<?xml version="1.0" encoding="UTF-8"?><?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc1033 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1033.xml'>
<!ENTITY rfc1034 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml'>
<!ENTITY rfc1035 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml'>
<!ENTITY rfc2045 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2045.xml'>
<!ENTITY rfc2119 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2782 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2782.xml'>
<!ENTITY rfc3927 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3927.xml'>
<!ENTITY rfc4055 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml'>
<!ENTITY rfc4075 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4075.xml'>
<!ENTITY rfc4279 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4279.xml'>
<!ENTITY rfc4291 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4291.xml'>
<!ENTITY rfc4648 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml'>
<!ENTITY rfc5054 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5054.xml'>
<!ENTITY rfc5246 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml'>
<!ENTITY rfc6762 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml'>
<!ENTITY rfc6763 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml'>
<!ENTITY rfc7558 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7558.xml'>
<!ENTITY rfc7626 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7626.xml'>
<!ENTITY rfc7844 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7844.xml'>
<!ENTITY rfc7858 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml'>
<!ENTITY rfc8117 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8117.xml'>
<!ENTITY rfc8094 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8094.xml'>
<!ENTITY rfc8235 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8235.xml'>
<!ENTITY rfc8236 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8236.xml'>
<!ENTITY rfc8446 PUBLIC ''
'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml'>
<!ENTITY I-D.ietf-dnssd-push PUBLIC ''
"http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dnssd-push">
<!ENTITY I-D.ietf-dnssd-srp PUBLIC ''
"http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dnssd-srp">
<!ENTITY I-D.ietf-tls-esni PUBLIC ''
"http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-esni">
<!ENTITY kw14a PUBLIC ''
"references/reference.kw14a.xml">
<!ENTITY kw14b PUBLIC ''
"references/reference.kw14b.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc compact="yes"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<!-- Expand crefs and put them inline -->
<?rfc comments='yes' ?>
<?rfc inline='yes' ?> "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info"
docName="draft-ietf-dnssd-prireq-08"
ipr="trust200902"> ipr="trust200902" obsoletes=""
updates="" submissionType="IETF" xml:lang="en" tocInclude="true"
symRefs="true" sortRefs="true" version="3" number="8882" consensus="true">
<!-- xml2rfc v2v3 conversion 2.42.0 -->
<front>
<title abbrev="DNS-SD Privacy Requirements">
DNS-SD
DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements
</title>
<seriesInfo name="RFC" value="8882"/>
<author fullname="Christian Huitema" initials="C." surname="Huitema">
<organization>Private Octopus Inc.</organization>
<address>
<postal>
<street></street>
<street/>
<city>Friday Harbor</city>
<code>98250</code>
<region>WA</region>
<country>U.S.A.</country>
<country>United States of America</country>
</postal>
<email>huitema@huitema.net</email>
<uri>http://privateoctopus.com/</uri>
</address>
</author>
<author fullname="Daniel Kaiser" initials="D." surname="Kaiser">
<organization>University of Luxembourg</organization>
<address>
<postal>
<street>6, avenue de la Fonte</street>
<city>Esch-sur-Alzette</city>
<code>4364</code>
<region></region>
<region/>
<country>Luxembourg</country>
</postal>
<email>daniel.kaiser@uni.lu</email>
<uri>https://secan-lab.uni.lu/</uri>
</address>
</author>
<date year="2020" /> month="September" year="2020"/>
<keyword>Multicast DNS</keyword>
<keyword>mDNS</keyword>
<abstract>
<t>
DNS-SD (DNS
<t>DNS-SD (DNS-based Service Discovery) normally discloses information about
devices offering and requesting services. This information includes host names,
hostnames, network parameters, and possibly a further description of the
corresponding service instance. Especially when mobile devices engage in DNS
DNS-based Service Discovery at a public hotspot, serious privacy problems
arise. We analyze the requirements of a privacy-respecting discovery service.
</t>
service.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
DNS numbered="true" toc="default">
<name>Introduction</name>
<t>DNS-Based Service Discovery (DNS-SD) <xref target="RFC6763" />
format="default"/> over Multicast DNS (mDNS) <xref target="RFC6762" />
format="default"/> enables zero-configuration service discovery in local
networks. It is very convenient for users, but it requires the public
exposure of the offering and requesting identities along with
information about the offered and requested services. Parts of the
published information can seriously breach the user's privacy. These
privacy issues and potential solutions are discussed in <xref
target="KW14a" />, format="default"/>, <xref target="KW14b" />
format="default"/>, and <xref target="K17" />. format="default"/>. While the
multicast nature of mDNS makes these risks obvious, most risks derive
from the observability of transactions. These risks also need to be
mitigated when using server-based variants of DNS-SD.
</t>
<t>
There DNS-SD.</t>
<t>There are cases when nodes connected to a network want to provide or
consume services without exposing their identities to the other parties
connected to the same network. Consider, for example, a traveler wanting
to upload pictures from a phone to a laptop when both are connected to
the Wi-Fi network of an Internet cafe, or two travelers who want to
share files between their laptops when waiting for their plane in an
airport lounge.
</t>
<t>
We lounge.</t>
<t>We expect that these exchanges will start with a discovery procedure
using DNS-SD over mDNS. One of the devices will publish the availability
of a service, such as a picture library or a file store in our
examples. The user of the other device will discover this service, service and
then connect to it.
</t>
<t>
When it.</t>
<t>When analyzing these scenarios in <xref target="scenarios"/>, target="scenarios"
format="default"/>, we find that the DNS-SD messages leak identifying information
information, such as the service instance name, Service Instance Name, the host name, hostname, or service
properties. We use the following definitions:
<list style="hanging">
<t hangText="Identity">
In definitions:</t>
<dl newline="true" spacing="normal">
<dt>Identity</dt>
<dd>In this document, the term "identity" refers to the identity of
the entity (legal person) operating a device.
</t>
<t hangText="Disclosing device.</dd>
<dt>Disclosing an Identity">
In Identity</dt>
<dd>In this document document, "disclosing an identity" means showing the
identity of operating entities to devices external to the discovery process;
process, e.g., devices on the same network link that are listening to
the network traffic but are not actually involved in the discovery
process. This document focuses on identity disclosure by data conveyed
via messages on the service discovery protocol layer. Still, identity
leaks on deeper layers, e.g., the IP layer, are mentioned.
</t>
<t hangText="Disclosing Information">
In mentioned.</dd>
<dt>Disclosing Information</dt>
<dd>In this document document, "disclosing information" is also focused on
disclosure of data conveyed via messages on the service discovery
protocol layer,
such as generic non-identity but including both identity-revealing information and
other still potentially sensitive data.
</t>
</list>
</t> data.</dd>
</dl>
</section>
<section title="Threat Model" anchor="threatmodel">
<t>
This anchor="threatmodel" numbered="true" toc="default">
<name>Threat Model</name>
<t>This document considers the following attacker types sorted by
increasing power. All these attackers can either be passive (they just
listen to network traffic they have access to) or active (they
additionally can craft and send malicious packets).
</t>
<t>
<list style="hanging">
<t hangText="external">
An packets).</t>
<dl newline="true" spacing="normal">
<dt>external</dt>
<dd>An external attacker is not on the same network link as victim
devices engaging in service discovery; thus, the external attacker is
in a different multicast domain.
</t>
<t hangText="on-link">
An domain.</dd>
<dt>on-link</dt>
<dd>An on-link attacker is on the same network link as victim devices
engaging in service discovery; thus, the on-link attacker is in the
same multicast domain. This attacker can also mount all attacks an
external attacker can mount.
</t>
<t hangText="MITM">
A Man in the Middle mount.</dd>
<dt>MITM</dt>
<dd>A Man-in-the-Middle (MITM) attacker either controls (parts of) a
network link or can trick two parties to send traffic via the
attacker; thus, the MITM attacker has access to unicast traffic
between devices engaging in service discovery. This attacker can also
mount all attacks an on-link attacker can mount.
</t>
</list>
</t> mount.</dd>
</dl>
</section>
<section title="Threat Analysis" anchor="threatanalysis">
<t>
In anchor="threatanalysis" numbered="true" toc="default">
<name>Threat Analysis</name>
<t>In this section section, we analyse analyze how the attackers described in the
previous section might threaten the privacy of entities operating
devices engaging in service discovery. We focus on attacks leveraging
data transmitted in service discovery protocol messages.
</t> messages.</t>
<section title="Service anchor="scenarios" numbered="true" toc="default">
<name>Service Discovery Scenarios" anchor="scenarios"> Scenarios</name>
<t>In this section, we review common service discovery scenarios and
discuss privacy threats and their privacy requirements. In all three
of these common scenarios scenarios, the attacker is of the type passive
on-link.</t>
<section title="Private anchor="privclipubserv" numbered="true" toc="default">
<name>Private Client and Public Server" anchor="privclipubserv" >
<t>
Perhaps Server</name>
<t>Perhaps the simplest private discovery scenario involves a single
client connecting to a public server through a public network. A
common example would be a traveler using a publicly available
printer in a business center, in an a hotel, or at an airport.
</t>
<t>
<figure>
<artwork> airport.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
( Taking notes:
( David is printing
( a document document.
~~~~~~~~~~~
o
___ o ___
/ \ _|___|_
| | client server |* *|
\_/ __ \_/
| / / Discovery +----------+ |
/|\ /_/ <-----------> <-----------> | +----+ | /|\
/ | \__/ +--| |--+ / | \
/ | |____/ / | \
/ | / | \
/ \ / \
/ \ / \
/ \ / \
/ \ / \
/ \ / \
David adversary
</artwork>
</figure>
</t>
<t>
In Adversary
]]></artwork>
<t>In that scenario, the server is public and wants to be
discovered, but the client is private. The adversary will be
listening to the network traffic, trying to identify the visitors'
devices and their activity. Identifying devices leads to identifying
people, either for surveillance of these individuals in the physical
world or as a preliminary step for a targeted cyber attack.
</t>
<t>
The attack.</t>
<t>The requirement in that scenario is that the discovery activity
should not disclose the identity of the client.
</t> client.</t>
</section>
<section title="Private anchor="privcliprivserv" numbered="true" toc="default">
<name>Private Client and Private Server" anchor="privcliprivserv" >
<t>
The Server</name>
<t>The second private discovery scenario involves a private client
connecting to a private server. A common example would be two people
engaging in a collaborative application in a public place, such as
an airport's lounge.
</t>
<t>
<figure>
<artwork> lounge.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
( Taking notes:
( David is meeting
( with Stuart Stuart.
~~~~~~~~~~~
o
___ ___ o ___
/ \ / \ _|___|_
| | server client | | |* *|
\_/ __ __ \_/ \_/
| / / Discovery \ \ | |
/|\ /_/ <-----------> <-----------> \_\ /|\ /|\
/ | \__/ \__/ | \ / | \
/ | | \ / | \
/ | | \ / | \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
/ \ / \ / \
David Stuart Adversary
</artwork>
</figure>
</t>
<t>
In
]]></artwork>
<t>In that scenario, the collaborative application on one of the
devices will act as a server, and the application on the other
device will act as a client. The server wants to be discovered by
the client, client but has no desire to be discovered by anyone else. The
adversary will be listening to network traffic, attempting to
discover the identity of devices as in the first scenario, scenario and also
attempting to discover the patterns of traffic, as these patterns
reveal the business and social interactions between the owners of
the devices.
</t>
<t>
The devices.</t>
<t>The requirement in that scenario is that the discovery activity
should not disclose the identity of either the client or the server, server
nor reveal the business and social interactions between the owners
of the devices.
</t> devices.</t>
</section>
<section title="Wearable anchor="wearcliserv" numbered="true" toc="default">
<name>Wearable Client and Server" anchor="wearcliserv" >
<t>
The Server</name>
<t>The third private discovery scenario involves wearable devices. A
typical example would be the watch on someone's wrist connecting to
the phone in their pocket.
</t>
<t>
<figure>
<artwork> pocket.</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
( Taking notes:
( David is here. His watch is
( talking to his phone phone.
~~~~~~~~~~~
o
___ o ___
/ \ _|___|_
| | client |* *|
\_/ \_/
| _/ |
/|\ // /|\
/ | \__/ ^ / | \
/ |__ | Discovery / | \
/ |\ \ v / | \
/ \\_\ / \
/ \ server / \
/ \ / \
/ \ / \
/ \ / \
David Adversary
</artwork>
</figure>
</t>
<t>
This
]]></artwork>
<t>This third scenario is in many ways similar to the second
scenario. It involves two devices, one acting as server and the
other acting as client, and it leads to the same requirement of the
discovery traffic not disclosing the identity of either the client
or the server. The main difference is that the devices are managed
by a single owner, which can lead to different methods for
establishing secure relations between the devices. There is also an
added emphasis on hiding the type of devices that the person
wears.
</t>
<t>
In
wears.</t>
<t>In addition to tracking the identity of the owner of the devices,
the adversary is interested in the characteristics of the devices,
such as type, brand, and model. Identifying the type of device can
lead to further attacks, from theft to device-specific hacking. The
combination of devices worn by the same person will also provide a
"fingerprint" of the person, risking identification.
</t>
<t>
This identification.</t>
<t>This scenario also represents the general case of bringing
private IoT Internet-of-Things (IoT) devices into public places. A
wearable IoT device might
act as a DNS-SD/mDNS client client, which allows attackers to infer
information about devices' owners. While the attacker might be a person
person, as in the example figure, this could also be abused for large scale
large-scale data collection installing stationary
IoT-device-tracking
servers in frequented public places.
</t>
<t>
The places.</t>
<t>The issues described in <xref target="privclipubserv" />
format="default"/>, such as identifying people or using the
information for targeted attacks attacks, apply here too.
</t> too.</t>
</section>
</section>
<section title="DNS-SD anchor="analysis" numbered="true" toc="default">
<name>DNS-SD Privacy Considerations" anchor="analysis">
<t>
While Considerations</name>
<t>While the discovery process illustrated in the scenarios in <xref target="scenarios"/>
target="scenarios" format="default"/> most likely would be based on
<xref target="RFC6762" /> format="default"/> as a means for making
service information available, this document considers all kinds of
means for making DNS-SD resource records available. These means
comprise of but are not limited to mDNS <xref target="RFC6762" />,
format="default"/>, DNS servers (<xref target="RFC1033"/> target="RFC1033"
format="default"/>, <xref target="RFC1034"/>, target="RFC1034" format="default"/>, and <xref target="RFC1035"/>),
using SRP
target="RFC1035" format="default"/>), the use of Service Registration
Protocol (SRP) <xref target="I-D.ietf-dnssd-srp"/>,
target="I-D.ietf-dnssd-srp" format="default"/>, and multi-link <xref target="RFC7558"/> networks.
</t>
target="RFC7558" format="default"/> networks.</t>
<t>The discovery scenarios in <xref target="scenarios"/> target="scenarios"
format="default"/> illustrate three separate abstract privacy
requirements that vary based on the use case. These are not limited to mDNS.
<list style="numbers">
<t>Client
mDNS.</t>
<ol spacing="normal" type="1">
<li>Client identity privacy: Client identities are not leaked during
service discovery or use.</t>
<t>Multi-entity, use.</li>
<li>Multi-entity, mutual client and server identity privacy: Neither
client nor server identities are leaked during service discovery or use.</t>
<t>Single-entity,
use.</li>
<li>Single-entity, mutual client and server identity privacy:
Identities of clients and servers owned and managed by the same
legal person are not leaked during service discovery or use.</t>
</list>
</t>
<t>
In use.</li>
</ol>
<t>In this section, we describe aspects of DNS-SD that make these
requirements difficult to achieve in practice. While it is intended to
be thorough, it is not possible to be exhaustive.
</t>
<t>
Client exhaustive.</t>
<t>Client identity privacy, if not addressed properly, can be thwarted
by a passive attacker (see <xref target="threatmodel"/>). target="threatmodel"
format="default"/>). The type of passive attacker necessary depends on
the means of making service information available. Information
conveyed via multicast messages can be obtained by an on-link
attacker. Unicast messages are
easy harder to access access,
but if the transmission is not encrypted, but encrypted they could still be accessed by
an attacker with access to network routers or bridges. Using multi-link service discovery
solutions <xref target="RFC7558"/>, target="RFC7558" format="default"/>, external
attackers have to be taken into consideration as well, e.g., when
relaying multicast messages to other links.
</t>
<t>
Server links.</t>
<t>Server identity privacy can be thwarted by a passive attacker in
the same way as client identity privacy. Additionally, active
attackers querying for information have to be taken into consideration
as well. This is mainly relevant for unicast-based discovery, where
listening to discovery traffic requires a MITM attacker; however, an
external active attacker might be able to learn the server identity by
just querying for service information, e.g. e.g., via DNS.
</t> DNS.</t>
<section title="Information made available via anchor="RRs" numbered="true" toc="default">
<name>Information Made Available Via DNS-SD Resource Records" anchor="RRs">
<t>
DNS-Based Records</name>
<t>DNS-Based Service Discovery (DNS-SD) is defined in <xref
target="RFC6763" />. format="default"/>. It allows nodes to publish the
availability of an instance of a service by inserting specific
records in the DNS (<xref target="RFC1033"/>, target="RFC1033" format="default"/>, <xref target="RFC1034"/>,
target="RFC1034" format="default"/>, and <xref target="RFC1035"/>) target="RFC1035"
format="default"/>) or by publishing these records locally using
multicast DNS (mDNS) <xref target="RFC6762"/>. target="RFC6762"
format="default"/>. Available services are described using three
types of records:
</t>
<t>
<list style="hanging">
<t hangText="PTR Record:">Associates records:</t>
<dl newline="true" spacing="normal">
<dt>PTR Record</dt>
<dd>Associates a service type in the domain with an "instance"
name of this service type.
</t>
<t hangText="SRV Record:">Provides type.</dd>
<dt>SRV Record</dt>
<dd>Provides the node name, port number, priority and weight
associated with the service instance, in conformance with <xref
target="RFC2782" />.
</t>
<t hangText="TXT Record:">Provides format="default"/>.</dd>
<dt>TXT Record</dt>
<dd>Provides a set of attribute-value pairs describing specific
properties of the service instance.
</t>
</list>
</t> instance.</dd>
</dl>
</section>
<section title="Privacy anchor="instanceLeak" numbered="true" toc="default">
<name>Privacy Implication of Publishing Service Instance Names" anchor="instanceLeak" >
<t>
In Names</name>
<t>In the first phase of discovery, clients obtain all PTR records
associated with a service type in a given naming domain. Each PTR
record contains a Service Instance Name defined in Section
4 of
<xref target="RFC6763" />:
</t>
<t>
<figure>
<artwork> sectionFormat="of" section="4"/>:</t>
<sourcecode><![CDATA[
Service Instance Name = <Instance> <Instance> . <Service> <Service> . <Domain>
</artwork>
</figure>
</t>
<t>
The <Domain>
]]></sourcecode>
<t>The <Instance> portion of the Service Instance Name is
meant to convey enough information for users of discovery clients to
easily select the desired service instance. Nodes that use DNS-SD
over mDNS <xref target="RFC6762" /> format="default"/> in a mobile
environment will rely on the specificity of the instance name to
identify the desired service instance. In our example of users
wanting to upload pictures to a laptop in an Internet Cafe, cafe, the list
of available service instances may look like:
</t>
<t>
<figure>
<artwork> like:</t>
<sourcecode>
Alice's Images . _imageStore._tcp . local
Alice's Mobile Phone . _presence._tcp . local
Alice's Notebook . _presence._tcp . local
Bob's Notebook . _presence._tcp . local
Carol's Notebook . _presence._tcp . local
</artwork>
</figure>
</t>
<t>
Alice
</sourcecode>
<t>Alice will see the list on her phone and understand intuitively
that she should pick the first item. The discovery will "just
work". (Note that our examples of service names conform to the
specification in section 4.1 of <xref target="RFC6763" />, sectionFormat="of"
section="4.1"/> but may require some character escaping when
entered in conventional DNS software.)
</t>
<t>
However, software.)</t>
<t>However, DNS-SD/mDNS will reveal to anybody that Alice is
currently visiting the Internet Cafe. cafe. It further discloses the fact
that she uses two devices, shares an image store, and uses a chat
application supporting the _presence protocol on both of her
devices. She might currently chat with Bob or Carol, as they are
also using a _presence supporting chat application. This information
is not just available to devices actively browsing for and offering
services,
services but to anybody passively listening to the network traffic, i.e.
i.e., a passive on-link attacker.
</t>
<t>
There attacker.</t>
<t>There is, of course, also no authentication requirement to claim
a particular instance name, so an active attacker can provide
resources that claim to be Alice's but are not.
</t> not.</t>
</section>
<section title="Privacy numbered="true" toc="default">
<name>Privacy Implication of Publishing Node Names">
<t>
The Names</name>
<t>The SRV records contain the DNS name of the node publishing the
service. Typical implementations construct this DNS name by
concatenating the "host name" "hostname" of the node with the name of the local
domain. The privacy implications of this practice are reviewed in
<xref target="RFC8117" />. format="default"/>. Depending on naming
practices, the host name hostname is either a strong identifier of the device, or
device or, at a minimum minimum, a partial identifier. It enables tracking of
both the device, device and, by extension, the device's owner.
</t> owner.</t>
</section>
<section title="Privacy numbered="true" toc="default">
<name>Privacy Implication of Publishing Service Attributes">
<t>
The Attributes</name>
<t>The TXT record's attribute-value pairs contain information on the
characteristics of the corresponding service instance. This in turn
reveals information about the devices that publish services. The
amount of information varies widely with the particular service and
its implementation:
</t>
<t>
<list style="symbols">
<t>
Some implementation:</t>
<ul spacing="normal">
<li>Some attributes, such as the paper size available in a
printer, are the same on many devices, devices and thus only provide
limited information to a tracker.
</t>
<t>
Attributes tracker.</li>
<li>Attributes that have freeform free-form values, such as the name of a
directory, may reveal much more information.
</t>
</list>
</t>
<t>
Combinations information.</li>
</ul>
<t>Combinations of individual attributes have more information power
than specific attributes, attributes and can potentially be used for
"fingerprinting" a specific device.
</t>
<t>
Information device.</t>
<t>Information contained in TXT records not only breaches privacy by
making devices
trackable, trackable but might directly contain private
information about the user. For instance instance, the _presence service
reveals the "chat status" to everyone in the same network. Users
might not be aware of that.
</t>
<t>
Further, that.</t>
<t>Further, TXT records often contain version information about
services, allowing potential attackers to identify devices running
exploit-prone versions of a certain service.
</t> service.</t>
</section>
<section title="Device Fingerprinting" anchor="serverFingerprint">
<t>
The anchor="serverFingerprint" numbered="true" toc="default">
<name>Device Fingerprinting</name>
<t>The combination of information published in DNS-SD has the
potential to provide a "fingerprint" of a specific device. Such
information includes:
</t>
<t>
<list style="symbols">
<t>
List includes:</t>
<ul spacing="normal">
<li>A list of services published by the device, which can be
retrieved because the SRV records will point to the same host name.
</t>
<t>
Specific
hostname.</li>
<li>Specific attributes describing these services.
</t>
<t>
Port services.</li>
<li>Port numbers used by the services.
</t>
<t>
Priority services.</li>
<li>Priority and weight attributes in the SRV records.
</t>
</list>
</t>
<t>
This records.</li>
</ul>
<t>This combination of services and attributes will often be
sufficient to identify the version of the software running on a
device. If a device publishes many services with rich sets of
attributes, the combination may be sufficient to identify the
specific device and track its owner.
</t>
<t>
An owner.</t>
<t>An argument is sometimes made that devices providing services can
be identified by observing the local traffic, traffic and that trying to
hide the presence of the service is futile. However, there are good
reasons for the discovery service layer to avoid unnecessary exposure:
<list style="numbers">
<t>
Providing
exposure:</t>
<ol spacing="normal" type="1">
<li>Providing privacy at the discovery layer is of the essence for
enabling automatically configured privacy-preserving network
applications. Application layer protocols are not forced to
leverage the offered privacy, but if device tracking is not
prevented at the deeper layers, including the service discovery
layer, obfuscating a certain service's protocol at the application
layer is futile.
</t>
<t>
Further, futile.</li>
<li>Further, in the case of mDNS based mDNS-based discovery, even if the
application layer does not protect privacy,
typically services are typically
provided via unicast unicast, which requires a MITM attacker,
while whereas
identifying services based on multicast discovery messages just
requires an on-link attacker.
</t>
</list>
The attacker.</li>
</ol>
<t>The same argument can be extended to say that the pattern of
services offered by a device allows for fingerprinting the
device. This may or may not be true, since we can expect that
services will be designed or updated to avoid leaking
fingerprints. In any case, the design of the discovery service
should avoid making a bad situation worse, worse and should should, as much as
possible
possible, avoid providing new fingerprinting information.
</t> information.</t>
</section>
<section title="Privacy anchor="clientPrivacy" numbered="true" toc="default">
<name>Privacy Implication of Discovering Services" anchor="clientPrivacy" >
<t>
The Services</name>
<t>The consumers of services engage in discovery, discovery and in doing so
reveal some information information, such as the list of services they are
interested in and the domains in which they are looking for the
services. When the clients select specific instances of services,
they reveal their preference for these instances. This can be benign
if the service type is very common, but it could be more problematic
for sensitive services, such as some private messaging services.
</t>
<t>
One services.</t>
<t>One way to protect clients would be to somehow encrypt the
requested service types. Of course, just as we noted in <xref target="serverFingerprint"/>,
target="serverFingerprint" format="default"/>, traffic analysis can
often reveal the service.
</t> service.</t>
</section>
</section>
<section title="Security Considerations"> numbered="true" toc="default">
<name>Security Considerations</name>
<t>For each of the operations described above, we must also consider
security threats we are concerned about.</t>
<section title="Authenticity, Integrity & Freshness"> numbered="true" toc="default">
<name>Authenticity, Integrity, and Freshness</name>
<t>Can devices (both servers and clients) trust the information they
receive? Has it been modified in flight by an adversary? Can
devices trust the source of the information? Is the source of
information fresh, i.e., not replayed? Freshness may or may not be
required depending on whether the discovery process is meant to be
online. In some cases, publishing discovery information to a shared
directory or registry, rather than to each online recipient through
a broadcast channel, may suffice.</t>
</section>
<section title="Confidentiality"> numbered="true" toc="default">
<name>Confidentiality</name>
<t>Confidentiality is about restricting information access to only
authorized individuals. Ideally Ideally, this should only be the appropriate
trusted parties, though it can be challenging to define who are "the
appropriate trusted parties." In some use cases, this may mean that
only mutually authenticated and trusting clients and servers can
read messages sent for one another. The process of service discovery
in particular is often used to discover new entities that the device
did not previously know about. It may be tricky to work out how a
device can have an established trust relationship with a new entity
it has never previously communicated with.
</t> with.</t>
</section>
<section title="Resistance numbered="true" toc="default">
<name>Resistance to Dictionary Attacks"> Attacks</name>
<t>It can be tempting to use (publicly computable) hash functions to
obscure sensitive identifiers. This transforms a sensitive unique identifier
identifier, such as an email address address, into a "scrambled" but still
unique identifier. Unfortunately Unfortunately, simple solutions may be vulnerable
to offline dictionary attacks.</t>
</section>
<section title="Resistance numbered="true" toc="default">
<name>Resistance to Denial-of-Service Attacks"> Attacks</name>
<t>In any protocol where the receiver of messages has to perform
cryptographic operations on those messages, there is a risk of a
brute-force flooding attack causing the receiver to expend excessive
amounts of CPU time and, where appliciable, applicable, battery power just
processing and discarding those messages.</t>
<t>
Also,
<t>Also, amplification attacks have to be taken into
consideration. Messages with larger payloads should only be sent as
an answer to a query sent by a verified client.
</t> client.</t>
</section>
<section title="Resistance numbered="true" toc="default">
<name>Resistance to Sender Impersonation"> Impersonation</name>
<t>Sender impersonation is an attack wherein messages messages, such as
service offers offers, are forged by entities who do not possess the
corresponding secret key material. These attacks may be used to
learn the identity of a communicating party, actively or
passively.</t>
</section>
<section title="Sender Deniability"> numbered="true" toc="default">
<name>Sender Deniability</name>
<t>Deniability of sender activity, e.g., of broadcasting a discovery
request, may be desirable or necessary in some use cases. This
property ensures that eavesdroppers cannot prove senders issued a
specific message destined for one or more peers. </t>
</section>
</section>
<section title="Operational Considerations"> numbered="true" toc="default">
<name>Operational Considerations</name>
<section title="Power Management"> numbered="true" toc="default">
<name>Power Management</name>
<t>Many modern devices, especially battery-powered devices, use
power management techniques to conserve energy. One such technique
is for a device to transfer information about itself to a proxy,
which will act on behalf of the device for some functions, functions while the
device itself goes to sleep to reduce power consumption. When the
proxy determines that some action is required required, which only the device
itself can perform, the proxy may have some way to wake the device,
as described for example in <xref target="SLEEP-PROXY" />.</t>
format="default"/>.</t>
<t>In many cases, the device may not trust the network proxy
sufficiently to share all its confidential key material with the
proxy. This poses challenges for combining private discovery that
relies on per-query cryptographic operations, operations with energy-saving
techniques that rely on having (somewhat untrusted) network proxies
answer queries on behalf of sleeping devices.</t>
</section>
<section title="Protocol Efficiency"> numbered="true" toc="default">
<name>Protocol Efficiency</name>
<t>Creating a discovery protocol that has the desired security
properties may result in a design that is not efficient. To perform
the necessary operations operations, the protocol may need to send and receive a
large number of network packets, packets or require an inordinate amount of
multicast transmissions. This may consume an unreasonable amount of
network capacity, particularly problematic when it is a shared
wireless spectrum. Further, it may cause an unnecessary level of
power consumption consumption, which is particularly problematic on battery devices,
devices and may result in the discovery process being slow.</t>
<t>It is a difficult challenge to design a discovery protocol that
has the property of obscuring the details of what it is doing from
unauthorized
observers, observers while also managing to perform
efficiently.</t>
</section>
<section title="Secure numbered="true" toc="default">
<name>Secure Initialization and Trust Models"> Models</name>
<t>One of the challenges implicit in the preceding discussions is
that whenever we discuss "trusted entities" versus "untrusted
entities", there needs to be some way that trust is initially established,
established to convert an "untrusted entity" into a "trusted
entity".</t>
<t>The purpose of this document is not to define the specific way in
which trust can be established. Protocol designers may rely on a
number of existing technologies, including PKI, Trust On First Use
(TOFU), or using the use of a short passphrase or PIN with cryptographic algorithms
algorithms, such as
<xref target="RFC5054">Secure Secure Remote Password (SRP)</xref> (SRP) <xref
target="RFC5054" format="default"></xref> or a Password Authenticated
Password-Authenticated Key
Exchange like J-PAKE <xref target="RFC8236">J-PAKE</xref> target="RFC8236"
format="default"></xref> using a
<xref target="RFC8235">Schnorr Schnorr Non-interactive
Zero-Knowledge Proof</xref>.
</t> Proof <xref target="RFC8235"
format="default"></xref>.</t>
<t>Protocol designers should consider a specific usability pitfall
when trust is established immediately prior to performing
discovery. Users will have a tendency to "click OK" in order to
achieve their task. This implicit vulnerability is avoided if the
trust establishment requires more significant participation of the
user, such as entering a password or PIN.
</t> PIN.</t>
</section>
<section title="External Dependencies"> numbered="true" toc="default">
<name>External Dependencies</name>
<t>Trust establishment may depend on external parties. Optionally,
this might involve synchronous communication. Systems which that have
such a dependency may be attacked by interfering with communication
to external dependencies. Where possible, such dependencies should
be minimized. Local trust models are best for secure initialization
in the presence of active attackers.</t>
</section>
</section>
</section>
<section title="Requirements numbered="true" toc="default">
<name>Requirements for a DNS-SD Privacy Extension">
<t>
Given Extension</name>
<t>Given the considerations discussed in the previous sections, we state
requirements for privacy preserving DNS-SD in the following subsections.
</t>
<t>
Defining
subsections.</t>
<t>Defining a solution according to these requirements is intended to
lead to a solution that does not transmit privacy-violating DNS-SD
messages and further does not open pathways to new attacks against the
operation of DNS-SD.
</t>
<t>
However, DNS-SD.</t>
<t>However, while this document gives advice on which privacy protecting
mechanisms should be used on deeper-layer network protocols and on how
to actually connect to services in a privacy-preserving way, stating
corresponding requirements is out of the scope of this document. To
mitigate attacks against privacy on lower layers, both servers and
clients must use privacy options available at lower layers,
and layers and, for example
example, avoid publishing static IPv4 or IPv6 addresses, addresses or static IEEE
802 MAC Media Access Control (MAC) addresses. For services advertised on a
single network link, link local
link-local IP addresses should be used; see <xref target="RFC3927" />
format="default"/> and <xref target="RFC4291" /> format="default"/> for
IPv4 and IPv6, respectively. Static servers advertising services
globally via DNS can hide their IP addresses from unauthorized clients
using the split mode topology shown in Encrypted Server Name Indication
<xref target="I-D.ietf-tls-esni"/>. target="I-D.ietf-tls-esni"
format="default"/>. Hiding static MAC addresses can be achieved via MAC
address randomization (see <xref target="RFC7844" />).
</t>
format="default"/>).</t>
<section title="Private numbered="true" toc="default">
<name>Private Client Requirements">
<t>
For Requirements</name>
<t>For all three scenarios described in <xref target="scenarios" />,
format="default"/>, client privacy requires DNS-SD messages to:
<list style="numbers">
<t>
Avoid to:</t>
<ol spacing="normal" type="1">
<li>Avoid disclosure of the client's identity, either directly or
via inference, to nodes other than select servers.
</t>
<t>
Avoid servers.</li>
<li>Avoid exposure of linkable identifiers that allow tracing client devices.
</t>
<t>
Avoid devices.</li>
<li>Avoid disclosure of the client's interest in specific service
instances or service types to nodes other than select servers.
</t>
</list>
</t>
<t>
When servers.</li>
</ol>
<t>When listing and resolving services via current DNS-SD deployments,
clients typically disclose their interest in specific services types
and specific instances of these types, respectively.
</t>
<t>
In respectively.</t>
<t>In addition to the exposure and disclosure risks noted above,
protocols and implementations will have to consider fingerprinting
attacks (see <xref target="serverFingerprint"/>) target="serverFingerprint" format="default"/>) that
could retrieve similar information.
</t> information.</t>
</section>
<section title="Private numbered="true" toc="default">
<name>Private Server Requirements">
<t>
Servers Requirements</name>
<t>Servers like the "printer" discussed in scenario 1 <xref
target="privclipubserv" format="default"/> are public, but
the servers discussed in scenarios 2 Sections <xref target="privcliprivserv"
format="counter"/> and 3 are <xref target="wearcliserv" format="counter"/>
are, by essence essence, private.
Server privacy requires DNS-SD messages to:
</t>
<t>
<list style="numbers">
<t>
to:</t>
<ol spacing="normal" type="1">
<li> Avoid disclosure of the server's identity, either directly or
via inference, to nodes other than authorized clients. In
particular, Servers servers must avoid publishing static identifiers identifiers, such as host names
hostnames or service names. When those fields are required by the
protocol, servers should publish randomized values. (See <xref
target="RFC8117" /> format="default"/> for a discussion of host names.)
</t>
<t>
Avoid hostnames.)</li>
<li>Avoid exposure of linkable identifiers that allow tracing servers.
</t>
<t>
Avoid servers.</li>
<li>Avoid disclosure to unauthorized clients of service instance names Service Instance
Names or service types of offered services.
</t>
<t>
Avoid services.</li>
<li>Avoid disclosure to unauthorized clients of information about
the services they offer.
</t>
<t>
Avoid </li>
<li>Avoid disclosure of static IPv4 or IPv6 addresses.
</t>
</list>
</t>
<t>
When addresses.</li>
</ol>
<t>When offering services via current DNS-SD deployments, servers
typically disclose their hostnames (SRV, A/AAAA), instance names of
offered services (PRT, (PTR, SRV), and information about services
(TXT). Heeding these requirements protects a server's privacy on the
DNS-SD level.
</t>
<t>
The level.</t>
<t>The current DNS-SD user interfaces present the list of discovered
service names to the users, users and let them pick a service from the
list. Using random identifiers for service names renders that UI flow
unusable. Privacy-respecting discovery protocols will have to solve
this issue, for example example, by presenting authenticated or decrypted
service names instead of the randomized values.
</t> values.</t>
</section>
<section title="Security numbered="true" toc="default">
<name>Security and Operation">
<t>
In Operation</name>
<t>In order to be secure and feasible, a DNS-SD privacy extension
needs to consider security and operational requirements including:
<list style="numbers">
<t>
Avoiding including:</t>
<ol spacing="normal" type="1">
<li>Avoiding significant CPU overhead on nodes or significantly
higher network load. Such overhead or load would make nodes
vulnerable to denial of service denial-of-service attacks. Further, it would increase
power consumption consumption, which is damaging for IoT devices.
</t>
<t>
Avoiding devices.</li>
<li>Avoiding designs in which a small message can trigger a large
amount of traffic towards an unverified address, as this could be
exploited in amplification attacks.
</t>
</list>
</t> attacks.</li>
</ol>
</section>
</section>
<section title="IANA Considerations" anchor="iana">
<t>
This draft does not require any IANA action.
</t>
</section>
<section title="Acknowledgments"> anchor="iana" numbered="true" toc="default">
<name>IANA Considerations</name>
<t>This draft incorporates many contributions from Stuart Cheshire and Chris Wood. Thanks to
Florian Adamsky for extensive review and suggestions on the organization of the threat
model. Thanks to Barry Leiba for an extensive review. Thanks to Roman Danyliw, Ben Kaduk,
Adam Roach and Alissa Cooper for their comments during IESG review.
</t> document has no IANA actions.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc6762;
&rfc6763;
<displayreference target="I-D.ietf-dnssd-srp" to="SRP"/>
<displayreference target="I-D.ietf-tls-esni" to="ESNI"/>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml"/>
</references>
<references title="Informative References">
&rfc1033;
&rfc1034;
&rfc1035;
&rfc2782;
&rfc3927;
&rfc4291;
&rfc5054;
&rfc7558;
&rfc7844;
&rfc8117;
&rfc8235;
&rfc8236;
&I-D.ietf-dnssd-srp;
&I-D.ietf-tls-esni;
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1033.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2782.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3927.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4291.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5054.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7558.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7844.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8117.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8235.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8236.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dnssd-srp.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-tls-esni.xml"/>
<reference anchor="KW14a" target="http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7011331"> target="https://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7011331">
<front>
<title>Adding Privacy to Multicast DNS Service Discovery</title>
<author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
<organization/>
</author>
<author initials="M." surname="Waldvogel" fullname="Marcel Waldvogel">
<organization/>
</author>
<date month="September" year="2014"/>
</front>
<seriesInfo name="DOI" value="10.1109/TrustCom.2014.107"/>
</reference>
<reference anchor="KW14b" target="http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7056899"> target="https://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7056899">
<front>
<title>Efficient Privacy Preserving Multicast DNS Service Discovery</title>
<author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
<organization/>
</author>
<author initials="M." surname="Waldvogel" fullname="Marcel Waldvogel">
<organization/>
</author>
<date month="August" year="2014"/>
</front>
<seriesInfo name="DOI" value="10.1109/HPCC.2014.141"/>
</reference>
<reference anchor="K17" target="http://nbn-resolving.de/urn:nbn:de:bsz:352-0-422757"> target="https://nbn-resolving.de/urn:nbn:de:bsz:352-0-422757">
<front>
<title>Efficient Privacy-Preserving Configurationless Service Discovery Supporting Multi-Link Networks</title>
<author initials="D." surname="Kaiser" fullname="Daniel Kaiser">
<organization/>
</author>
<date month="August" year="2017"/>
</front>
</reference>
<reference anchor="SLEEP-PROXY" target="http://stuartcheshire.org/SleepProxy/index.html">
<front>
<title>Understanding Sleep Proxy Service</title>
<author initials="S." surname="Cheshire" fullname="Stuart Cheshire">
<organization/>
</author>
<date month="December" year="2009"/>
</front>
</reference>
</references>
</references>
<section numbered="false" toc="default">
<name>Acknowledgments</name>
<t>This document incorporates many contributions from <contact
fullname="Stuart Cheshire"/> and <contact fullname="Chris
Wood"/>. Thanks to <contact fullname="Florian Adamsky"/> for extensive
review and suggestions on the organization of the threat model. Thanks
to <contact fullname="Barry Leiba"/> for an extensive review. Thanks to
<contact fullname="Roman Danyliw"/>, <contact fullname="Ben Kaduk"/>,
<contact fullname="Adam Roach"/>, and <contact fullname="Alissa Cooper"/>
for their comments during IESG review.</t>
</section>
</back>
</rfc>