Internet-Draft Proxy Configuration PvDs October 2024
Pauly & Damjanovic Expires 24 April 2025 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-ietf-intarea-proxy-config-02
Published:
Intended Status:
Standards Track
Expires:
Authors:
T. Pauly
Apple, Inc.
D. Damjanovic
Microsoft

Communicating Proxy Configurations in Provisioning Domains

Abstract

This document defines a mechanism for accessing provisioning domain information associated with a proxy, such as other proxy URIs that support different protocols and a list of DNS zones that are accessible via a proxy.

Discussion Venues

This note is to be removed before publishing as an RFC.

Source for this draft and an issue tracker can be found at https://github.com/tfpauly/privacy-proxy.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 24 April 2025.

Table of Contents

1. Introduction

HTTP proxies that use the CONNECT method Section 9.3.6 of [HTTP] (often referred to as "forward" proxies) allow clients to open connections to hosts via a proxy. These typically allow for TCP stream proxying, but can also support UDP proxying [CONNECT-UDP] and IP packet proxying [CONNECT-IP]. Such proxies are not just defined as hostnames and ports, but can use URI templates [URITEMPLATE].

In order to make use of multiple related proxies, clients need a way to understand which proxies are associated with one another.

Client can also benefit from learning about additional information associated with the proxy to optimize their proxy usage, such knowing that a proxy is configured to only allow access to a limited set of destinations.

These improvements to client behavior can be achieved through the use of Provisioning Domains. Provisioning Domains (PvDs) are defined in [PVD] as consistent sets of network configuration information, which can include proxy configuration details Section 2 of [PVD]. [PVDDATA] defines a JSON [JSON] format for describing Provisioning Domain Additional Information, which is an extensible dictionary of properties of the Provisioning Domain.

This document defines several mechanisms to use PvDs to help clients understand how to use proxies:

  1. A way to fetch PvD Additional Information associated with a known proxy URI (Section 2)

  2. A way to list one or more proxy URIs in a PvD, allowing clients to learn about other proxy options given a known proxy (Section 3).

  3. A way to define a limited set of destinations that are accessible through the proxy (Section 4).

Additionally, this document partly describes how these mechanisms might be used to discover proxies associated with a network (Section 5).

Using this mechanism a client can learn that a legacy insecure HTTP proxy that the client is configured with is also accessible using HTTPS. In this way, clients can upgrade to a more secure connection to the proxy.

1.1. Background

Other non-standard mechanisms for proxy configuration and discovery have been used historically, some of which are described in [RFC3040].

Proxy Auto Configuration (PAC) files Section 6.2 of [RFC3040] are Javascript scripts that take URLs as input and provide an output of a proxy configuration to use.

Web Proxy Auto-Discovery Protocol (WPAD) Section 6.4 of [RFC3040] allows networks to advertise proxies to use by advertising a PAC file. This solution squats on DHCP option 252.

These common (but non-standard) mechanisms only support defining proxies by hostname and port, and do not support configuring a full URI template [URITEMPLATE].

The mechanisms defined in this document are intended to offer a standard alternative that works for URI-based proxies and avoids dependencies on executing Javascript scripts, which are prone to implementation-specific inconsistencies and can open up security vulnerabilities.

1.2. Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Fetching PvD Additional Information for proxies

This document defines a way to fetch PvD Additional Information associated with a proxy. This PvD describes the properties of the network accessible through the proxy.

In order to fetch PvD Additional Information associated with a proxy, a client issues an HTTP GET request for the well-known PvD URI (".well-known/pvd") [PVDDATA] and the host authority of the proxy. This is applicable for both proxies that are identified by a host and port only (such as SOCKS proxies and HTTP CONNECT proxies) and proxies that are identified by a URI or URI template.

For example, a client would issue the following request for the PvD associated with "https://proxy.example.org/masque{?target_host,target_port}":

:method = GET
:scheme = https
:authority = proxy.example.org
:path = /.well-known/pvd
accept = application/pvd+json

For a HTTP CONNECT proxy on "proxy.example.org:8080", the client would send the following request:

:method = GET
:scheme = https
:authority = proxy.example.org:8080
:path = /.well-known/pvd
accept = application/pvd+json

Note that all proxies that are colocated on the same host and port share the same PvD Additional Information. Proxy deployments that need separate PvD configuration properties SHOULD use different hosts.

PvD Additional Information is required to contain the "identifier", "expires", and "prefixes" keys. For proxy PvDs as defined in this document, the "identifier" MUST match the hostname of the HTTP proxy. The "prefixes" array SHOULD be empty by default.

3. Enumerating proxies within a PvD

This document defines a new PvD Additional Information key, proxies, that is an array of dictionaries, where each dictionary in the array defines a single proxy that is available as part of the PvD (see Section 7.1). Each proxy is defined by a proxy protocol, a proxy location (i.e., a hostname and port or a URI template [URITEMPLATE]), along with potentially other keys.

This document defines two mandatory keys for the sub-dictionaries in the proxies array, protocol and proxy. There are also optional keys, including alpn, and destination accessibility keys defined in Section 4. Other optional keys can be added to the dictionary to further define or restrict the use of a proxy. Clients that do not recognize or understand a key in a proxy sub-dictionary MUST ignore the entire proxy definition, since the proxy might be only applicable for particular uses. These keys are registered in an IANA registry, defined in Section 7.2.

Table 1
JSON Key Optional Description Type Example
protocol No The protocol used to communicate with the proxy String "connect-udp"
proxy No String containing the URI template or hostname and port of the proxy, depending on the format defined by the protocol String "https://proxy.example.org:4443/masque{?target_host,target_port}"
alpn Yes An array of Application-Layer Protocol Negotiation protocol identifiers Array of Strings ["h3","h2"]

The values for the protocol key are defined in the proxy protocol registry (Section 7.3), with the initial contents provided below. For consistency, any new proxy types that use HTTP Upgrade Tokens (and use the :protocol pseudo-header) SHOULD define the protocol value to match the Upgrade Token / :protocol value.

Table 2
Proxy Protocol Proxy Location Format Reference Notes
socks5 hostname:port [SOCKSv5]  
http-connect hostname:port Section 9.3.6 of [HTTP] Standard CONNECT method, using unencrypted HTTP to the proxy
https-connect hostname:port Section 9.3.6 of [HTTP] Standard CONNECT method, using TLS-protected HTTP to the proxy
connect-udp URI template [CONNECT-UDP]  
connect-ip URI template [CONNECT-IP]  
connect-tcp URI template [CONNECT-TCP]  

The value of proxy depends on the Proxy Location Format defined by proxy protocol. The types defined here either use a hostname and port, or a full URI template.

If the alpn key is present, it provides a hint for the Application-Layer Protocol Negotiation (ALPN) [ALPN] protocol identifiers associated with this server. For HTTP proxies, this can indicate if the proxy supports HTTP/3, HTTP/2, etc.

When a PvD that contains the proxies key is fetched from a known proxy using the method described in Section 2 the proxies list describes equivalent proxies (potentially supporting other protocols) that can be used in addition to the known proxy.

Such cases are useful for informing clients of related proxies as a discovery method, with the assumption that the client already is aware of one proxy. Many historical methods of configuring a proxy only allow configuring a single FQDN hostname for the proxy. A client can attempt to fetch the PvD information from the well-known URI to learn the list of complete URIs that support non-default protocols, such as [CONNECT-UDP] and [CONNECT-IP].

3.1. Example

Given a known HTTP CONNECT proxy FQDN, "proxy.example.org", a client could request PvD Additional Information with the following request:

:method = GET
:scheme = https
:authority = proxy.example.org
:path = /.well-known/pvd
accept = application/pvd+json

If the proxy has a PvD definition for this FQDN, it would return the following response to indicate a PvD that has two related proxy URIs.

:status = 200
content-type = application/pvd+json
content-length = 222

{
  "identifier": "proxy.example.org.",
  "expires": "2023-06-23T06:00:00Z",
  "prefixes": [],
  "proxies": [
    {
      "protocol": "http-connect",
      "proxy": "proxy.example.org:80"
    },
    {
      "protocol": "connect-udp",
      "proxy": "https://proxy.example.org/masque{?target_host,target_port}"
    }
  ]
}

The client would learn the URI template of the proxy that supports UDP using [CONNECT-UDP], at "https://proxy.example.org/masque{?target_host,target_port}".

4. Destination accessibility information for proxies

Destination accessibility information is used when only a subset of destinations is reachable through a proxy. Destination restrictions are often used in VPN tunnel configurations such as split DNS in IKEv2 [IKEV2SPLIT].

PvD Additional Information can be used to indicate that a proxy PvD only allows access to a limited set of destinations.

This document defines five optional keys for subdictionaries in the proxies array that are used to signal information about destinations available through the proxy.

Table 3
JSON Key Optional Description Type Example
matchDomains Yes An array of FQDNs and wildcard DNS domains that can be accessed over this proxy Array of Strings [ "www.example.com", "*.internal.example.com" ]
excludeDomains Yes An array of FQDNs and wildcard DNS domains that cannot be accessed over this proxy. If matchDomains is specified, excludeDomains should list more specific domains within entries in the matchDomains array Array of Strings [ "public.example.com" ]
matchSubnets Yes An array of IP addresses and subnets that can be accessed over this proxy Array of Strings [ "2001:DB8::1", "192.168.1.0/24" ]
excludeSubnets Yes An array of IP addresses and subnets that cannot be accessed over this proxy. If matchSubnets is specified, excludeDomains should list more specific subnets within entries in the matchSubnets array Array of Strings [ "192.0.2.0/16", "192.51.100.1" ]
matchPorts Yes An array of TCP or UDP port ranges accessible over this proxy Array of Strings [ "80", "443", "1024-65535" ]

When present in a PvD Additional Information dictionary that is retrieved for a proxy as described in Section 2, entries in the matchDomains array indicate specific FQDNs and zones that are accessible using the proxy. If a hostname does match any entry, then a client SHOULD assume that the hostname will not be accessible through the proxy. If a hostname is included in the excludeDomains array, then the client SHOULD NOT access it through the proxy. The excludeDomains parameter can be present even if matchDomains is omitted. When this is the case, the client assumes that all domains except the domains listed in the excludeDomains array are accessible through the proxy.

Entries listed in matchDomains MUST NOT expand the set of domains that a client is willing to send to a particular proxy. The list can only narrow the list of domains that the client is willing to send through the proxy. For example, if the client has a local policy to only send requests for "*.example.com" to a proxy "proxy.example.com", and the matchDomains array contains "internal.example.com" and "other.company.com", the client would end up only proxying "internal.example.com" through the proxy.

A wildcard prefix (*.) is used to indicate matching entire domains or subdomains instead of specific hostnames. Note that this can be used to match multiple levels of subdomains. For example ".example.com" matches "internal.example.com" as well as "www.public.example.com". Entries that include the wildcard prefix also SHOULD be treated as if they match an FQDN that only contains the string after the prefix, with no subdomain. So, an entry in matchDomains of ".example.com" would match the FQDN "example.com", unless "example.com" were specifically included in excludeDomains. This is done to prevent commonly needing to include both "*.example.com" and "example.com" in the matchDomains list.

Entries in matchSubnets correspond to IP addresses and subnets that are available through the proxy, while entries in excludeSubnets define IP addresses and subnets that SHOULD NOT be used with the proxy. Subnet-based destination information SHOULD only be used when applications are communicating with destinations identified by only an IP address and not a hostname.

matchPorts in a list of strings that can be used to instruct the client that only specific destination TCP or UDP ports are accessible through the proxy. The list may contain individual port numbers (such as "80") or inclusive ranges of ports. For example "1024-2048" matches all ports from 1024 to 2048, including the 1024 and 1028.

4.1. Example

Given a proxy URI template "https://proxy.example.org/masque{?target_host,target_port}", which in this case is for UDP proxying, the client could request PvD additional information with the following request:

:method = GET
:scheme = https
:authority = proxy.example.org
:path = /.well-known/pvd
accept = application/pvd+json

If the proxy has a PvD definition for this proxy, it could return the following response to indicate a PvD that has one accessible zone, "*.internal.example.org".

:status = 200
content-type = application/pvd+json
content-length = 135

{
  "identifier": "proxy.example.org.",
  "expires": "2023-06-23T06:00:00Z",
  "prefixes": [],
  "proxies": [
    {
      "protocol": "http-connect",
      "proxy": "proxy.example.org:80"
    },
    {
      "protocol": "connect-udp",
      "proxy": "https://proxy.example.org/masque{?target_host,target_port}",
      "matchDomains": [ "*.internal.example.org" ]
    }
  ]
}

The client could then choose to use this proxy only for accessing names that fall within the "*.internal.example.org" zone.

5. Discovering proxies from network PvDs

[PVDDATA] defines how PvD Additional Information is discovered based on network advertisements using Router Advertisements [RFC4861]. A network defining its configuration via PvD information can include the proxies key (Section 3) to inform clients of a list of proxies available on the network.

This association of proxies with the network's PvD can be used as a mechanism to discover proxies, as an alternative to PAC files. However, client systems MUST NOT automatically send traffic over proxies advertised in this way without explicit configuration, policy, or user permission. For example, a client can use this mechanism to choose between known proxies, such as if the client was already proxying traffic and has multiple options to choose between.

Further security and experience considerations are needed for these cases.

6. Security Considerations

Configuration advertised via PvD Additional Information, such DNS zones or associated proxies, can only be safely used when fetched over a secure TLS-protected connection, and the client has validated that that the hostname of the proxy, the identifier of the PvD, and the validated hostname identity on the certificate all match.

7. IANA Considerations

7.1. New PvD Additional Information key

This document registers a new key in the "Additional Information PvD Keys" registry.

JSON Key: proxies

Description: Array of proxy dictionaries associated with this PvD

Type: Array of dictionaries

Example: [ { "protocol": "connect-udp", "proxy": "https://proxy.example.org/masque{?target_host,target_port}" } ]

7.2. New PvD Proxy Information Registry

IANA is requested to create a new registry "Proxy Information PvD Keys", within the "Provisioning Domains (PvDs)" registry page. This new registry reserves JSON keys for use in sub-dictionaries under the proxies key. The initial contents of this registry are given in Section 3 and Section 4.

New assignments in the "Proxy Information PvD Keys" registry will be administered by IANA through Expert Review [RFC8126]. Experts are requested to ensure that defined keys do not overlap in names or semantics.

7.3. New PvD Proxy Protocol Registry

IANA is requested to create a new registry "Proxy Protocol PvD Values", within the "Provisioning Domains (PvDs)" registry page. This new registry reserves JSON values for the protocol key in proxies sub-dictionaries. The initial contents of this registry are given in Section 3.

New assignments in the "Proxy Protocol PvD Values" registry will be administered by IANA through Expert Review [RFC8126]. Experts are requested to ensure that defined keys do not overlap in names or semantics, and have clear format definitions. The reference and notes fields MAY be empty.

8. References

8.1. Normative References

[ALPN]
Friedl, S., Popov, A., Langley, A., and E. Stephan, "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, , <https://www.rfc-editor.org/rfc/rfc7301>.
[CONNECT-IP]
Pauly, T., Ed., Schinazi, D., Chernyakhovsky, A., Kühlewind, M., and M. Westerlund, "Proxying IP in HTTP", RFC 9484, DOI 10.17487/RFC9484, , <https://www.rfc-editor.org/rfc/rfc9484>.
[CONNECT-TCP]
Schwartz, B. M., "Template-Driven HTTP CONNECT Proxying for TCP", Work in Progress, Internet-Draft, draft-ietf-httpbis-connect-tcp-05, , <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-connect-tcp-05>.
[CONNECT-UDP]
Schinazi, D., "Proxying UDP in HTTP", RFC 9298, DOI 10.17487/RFC9298, , <https://www.rfc-editor.org/rfc/rfc9298>.
[HTTP]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/rfc/rfc9110>.
[JSON]
Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, , <https://www.rfc-editor.org/rfc/rfc8259>.
[PVDDATA]
Pfister, P., Vyncke, É., Pauly, T., Schinazi, D., and W. Shao, "Discovering Provisioning Domain Names and Data", RFC 8801, DOI 10.17487/RFC8801, , <https://www.rfc-editor.org/rfc/rfc8801>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8126]
Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, , <https://www.rfc-editor.org/rfc/rfc8126>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[SOCKSv5]
Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and L. Jones, "SOCKS Protocol Version 5", RFC 1928, DOI 10.17487/RFC1928, , <https://www.rfc-editor.org/rfc/rfc1928>.
[URITEMPLATE]
Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., and D. Orchard, "URI Template", RFC 6570, DOI 10.17487/RFC6570, , <https://www.rfc-editor.org/rfc/rfc6570>.

8.2. Informative References

[IKEV2SPLIT]
Pauly, T. and P. Wouters, "Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 8598, DOI 10.17487/RFC8598, , <https://www.rfc-editor.org/rfc/rfc8598>.
[PVD]
Anipko, D., Ed., "Multiple Provisioning Domain Architecture", RFC 7556, DOI 10.17487/RFC7556, , <https://www.rfc-editor.org/rfc/rfc7556>.
[RFC3040]
Cooper, I., Melve, I., and G. Tomlinson, "Internet Web Replication and Caching Taxonomy", RFC 3040, DOI 10.17487/RFC3040, , <https://www.rfc-editor.org/rfc/rfc3040>.
[RFC4861]
Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, , <https://www.rfc-editor.org/rfc/rfc4861>.

Authors' Addresses

Tommy Pauly
Apple, Inc.
Dragana Damjanovic
Microsoft