Communicating Proxy Configurations in Provisioning Domains
draft-pauly-intarea-proxy-config-pvd-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
|---|---|---|---|
| Author | Tommy Pauly | ||
| Last updated | 2023-06-27 | ||
| Replaced by | draft-ietf-intarea-proxy-config | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-pauly-intarea-proxy-config-pvd-00
Network Working Group T. Pauly
Internet-Draft Apple, Inc.
Intended status: Standards Track 27 June 2023
Expires: 29 December 2023
Communicating Proxy Configurations in Provisioning Domains
draft-pauly-intarea-proxy-config-pvd-00
Abstract
This document defines a mechanism for accessing provisioning domain
information associated with a proxy, such a list of DNS zones that
are accessible via an HTTP CONNECT proxy. It also defines a way to
enumerate proxies that are associated with a known provisioning
domain.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/tfpauly/privacy-proxy.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 29 December 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
Pauly Expires 29 December 2023 [Page 1]
Internet-Draft Proxy Configuration PvDs June 2023
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Background . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 4
2. Accessing PvD Additional Information for proxies . . . . . . 4
2.1. Fetching proxy PvDs . . . . . . . . . . . . . . . . . . . 4
2.2. Proxy PvD contents . . . . . . . . . . . . . . . . . . . 4
2.2.1. Split DNS accessibility . . . . . . . . . . . . . . . 5
2.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Enumerating proxies within a PvD . . . . . . . . . . . . . . 6
3.1. Associating proxies with known proxies . . . . . . . . . 6
3.2. Associating proxies with a PvD identifier . . . . . . . . 7
3.2.1. Proxy configuration from a FQDN . . . . . . . . . . . 7
3.2.2. Network-specified proxies . . . . . . . . . . . . . . 7
3.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . 8
6.2. Informative References . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
HTTP proxies that use the CONNECT method Section 9.3.6 of [HTTP]
(often referred to as "forward" proxies) allow clients to open
connections to hosts via a proxy. These typically allow for TCP
stream proxying, but can also support UDP proxying [CONNECTUDP] and
IP packet proxying [CONNECTIP]. Such proxies are not just defined as
hostnames and ports, but can use URI templates [URITEMPLATE].
In order to make use of multiple related proxies, clients need a way
to understand which proxies are associated with one another.
Client can also benefit from learning about additional information
associated with the proxy to optimize their proxy usage, such knowing
that a proxy is configured to only allow access to a limited set of
next hops.
Pauly Expires 29 December 2023 [Page 2]
Internet-Draft Proxy Configuration PvDs June 2023
These improvements to client behavior can be achieved through the use
of Provisioning Domains. Provisioning Domains (PvDs) are defined in
[PVD] as consistent sets of network configuration information, which
can include proxy configuration details Section 2 of [PVD].
[PVDDATA] defines a JSON [JSON] format for describing Provisioning
Domain Additional Information, which is an extensible dictionary of
properties of the Provisioning Domain.
This document defines two mechanisms to use PvDs to help clients
understand how to use proxies:
1. A way to fetch PvD Additional Information associated with a proxy
URI, which allows defining a limited set of DNS zones that are
accessible through the proxy Section 2.
2. A way to associate one or more proxy URIs with a known PvD to
allow clients to learn about other proxies when they already know
about a proxy PvD or network-provided PvD Section 3.
1.1. Background
Other non-standard mechanisms for proxy configuration and discovery
have been used historically, some of which are described in
[RFC3040].
Proxy Auto Configuration (PAC) files Section 6.2 of [RFC3040] are
Javascript scripts that take URLs as input and provide an output of a
proxy configuration to use.
Web Proxy Auto-Discovery Protocol (WPAD) Section 6.4 of [RFC3040]
allows networks to advertise proxies to use by advertising a PAC
file. This solution squats on DHCP option 252.
These common (but non-standard) mechanisms only support defining
proxies by hostname and port, and do not support configuring a full
URI template [URITEMPLATE].
The mechanisms defined in this document are intended to offer a
standard alternative that works for URI-based proxies and avoids
dependencies on executing Javascript scripts, which can open up
security vulnerabilities.
Pauly Expires 29 December 2023 [Page 3]
Internet-Draft Proxy Configuration PvDs June 2023
1.2. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Accessing PvD Additional Information for proxies
This document defines a way to fetch PvD Additional Information
associated with a particular proxy resource. This PvD describes the
properties of the network accessible through the proxy.
2.1. Fetching proxy PvDs
Some HTTP forward proxies, like those used for UDP and IP proxying,
are identified by URI templates that contains paths, such as
"https://proxy.example.org/masque{?target_host,target_port}". For
such cases, a client can fetch the PvD Additional Information by
issuing a GET request Section 9.3.1 of [HTTP] to the proxy URI, with
template variables removed, and setting the media type "application/
pvd+json" [PVDDATA] in an Accept header.
For example, a client would issue the following request for the PvD
associated with "https://proxy.example.org/
masque{?target_host,target_port}":
:method = GET
:scheme = https
:authority = proxy.example.org
:path = /masque
accept = application/pvd+json
CONNECT forward proxies that proxy TCP streams do not contain a path.
For such cases, a client can fetch the PvD Additional Information by
issuing a GET request to the path "/". For example:
:method = GET
:scheme = https
:authority = proxy.example.org
:path = /
accept = application/pvd+json
2.2. Proxy PvD contents
PvD Additional Information is required to contain the "identifier",
"expires", and "prefixes" keys.
Pauly Expires 29 December 2023 [Page 4]
Internet-Draft Proxy Configuration PvDs June 2023
For proxy PvDs as defined in this document, the "identifier" MUST
match the hostname of the HTTP proxy. The "prefixes" array SHOULD be
empty by default.
2.2.1. Split DNS accessibility
Split DNS configurations are cases where only a subset of domains is
routed through a VPN tunnel or a proxy. For example, IKEv2 defines
split DNS configuration in [IKEV2SPLIT].
PvD Additional Information can be used to indicate that a proxy PvD
has a split DNS configuration.
Section 4.3 of [PVDDATA] defines the optional dnsZones key, which
contains searchable and accessible DNS zones as an array of strings.
When present in a PvD Additional Information dictionary that is
retrieved using a GET request to the proxy URI as described in
Section 2, domains in the dnsZones array indicate specific zones that
are accessible using the proxy. If a hostname is not included in the
enumerated zones, then a client SHOULD assume that the hostname will
not be accessible through the proxy.
Entries listed in dnsZones MUST NOT expand the set of domains that a
client is willing to send to a particular proxy. The list can only
narrow the list of domains that the client is willing to send through
the proxy. For example, if the client has a local policy to only
send requests for "example.com" to a proxy "proxy.example.com", and
the dnsZones array contains "internal.example.com" and
"other.company.com", the client would end up only proxying
"internal.example.com" through the proxy.
2.3. Example
Given a proxy URI template "https://proxy.example.org/
masque{?target_host,target_port}", which in this case is for UDP
proxying, the client could request PvD additional information with
the following request:
:method = GET
:scheme = https
:authority = proxy.example.org
:path = /masque
accept = application/pvd+json
If the proxy has a PvD definition for this proxy, it could return the
following response to indicate a PvD that has one accessible zone,
"internal.example.org".
Pauly Expires 29 December 2023 [Page 5]
Internet-Draft Proxy Configuration PvDs June 2023
:status = 200
content-type = application/pvd+json
content-length = 135
{
"identifier": "proxy.example.org.",
"expires": "2023-06-23T06:00:00Z",
"prefixes": [],
"dnsZones": ["internal.example.org"]
}
The client could then choose to use this proxy only for accessing
names that fall within the "internal.example.org" zone.
3. Enumerating proxies within a PvD
PvD Additional Information can also be used to list proxies that are
associated with a particular PvD. This association represents
availability of a proxy, but does not indicate any policy of the PvD
that requires clients to use a proxy or not.
This document defines a new PvD Additional Information key, proxies,
that is an array of strings that is a list of proxy URIs (or URI
templates [URITEMPLATE]). The new key is registered in Section 5.
The kind of proxy is implied by the URI scheme and any template
variables. For example, since UDP proxying [CONNECTUDP] has the URI
template variables target_host and target_port, the URI
"https://proxy.example.org:4443/masque{?target_host,target_port}"
implies that the proxy supports UDP proxying.
3.1. Associating proxies with known proxies
When a PvD that contains the proxies key is fetched from a known
proxy URI, using the method described in Section 2, the proxies list
describes equivalent proxies (potentially supporting other protocols)
that can be used in addition to the known proxy.
Such cases are useful for informing clients of related proxies as a
discovery method, with the assumption that the client already is
aware of one proxy.
Pauly Expires 29 December 2023 [Page 6]
Internet-Draft Proxy Configuration PvDs June 2023
3.2. Associating proxies with a PvD identifier
When a PvD that contains the proxies key is fetched from the well-
known PvD URI (".well-known/pvd"), the list allows enumeration of
proxies that apply to the entire PvD identifier. There are two use
cases this can support: configuring proxies from an FQDN and
configuring proxies from a network.
3.2.1. Proxy configuration from a FQDN
Many historical methods of configuring a proxy only allow configuring
a single FQDN hostname for the proxy. A client can attempt to fetch
the PvD information from the well-known URI to learn the list of
complete URIs that support non-default protocols, such as
[CONNECTUDP] and [CONNECTIP].
For example, if a user has configured a proxy with the name
"proxy.example.com", the client can fetch
"https://proxy.example.com/.well-known/pvd" to detect a list of
associated proxies.
3.2.2. Network-specified proxies
[PVDDATA] defines how PvD Additional Information is discovered based
on network advertisements using Router Advertisements [RFC4861]. A
network defining its configuration via PvD information can include
the proxies key to inform clients of a list of proxies available on
the network.
Policy for whether or not clients use the proxies is implementation-
specific and might depend on other keys defined in the PvD Additional
Information.
3.3. Example
Given a known FQDN "company.example.org", which was discovered from a
PvD Router Advertisement option, a client could request PvD
additional information with the following request:
:method = GET
:scheme = https
:authority = company.example.org
:path = /.well-known/pvd
accept = application/pvd+json
If the proxy has a PvD definition for this FQDN, it could return the
following response to indicate a PvD that has two related proxy URIs.
Pauly Expires 29 December 2023 [Page 7]
Internet-Draft Proxy Configuration PvDs June 2023
:status = 200
content-type = application/pvd+json
content-length = 222
{
"identifier": "company.example.org.",
"expires": "2023-06-23T06:00:00Z",
"prefixes": ["2001:db8:cafe::/48"],
"proxies": ["https://proxy.example.org","https://proxy.example.org/masque{?target_host,target_port}"]
}
The client could then choose to use the available proxies, and could
look up the PvD Additional Information files on those URIs, depending
on client policy for using proxies.
4. Security Considerations
Configuration advertised via PvD Additional Information, such DNS
zones or associated proxies, can only be safely used when fetched
over a secure TLS-protected connection, and the client has validated
that that the hostname of the proxy, the identifier of the PvD, and
the validated hostname identity on the certificate all match.
5. IANA Considerations
This document registers a new key in the "Additional Information PvD
Keys" registry.
JSON Key: proxies
Description: Array of proxy URIs associated with this PvD
Type: Array of strings
Example: ["https://proxy.example.com", "https://proxy.example.com/
masque{?target_host,tcp_port}"]
6. References
6.1. Normative References
[CONNECTIP]
Pauly, T., Schinazi, D., Chernyakhovsky, A., Kühlewind,
M., and M. Westerlund, "Proxying IP in HTTP", Work in
Progress, Internet-Draft, draft-ietf-masque-connect-ip-13,
28 April 2023, <https://datatracker.ietf.org/doc/html/
draft-ietf-masque-connect-ip-13>.
Pauly Expires 29 December 2023 [Page 8]
Internet-Draft Proxy Configuration PvDs June 2023
[CONNECTUDP]
Schinazi, D., "Proxying UDP in HTTP", RFC 9298,
DOI 10.17487/RFC9298, August 2022,
<https://www.rfc-editor.org/rfc/rfc9298>.
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/rfc/rfc9110>.
[JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/rfc/rfc8259>.
[PVDDATA] Pfister, P., Vyncke, É., Pauly, T., Schinazi, D., and W.
Shao, "Discovering Provisioning Domain Names and Data",
RFC 8801, DOI 10.17487/RFC8801, July 2020,
<https://www.rfc-editor.org/rfc/rfc8801>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[URITEMPLATE]
Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570,
DOI 10.17487/RFC6570, March 2012,
<https://www.rfc-editor.org/rfc/rfc6570>.
6.2. Informative References
[IKEV2SPLIT]
Pauly, T. and P. Wouters, "Split DNS Configuration for the
Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 8598, DOI 10.17487/RFC8598, May 2019,
<https://www.rfc-editor.org/rfc/rfc8598>.
[PVD] Anipko, D., Ed., "Multiple Provisioning Domain
Architecture", RFC 7556, DOI 10.17487/RFC7556, June 2015,
<https://www.rfc-editor.org/rfc/rfc7556>.
Pauly Expires 29 December 2023 [Page 9]
Internet-Draft Proxy Configuration PvDs June 2023
[RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web
Replication and Caching Taxonomy", RFC 3040,
DOI 10.17487/RFC3040, January 2001,
<https://www.rfc-editor.org/rfc/rfc3040>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007,
<https://www.rfc-editor.org/rfc/rfc4861>.
Author's Address
Tommy Pauly
Apple, Inc.
Email: tpauly@apple.com
Pauly Expires 29 December 2023 [Page 10]