summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8003.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc8003.txt')
-rw-r--r--doc/rfc/rfc8003.txt899
1 files changed, 899 insertions, 0 deletions
diff --git a/doc/rfc/rfc8003.txt b/doc/rfc/rfc8003.txt
new file mode 100644
index 0000000..6032e6b
--- /dev/null
+++ b/doc/rfc/rfc8003.txt
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) J. Laganier
+Request for Comments: 8003 Luminate Wireless, Inc.
+Obsoletes: 5203 L. Eggert
+Category: Standards Track NetApp
+ISSN: 2070-1721 October 2016
+
+
+ Host Identity Protocol (HIP) Registration Extension
+
+Abstract
+
+ This document specifies a registration mechanism for the Host
+ Identity Protocol (HIP) that allows hosts to register with services,
+ such as HIP rendezvous servers or middleboxes. This document
+ obsoletes RFC 5203.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc8003.
+
+Copyright Notice
+
+ Copyright (c) 2016 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 1]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. HIP Registration Extension Overview . . . . . . . . . . . . . 3
+ 3.1. Registrar Announcing Its Ability . . . . . . . . . . . . 4
+ 3.2. Requester Requesting Registration . . . . . . . . . . . . 4
+ 3.3. Registrar Granting or Refusing Service(s) Registration . 4
+ 4. Parameter Formats and Processing . . . . . . . . . . . . . . 7
+ 4.1. Encoding Registration Lifetimes with Exponents . . . . . 7
+ 4.2. REG_INFO . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 4.3. REG_REQUEST . . . . . . . . . . . . . . . . . . . . . . . 8
+ 4.4. REG_RESPONSE . . . . . . . . . . . . . . . . . . . . . . 9
+ 4.5. REG_FAILED . . . . . . . . . . . . . . . . . . . . . . . 10
+ 5. Establishing and Maintaining Registrations . . . . . . . . . 11
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 8.1. Normative References . . . . . . . . . . . . . . . . . . 13
+ 8.2. Informative References . . . . . . . . . . . . . . . . . 14
+ Appendix A. Changes from RFC 5203 . . . . . . . . . . . . . . . 15
+ Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
+
+1. Introduction
+
+ This document specifies an extension to the Host Identity Protocol
+ (HIP) [RFC7401]. The extension provides a generic means for a host
+ to register with a service. The service may, for example, be a HIP
+ rendezvous server [RFC8004] or a middlebox [RFC3234].
+
+ This document makes no further assumptions about the exact type of
+ service. Likewise, this document does not specify any mechanisms to
+ discover the presence of specific services or means to interact with
+ them after registration. Future documents may describe those
+ operations.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+
+
+
+
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 2]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+2. Terminology
+
+ In addition to the terminology defined in the HIP Architecture
+ [HIP-ARCH], the HIP specification [RFC7401], and the HIP Rendezvous
+ Extension [RFC8004], this document defines and uses the following
+ terms:
+
+ Requester:
+ a HIP node registering with a HIP registrar to request
+ registration for a service.
+
+ Registrar:
+ a HIP node offering registration for one or more services.
+
+ Service:
+ a facility that provides requesters with new capabilities or
+ functionalities operating at the HIP layer. Examples include
+ firewalls that support HIP traversal or HIP rendezvous servers.
+
+ Registration:
+ shared state stored by a requester and a registrar, allowing the
+ requester to benefit from one or more HIP services offered by the
+ registrar. Each registration has an associated finite lifetime.
+ Requesters can extend established registrations through
+ re-registration (i.e., perform a refresh).
+
+ Registration Type:
+ an 8-bit identifier for a given service in the registration
+ protocol. For example, the rendezvous service is identified by a
+ specific registration type.
+
+3. HIP Registration Extension Overview
+
+ This document does not specify the means by which a requester
+ discovers the availability of a service or how a requester locates a
+ registrar. After a requester has discovered a registrar, it either
+ initiates HIP base exchange or uses an existing HIP association with
+ the registrar. In both cases, registrars use additional parameters,
+ which the remainder of this document defines, to announce their
+ quality and grant or refuse registration. Requesters use
+ corresponding parameters to register with the service. Both the
+ registrar and the requester MAY also include in the messages
+ exchanged additional HIP parameters specific to the registration type
+ requested. Other documents will define parameters and how they shall
+ be used.
+
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 3]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ The HIP base exchange, including the definition of the HIP I1, R1,
+ I2, and R2 packets, is defined in [RFC7401]. The following sections
+ describe the differences between this registration handshake and the
+ standard HIP base exchange [RFC7401].
+
+3.1. Registrar Announcing Its Ability
+
+ A host that is capable and willing to act as a registrar vis-a-vis a
+ specific requester SHOULD include a REG_INFO parameter in the R1
+ packets it sends during all base exchanges with that requester. If
+ it is currently unable to provide services due to transient
+ conditions, it SHOULD include an empty REG_INFO, i.e., one with no
+ services listed. If services can be provided later, it SHOULD send
+ UPDATE packets indicating the current set of services available in a
+ new REG_INFO parameter to all hosts it is associated with.
+
+3.2. Requester Requesting Registration
+
+ To request registration with a service, a requester constructs and
+ includes a corresponding REG_REQUEST parameter in an I2 or UPDATE
+ packet it sends to the registrar.
+
+ If the requester has no HIP association established with the
+ registrar, it SHOULD send the REG_REQUEST at the earliest
+ possibility, i.e., in the I2 packet. This minimizes the number of
+ packets that need to be exchanged with the registrar. A registrar
+ MAY end a HIP association that does not carry a REG_REQUEST by
+ including a NOTIFY with the type REG_REQUIRED in the R2. In this
+ case, no HIP association is created between the hosts. The
+ REG_REQUIRED notification error type is 51.
+
+3.3. Registrar Granting or Refusing Service(s) Registration
+
+ Once registration has been requested, the registrar is able to
+ authenticate the requester based on the host identity included in I2.
+
+ If the registrar knows the Host Identities (HIs) of all the hosts
+ that are allowed to register for service(s), it SHOULD reject
+ registrations from unknown hosts. However, since it may be
+ infeasible to preconfigure the registrar with all the HIs, the
+ registrar SHOULD also support HIP certificates [RFC8002] to allow for
+ certificate-based authentication.
+
+ When a requester wants to register with a registrar, it SHOULD check
+ if it has a suitable certificate for authenticating with the
+ registrar. How the suitability is determined and how the
+ certificates are obtained is out of scope for this document. If the
+ requester has one or more suitable certificates, the host SHOULD
+
+
+
+Laganier & Eggert Standards Track [Page 4]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ include them (or just the most suitable one) in a CERT parameter to
+ the HIP packet along with the REG_REQUEST parameter. If the
+ requester does not have any suitable certificates, it SHOULD send the
+ registration request without the CERT parameter to test whether the
+ registrar accepts the request based on the host's identity.
+
+ When a registrar receives a HIP packet with a REG_REQUEST parameter,
+ and it requires authentication for at least one of the registration
+ types listed in the REG_REQUEST parameter, it MUST first check
+ whether the HI of the requester is in the allowed list for all the
+ registration types in the REG_REQUEST parameter. If the requester is
+ in the allowed list (or the registrar does not require any
+ authentication), the registrar MUST proceed with the registration.
+
+ If the requester was not in the allowed list and the registrar
+ requires the requester to authenticate, the registrar MUST check
+ whether the packet also contains a CERT parameter. If the packet
+ does not contain a CERT parameter, the registrar MUST reject the
+ registrations requiring authentication with Failure Type 0 (zero)
+ (registration requires additional credentials). If the certificate
+ is valid and accepted (issued for the requester and signed by a
+ trusted issuer), the registrar MUST proceed with the registration.
+ If the certificate in the parameter is not accepted, the registrar
+ MUST reject the corresponding registrations with the appropriate
+ Failure Type:
+
+ 4 (Bad certificate): The certificate is corrupt, contains invalid
+ signatures, etc.
+
+ 5 (Unsupported certificate): The certificate is of an unsupported
+ type.
+
+ 6 (Certificate expired): The certificate is no longer valid.
+
+ 7 (Certificate other): The certificate could not be validated for
+ some unspecified reason.
+
+ 8 (Unknown CA): The issuing certification authority (CA) certificate
+ could not be located or is not trusted.
+
+ After successful authorization, the registrar includes a REG_RESPONSE
+ parameter in its response, which contains the service type(s) for
+ which it has authorized registration, and zero or more REG_FAILED
+ parameters containing the service type(s) for which it has not
+ authorized registration or registration has failed for other reasons.
+ This response can be either an R2 or an UPDATE message, respectively,
+ depending on whether the registration was requested during the base
+
+
+
+
+Laganier & Eggert Standards Track [Page 5]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ exchange or using an existing association. In particular, REG_FAILED
+ with a Failure Type of zero indicates the service type(s) that
+ requires further credentials for registration.
+
+ If the registrar requires further authorization and the requester has
+ additional credentials available, the requester SHOULD try to
+ register again with the service after the HIP association has been
+ established.
+
+ Successful processing of a REG_RESPONSE parameter creates
+ registration state at the requester. In a similar manner, successful
+ processing of a REG_REQUEST parameter creates registration state at
+ the registrar and possibly at the service. Both the requester and
+ registrar can cancel a registration before it expires, if the
+ services afforded by a registration are no longer needed by the
+ requester or cannot be provided any longer by the registrar (for
+ instance, because its configuration has changed).
+
+ +-----+ I1 +-----+-----+
+ | |--------------------->| | S1 |
+ | |<---------------------| | |
+ | | R1(REG_INFO:S1,S2,S3)| +-----+
+ | RQ | | R | S2 |
+ | | I2(REG_REQ:S1) | | |
+ | |--------------------->| +-----+
+ | |<---------------------| | S3 |
+ | | R2(REG_RESP:S1) | | |
+ +-----+ +-----+-----+
+
+ A requester (RQ) registers for service (S1) with a registrar (R) of
+ services (S1), (S2), and (S3) with which it has no current HIP
+ association
+
+
+ +-----+ +-----+-----+
+ | | UPDATE(REG_INFO:S) | | |
+ | |<---------------------| | |
+ | RQ |--------------------->| R | S |
+ | | UPDATE(REG_REQ:S) | | |
+ | | UPDATE(REG_RESP:S) | | |
+ | |<---------------------| | |
+ +-----+ +-----+-----+
+
+ A requester (RQ) registers for service (S) with a registrar (R) of
+ services (S) with which it currently has a HIP association
+ established
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 6]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+4. Parameter Formats and Processing
+
+ This section describes the format and processing of the new
+ parameters introduced by the HIP Registration Extension. The
+ encoding of these new parameters conforms to the HIPv2 TLV format
+ described in Section 5.2.1 of RFC7401 [RFC7401].
+
+4.1. Encoding Registration Lifetimes with Exponents
+
+ The HIP registration uses an exponential encoding of registration
+ lifetimes.
+
+ The special value 0 (zero) of the lifetime field MUST be interpreted
+ as representing a special lifetime duration of 0 (zero) seconds and
+ is used to request and grant cancellation of a registration.
+
+ The non-zero values of the lifetime field used throughout this
+ document MUST be interpreted as an exponent value representing a
+ lifetime duration of 2^((lifetime - 64)/8) seconds.
+
+ This allows a compact encoding of 255 different lifetime durations
+ (in addition to the special lifetime duration of zero seconds)
+ ranging from 2^(63/8) seconds (i.e., ~4 ms) to 2^(191/8) seconds
+ (i.e., ~178 days) into an 8-bit integer field.
+
+4.2. REG_INFO
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Min Lifetime | Max Lifetime | Reg Type #1 | Reg Type #2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... | Reg Type #n | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type 930
+ Length Length in octets, excluding Type, Length, and Padding.
+ Min Lifetime Minimum registration lifetime.
+ Max Lifetime Maximum registration lifetime.
+ Reg Type The registration types offered by the registrar.
+
+ Other documents will define specific values for registration types.
+ See Section 7 for more information.
+
+
+
+
+Laganier & Eggert Standards Track [Page 7]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ Registrars include the parameter in R1 packets in order to announce
+ their registration capabilities. The registrar SHOULD include the
+ parameter in UPDATE packets when its service offering has changed.
+ HIP_SIGNATURE_2 protects the parameter within the R1 packets.
+
+ The registrar indicates the minimum and maximum registration lifetime
+ that it is willing to offer to a requester. A requester SHOULD NOT
+ request registration with a lifetime greater than the maximum
+ registration lifetime or smaller than the minimum registration
+ lifetime.
+
+4.3. REG_REQUEST
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Lifetime | Reg Type #1 | Reg Type #2 | Reg Type #3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... | Reg Type #n | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type 932
+ Length Length in octets, excluding Type, Length, and Padding.
+ Lifetime Requested registration lifetime.
+ Reg Type The preferred registration types in order of preference.
+
+ Other documents will define specific values for registration types.
+ See Section 7 for more information.
+
+ A requester includes the REG_REQUEST parameter in I2 or UPDATE
+ packets to register with a registrar's service(s). If the
+ REG_REQUEST parameter is in an UPDATE packet, the registrar MUST NOT
+ modify the registrations of registration types that are not listed in
+ the parameter. Moreover, the requester MUST NOT include the
+ parameter unless the registrar's R1 packet or latest received UPDATE
+ packet has contained a REG_INFO parameter with the requested
+ registration types.
+
+ The requester MUST NOT include more than one REG_REQUEST parameter in
+ its I2 or UPDATE packets, while the registrar MUST be able to process
+ one or more REG_REQUEST parameters in received I2 or UPDATE packets.
+
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 8]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ When the registrar receives a registration with a lifetime that is
+ either smaller or greater than the minimum or maximum lifetime,
+ respectively, then it SHOULD grant the registration for the minimum
+ or maximum lifetime, respectively.
+
+ HIP_SIGNATURE protects the parameter within the I2 and UPDATE
+ packets.
+
+4.4. REG_RESPONSE
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Lifetime | Reg Type #1 | Reg Type #2 | Reg Type #3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... | Reg Type #n | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type 934
+ Length Length in octets, excluding Type, Length, and Padding.
+ Lifetime Granted registration lifetime.
+ Reg Type The granted registration types in order of preference.
+
+ Other documents will define specific values for registration types.
+ See Section 7 for more information.
+
+ The registrar SHOULD include a REG_RESPONSE parameter in its R2 or
+ UPDATE packet only if a registration has successfully completed.
+
+ The registrar MUST NOT include more than one REG_RESPONSE parameter
+ in its R2 or UPDATE packets, while the requester MUST be able to
+ process one or more REG_RESPONSE parameters in received R2 or UPDATE
+ packets.
+
+ The requester MUST be prepared to receive any registration lifetime,
+ including ones beyond the minimum and maximum lifetime indicated in
+ the REG_INFO parameter. It MUST NOT expect that the returned
+ lifetime will be the requested one, even when the requested lifetime
+ falls within the announced minimum and maximum.
+
+ HIP_SIGNATURE protects the parameter within the R2 and UPDATE
+ packets.
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 9]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+4.5. REG_FAILED
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Failure Type | Reg Type #1 | Reg Type #2 | Reg Type #3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... | Reg Type #n | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type 936
+ Length Length in octets, excluding Type, Length, and Padding.
+ Failure Type Reason for failure.
+ Reg Type The registration types that failed with the specified
+ reason.
+
+ Value Registration Failure Type
+ ---------- --------------------------------------------
+ 0 Registration requires additional credentials
+ 1 Registration type unavailable
+ 2 Insufficient resources
+ 3 Invalid certificate
+ 9-200 Unassigned
+ 201-255 Reserved for Private Use
+
+ Other documents will define specific values for registration types.
+ See Section 7 for more information.
+
+ Failure Type 0 (zero) indicates that the registrar requires
+ additional credentials to authorize a requester to register with the
+ registration types listed in the parameter. Failure Type 1 (one)
+ indicates that the requested service type is unavailable at the
+ registrar. Failure Type 2 indicates that the registrar does not
+ currently have enough resources to register the requester for the
+ service(s); when that is the case, the requester MUST NOT reattempt
+ immediately to register for the same service(s) and MAY attempt to
+ contact another registrar to register for the service(s). Failure
+ Type 3 indicates that the registrar could not validate the
+ certificate provided by the requester to register for the service(s);
+ when that is the case, the requester MUST NOT reattempt to register
+ for the same set of services while providing the same certificate and
+ MAY attempt to register for the same set of services with a different
+ certificate, or with a different set of services with the same
+ certificate.
+
+
+
+Laganier & Eggert Standards Track [Page 10]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ The registrar SHOULD include a REG_FAILED parameter in its R2 or
+ UPDATE packet, if registration with the registration types listed has
+ not completed successfully, and a requester is asked to try again
+ with additional credentials.
+
+ HIP_SIGNATURE protects the parameter within the R2 and UPDATE
+ packets.
+
+5. Establishing and Maintaining Registrations
+
+ Establishing and/or maintaining a registration may require additional
+ information not available in the transmitted REG_REQUEST or
+ REG_RESPONSE parameters. Therefore, registration type definitions
+ MAY define dependencies for HIP parameters that are not defined in
+ this document. Their semantics are subject to the specific
+ registration type specifications.
+
+ The minimum lifetime both registrars and requesters MUST support is
+ 10 seconds, while they SHOULD support a maximum lifetime of 120
+ seconds, at least. These values define a baseline for the
+ specification of services based on the registration system. They
+ were chosen to be neither too short nor too long, and to accommodate
+ for existing timeouts of state established in middleboxes (e.g., NATs
+ and firewalls.)
+
+ A zero lifetime is reserved for canceling purposes. Requesting a
+ zero lifetime for a registration type is equal to canceling the
+ registration of that type. A requester MAY cancel a registration
+ before it expires by sending a REG_REQ to the registrar with a zero
+ lifetime. A registrar SHOULD respond and grant a registration with a
+ zero lifetime. A registrar (and an attached service) MAY cancel a
+ registration before it expires, at its own discretion. However, if
+ it does so, it SHOULD send a REG_RESPONSE with a zero lifetime to all
+ registered requesters.
+
+6. Security Considerations
+
+ This section discusses the threats on the HIP registration protocol
+ and their implications on the overall security of HIP. In
+ particular, it argues that the extensions described in this document
+ do not introduce additional threats to HIP.
+
+ The extensions described in this document rely on the HIP base
+ exchange and do not modify its security characteristics, e.g.,
+ digital signatures or Hashed Message Authentication Code (HMAC).
+ Hence, the only threat introduced by these extensions is related to
+ the creation of soft registration state at the registrar.
+
+
+
+
+Laganier & Eggert Standards Track [Page 11]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ Registrars act on a voluntary basis and are willing to accept being a
+ Responder and then to create HIP associations with a number of
+ potentially unknown hosts. Because they have to store HIP
+ association state anyway, adding a certain amount of time-limited HIP
+ registration states should not introduce any serious additional
+ threats, especially because HIP registrars may cancel registrations
+ at any time at their own discretion, e.g., because of resource
+ constraints during an attack.
+
+7. IANA Considerations
+
+ This section is to be interpreted according to "Guidelines for
+ Writing an IANA Considerations Section in RFCs" [RFC5226].
+
+ [RFC5203], obsoleted by this document, made the following definitions
+ and reservations in the "Parameter Types" subregistry under "Host
+ Identity Protocol (HIP) Parameters":
+
+ Value Parameter Type Length
+ ----- -------------- --------
+ 930 REG_INFO variable
+ 932 REG_REQUEST variable
+ 934 REG_RESPONSE variable
+ 936 REG_FAILED variable
+
+ In the "Parameter Types" subregistry under "Host Identity Protocol
+ (HIP) Parameters", the references to the obsoleted [RFC5203] have
+ been replaced with references to this document.
+
+ [RFC5203], obsoleted by this document, requested the opening of the
+ "Registration Types" subregistry under "Host Identity Protocol (HIP)
+ Parameters", defined no registration types, but made the following
+ reservations in that subregistry:
+
+ Reg Type Service
+ -------- --------------------------------
+ 201-255 Reserved by IANA for private use
+
+ Adding a new type requires new IETF specifications.
+
+ In the "Registration Types" subregistry under "Host Identity Protocol
+ (HIP) Parameters", references to the obsoleted [RFC5203] have been
+ replaced with references to this document.
+
+ [RFC5203], obsoleted by this document, requested the opening of the
+ "Registration Failure Types" subregistry under "Host Identity
+ Protocol (HIP) Parameters" and made the following definitions and
+ reservations in that subregistry:
+
+
+
+Laganier & Eggert Standards Track [Page 12]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ Failure Type Reason
+ ------------ --------------------------------------------
+ 0 Registration requires additional credentials
+ 1 Registration type unavailable
+ 201-255 Reserved by IANA for private use
+
+ Adding a new type requires new IETF specifications.
+
+ In the "Registration Failure Types" subregistry under "Host Identity
+ Protocol (HIP) Parameters", references to the obsoleted [RFC5203]
+ have been replaced with references to this document, and the
+ following HIP Registration Failure Types have been added:
+
+ Value Registration Failure Type
+ ------------ --------------------------------------------
+ 2 Insufficient resources
+ 3 Invalid certificate
+ 4 Bad certificate
+ 5 Unsupported certificate
+ 6 Certificate expired
+ 7 Certificate other
+ 8 Unknown CA
+ 201-255 Reserved for Private Use
+
+8. References
+
+8.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ DOI 10.17487/RFC5226, May 2008,
+ <http://www.rfc-editor.org/info/rfc5226>.
+
+ [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
+ Henderson, "Host Identity Protocol Version 2 (HIPv2)",
+ RFC 7401, DOI 10.17487/RFC7401, April 2015,
+ <http://www.rfc-editor.org/info/rfc7401>.
+
+ [RFC8002] Heer, T. and S. Varjonen, "Host Identity Protocol
+ Certificates", RFC 8002, DOI 10.17487/RFC8002, October
+ 2016, <http://www.rfc-editor.org/info/rfc8002>.
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 13]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+ [RFC8004] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP)
+ Rendezvous Extension", RFC 8004, DOI 10.17487/RFC8004,
+ October 2016, <http://www.rfc-editor.org/info/rfc8004>.
+
+8.2. Informative References
+
+ [HIP-ARCH]
+ Moskowitz, R. and M. Komu, "Host Identity Protocol
+ Architecture", Work in Progress, draft-ietf-hip-rfc4423-
+ bis-14, June 2016.
+
+ [HIP-NAT] Keranen, A., Melen, J., and M. Komu, "Native NAT Traversal
+ Mode for the Host Identity Protocol", Work in Progress,
+ draft-ietf-hip-native-nat-traversal-13, July 2016.
+
+ [RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
+ Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
+ <http://www.rfc-editor.org/info/rfc3234>.
+
+ [RFC5203] Laganier, J., Koponen, T., and L. Eggert, "Host Identity
+ Protocol (HIP) Registration Extension", RFC 5203,
+ DOI 10.17487/RFC5203, April 2008,
+ <http://www.rfc-editor.org/info/rfc5203>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 14]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+Appendix A. Changes from RFC 5203
+
+ o Updated references to revised HIP specifications.
+
+ o Added a new registration Failure Type for use in case of
+ insufficient resources available at the HIP registrar.
+
+ o Added requester authorization based on certificates and new
+ registration Failure Types for invalid certificates.
+
+Acknowledgments
+
+ The following people (in alphabetical order) have provided thoughtful
+ and helpful discussions and/or suggestions that have helped to
+ improve this document: Jeffrey Ahrenholz, Miriam Esteban, Ari
+ Keranen, Mika Kousa, Pekka Nikander, and Hannes Tschofenig.
+
+ Lars Eggert has received funding from the European Union's Horizon
+ 2020 research and innovation program 2014-2018 under grant agreement
+ No. 644866. This document reflects only the authors' views, and the
+ European Commission is not responsible for any use that may be made
+ of the information it contains.
+
+ Ari Keranen suggested inclusion of the text specifying requester
+ authorization based on certificates as a direct adaption of text
+ found in the HIP native NAT traversal specification [HIP-NAT].
+
+ Thanks to Joel M. Halpern for performing the Gen-ART review of this
+ document as part of the publication process.
+
+Contributors
+
+ Teemu Koponen coauthored an earlier, experimental version of this
+ specification [RFC5203].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 15]
+
+RFC 8003 HIP Registration Extension October 2016
+
+
+Authors' Addresses
+
+ Julien Laganier
+ Luminate Wireless, Inc.
+ Cupertino, CA
+ United States of America
+
+ Email: julien.ietf@gmail.com
+
+
+ Lars Eggert
+ NetApp
+ Sonnenallee 1
+ Kirchheim 85551
+ Germany
+
+ Phone: +49 151 12055791
+ Email: lars@netapp.com
+ URI: http://eggert.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laganier & Eggert Standards Track [Page 16]
+