generated from martinthomson/internet-draft-template
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Dump references and notes from Christian & Martine meeting
- Loading branch information
Showing
1 changed file
with
85 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -49,6 +49,11 @@ author: | |
| email: [email protected] | ||
|
|
||
| normative: | ||
| RFC9460: svcb | ||
| RFC9461: svcb-for-dns | ||
| RFC9462: ddr | ||
| RFC9463: dnr | ||
| I-D.ietf-core-dns-over-coap: doc | ||
|
|
||
| informative: | ||
|
|
||
|
|
@@ -64,11 +69,90 @@ TODO Abstract | |
|
|
||
| TODO Introduction | ||
|
|
||
| ## Problems | ||
|
|
||
| # Conventions and Definitions | ||
| TODO transform into sentences: | ||
|
|
||
| - What do we need to find DoC using SvcParams {{-svcb}} {{-dnr}}? | ||
| - Do we need sepcific ALPNs? | ||
| - What should the fields in {{-dnr}} RA / DHCP options give us? | ||
| (authentication-domain-name may not matter in EDHOC/ACE-OSCORE setup, but audience value for | ||
| ACE authorization server and the servers address might) | ||
| - How do we signal ALPN-equivalent information when there is not “the one” transport layer security? | ||
| - Can we indicate the transport (CoAP over UDP/TCP/etc.) orthogonally from (object) security mechanism (EDHOC, ACE-OSCORE, ...) | ||
| - TBD but might be out-of-scope: | ||
| - replace coap+... URI schemas with hostname literals | ||
| - Increased RA size / fragmentation | ||
|
|
||
| # Terminology | ||
|
|
||
| {::boilerplate bcp14-tagged} | ||
|
|
||
| # Solution Sketches | ||
|
|
||
| What should the fields in RA / DHCP option give us? | ||
|
|
||
| ## Unencrypted DoC | ||
| TBD: Does DNR allow it? | ||
|
|
||
| ~~~~~~~~ | ||
| authenticator-domain-name: | ||
| (I'm leaving it empty b/c there is no use for it) | ||
| ipv6-address: ... | ||
| svcb-params: | ||
| coaptransport="coap-over-tcp", | ||
| docpath="/dns", | ||
| port=61616 | ||
| ~~~~~~~~ | ||
|
|
||
| ## DoC over DTLS | ||
| TBD: | ||
| - Not even a problem, just register the relevant ALPN. | ||
| - Trigger in CoRE, should be separate ALPN to “coap” (CoAP over TLS) ... and bikeshed value “co”, “COAP”, “cod”, ... | ||
| - `docpath` if not given = `""` (cmp. URI-Path option in CoAP)? | ||
| > a la ‘When using the SVCB method for obtaining a DoC server (eg. because querying _dns or | ||
| > because it comes in DNR), the server MUST set docpath unless it is empty, in which case the | ||
| > client MUST assume docpath=“”’ to avoid implying an empty docpath even in places where no DoC is | ||
| > done | ||
|
|
||
| ~~~~~~~~ | ||
| authenticator-domain-name: dns.example.com | ||
| ipv6-address: ... | ||
| svcb-params: alpn="cod"/*TBD*/,docpath="/dns" | ||
| ~~~~~~~~ | ||
|
|
||
|
|
||
| ## DoC over OSCORE using EDHOC | ||
| - In a “web-browser style” (tell the device which name to authenticate, and it’ll do the cert | ||
| validation) | ||
|
|
||
| ~~~~~~~~ | ||
| authenticator-domain-name: dns.example.com | ||
| ipv6-address: ... | ||
|
|
||
| svcb-params: | ||
| coaptransport="coap-over-tcp", | ||
| objectsecurity="edhoc", | ||
| docpath="/dns", | ||
| port=61616 | ||
| ~~~~~~~~ | ||
|
|
||
| ## DoC over ACE-OSCORE | ||
| - ACE to authenticate server (not necessarily the client) | ||
|
|
||
| ~~~~~~~~ | ||
| authenticator-domain-name: | ||
| (leaving empty b/c there is no use for it) | ||
| ipv6-address: ... | ||
| svcb-params: | ||
| coaptransport="coap-over-tcp" /* encoded as a numeric value */, | ||
| objectsecurity="edhoc"/* or ace-edhoc?, also encoded as a numeric value */, | ||
| docpath="/dns", | ||
| port=61616, | ||
| oauth-aud="dns.example.com", | ||
| oauth-scope="resolve DNS"/* should this be expressed at all? */, | ||
| oauth-as="coap://as.example.com" /* encoded as a CRI? */ | ||
| ~~~~~~~ | ||
|
|
||
| # Security Considerations | ||
|
|
||
|
|
||