]> Ericsson

8275 Trans Canada Route Saint Laurent, QC 4S 0B6 Canada daniel.migault@ericsson.com

Akamai

ralf.weber@akamai.com

Internet Systems Consortium, Inc.

950 Charter Street Redwood City 94063 US tomasz.mrugalski@gmail.com

Internet Homenet Internet-Draft This document defines DHCPv6 options so a Homenet Naming Authority (HNA) can automatically proceed to the appropriate configuration and outsource the authoritative naming service for the home network. In most cases, the outsourcing mechanism is transparent for the end user.

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The reader should be familiar with .

specifies how an entity designated as the Homenet Naming Authority (HNA) outsources a Public Homenet Zone to an DNS Outsourcing Infrastructure (DOI). This document describes how a network can provision the HNA with a specific DOI. This could be particularly useful for a DOI partly managed by an ISP, or to make home networks resilient to HNA replacement. The ISP delegates an IP prefix to the home network as well as the associated reverse zone. The ISP is thus aware of the owner of that IP prefix, and as such becomes a natural candidate for hosting the Homenet Reverse Zone - that is the Reverse Distribution Manager (RDM) and potentially the Reverse Public Authoritative Servers. In addition, ISPs often identify the line of the home network with a name. Such name is used for their internal network management operations and is not a name the home network owner has registered to. ISPs may leverage such infrastructure and provide the home network with a specific domain name designated as per a Homenet Registered Domain. Similarly to the reverse zone, ISPs are aware of who owns that domain name and may become a natural candidate for hosting the Homenet Zone - that is the Distribution Manager (DM) and the Public Authoritative Servers. This document describes DHCPv6 options that enable an ISP to provide the necessary parameters to the HNA, to proceed. More specifically, the ISP provides the Registered Homenet Domain, necessary information on the DM and the RDM so the HNA can manage and upload the Public Homenet Zone and the Reverse Public Homenet Zone as described in . The use of DHCPv6 options may make the configuration completely transparent to the end user and provides a similar level of trust as the one used to provide the IP prefix - when provisioned via DHCP.

This section illustrates how a HNA receives the necessary information via DHCPv6 options to outsource its authoritative naming service to the DOI. For the sake of simplicity, and similarly to , this section assumes that the HNA and the home network DHCPv6 client are colocated on the Customer Edge (CPE) router . Note also that this is not mandatory and the DHCPv6 client may instruct remotely the HNA with a protocol that will be standardized in the future. In addition, this section assumes the responsible entity for the DHCPv6 server is provisioned with the DM and RDM information - associated with the requested Registered Homenet Domain . This means a Registered Homenet Domain can be associated with the DHCPv6 client. This scenario is believed to be the most popular scenario. This document does not ignore scenarios where the DHCPv6 server does not have privileged relations with the DM or RDM. These cases are discussed in . Such scenarios do not necessarily require configuration for the end user and can also be zero-config. The scenario considered in this section is as follows: The HNA is willing to outsource the Public Homenet Zone or Homenet Reverse Zone. The DHCPv6 client is configured to include in its Option Request Option (ORO) the Registered Homenet Domain Option (OPTION_REGISTERED_DOMAIN), the Forward Distribution Manager Option (OPTION_FORWARD_DIST_MANAGER) and the Reverse Distribution Manager Option (OPTION_REVERSE_DIST_MANAGER) option codes. The DHCPv6 server responds to the DHCPv6 client with the requested DHCPv6 options based on the identified homenet. The DHCPv6 client passes the information to the HNA. The HNA is authenticated (see Section “Securing the Control Channel” of ) by the DM and the RDM. The HNA builds the Homenet Zone (or the Homenet Reverse Zone) and proceed as described in . The DHCPv6 options provide the necessary non optional parameters described in Appendix B of . The HNA may complement the configurations with additional parameters via means not yet defined. Appendix B of describes such parameters that may take some specific non default value.

This section details the payload of the DHCPv6 options following the guidelines of .

The Registered Domain Option (OPTION_REGISTERED_DOMAIN) indicates the FQDN associated with the home network.

option-code (16 bits): OPTION_REGISTERED_DOMAIN, the option code for the Registered Homenet Domain (TBD1). option-len (16 bits): length in octets of the Registered Homenet Domain field as described in . Registered Homenet Domain (variable): the FQDN registered for the homenet encoded as described in Section 10 of .

The Forward Distributed Manager Option (OPTION_FORWARD_DIST_MANAGER) provides the HNA with the FQDN of the DM as well as the transport protocols for the communication between the HNA and the DM. As opposed to IP addresses, the FQDN requires a DNS resolution before establishing the communication between the HNA and the DM. However, the use of a FQDN provides multiple advantages over IP addresses. Firstly, it makes the DHCPv6 Option easier to parse and smaller - especially when IPv4 and IPv6 addresses are expected to be provided. Then the FQDN can reasonably be seen as a more stable identifier than IP addresses, as well as a pointer to additional information that may be useful, in the future, to establish the communication between the HNA and the DM.

option-code (16 bits): OPTION_FORWARD_DIST_MANAGER, the option code for the Forward Distribution Manager Option (TBD2). option-len (16 bits): length in octets of the enclosed data as described in . Supported Transport (16 bits): defines the supported transport by the DM (see ). Each bit represents a supported transport, and a DM MAY indicate the support of multiple modes. The left most bit for DNS over TLS MUST be set. Distribution Manager FQDN (variable): the FQDN of the DM encoded as described in Section 10 of . It is worth noticing that the DHCP Option specifies the Supported Transport without specifying any explicit port. Unless the HNA and the DM have agreed on using a specific port - for example by configuration, or any out of band mechanism -, the default port is used and must be specified. The specification of such default port may be defined in the specification of the designated Supported Transport or in any other document. In the case of DNS over TLS , the default port is defined by with the following value: 853. The need to associate in the DHCP Option the port value to each Supported Transport has been balanced with the difficulty of handling a list of tuples ( transport, port ) as well as the possibility to use a dedicated IP address for the DM in case the default port was already in use.

The Reverse Distribution Manager Option (OPTION_REVERSE_DIST_MANAGER) provides the HNA with the FQDN of the DM as well as the transport protocols for the communication between the HNA and the DM.

option-code (16 bits): OPTION_REVERSE_DIST_MANAGER, the option code for the Reverse Distribution Manager Option (TBD3). option-len (16 bits): length in octets of the option-data field as described in . Supported Transport (16 bits): defines the supported transport by the RDM (see ). Each bit represents a supported transport, and a RDM MAY indicate the support of multiple modes. The bit for DNS over TLS MUST be set. Reverse Distribution Manager FQDN (variable): the FQDN of the RDM encoded as described in section 10 of . For the port number associated to the SUpported Transport, the same considerations as described in holds.

The Supported Transport field of the DHCPv6 option indicates the supported transport protocols. Each bit represents a specific transport mechanism. A bit sets to 1 indicates the associated transport protocol is supported. The corresponding bits are assigned as described in and .

DNS over TLS: indicates the support of DNS over TLS as described in and .

Sections 17.2.2 and 18.2 of govern server operation regarding option assignment. As a convenience to the reader, we mention here that the server will send option foo only if configured with specific values for foo and if the client requested it. In particular, when configured the DHCPv6 server sends the Registered Homenet Domain Option, Distribution Manager Option, the Reverse Distribution Manager Option when requested by the DHCPv6 client by including necessary option codes in its ORO.

The DHCPv6 client includes Registered Homenet Domain Option, Distribution Manager Option, the Reverse Distribution Manager Option in an ORO as specified in Sections 18.2.1, 18.2.2, 18.2.4, 18.2.5, 18.2.6, and 21.7 of . Upon receiving a DHCPv6 option described in this document in the Reply message, the HNA SHOULD proceed as described in .

There are no additional requirements for the DHCPv6 Relay agents.

IANA is requested to assign the following new DHCPv6 Option Codes in the registry maintained in: https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2.

IANA is requested to maintain a new registry of Supported Transport parameter in the Distributed Manager Option (OPTION_FORWARD_DIST_MANAGER) or the Reverse Distribution Manager Option (OPTION_REVERSE_DIST_MANAGER). The different parameters are defined in in . The Name of the registry is: Supported Transport parameter The registry description is: The Supported Transport field of the DHCPv6 option is a two octet field that indicates the supported transport protocols. Each bit represents a specific transport mechanism. The parent grouping is Dynamic Host Configuration Protocol for IPv6 (DHCPv6) at https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2. New entry MUST specify the bit position, the Transport Protocol Description a Mnemonic and a Reference as defined in . The initial registry is as specified in . Changes of the format or policies of the registry is left to the IETF via the IESG. Future code points are assigned under RFC Required as per .

The security considerations in are to be considered. The trust associated with the information carried by the DHCPv6 Options described in this document is similar to the one associated with the IP prefix - when configured via DHCPv6. In some cases, the ISP MAY identify the HNA by its wire line, that is to say physically which may not require to rely on TLS to authenticate the HNA. As TLS is mandatory to be used, it is expected the HNA is provisioned with a certificate. In some cases, the HNA may use a self signed certificate.

We would like to thank Marcin Siodelski, Bernie Volz and Ted Lemon for their comments on the design of the DHCPv6 options. We would also like to thank Mark Andrews, Andrew Sullivan and Lorenzo Colliti for their remarks on the architecture design. The designed solution has been largely been inspired by Mark Andrews’s document as well as discussions with Mark. We also thank Ray Hunter and Michael Richardson for its reviews, its comments and for suggesting an appropriated terminology.

The co-authors would like to thank Chris Griffiths and Wouter Cloetens that provided a significant contribution in the early versions of the document.

&RFC2119; &RFC8174; &I-D.ietf-homenet-front-end-naming-delegation; &RFC8415; &RFC7858; &RFC8126; &RFC7368; &RFC7227; &RFC9103; &I-D.andrews-dnsop-pd-reverse; &RFC2181; &RFC1034; &RFC6672; &I-D.sury-dnsext-cname-dname;

This appendix details various scenarios and discuss their impact on the end user. This appendix is not normative and limits the description of a limited scope of scenarios that are assumed to be representative. Many other scenarios may be derived from these.

The base scenario is the one described in in which an ISP manages the DHCPv6 server, the DM and RDM. The end user subscribes to the ISP (foo), and at subscription time registers for foo.example as its Registered Homenet Domain foo.example. In this scenario, the DHCPv6 server, DM and RDM are managed by the ISP so the DHCPv6 server and as such can provide authentication credentials of the HNA to enable secure authenticated transaction with the DM and the Reverse DM. The main advantage of this scenario is that the naming architecture is configured automatically and transparently for the end user. The drawbacks are that the end user uses a Registered Homenet Domain managed by the ISP and that it relies on the ISP naming infrastructure.

This appendix considers the case when the end user wants its home network to use example.com not managed by her ISP (foo) as a Registered Homenet Domain. This appendix still considers the ISP manages the home network and still provides foo.example as a Registered Homenet Domain. When the end user buys the domain name example.com, it may request to redirect the name example.com to foo.example using static redirection with CNAME , , DNAME or CNAME+DNAME . The only information the end user needs to know is the domain name assigned by the ISP. Once the redirection has been configured, the HNA may be changed, the zone can be updated as in without any additional configuration from the end user. The main advantage of this scenario is that the end user benefits from the Zero Configuration of the Base Scenario . Then, the end user is able to register for its home network an unlimited number of domain names provided by an unlimited number of different third party providers. The drawback of this scenario may be that the end user still rely on the ISP naming infrastructure. Note that the only case this may be inconvenient is when the DNS servers provided by the ISPs results in high latency.

This scenario considers that the end user uses example.com as a Registered Homenet Domain, and does not want to rely on the authoritative servers provided by the ISP. In this appendix we limit the outsourcing to the DM and Public Authoritative Server(s) to a third party. The Reverse Public Authoritative Server(s) and the RDM remain managed by the ISP as the IP prefix is managed by the ISP. Outsourcing to a third party DM can be performed in the following ways: Updating the DHCPv6 server Information. One can imagine a GUI interface that enables the end user to modify its profile parameters. Again, this configuration update is done once-for-ever. Upload the configuration of the DM to the HNA. In some cases, the provider of the CPE router hosting the HNA may be the registrar and provide the CPE router already configured. In other cases, the CPE router may request the end user to log into the registrar to validate the ownership of the Registered Homenet Domain and agree on the necessary credentials to secure the communication between the HNA and the DM. As described in , such settings could be performed in an almost automatic way as to limit the necessary interactions with the end user.

This scenario considers a HNA connected to multiple ISPs. Suppose the HNA has been configured each of its interfaces independently with each ISPS as described in . Each ISP provides a different Registered Homenet Domain. The protocol and DHCPv6 options described in this document are fully compatible with a HNA connected to multiple ISPs with multiple Registered Homenet Domains. However, the HNA should be able to handle different Registered Homenet Domains. This is an implementation issue which is outside the scope of the current document. If a HNA is not able to handle multiple Registered Homenet Domains, the HNA may remain connected to multiple ISP with a single Registered Homenet Domain. In this case, one entity is chosen to host the Registered Homenet Domain. This entity may be one of the ISP or a third party. Note that having multiple ISPs can be motivated for bandwidth aggregation, or connectivity fail-over. In the case of connectivity fail-over, the fail-over concerns the access network and a failure of the access network may not impact the core network where the DM and Public Authoritative Primaries are hosted. In that sense, choosing one of the ISP even in a scenario of multiple ISPs may make sense. However, for sake of simplicity, this scenario assumes that a third party has been chosen to host the Registered Homenet Domain. Configuration is performed as described in and . With the configuration described in , the HNA is expected to be able to handle multiple Homenet Registered Domain, as the third party redirect to one of the ISPs servers. With the configuration described in , DNS zone are hosted and maintained by the third party. A single DNS(SEC) Homenet Zone is built and maintained by the HNA. This latter configuration is likely to match most HNA implementations. The protocol and DHCPv6 options described in this document are fully compatible with a HNA connected to multiple ISPs. To configure or not and how to configure the HNA depends on the HNA facilities. and require the HNA to handle multiple Registered Homenet Domain, whereas does not have such requirement.