]> Apple, Inc.

tpauly@apple.com

Microsoft

ddamjanovic@microsoft.com

Internet-Draft This document defines a mechanism for accessing provisioning domain information associated with a proxy, such as other proxy URIs that support different protocols and a list of DNS zones that are accessible via a proxy. Discussion Venues Source for this draft and an issue tracker can be found at .

Introduction HTTP proxies that use the CONNECT method (often referred to as "forward" proxies) allow clients to open connections to hosts via a proxy. These typically allow for TCP stream proxying, but can also support UDP proxying and IP packet proxying . Such proxies are not just defined as hostnames and ports, but can use URI templates . In order to make use of multiple related proxies, clients need a way to understand which proxies are associated with one another. Client can also benefit from learning about additional information associated with the proxy to optimize their proxy usage, such knowing that a proxy is configured to only allow access to a limited set of next hops. These improvements to client behavior can be achieved through the use of Provisioning Domains. Provisioning Domains (PvDs) are defined in as consistent sets of network configuration information, which can include proxy configuration details . defines a JSON format for describing Provisioning Domain Additional Information, which is an extensible dictionary of properties of the Provisioning Domain. This document defines several mechanisms to use PvDs to help clients understand how to use proxies:

1. A way to fetch PvD Additional Information associated with a known proxy URI ()
2. A way to list one or more proxy URIs in a PvD, allowing clients to learn about other proxy options given a known proxy ().
3. A way to define a limited set of DNS zones that are accessible through the proxy ().

Additionally, this document partly describes how these mechanisms might be used to discover proxies associated with a network ().

Background Other non-standard mechanisms for proxy configuration and discovery have been used historically, some of which are described in . Proxy Auto Configuration (PAC) files are Javascript scripts that take URLs as input and provide an output of a proxy configuration to use. Web Proxy Auto-Discovery Protocol (WPAD) allows networks to advertise proxies to use by advertising a PAC file. This solution squats on DHCP option 252. These common (but non-standard) mechanisms only support defining proxies by hostname and port, and do not support configuring a full URI template . The mechanisms defined in this document are intended to offer a standard alternative that works for URI-based proxies and avoids dependencies on executing Javascript scripts, which can open up security vulnerabilities.

Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Fetching PvD Additional Information for proxies This document defines a way to fetch PvD Additional Information associated with a proxy. This PvD describes the properties of the network accessible through the proxy. In order to fetch PvD Additional Information associated with a proxy, a client issues an HTTP GET request for the well-known PvD URI (".well-known/pvd") and the host authority of the proxy. This is applicable for both proxies that are identified by a host and port only (such as SOCKS proxies and HTTP CONNECT proxies) and proxies that are identified by a URL. For example, a client would issue the following request for the PvD associated with "https://proxy.example.org/masque{?target_host,target_port}": For a HTTP CONNECT proxy on "proxy.example.org:8080", the client would send the following request: Note that all proxies that are colocated on the same host and port share the same PvD Additional Information. Proxy deployments that need separate PvD configuration properties SHOULD use different hosts. PvD Additional Information is required to contain the "identifier", "expires", and "prefixes" keys. For proxy PvDs as defined in this document, the "identifier" MUST match the hostname of the HTTP proxy. The "prefixes" array SHOULD be empty by default.

Enumerating proxies within a PvD This document defines a new PvD Additional Information key, proxies, that is an array of strings that is a list of proxy URIs (or URI templates ) that are available as part of a PvD. The new key is registered in . The kind of proxy is implied by the URI scheme and any template variables. For example, since UDP proxying has the URI template variables target_host and target_port, the URI "https://proxy.example.org:4443/masque{?target_host,target_port}" implies that the proxy supports UDP proxying. When a PvD that contains the proxies key is fetched from a known proxy using the method described in the proxies list describes equivalent proxies (potentially supporting other protocols) that can be used in addition to the known proxy. Such cases are useful for informing clients of related proxies as a discovery method, with the assumption that the client already is aware of one proxy. Many historical methods of configuring a proxy only allow configuring a single FQDN hostname for the proxy. A client can attempt to fetch the PvD information from the well-known URI to learn the list of complete URIs that support non-default protocols, such as and .

Example Given a known HTTP CONNECT proxy FQDN, "proxy.example.org", a client could request PvD Additional Information with the following request: If the proxy has a PvD definition for this FQDN, it would return the following response to indicate a PvD that has two related proxy URIs. The client would learn the URI template of the proxy that supports UDP using , at "https://proxy.example.org/masque{?target_host,target_port}".

Split DNS information for proxies Split DNS configurations are cases where only a subset of domains is routed through a VPN tunnel or a proxy. For example, IKEv2 defines split DNS configuration in . PvD Additional Information can be used to indicate that a proxy PvD has a split DNS configuration. defines the optional dnsZones key, which contains searchable and accessible DNS zones as an array of strings. When present in a PvD Additional Information dictionary that is retrieved for a proxy as described in , domains in the dnsZones array indicate specific zones that are accessible using the proxy. If a hostname is not included in the enumerated zones, then a client SHOULD assume that the hostname will not be accessible through the proxy. Entries listed in dnsZones MUST NOT expand the set of domains that a client is willing to send to a particular proxy. The list can only narrow the list of domains that the client is willing to send through the proxy. For example, if the client has a local policy to only send requests for "example.com" to a proxy "proxy.example.com", and the dnsZones array contains "internal.example.com" and "other.company.com", the client would end up only proxying "internal.example.com" through the proxy.

Example Given a proxy URI template "https://proxy.example.org/masque{?target_host,target_port}", which in this case is for UDP proxying, the client could request PvD additional information with the following request: If the proxy has a PvD definition for this proxy, it could return the following response to indicate a PvD that has one accessible zone, "internal.example.org". The client could then choose to use this proxy only for accessing names that fall within the "internal.example.org" zone.

Discovering proxies from network PvDs defines how PvD Additional Information is discovered based on network advertisements using Router Advertisements . A network defining its configuration via PvD information can include the proxies key () to inform clients of a list of proxies available on the network. This association of proxies with the network's PvD can be used as a mechanism to discover proxies, as an alternative to PAC files. However, client systems MUST NOT automatically send traffic over proxies advertised in this way without explicit configuration, policy, or user permission. For example, a client can use this mechanism to choose between known proxies, such as if the client was already proxying traffic and has multiple options to choose between. Further security and experience considerations are needed for these cases.

Security Considerations Configuration advertised via PvD Additional Information, such DNS zones or associated proxies, can only be safely used when fetched over a secure TLS-protected connection, and the client has validated that that the hostname of the proxy, the identifier of the PvD, and the validated hostname identity on the certificate all match.

IANA Considerations This document registers a new key in the "Additional Information PvD Keys" registry. JSON Key: proxies Description: Array of proxy URIs associated with this PvD Type: Array of strings Example: ["https://proxy.example.com", "https://proxy.example.com/masque{?target_host,target_port}"]

References Normative References The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy. Apple Inc. Google LLC Google LLC Ericsson Ericsson This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP, but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298. A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK] Provisioning Domains (PvDs) are defined as consistent sets of network configuration information. PvDs allows hosts to manage connections to multiple networks and interfaces simultaneously, such as when a home router provides connectivity through both a broadband and cellular network provider. This document defines a mechanism for explicitly identifying PvDs through a Router Advertisement (RA) option. This RA option announces a PvD identifier, which hosts can compare to differentiate between PvDs. The option can directly carry some information about a PvD and can optionally point to PvD Additional Information that can be retrieved using HTTP over TLS. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document is a product of the work of the Multiple Interfaces Architecture Design team. It outlines a solution framework for some of the issues experienced by nodes that can be attached to multiple networks simultaneously. The framework defines the concept of a Provisioning Domain (PvD), which is a consistent set of network configuration information. PvD-aware nodes learn PvD-specific information from the networks they are attached to and/or other sources. PvDs are used to enable separation and configuration consistency in the presence of multiple concurrent connections. This memo specifies standard terminology and the taxonomy of web replication and caching infrastructure as deployed today. It introduces standard concepts, and protocols used today within this application domain. This memo provides information for the Internet community. This document defines two Configuration Payload Attribute Types (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key Exchange Protocol version 2 (IKEv2). These payloads add support for private (internal-only) DNS domains. These domains are intended to be resolved using non-public DNS servers that are only reachable through the IPsec connection. DNS resolution for other domains remains unchanged. These Configuration Payloads only apply to split- tunnel configurations. This document specifies the Neighbor Discovery protocol for IP Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. [STANDARDS-TRACK]