Web Proxy Auto Discovery Next Generation

The Discovery Process

WPADNG Overview WPADNG uses a collection of pre-existing Internet resource discovery mechanisms to perform web proxy auto-discovery. The WPADNG protocol specifies the following:

how to use each mechanism for the specific purpose of web proxy auto-discovery
the order in which the mechanisms should be performed
the minimal set of mechanisms which must be attempted by a WPADNG compliant web client

The resource discovery mechanisms utilized by WPADNG, in order, are as follows.

Dynamic Host Configuration Protocol v4 or v6 depending on network.
DNS-SD

Clients only attempt mechanisms that they support. Each time the discovery attempt succeeds; the client uses the information obtained to construct a CURL. If the CURL is the URN urn:wpadng:none or if a CFILE is successfully retrieved, the process is complete. If not, the client resumes where it left of in the predefined series of resource discovery requests. If no untried mechanisms remain and a CFILE has not been successfully retrieved, the WPADNG protocol fails and the client is configured to use no proxy server. First the client tries DHCP, followed by DNSSD. If no CFILE has been retrieved the client will retry the DNSSD mechanism multiple times. Each time through the QNAME being used in the DNSSD query is made less and less specific. In this manner the client can locate the most specific configuration information possible, but can fall back on less specific information. Every DNSSD lookup has the QNAME prefixed with “_wpadng._tcp” to indicate the resource type being requested. As an example, consider a client with hostname johns- desktop.development.example.com. Assume the web client software supports all of the mechanisms listed above. This is the sequence of discovery attempts the client would perform until one succeeded in locating a valid CFILE:

DNSSD PTR lookup on QNAME=_wpadng._tcp.development.example.com.
DNSSD PTR lookup on QNAME=_wpadng._tcp.example.com.

When to Execute WPADNG Web clients need to perform the WPADNG protocol periodically to maintain correct proxy settings. This should occur on a regular basis corresponding to initialization of the client software or the networking stack below the client. As well, WPADNG will need to occur in response to expiration of existing configuration data. The following sections describe the details of these scenarios.

Periodic Discovery The web proxy auto-discovery process MUST occur at least as frequently as one of the following two options. A web client can use either option depending on which makes sense in their environment. Clients MUST use at least one of the following options. They MAY also choose to implement both options. - Upon startup of the web client. - Whenever there indication from the networking stack that the IP address of the client host either has, or could have, changed. In addition, the client MUST attempt a discovery cycle upon expiration of a previously downloaded CFILE in accordance with HTTP/1.1.

Upon Startup of the Web Client For many types of web client (like web browsers) there can be many instances of the client operating for a given user at one time. This is often to allow display of multiple web pages in different windows, for example. There is no need to re-perform WPADNG every time a new instance of the web client is opened. WPADNG MUST be performed when the number of web client instances transitions from 0 to 1. It SHOULD NOT be performed as additional instances are created.

Network Stack Events Another option for clients is to tie the execution of WPADNG to changes in the networking environment. If the client can learn about the change of the local host’s IP address, or the possible change of the IP address, it MUST re-perform the WPADNG protocol. Many operating systems provide indications of “network up” events, for example. Those types of events and system-boot events might be the triggers for WPADNG in many environments.

Expiration of the CFILE The HTTP retrieval of the CURL may return HTTP headers specifying a valid lifetime for the CFILE returned. The client MUST obey these timeouts and rerun the PAD process when it expires. A client MAY rerun the WPADNG process if it detects a failure of the currently configured proxy (which is not otherwise recoverable via the inherent mechanisms provided by the currently active Configuration File). Whenever the client decides to invalidate the current CURL or CFILE, it MUST rerun the entire WPADNG protocol to ensure it discovers the currently correct CURL. Specifically, if the valid lifetime of the CFILE ends(as specified by the HTTP headers provided when it was retrieved),the complete WPADNG protocol MUST be rerun. The client MUST NOT simply re-use the existing CURL to obtain a fresh copy of the CFILE. A number of network round trips, broadcast and/or multicast communications may be required during the WPADNG protocol. The WPADNG protocol SHOULD NOT be invoked at a more frequent rate than specified above (such as per-URL retrieval).

Discovery Mechanisms Each of the resource discovery methods will be marked as to whether the client MUST, SHOULD, MAY, or MUST NOT implement them to be compliant. Client implementers are encouraged to implement as many mechanisms as possible, to promote maximum interoperability.

Discovery Mechanism	Status
DHCP	MUST
DNS-SD	MUST

DNS Serice Discovery (DNS-SD) Client implementations MUST support discovery of proxy configuration files. To suport this, a DNS server advertising WPADNG will have the following resource records: SHOULD advertise PTR records which may return multiple advertised service instances or a single instance. MUST advertise TXT records conformant with SHOULD advertise SRV records conformant with

PTR Record Definition For example purposes, we assume a client has attached to the enterprise network at Example Coporation, which uses the dommain example.org WPADNG PTR records should have the following naming scheme: When a client queries for the PTR record, the DNS server replies will contain zero, one or more responses. These responses contain WPADNG instance names, and priorities.

Instance Name
primary._wpadng._tcp.example.org
secondary._wpadng._tcp.example.org
_wpadng._tcp.example.org

In the above example. the enterprise advertises instance names for proxy servers This allows an enterprise to provide redundancy and failover.

TXT Record Definition WPADNG DNS TXT records MUST have the following format The CURL value is a URN or the URL to retrieve a Proxy Configuration File.

DNSSD Client behavior When attempting to discover web proxy servers via , the following sequence should be used:

Query PTR records
Query TXT records
Compose Candidate URL
Retreive configuration file

DHCP v4 Client implementations MUST support DHCP. DHCP has widespread support in numerous vendor hardware and software implementations, and is widely deployed. It is also perfectly suited to this task, and is used to discover other network resources (such a time servers, printers, etc). The DHCP protocol is detailed in . We propose a new DHCP option with code 252 for use in web proxy auto-discovery. See for a list of existing DHCP options. The client should obtain the value of the DHCP option code 252 as returned by the DHCP server. If the client has already conducted DHCP protocol during its initialization, the DHCP server may already have supplied that value. If the value is not available through a client OS API, the client SHOULD use a DHCPINFORM message to query the DHCP server to obtain the value. The DHCP option code for WPAD is 252 by agreement of the DHC working group chair. This option is of type STRING. This string contains a URL which points to an appropriate config file. The STRING is of arbitrary size. Example values:

DHCP v6 (TBD)

Timeouts Implementers are encouraged to limit the time elapsed in each discovery phase. When possible, limiting each phase to 10 seconds is considered reasonable. Implementers may choose a different value which is more appropriate to their network properties. For example, a device implementation, which operated over a wireless network, may use a much larger timeout to account for low bandwidth or high latency.

Retrieving the CFILE at the CURL The client then requests the CURL via HTTP.

Content Negotiation for PVD When making the request it MUST transmit HTTP "Accept" headers indicating what CFILE formats it is capable of accepting. For PVD, the Accept header value is application/pvd_json For existing WPAD clients, the most commonly used format is Netscape's Proxy Auto Config (PAC) file, the value is 'application/x-ns-proxy-autoconfig' Clients that support PVD can use content negotiation to prefer PVD, while accepting PAC as a fallback. Clients that do not support PVD will continue to use PAC, and not include PVD in the accept header. When receiving a GET at the CURL, a proxy server can decide wether to return PVD or PAC, providing backward compatibility as well as an upgrade path. The client MUST follow HTTP redirect directives (response codes 3xx) returned by the server. The client SHOULD send a valid "User-Agent" header.

Resuming Discovery If the HTTP request fails for any reason (fails to connect, server error response, etc) the client MUST resume the search for a successful CURL where it left off. It should continue attempting other sub-steps in a specific discovery mechanism, and then move on to the next mechanism or TGTDOM iteration, etc.