RADIUS Extensions for Encrypted DNS

Orange, Rennes 35000, France, mohamed.boucadair@orange.com
Nokia, India, kondtir@gmail.com
Working group: opsawg
Keywords: redirection, subscriber policies, differentiated service, DNS, DoH, DoT, DoQ, QUIC, Encryption, Service delivery, Service provisioning, service activation, policies, connectivity

Abstract

This document specifies new Remote Authentication Dial-In User Service (RADIUS) attributes that carry an authentication domain name, a list of IP addresses, and a set of service parameters of encrypted DNS resolvers.

Introduction

In the context of broadband services, Internet Service Providers (ISPs) usually provide DNS resolvers to their customers. To that aim, ISPs deploy dedicated mechanisms (e.g., DHCP, IPv6 Router Advertisement) to advertise a list of DNS recursive servers to their customers. Typically, the information used to populate DHCP messages and/or IPv6 Router Advertisements relies upon specific RADIUS attributes, such as the DNS-Server-IPv6-Address Attribute specified in [RFC6911].

With the advent of encrypted DNS (e.g., DNS-over-HTTPS (DoH) [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ) [RFC9250]), additional means are required to provision hosts with network-designated encrypted DNS. To fill that void, Discovery of Network-designated Resolvers (DNR) [RFC9463] leverages existing protocols such as DHCP and IPv6 Router Advertisement to provide hosts with the required information to connect to an encrypted DNS resolver. However, there are no RADIUS attributes that can be used to populate the discovery messages defined by DNR.

This document specifies two new RADIUS attributes: the IPv6-Encrypted-DNS and IPv4-Encrypted-DNS Attributes. These two attributes are specified in order to accommodate both IPv4 and IPv6 deployment contexts while taking into account the constraints in [RFC6929].

Typical deployment scenarios are similar to those described, for instance, in [RFC6911]. Some of these deployments may rely upon the mechanisms defined in [RFC4014] or [RFC7037], which allow a Network Access Server (NAS) to pass attributes obtained from a RADIUS server to a DHCP server. For illustration purposes, consider a deployment in which a Customer Premises Equipment (CPE) is provided with an encrypted DNS resolver. This example assumes that the NAS embeds both RADIUS client and DHCPv6 server capabilities.

Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
a RADIUS Access-Request message to the Authentication, Authorization, and Accounting (AAA) server. Once the AAA server receives the request, it replies with an Access-Accept message (possibly after having sent a RADIUS Access-Challenge message, and assuming the CPE is entitled to connect to the network) that carries a list of parameters to be used for this session, which include the encrypted DNS information. The content of the IPv6-Encrypted-DNS Attribute is then used by the NAS to complete the DHCPv6 procedure that the CPE initiated to retrieve information about the encrypted DNS service to use. The DNR procedure defined in [RFC9463] is then followed between the DHCPv6 client and the DHCPv6 server. The appendix at the end of this document describes the DNR to RADIUS field mappings.

Should any encrypted DNS-related information (e.g., Authentication Domain Name (ADN), IPv6 address) change, the RADIUS server sends a RADIUS Change-of-Authorization (CoA) message [RFC5176] that carries the IPv6-Encrypted-DNS Attributes to the NAS. Once that message is received and validated by the NAS, it replies with a RADIUS CoA ACK message. The NAS replaces the old encrypted DNS resolver information with the new one and sends a DHCPv6 Reconfigure message, which leads the DHCPv6 client to initiate a Renew/Reply message exchange with the DHCPv6 server.

In deployments where the NAS behaves as a DHCPv6 relay agent, the
procedure discussed in [RFC7037] can be followed. To that aim, this document updates the "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry (see the IANA Considerations). Another deployment example is a CPE that is provided with an encrypted DNS resolver but uses DHCPv4 to retrieve it.

Other deployment scenarios can be envisaged, such as returning customized service parameters (e.g., different DoH URI Templates) as a function of the service/policies/preferences that are set by a network administrator. How an administrator indicates its service/policies/preferences to an AAA server is out of scope.

This document adheres to [RFC6929] for defining the new attributes.

Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document makes use of the terms defined in [RFC9463]. The following additional terms are used:

DHCP: refers to both DHCPv4 [RFC2131] and DHCPv6 [RFC8415].

Encrypted DNS: refers to a scheme where DNS exchanges are transported over an encrypted channel. Examples of encrypted DNS are DoT, DoH, and DoQ.

Encrypted DNS resolver: refers to a resolver [RFC8499] that supports encrypted DNS.

*-Encrypted-DNS: refers to the IPv6-Encrypted-DNS and IPv4-Encrypted-DNS Attributes.

Encrypted-DNS-*: refers to any of the following attributes: Encrypted-DNS-ADN, Encrypted-DNS-IPv6-Address, Encrypted-DNS-IPv4-Address, Encrypted-DNS-SvcParams, and Encrypted-DNS-SvcPriority.

Both IPv6-Encrypted-DNS and IPv4-Encrypted-DNS have the same format: a Type, a Length, an Extended-Type, and a Value that holds the embedded TLVs. The description of the fields is provided with each attribute below.

These attributes and their embedded TLVs are defined with globally unique names. The definition of the attributes follows the guidelines in Section 2.7.1 of [RFC6929].

The value fields of the *-Encrypted-DNS and Encrypted-DNS-* Attributes are encoded in the clear; they are not encrypted the way, for example, the Tunnel-Password Attribute [RFC2868] is.

IPv6-Encrypted-DNS Attribute

This attribute is of type "tlv" as defined in [RFC8044]. The IPv6-Encrypted-DNS Attribute includes the authentication domain
name, a list of IPv6 addresses, and a set of service parameters of an encrypted DNS resolver.

Because multiple encrypted DNS resolvers may be provisioned to a requesting host, multiple instances of the IPv6-Encrypted-DNS Attribute MAY be included; each instance of the attribute carries a distinct encrypted DNS resolver. These instances SHOULD be processed following their service priority (i.e., a smaller service priority indicates a higher preference).

The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept packet. It MAY also appear in a RADIUS Access-Request packet as a hint to the RADIUS server to indicate a preference. However, the server is not required to honor such a preference.

The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request packet.

The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-Request packet.

The IPv6-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS packet.

The IPv6-Encrypted-DNS Attribute is structured as follows:

Type: 241

Length: This field indicates the total length, in octets, of all fields of this attribute, including the Type, Length, Extended-Type, and the entire length of the embedded TLVs.

Extended-Type: TBA1 (see the IANA Considerations).

Value: This field contains a set of TLVs as follows:

* The IPv6-Encrypted-DNS Attribute MUST include exactly one instance of the Encrypted-DNS-ADN TLV.
* The IPv6-Encrypted-DNS Attribute SHOULD include one or multiple instances of the Encrypted-DNS-IPv6-Address TLV. If multiple instances are included, they are ordered in the preference for use. In contexts where putting additional complexity on requesting hosts is acceptable, returning an ADN only (that is, no Encrypted-DNS-IPv6-Address TLV is returned) can be considered.
* The IPv6-Encrypted-DNS Attribute SHOULD include one instance of the Encrypted-DNS-SvcParams TLV.
* The IPv6-Encrypted-DNS Attribute SHOULD include one instance of the Encrypted-DNS-SvcPriority TLV.

The IPv6-Encrypted-DNS Attribute is associated with the following identifier: 241.TBA1.

IPv4-Encrypted-DNS Attribute

This attribute is of type "tlv" as defined in [RFC8044]. The IPv4-Encrypted-DNS Attribute includes the authentication domain
name, a list of IPv4 addresses, and a set of service parameters of an encrypted DNS resolver.

Because multiple encrypted DNS resolvers may be provisioned to a requesting host, multiple instances of the IPv4-Encrypted-DNS Attribute MAY be included; each instance of the attribute carries a distinct encrypted DNS resolver. These instances SHOULD be processed following their service priority (i.e., a smaller service priority indicates a higher preference).

The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept packet. It MAY also appear in a RADIUS Access-Request packet as a hint to the RADIUS server to indicate a preference. However, the server is not required to honor such a preference.

The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request packet.

The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-Request packet.

The IPv4-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS packet.

The IPv4-Encrypted-DNS Attribute is structured as follows:

Type: 241

Length: This field indicates the total length, in octets, of all fields of this attribute, including the Type, Length, Extended-Type, and the entire length of the embedded TLVs.

Extended-Type: TBA2 (see the IANA Considerations).

Value: This field contains a set of TLVs as follows:

* The IPv4-Encrypted-DNS Attribute MUST include exactly one instance of the Encrypted-DNS-ADN TLV.
* The IPv4-Encrypted-DNS Attribute SHOULD include one or multiple instances of the Encrypted-DNS-IPv4-Address TLV. In contexts where putting additional complexity on requesting hosts is acceptable, returning an ADN only (that is, no Encrypted-DNS-IPv4-Address TLV is returned) can be considered.
* The IPv4-Encrypted-DNS Attribute SHOULD include one instance of the Encrypted-DNS-SvcParams TLV.
* The IPv4-Encrypted-DNS Attribute SHOULD include one instance of the Encrypted-DNS-SvcPriority TLV.

The IPv4-Encrypted-DNS Attribute is associated with the following identifier: 241.TBA2.

Encrypted DNS TLVs

The TLVs defined in the following subsections use the format
defined in Section 2.3 of [RFC6929] (TLV-Type, TLV-Length, TLV-Value).

These TLVs have the same name and number when encapsulated in either of the parent attributes defined above.

The encoding of the "Value" field of these TLVs follows the recommendations of [RFC8044].

Encrypted-DNS-ADN TLV

TLV-Type: TBA3 (see the IANA Considerations).

TLV-Length: Length of the included ADN + 2 octets.

Data Type: The Encrypted-DNS-ADN TLV is of type string [RFC8044].

TLV-Value: This field includes a fully qualified domain name of the encrypted DNS resolver. This field is formatted as specified in Section 10 of [RFC8415] (DNS wire format, without name compression).

This TLV is identified as 241.TBA1.TBA3 when included in the IPv6-Encrypted-DNS Attribute and as 241.TBA2.TBA3 when included in the IPv4-Encrypted-DNS Attribute.

Encrypted-DNS-IPv6-Address TLV

TLV-Type: TBA4 (see the IANA Considerations).

TLV-Length: Eighteen octets.

Data Type: The Encrypted-DNS-IPv6-Address TLV is of type ipv6addr [RFC8044].

TLV-Value: This field includes an IPv6 address (128 bits) of the encrypted DNS resolver. The Encrypted-DNS-IPv6-Address TLV MUST NOT include multicast (Section 2.7 of [RFC4291]) or loopback (Section 2.5.3 of [RFC4291]) addresses.

This TLV is identified as 241.TBA1.TBA4 as part of the IPv6-Encrypted-DNS Attribute.

Encrypted-DNS-IPv4-Address TLV

TLV-Type: TBA5 (see the IANA Considerations).

TLV-Length: Six octets.

Data Type: The Encrypted-DNS-IPv4-Address TLV is of type ipv4addr [RFC8044].

TLV-Value: This field includes an IPv4 address (32 bits) of the encrypted DNS resolver. The Encrypted-DNS-IPv4-Address TLV MUST NOT include multicast [RFC1112] or loopback [RFC1122] addresses.

This TLV is identified as 241.TBA2.TBA5 as part of the IPv4-Encrypted-DNS Attribute.

Encrypted-DNS-SvcParams TLV

TLV-Type: TBA6 (see the IANA Considerations).

TLV-Length: Length of the included service parameters + 2 octets.

Data Type: The Encrypted-DNS-SvcParams TLV is of type string [RFC8044].

TLV-Value: Specifies a set of service parameters that are encoded following the rules in Section 2.2 of [RFC9460] (the SVCB RDATA wire format of SvcParams). [RFC9463] lists a set of service parameters that are recommended to be supported by implementations. The service parameters MUST include at least the "alpn" SvcParam (Section 7.1 of [RFC9460]). The service parameters MUST NOT include the "ipv4hint" or "ipv6hint" SvcParams, as they are superseded by the included IP addresses.

This TLV is identified as 241.TBA1.TBA6 when included in the IPv6-Encrypted-DNS Attribute and as 241.TBA2.TBA6 when included in the IPv4-Encrypted-DNS Attribute.

Encrypted-DNS-SvcPriority TLV

TLV-Type: TBA7 (see the IANA Considerations).

TLV-Length: Six octets.

Data Type: The Encrypted-DNS-SvcPriority TLV is of type integer [RFC8044].

TLV-Value: Specifies the priority (unsigned16) of this *-Encrypted-DNS instance compared to other instances, right justified in the 32-bit integer; the unused (high-order 16) bits in this field MUST be set to zero. The value is interpreted following the rules specified in [RFC9463]: a smaller value indicates a higher preference.

This TLV is identified as 241.TBA1.TBA7 when included in the IPv6-Encrypted-DNS Attribute and as 241.TBA2.TBA7 when included in the IPv4-Encrypted-DNS Attribute.

Security Considerations

RADIUS-related security considerations are discussed in [RFC2865]. This document targets deployments where a trusted relationship is in
place between the RADIUS client and server, with communication optionally secured by IPsec or Transport Layer Security (TLS) [RFC6614]. Note that the new attributes are carried in the clear and are protected only by the RADIUS packet authenticators; an attacker who can forge or modify Access-Accept or CoA-Request packets that the NAS accepts (e.g., through a compromised shared secret) can substitute an encrypted DNS resolver of its choosing and so redirect the subscriber's DNS traffic. This is one reason to protect the RADIUS exchange as described above.

Security considerations (including traffic theft) are discussed in [RFC9463].

Table of Attributes

The following table provides a guide as to what type of RADIUS packets may contain these attributes, and in what quantity (the entries restate the usage rules given with each attribute above):

   Access-Request  Access-Accept  Access-Reject  Challenge  Accounting-Request  Attribute
        0+              0+             0             0              0+          IPv6-Encrypted-DNS
        0+              0+             0             0              0+          IPv4-Encrypted-DNS

   CoA-Request  CoA-ACK  CoA-NAK  Disconnect-Request  Disconnect-ACK  Disconnect-NAK  Attribute
       0+          0        0              0                 0               0         IPv6-Encrypted-DNS
       0+          0        0              0                 0               0         IPv4-Encrypted-DNS

The following table defines the meaning of the above table entries:

   0   This attribute MUST NOT be present in the packet.
   0+  Zero or more instances of this attribute MAY be present in the packet.

IANA Considerations

IANA is requested to assign two new RADIUS attribute types from the IANA "RADIUS Attribute Types" registry [IANA-RADIUS]:

   Value      Description          Data Type   Reference
   241.TBA1   IPv6-Encrypted-DNS   tlv         This-Document
   241.TBA2   IPv4-Encrypted-DNS   tlv         This-Document

IANA is requested to create a new subregistry called "RADIUS Encrypted DNS TLVs" under the "RADIUS Attribute Types" registry [IANA-RADIUS]. The registration procedure for this subregistry is "Standards Action" as defined in Section 4.9 of [RFC8126]. The subregistry is initially populated as follows:

Note to the RFC Editor: Please replace TBA3-TBA7 with the corresponding values assigned from the 1-5 range.

   Value   Description                  Data Type   Reference
   0       Reserved                                 This-Document
   TBA3    Encrypted-DNS-ADN            string      This-Document, Section 3.3.1
   TBA4    Encrypted-DNS-IPv6-Address   ipv6addr    This-Document, Section 3.3.2
   TBA5    Encrypted-DNS-IPv4-Address   ipv4addr    This-Document, Section 3.3.3
   TBA6    Encrypted-DNS-SvcParams      string      This-Document, Section 3.3.4
   TBA7    Encrypted-DNS-SvcPriority    integer     This-Document, Section 3.3.5
   6-255   Unassigned

IANA is requested to add the following entry to the "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" subregistry in the "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry [IANA-DHCPv6]:

   Type Code   Attribute            Reference
   241.TBA1    IPv6-Encrypted-DNS   This-Document

Acknowledgements

Thanks to Christian Jacquenet, Neil Cook, Alan Dekok, Joe Clarke, Qin
Wu, Dirk von-Hugo, Tom Petch, and Chongfeng Xie for the review and suggestions.

Thanks to Ben Schwartz and Bernie Volz for the comments.

References

   [IANA-RADIUS]   IANA, "RADIUS Types".
   [IANA-DHCPv6]   IANA, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)".

Appendix: DNR to RADIUS Field Mappings

Each IPv6-Encrypted-DNS Attribute is mapped to an IPv6 DNR instance (i.e., OPTION_V6_DNR(144) or IPv6 Neighbor Discovery Option(144)) as shown below.

   DNR Field                        Value Field of RADIUS TLV
   Service Priority                 Encrypted-DNS-SvcPriority
   authentication-domain-name       Encrypted-DNS-ADN
   ipv6-address(es)                 One or multiple Encrypted-DNS-IPv6-Address
   Service Parameters (SvcParams)   Encrypted-DNS-SvcParams

Likewise, each IPv4-Encrypted-DNS Attribute is mapped to an IPv4 DNR instance (i.e., OPTION_V4_DNR(162)) as shown below.

   DNR Field                        Value Field of RADIUS TLV
   Service Priority                 Encrypted-DNS-SvcPriority
   authentication-domain-name       Encrypted-DNS-ADN
   IPv4 Address(es)                 One or multiple Encrypted-DNS-IPv4-Address
   Service Parameters (SvcParams)   Encrypted-DNS-SvcParams

The ADN Length, Addr Length, and SvcParams Length fields of the DNR instance are set as a function of the data enclosed in the corresponding RADIUS TLVs.
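The following Python is an added example, not code from the draft or its authors: it builds a *-Encrypted-DNS attribute (Type 241, Length, Extended-Type, embedded TLVs) as described in the attribute and TLV definitions above, parses it back, and checks the draft's MUST-level rules (exactly one ADN, no multicast or loopback address, a mandatory "alpn" SvcParam, no "ipv4hint"/"ipv6hint", and the set of RADIUS packet types the attribute may appear in). TBA1 to TBA7 are not assigned, so the Extended-Type and TLV-Type numbers used here are placeholders chosen for the example; the resolver names and addresses are constructed.

```python
import ipaddress
import struct

# Placeholder code points: TBA1..TBA7 are not IANA-assigned, these are assumptions.
EXT_IPV6_ENCRYPTED_DNS = 0xF1   # stands in for TBA1
EXT_IPV4_ENCRYPTED_DNS = 0xF2   # stands in for TBA2
TLV_ADN, TLV_IPV6, TLV_IPV4, TLV_SVCPARAMS, TLV_SVCPRIORITY = 1, 2, 3, 4, 5

# RADIUS packet codes in which *-Encrypted-DNS MAY appear per the draft:
# Access-Request(1), Access-Accept(2), Accounting-Request(4), CoA-Request(43).
ALLOWED_PACKET_CODES = {1, 2, 4, 43}

# SvcParamKeys from RFC 9460: alpn=1, ipv4hint=4, ipv6hint=6.
SVC_ALPN, SVC_IPV4HINT, SVC_IPV6HINT = 1, 4, 6


def encode_adn(name):
    """ADN as an uncompressed DNS wire-format name: length-prefixed labels, root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_adn(data):
    labels, i = [], 0
    while data[i]:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels) + "."


def encode_svcparams(params):
    """RFC 9460 wire format: SvcParamKey(2) value-length(2) value, keys in ascending order."""
    out = b""
    for key in sorted(params):
        value = params[key]
        if key == SVC_ALPN:   # alpn value is a sequence of length-prefixed protocol ids
            value = b"".join(bytes([len(a)]) + a.encode("ascii") for a in value)
        out += struct.pack("!HH", key, len(value)) + value
    return out


def svcparam_keys(data):
    keys, i = [], 0
    while i < len(data):
        key, length = struct.unpack("!HH", data[i:i + 4])
        keys.append(key)
        i += 4 + length
    return keys


def tlv(tlv_type, value):
    """RFC 6929 TLV: TLV-Type(1), TLV-Length(1, counts these two octets too), TLV-Value."""
    return struct.pack("!BB", tlv_type, len(value) + 2) + value


def build_encrypted_dns(adn, addresses, svcparams, priority, ipv6=True):
    """One *-Encrypted-DNS attribute: Type 241, Length, Extended-Type, then the TLVs."""
    addr_tlv = TLV_IPV6 if ipv6 else TLV_IPV4
    body = tlv(TLV_ADN, encode_adn(adn))
    body += b"".join(tlv(addr_tlv, ipaddress.ip_address(a).packed) for a in addresses)
    body += tlv(TLV_SVCPARAMS, encode_svcparams(svcparams))
    # SvcPriority is an unsigned16 right-justified in a 4-octet RADIUS integer.
    body += tlv(TLV_SVCPRIORITY, struct.pack("!I", priority))
    if 3 + len(body) > 255:   # the 1-octet Length field caps the whole attribute
        raise ValueError("attribute exceeds 255 octets")
    ext = EXT_IPV6_ENCRYPTED_DNS if ipv6 else EXT_IPV4_ENCRYPTED_DNS
    return struct.pack("!BBB", 241, 3 + len(body), ext) + body


def parse_encrypted_dns(attr):
    """Return (extended_type, [(tlv_type, value), ...]); rejects bad Length fields."""
    attr_type, length, ext = struct.unpack("!BBB", attr[:3])
    if attr_type != 241 or length != len(attr):
        raise ValueError("bad Type or Length")
    tlvs, i = [], 3
    while i < length:
        tlv_type, tlv_len = struct.unpack("!BB", attr[i:i + 2])
        if tlv_len < 3 or i + tlv_len > length:   # no empty or overrunning TLVs
            raise ValueError("bad TLV-Length")
        tlvs.append((tlv_type, attr[i + 2:i + tlv_len]))
        i += tlv_len
    return ext, tlvs


def validate(attr, packet_code):
    """Check the draft's MUST-level rules; returns the list of violations (empty = OK)."""
    problems = []
    if packet_code not in ALLOWED_PACKET_CODES:
        problems.append("attribute MUST NOT appear in RADIUS packet code %d" % packet_code)
    ext, tlvs = parse_encrypted_dns(attr)
    if [t for t, _ in tlvs].count(TLV_ADN) != 1:
        problems.append("exactly one Encrypted-DNS-ADN TLV is required")
    want_addr = TLV_IPV6 if ext == EXT_IPV6_ENCRYPTED_DNS else TLV_IPV4
    for tlv_type, value in tlvs:
        if tlv_type == want_addr:
            addr = ipaddress.ip_address(value)
            if addr.is_multicast or addr.is_loopback:
                problems.append("address %s is multicast or loopback" % addr)
        elif tlv_type in (TLV_IPV4, TLV_IPV6):
            problems.append("address TLV family does not match the parent attribute")
        elif tlv_type == TLV_SVCPARAMS:
            keys = svcparam_keys(value)
            if SVC_ALPN not in keys:
                problems.append('"alpn" SvcParam is mandatory')
            if SVC_IPV4HINT in keys or SVC_IPV6HINT in keys:
                problems.append('"ipv4hint"/"ipv6hint" MUST NOT be included')
        elif tlv_type == TLV_SVCPRIORITY:
            if len(value) != 4 or struct.unpack("!I", value)[0] > 0xFFFF:
                problems.append("SvcPriority must be an unsigned16 right-justified in 4 octets")
    return problems
```

Two points the spec text leaves implicit are worth noting when implementing this. First, because Type 241 carries a 1-octet Length, the ADN, every address TLV, the SvcParams and the priority together must fit in 252 octets; a long DoH URI template plus several addresses can exceed that, so the builder raises rather than truncating. Second, a NAS should apply the packet-type and address checks to CoA-Request content as well as to Access-Accept content, since both can replace the resolver a subscriber is steered to.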
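The mapping tables above give the RADIUS TLV that fills each DNR field; this added example (again not code from the draft) shows the other side of that mapping, the OPTION_V6_DNR(144) and OPTION_V4_DNR(162) encodings a NAS acting as DHCP server would emit from the four values it obtained from one *-Encrypted-DNS attribute, plus a client-side decoder for the DHCPv6 option. The option layouts are those of RFC 9463; the priority, name, addresses and SvcParams bytes used as inputs are constructed.

```python
import ipaddress
import struct

OPTION_V6_DNR = 144   # DHCPv6 option code (RFC 9463)
OPTION_V4_DNR = 162   # DHCPv4 option code (RFC 9463)


def dns_wire_name(adn):
    """ADN in DNS wire format, as carried unchanged from the Encrypted-DNS-ADN TLV."""
    labels = adn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def option_v6_dnr(priority, adn, addresses, svcparams):
    """OPTION_V6_DNR: option-code(2) option-len(2) Service Priority(2)
    ADN Length(2) ADN, Addr Length(2) ipv6-address(es), SvcParams to the end."""
    name = dns_wire_name(adn)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    body = (struct.pack("!HH", priority, len(name)) + name
            + struct.pack("!H", len(addrs)) + addrs + svcparams)
    return struct.pack("!HH", OPTION_V6_DNR, len(body)) + body


def option_v4_dnr(priority, adn, addresses, svcparams):
    """OPTION_V4_DNR: option-code(1) option-len(1) Service Priority(2)
    ADN Length(1) ADN, Addr Length(1) IPv4 Address(es), SvcParams to the end."""
    name = dns_wire_name(adn)
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    body = (struct.pack("!HB", priority, len(name)) + name
            + struct.pack("!B", len(addrs)) + addrs + svcparams)
    if len(body) > 255:   # 1-octet option-len; larger payloads need DHCPv4 long options
        raise ValueError("OPTION_V4_DNR payload exceeds the 1-octet option-len")
    return struct.pack("!BB", OPTION_V4_DNR, len(body)) + body


def parse_v6_dnr(option):
    """Client-side decode of one OPTION_V6_DNR; an ADN-only instance has Addr Length 0."""
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_V6_DNR or length != len(option) - 4:
        raise ValueError("not a well-formed OPTION_V6_DNR")
    i = 4
    priority, adn_len = struct.unpack("!HH", option[i:i + 4])
    i += 4
    adn = option[i:i + adn_len]
    i += adn_len
    (addr_len,) = struct.unpack("!H", option[i:i + 2])
    i += 2
    if addr_len % 16:
        raise ValueError("Addr Length is not a multiple of 16")
    addresses = [str(ipaddress.IPv6Address(option[j:j + 16]))
                 for j in range(i, i + addr_len, 16)]
    i += addr_len
    return {"priority": priority, "adn": adn, "addresses": addresses, "svcparams": option[i:]}
```

Because the SvcParams run to the end of the option, the NAS can copy the Encrypted-DNS-SvcParams value verbatim; only the length fields in front of the ADN and the addresses are computed from the RADIUS TLVs, which is what the last sentence of the appendix describes.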