Policy] for Windows and MacOS, and setting Chrome policies 246 is discussed in [Chrome-Policy] and [Chrome-DoH]. 248 If mobile device management (MDM) (e.g, [MDM-Apple]) is used to 249 secure endpoint, MDM can be used to configure OS/browser with the 250 Enterprise provided DoH/DoT server. If an endpoint is on-boarded, 251 for example, using Over-The-Air (OTA) enrollment [OTA] to provision 252 the device with a certificate and configuration profile, the 253 configuration profile can include the authentication domain name 254 (ADN) of the DoH/DoT server. The OS/Browser can use the 255 configuration profile to use the Enterprise provided DoH/DoT server. 256 In this case, MDM is not installed on the device. 258 4.1. Bootstrapping BYOD 260 This section focuses on bootstrapping Bring your own device (BYOD) to 261 discover and authenticate DoH/DoT server provided by the enterprise 262 network but without MDM or configuration profile on the endpoint. If 263 an endpoint uses the credentials (username and password) provided by 264 the IT admin to mutually authenticate to the Enterprise WLAN Access 265 Point (e.g., PEAP-MSCHAPv2 [PEAP], EAP-pwd [RFC8146], EAP-PSK 266 [RFC4764]), the following steps can be used to securely bootstrap the 267 endpoint with the authentication domain name (ADN, defined in 268 [RFC8310]) and DNS server certificate of the local network's DoH/DoT 269 server: 271 1. The endpoint authenticates to the local network and discovers the 272 Enrollment over Secure Transport (EST) [RFC7030] server using the 273 procedure discussed in Section 7. 275 2. The endpoint establishes provisional TLS connection with that EST 276 server, i.e., the endpoint provisionally accepts the unverified 277 TLS server certificate. However, the endpoint MUST authenticate 278 the EST server before it accepts the DNS server certificate. The 279 endpoint either uses password-based authenticated key exchange 280 (PAKE) with TLS 1.3 [I-D.barnes-tls-pake] as an authentication 281 method or uses the mutual authentication protocol for HTTP 282 [RFC8120] to authenticate the discovered EST server. 284 As a reminder, PAKE is an authentication method that allows the 285 use of usernames and passwords over unencrypted channels without 286 revealing the passwords to an eavesdropper. Similarly, the 287 mutual authentication for HTTP is based on PAKE and provides 288 mutual authentication between an HTTP client and an HTTP server 289 using username and password as credentials. The cryptographic 290 algorithms to use with the mutual authentication protocol for 291 HTTP are defined in [RFC8121]. 293 Note that the Crypto Forum Research Group (cfrg) has selected 294 draft-haase-cpace and draft-krawczyk-cfrg-opaque drafts to 295 recommend for balanced and augmented password-based authenticated 296 key establishment in IETF protocols. This step will be further 297 updated. 299 3. The endpoint needs to use PAKE scheme to perform authentication 300 the first time it connects to an EST server. If the EST server 301 authentication is successful, the server's identity can be used 302 to authenticate subsequent TLS connections to that EST server. 303 The endpoint configures the reference identifier for the EST 304 server using the DNS-ID identifier type in the EST server 305 certificate. On subsequent connections to the EST server, the 306 endpoint MUST validate the EST server certificate using the 307 Implict Trust Anchor database (i.e, the EST server certificate 308 must pass PKIX certification path validation [RFC6125]) and match 309 the reference identifier against the EST server's identity 310 according to the rules specified in Section 6.4 of [RFC6125]. 312 4. The endpoint learns the End-Entity certificates [RFC8295] from 313 the EST server. The certificate provisioned to the DNS server in 314 the local network will be treated as a End-Entity certificate. 315 As a reminder, the End-Entity certificates must be validated by 316 the endpoint using an authorized trust anchor (Section 3.2 of 317 [RFC8295]). The endpoint needs to identify the certificate 318 provisioned to the DNS server. The SRV-ID identifier type 319 [RFC6125] within subjectAltName entry MUST be used to identify 320 the DNS server certificate. 322 For example, DNS server certificate will include SRV-ID "_domain- 323 s.example.net" along with DNS-ID "example.net". The SRV service 324 label "domain-s" is defined in Section 6 of [RFC7858] for DoT 325 protocol. The SRV service label "doh" is defined in Section 11 326 for DoH protocol. 328 5. The endpoint configures the authentication domain name (ADN) 329 (defined in [RFC8310]) for the DNS server from the DNS-ID 330 identifier type within subjectAltName entry in the DNS server 331 certificate. The DNS server certificate is associated with the 332 ADN to be matched with the certificate given by the DNS server in 333 TLS. To some extent, this approach is similar to certificate 334 usage PKIX-EE(1) defined in [RFC7671]. 336 Figure 1 illustrates a sequence diagram for bootstrapping an endpoint 337 with the local network's ADN and DNS server certificate. 339 +----------+ +--------+ +--------+ 340 | Endpoint | | EST | | DNS | 341 | | | Server | | Server | 342 +----------+ +--------+ +--------+ 343 | DNS-SD query to discover the EST server | | 344 |-------------------------------------------------------->| 345 | | | 346 | optional: mDNS query to | | 347 | discover the EST server | | 348 |--------------------------------------------->| | 349 | | | 350 | Establish provisional TLS connection | | 351 |<-------------------------------------------->| | 352 | | | 353 | PAKE scheme to authenticate the EST server | | 354 |<-------------------------------------------->| | 355 | | | 356 [Generate reference identifier for the EST server | | 357 to compare with the EST server certificate | | 358 in subsequent TLS connections] | | 359 | | | 360 | Get EE certificates | | 361 |--------------------------------------------->| | 362 | | | 363 [Identify the DNS server certificate in EE | | 364 certificates to match with the certificate | | 365 by the DNS server in TLS handshake] | | 366 | | 367 [Configure ADN and associate DNS server certificate] | | 368 | | | 370 Figure 1: Bootstrapping Endpoint Devices 372 5. Bootstrapping IoT Devices 374 The following steps explain the mechanism to bootstrap IoT devices 375 supporting Bootstrapping Remote Secure Key Infrastructures (BRSKI) 376 discussed in [I-D.ietf-anima-bootstrapping-keyinfra] with local 377 network's CA certificates, ADN and DNS server certificate: 379 o Bootstrapping Remote Secure Key Infrastructures (BRSKI) discussed 380 in [I-D.ietf-anima-bootstrapping-keyinfra] provides a solution for 381 secure automated bootstrap of devices. BRSKI specifies means to 382 provision credentials on devices to be used to operationally 383 access networks. In addition, BRSKI provides an automated 384 mechanism for the bootstrap distribution of CA certificates from 385 the EST server. The IoT device can use BRSKI to bootstrap the IoT 386 device using the IoT manufacturer provisioned X.509 certificate, 387 in combination with a registrar provided by the local network and 388 IoT device manufacturer's authorizing service (MASA): 390 1. The IoT device authenticates to the local network using the 391 IoT manufacturer provisioned X.509 certificate. The IoT 392 device can request and get a voucher from the MASA service via 393 the registrar. The voucher is signed by the MASA service and 394 includes the local network's CA public key. 396 2. The IoT device validates the signed voucher using the 397 manufacturer installed trust anchor associated with the MASA, 398 stores the CA's public key and validates the provisional TLS 399 connection to the registrar. 401 3. The IoT device requests the full EST distribution of current 402 CA certificates (Section 5.9.1 in 403 [I-D.ietf-anima-bootstrapping-keyinfra]) from the registrar 404 operating as a BRSKI-EST server. The IoT devices stores the 405 CA certificates as Explicit Trust Anchor database entries. 406 The IoT device uses the Explicit Trust Anchor database to 407 validate the DNS server certificate. 409 4. The IoT device learns the End-Entity certificates from the 410 BRSKI-EST server. The certificate provisioned to the DNS 411 server in the local network will be treated as an End-Entity 412 certificate. The IoT device needs to identify the certificate 413 provisioned to the DNS server. The SRV-ID identifier type 414 within subjectAltName entry MUST be used to identify the DNS 415 server certificate (see Step 4 in Section 4.1). 417 5. The endpoint configures the ADN for the DNS server from the 418 DNS-ID identifier type within subjectAltName entry in the DNS 419 server certificate. The DNS server certificate is associated 420 with the ADN to be matched with the certificate given by the 421 DNS server in TLS. 423 6. Connection Handshake and Service Invocation 425 The DNS client resolves the ADN using the mechanism discussed in 426 Section 7.2 of [RFC8310]. The DNS client initiates TLS handshake 427 with the DNS server, the DNS server presents its certificate in 428 ServerHello message, and the DNS client MUST match the DNS server 429 certificate downloaded in Step 4 in Section 4.1 or Section 5 with the 430 certificate provided by the DNS server in TLS handshake. If the 431 match is successful, the DNS client MUST validate the server 432 certificate using an authorized trust anchor. 434 If the match is successful and server certificate is successfully 435 validated, the client continues with the connection as normal. 436 Otherwise, the client MUST treat the server certificate validation 437 failure as a non-recoverable error. If the DNS client cannot reach 438 or establish an authenticated and encrypted connection with the 439 privacy-enabling DNS server provided by the local network, the DNS 440 client can fallback to a privacy-enabling public DNS server. 442 The DoH client contacts the DoH resolver to retrieve the list of 443 supported DoH services using the well-known URI defined in 444 [I-D.btw-add-rfc8484-clarification]. 446 7. EST Service Discovery Procedure 448 An EST client discovers the EST server in the local network by using 449 DNS-based Service Discovery (DNS-SD) [RFC6763] or Multicast DNS 450 (mDNS) [RFC6762]. The portion specifies the DNS sub-domain 451 where the service instance is registered. It may be "local.", 452 indicating the mDNS local domain, or it may be a conventional domain 453 name such as "example.com.". The portion of the EST 454 service instance name MUST be "_est._tcp". 456 A EST client application can proactively discover an EST server being 457 advertised in the site by multicasting a PTR query to the following: 459 "_est._tcp.local" 461 An EST server can send out gratuitous multicast DNS answer packets 462 whenever it starts up, wakes from sleep, or detects a change in EST 463 server configuration. EST client application can receive these 464 gratuitous packets and cache information contained in them. 466 8. Network Reattachment 468 On subsequent attachments to the network, the endpoint initiates TLS 469 handshake with the DoH/DoT server (configured in Step 5 of 470 Section 4.1 or Section 5) and follows the mechanism discussed in 471 Section 6 to validate the DNS server certificate. 473 If the DNS server certificate is invalid (e.g., revoked or expired), 474 the endpoint discovers and initiates TLS handshake with the EST 475 server, and uses the validation techniques described in [RFC6125] to 476 compare the reference identifier (created in Step 2 of Section 4.1 in 477 this document) to the EST server certificate and verifies the entire 478 certification path as per [RFC5280]. The endpoint then gets the DNS 479 server certificate from the EST server. If the DNS-ID identifier 480 type within subjectAltName entry in the DNS server certificate does 481 not match the configured ADN, the ADN is replaced with the DNS-ID 482 identifier type. The DNS server certificate associated with the ADN 483 is replaced with the one provided by the EST server. The endpoint 484 initiates TLS handshake with the newly discovered ADN and follows the 485 mechanism discussed in Section 6 to validate the DNS server 486 certificate. 488 Figure 2 illustrates a sequence diagram for re-configuring an 489 endpoint with ADN and local network's DNS server certificate on 490 subsequent attachments to the network. 492 +----------+ +--------+ +--------+ 493 | Endpoint | | EST | | DNS | 494 | | | Server | | Server | 495 +----------+ +--------+ +--------+ 496 | DNS-SD query to discover the EST server | | 497 |-------------------------------------------------------->| 498 | | | 499 | optional: mDNS query to | | 500 | discover the EST server | | 501 |--------------------------------------------->| | 502 | | | 503 | Establish TLS connection | | 504 | and validate EST server certificate | | 505 |<-------------------------------------------->| | 506 | | | 507 | Get EE certificates | | 508 |<-------------------------------------------->| | 509 | | | 510 [Identify the DNS server certificate in EE | | 511 certificates to match with the certificate | | 512 by the DNS server in TLS handshake] | | 513 | | 514 [Re-configure ADN and associate DNS server certificate]| | 515 | | | 517 Figure 2: Bootstrapping Endpoint Devices on subsequent attachments to 518 the network 520 9. Privacy Considerations 522 [RFC7626] discusses DNS privacy considerations in both "on the wire" 523 (Section 2.4 of [RFC7626]) and "in the server" (Section 2.5 of 524 [RFC7626] contexts. The mechanism defined in 525 [I-D.reddy-add-server-policy-selection] can be used by the DNS server 526 to communicate its privacy statement URL and filtering policy to a 527 DNS client. This communication is cryptographically signed to attest 528 to its authenticity. By evaluating the DNS privacy statement, 529 filtering policy and the signatory, the client can use the discovered 530 DNS server if it meets privacy preserving data policy and filtering 531 requirements of the user. 533 10. Security Considerations 535 The bootstrapping procedure to obtain the certificate of the local 536 network's DNS server uses a client identity and password to 537 authenticate the EST server using PAKE schemes. Security 538 considerations such as those discussed in [I-D.barnes-tls-pake] or 539 [RFC8120] and [RFC8121] need to be taken into consideration. 541 Users cannot be expected to enable or disable the bootstrapping or 542 the discovery procedure as they switch networks. Thus, it is 543 RECOMMENDED that users indicate to their system in some way that they 544 desire bootstrapping to be performed when connecting to a specific 545 network, similar to the way users disable VPN connection in specific 546 network (e.g., Enterprise network) and enable VPN connection by 547 default in other networks. 549 If an endpoint has enabled strict privacy profile, and the network 550 security service blocks the traffic to the privacy-enabling public 551 DNS server, a hard failure occurs and the user is notified. The user 552 has a choice to switch to another network or if the user trusts the 553 network, the user can enable strict privacy profile with the DoH/DoT 554 server discovered in the network instead of downgrading to 555 opportunistic privacy profile. 557 The primary attacks against the methods described in Section 7 are 558 the ones that would lead to impersonation of a EST server and 559 spoofing the DNS response to indicate that the network does not 560 support any EST server. To protect against DNS-vectored attacks, 561 secured DNS (DNSSEC) can be used to ensure the validity of the DNS 562 records received. Impersonation of the EST server is prevented by 563 authenticating the EST server using the PAKE scheme. The PAKE scheme 564 is only used once to configure the reference identifier of the EST 565 server and the server certificate is validated for subsequent TLS 566 connections to the EST server. 568 Security considerations in [I-D.ietf-anima-bootstrapping-keyinfra] 569 need to be taken into consideration for IoT devices. 571 11. IANA Considerations 573 11.1. Service Name for EST 575 IANA is requested to allocate the following service name from the 576 registry available at: https://www.iana.org/assignments/service- 577 names-port-numbers/service-names-port-numbers.xhtml. 579 Service Name: est 580 Port Number: N/A 581 Transport Protocol(s): TCP 582 Description: Enrollment over Secure Transport (EST) 583 Assignee: IESG 584 Contact: IETF Chair 585 Reference: [ThisDocument] 587 11.2. Service Name for DoH 589 IANA is requested to allocate the following service name from the 590 registry available at: https://www.iana.org/assignments/service- 591 names-port-numbers/service-names-port-numbers.xhtml. 593 Service Name: doh 594 Port Number: N/A 595 Transport Protocol(s): TCP 596 Description: DNS-over-HTTPS 597 Assignee: IESG 598 Contact: IETF Chair 599 Reference: [ThisDocument] 601 12. Acknowledgments 603 Thanks to Joe Hildebrand, Harsha Joshi, Shashank Jain, Patrick 604 McManus, Bob Harold, Livingood Jason, Winfield Alister, Eliot Lear, 605 Stephane Bortzmeyer, Ted Lemon and Sara Dickinson for the discussion 606 and comments. 608 13. References 610 13.1. Normative References 612 [I-D.ietf-anima-bootstrapping-keyinfra] 613 Pritikin, M., Richardson, M., Eckert, T., Behringer, M., 614 and K. Watsen, "Bootstrapping Remote Secure Key 615 Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- 616 keyinfra-41 (work in progress), April 2020. 618 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 619 Requirement Levels", BCP 14, RFC 2119, 620 DOI 10.17487/RFC2119, March 1997, 621 . 623 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 624 Housley, R., and W. Polk, "Internet X.509 Public Key 625 Infrastructure Certificate and Certificate Revocation List 626 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 627 . 629 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 630 Verification of Domain-Based Application Service Identity 631 within Internet Public Key Infrastructure Using X.509 632 (PKIX) Certificates in the Context of Transport Layer 633 Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 634 2011, . 636 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, 637 DOI 10.17487/RFC6762, February 2013, 638 . 640 [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service 641 Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, 642 . 644 [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., 645 "Enrollment over Secure Transport", RFC 7030, 646 DOI 10.17487/RFC7030, October 2013, 647 . 649 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 650 and P. Hoffman, "Specification for DNS over Transport 651 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 652 2016, . 654 [RFC8121] Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi, 655 T., and Y. Ioku, "Mutual Authentication Protocol for HTTP: 656 Cryptographic Algorithms Based on the Key Agreement 657 Mechanism 3 (KAM3)", RFC 8121, DOI 10.17487/RFC8121, April 658 2017, . 660 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 661 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 662 May 2017, . 664 [RFC8295] Turner, S., "EST (Enrollment over Secure Transport) 665 Extensions", RFC 8295, DOI 10.17487/RFC8295, January 2018, 666 . 668 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 669 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 670 . 672 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 673 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 674 January 2019, . 676 13.2. Informative References 678 [CDN] "End-User Mapping: Next Generation Request Routing for 679 Content Delivery", 2015, 680 . 683 [Chrome-DoH] 684 The Unicode Consortium, "Chrome DNS over HTTPS (aka DoH)", 685 . 687 [Chrome-Policy] 688 The Unicode Consortium, "Chrome policies for users or 689 browsers", . 692 [Dragonblood] 693 The Unicode Consortium, "Dragonblood: Analyzing the 694 Dragonfly Handshake of WPA3 and EAP-pwd", 695 . 697 [Evil-Twin] 698 The Unicode Consortium, "Evil twin (wireless networks)", 699 . 702 [Firefox-Policy] 703 "Policy templates for Firefox", 704 . 707 [I-D.arkko-farrell-arch-model-t] 708 Arkko, J. and S. Farrell, "Challenges and Changes in the 709 Internet Threat Model", draft-arkko-farrell-arch-model- 710 t-04 (work in progress), July 2020. 712 [I-D.barnes-tls-pake] 713 Barnes, R. and O. Friel, "Usage of PAKE with TLS 1.3", 714 draft-barnes-tls-pake-04 (work in progress), July 2018. 716 [I-D.btw-add-home] 717 Boucadair, M., Reddy.K, T., Wing, D., and N. Cook, 718 "Encrypted DNS Discovery and Deployment Considerations for 719 Home Networks", draft-btw-add-home-07 (work in progress), 720 July 2020. 722 [I-D.btw-add-rfc8484-clarification] 723 Boucadair, M., Cook, N., Reddy.K, T., and D. Wing, 724 "Supporting Redirection for DNS Queries over HTTPS (DoH)", 725 draft-btw-add-rfc8484-clarification-02 (work in progress), 726 July 2020. 728 [I-D.ietf-dnsop-terminology-ter] 729 Hoffman, P., "Terminology for DNS Transports and 730 Location", draft-ietf-dnsop-terminology-ter-01 (work in 731 progress), February 2020. 733 [I-D.reddy-add-server-policy-selection] 734 Reddy.K, T., Wing, D., Richardson, M., and M. Boucadair, 735 "DNS Server Selection: DNS Server Information with 736 Assertion Token", draft-reddy-add-server-policy- 737 selection-03 (work in progress), June 2020. 739 [Krack] The Unicode Consortium, "Key Reinstallation Attacks", 740 2017, . 742 [MDM-Apple] 743 Apple, "Mobile Device Management", 744 . 747 [OTA] Apple, "Over-the-Air Profile Delivery Concepts", . 752 [PEAP] Microsoft, "[MS-PEAP]: Protected Extensible Authentication 753 Protocol (PEAP)", . 757 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 758 DOI 10.17487/RFC2775, February 2000, 759 . 761 [RFC4764] Bersani, F. and H. Tschofenig, "The EAP-PSK Protocol: A 762 Pre-Shared Key Extensible Authentication Protocol (EAP) 763 Method", RFC 4764, DOI 10.17487/RFC4764, January 2007, 764 . 766 [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, 767 DOI 10.17487/RFC7626, August 2015, 768 . 770 [RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based 771 Authentication of Named Entities (DANE) Protocol: Updates 772 and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671, 773 October 2015, . 775 [RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and W. 776 Kumari, "Client Subnet in DNS Queries", RFC 7871, 777 DOI 10.17487/RFC7871, May 2016, 778 . 780 [RFC8120] Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi, 781 T., and Y. Ioku, "Mutual Authentication Protocol for 782 HTTP", RFC 8120, DOI 10.17487/RFC8120, April 2017, 783 . 785 [RFC8146] Harkins, D., "Adding Support for Salted Password Databases 786 to EAP-pwd", RFC 8146, DOI 10.17487/RFC8146, April 2017, 787 . 789 [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles 790 for DNS over TLS and DNS over DTLS", RFC 8310, 791 DOI 10.17487/RFC8310, March 2018, 792 . 794 [RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage 795 Description Specification", RFC 8520, 796 DOI 10.17487/RFC8520, March 2019, 797 . 799 Authors' Addresses 801 Tirumaleswar Reddy 802 McAfee, Inc. 803 Embassy Golf Link Business Park 804 Bangalore, Karnataka 560071 805 India 807 Email: kondtir@gmail.com 809 Dan Wing 810 Citrix Systems, Inc. 811 USA 813 Email: dwing-ietf@fuggles.com 815 Michael C. Richardson 816 Sandelman Software Works 817 USA 819 Email: mcr+ietf@sandelman.ca 821 Mohamed Boucadair 822 Orange 823 Rennes 35000 824 France 826 Email: mohamed.boucadair@orange.com