Internet DRAFT - draft-vanderstok-core-dna
draft-vanderstok-core-dna
CoRE P. van der Stok, Ed.
Internet-Draft vanderstok consultancy
Intended status: Informational K. Lynn
Expires: January 11, 2013 Consultant
A. Brandt
Sigma Designs
July 10, 2012
CoRE Discovery, Naming, and Addressing
draft-vanderstok-core-dna-02
Abstract
This is a working document intended to focus discussion and refine
draft language for the CoAP protocol specification (or other proposed
standards) in the areas of discovery, naming, and addressing.
Requirements on discovery are motivated. Special emphasis is placed
on group definition and discovery. Examples show how groups can be
represented in CoAP Resource Directories or DNS-SD.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 11, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
van der Stok, et al. Expires January 11, 2013 [Page 1]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Discovery scope . . . . . . . . . . . . . . . . . . . . . 6
3.2. Interactive mapping . . . . . . . . . . . . . . . . . . . 6
3.3. M2M mapping . . . . . . . . . . . . . . . . . . . . . . . 7
3.4. End-point grouping . . . . . . . . . . . . . . . . . . . . 7
3.5. Discovery queries . . . . . . . . . . . . . . . . . . . . 10
3.6. Sleeping devices . . . . . . . . . . . . . . . . . . . . . 11
4. DNS and RD examples . . . . . . . . . . . . . . . . . . . . . 12
4.1. DNS-SD examples . . . . . . . . . . . . . . . . . . . . . 13
4.2. RD examples . . . . . . . . . . . . . . . . . . . . . . . 19
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
6. Security Considerations . . . . . . . . . . . . . . . . . . . 24
6.1. DNS Security considerations . . . . . . . . . . . . . . . 24
6.2. RD Security considerations . . . . . . . . . . . . . . . . 26
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 26
8. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 26
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
9.1. Normative References . . . . . . . . . . . . . . . . . . . 26
9.2. Informative References . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29
van der Stok, et al. Expires January 11, 2013 [Page 2]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
1. Introduction
The CoRE working group is chartered to design and standardize a
Constrained Application Protocol (CoAP) for resource constrained
devices and networks [I-D.ietf-core-coap]. The requirements for CoRE
are documented in [I-D.shelby-core-coap-req]. This draft discusses
the requirements on service discovery for M2M and interactive
applications using resource constrained devices. We propose the use
of DNS-SD [I-D.cheshire-dnsext-dns-sd] and Resource Directory (RD)
[I-D.shelby-core-resource-directory] to satisfy the requirements.
The proposal relies heavily on naming and addressing conventions.
Special emphasis is placed on the definition, naming, and discovery
of groups.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Addtional privileged words are described below.
A "device" is a physical processor connected to at least one link
through a network interface. Each interface has at least one IP
unicast address. The IP address is optionally bound to a host name,
which may be a Fully Qualified Domain Name (FQDN).
An "end-point" corresponds to a "service" and is indentified by a
unique {protocol, host, port} tuple. The identity of an endpoint may
be specified by the 'scheme' and 'authority' parts of a URI
[RFC3986]. 'Protocol' is a label that indicates application and
transport protocol bindings as well as default port (if port is not
specified) and possibly default semantics such as web-linking
[RFC5988]. 'Host' corresponds to the [RFC3986] ABNF production as
updated by [I-D.ietf-6man-uri-zoneid].
A "service type", e.g. _bldg-ctrl._tcp, is equivalent to the
'protocol' label described above. It identifies an application
protocol, typically defined by a Standards Development Organization
(SDO), and is ultimately registered with IANA
[I-D.cheshire-dnsext-dns-sd]. The SDO may additionally specify
service subtypes (e.g. _light, _onoff-control, _air-flow ...) to
designate units of functionality, the attributes of the subtypes, and
the primitives acting on the attributes.
A "resource" is any attribute of an end-point that can be acted upon
by REST methods. A resource is identified by a URI, that is, an end-
point plus a 'path' component [RFC3986].
van der Stok, et al. Expires January 11, 2013 [Page 3]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
A "Function Set" is a service subtype with a set of resources and
behaviors that may be accessed through a REST interface. A Function
Set will typically be decribed by a base URI plus an interface
definition as described in [I-D.shelby-core-interfaces]. The
interface definition may specify the naming patterns of subordinate
resources and the methods that act on them.
A "Profile" is a group of Function Sets defined by a specification.
A "Collection" is a set of two or more homogeneous subordinate
resources that may be acted upon in the aggregate by sending messages
to their parent resource, or individually by sending messages to the
collection member.
A "Device type" describes a standardized set of Function Sets that
satisfy a use case for a hosting device.
A "group" is a set of end-points.
A "multicast group" is a group of end-points that share a multicast
address. The multicast address is optionally bound to a FQDN that
identifies the multicast group. For the purposes of this document, a
(multicast) group generally hosts one Function Set.
1.2. Motivation
In this draft, we focus and expand discussions on requirements
pertaining to discovery, naming, and addressing, including REQ8 of
the CoRE charter:
REQ8: A definition of how to use CoAP to advertise about or query
for a Device's description. This description may include the
device name and a list of its Resources, each with a URL, an
interface description URI (pointing e.g. to a Web Application
Description Language (WADL) document) and an optional name or
identifier. The name taxonomy used for this description will
be consistent with other IETF work, e.g.
draft-cheshire-dnsext-dns-sd. [charter]
The basis of this draft originated in [I-D.vanderstok-core-bc].
1.3. Applicability
This note applies to discovery of services for commissioning and
auto-configuration in building networks (for example: residential and
office). The examples are inspired by the building environment. The
proposed solutions and recommendations can be applied more generally.
van der Stok, et al. Expires January 11, 2013 [Page 4]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
2. Architecture
This section illustrates the aspects of naming schemes and their
support by DNS-based Service Discovery (DNS-SD)
[I-D.cheshire-dnsext-dns-sd] , Extended Multicast DNS (xmDNS)
[I-D.lynn-homenet-site-mdns], and the Resource Directory (RD)
[I-D.shelby-core-resource-directory] on a set of network
architectures.
The basic network for low-power nodes can be composed of low-resource
nodes sharing the same IPv6 prefix and connected to low-power links
like IEEE 802.15.4, ITU-T G.9959, or Powerline. The "lowpan" is a
good example of such a network [RFC4944], [RFC6282]. The network can
be either isolated or connected. This draft assumes that application
profiles are defined above coap or http, for example, applications as
specified by the ZigBee Smart Energy Profile 2.0 (SEP2), Obix, or
BACnet IT working groups. The naming and discovery solutions
presented here are applicable to multiple interconnected subnets.
Example network architectures are:
- An isolated lowpan consists of at least two lowpan devices, one of
which is an edge router that is not connected to a backbone. A
Resource Directory may be situated on the edge router.
Alternatively, xmDNS responders may execute on each device.
- A connected lowpan consists of at least two lowpan devices, one of
which is an edge router that is connected to a backbone. A
Resource Directory may be situated on an edge router.
Alternatively, xmDNS responders may execute on each device or the
DNS-SD service may be available over the backbone.
- Interconnected lowpans consist of at least two lowpans connected
via edge routers to the same backbone. A Resource Directory may be
situated on each edge router. Alternatively, xmDNS responders may
execute on each device or the DNS-SD service may be available over
the backbone.
- A site is a set of interconnected subnets that is locally
administered. A site may include zero or more lowpans. Border
routers may prevent some messages from passing into or out of the
site.
In certain scenarios, the domain may correspond to the network
topology. In the general case, the domain and network subnet
structure may differ.
3. Use Cases
The use of service discovery is presented in two environments: (1)
interactive service discovery, and (2) M2M service discovery. From
van der Stok, et al. Expires January 11, 2013 [Page 5]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
the use cases we derive the types of queries that service discovery
should support. In particular, a primary motivation is the discovery
of groups that support a given Function Set.
3.1. Discovery scope
In the simplest case the discovery scope is limited to the services
and resources provided on the LowPAN. In more complex cases,
discovery has a scope that can be defined with domain names. The
authority part of a URI [RFC3986] can express the location of the
device hosting the service. A common example is the naming
associated with the structure of a building. A device may acquire a
FQDN that relates directly to its location in the building. For
example, power-strip.office4.floor1.example.com (or shorter
ps.o4.f1.example.com) refers to a power-strip with device name
"power-strip" (or short "ps") in office4 at floor1 in the building of
the company example.com. Another naming scheme can be functional
like TV1.media.IT.example.com, possibly refering to TV number 1
maintained by the media group of the IT department of the example
organisation. Domain naming can be used to express that devices are
situated in the same building area or belong to the same
organisational units. Multiple FQDNs can identify a given device.
The DNS provides the mapping from Fully Qualified Domain Name (FQDN)
to network address and vice-versa. The RD realtes domain names to
end-points. The binding of domain names to a physical device (for
example, assigning a given FQDN to the TV in the corner) depends on
the operational conditions as described below.
3.2. Interactive mapping
In the residential context, naming of the device is done by the
occupant of the home. After connecting the device to the network, an
IP-address is assigned, possibly based on the EUI-64 value of the
network interface. The occupant can use a remote control with a
graphical user interface to display all devices that provide a given
service (e.g. a "lighting" service). The remote control prompts the
occupant to identify the (default named) devices, possibly
accompanied by on/off switching, barcode scanning, or other manual
intervention. The occupant can provide a meaningful name that will
be bound to that device. The installation steps can be as follows:
Service discovery returns all interfaces on which the specified
service is available. The occupant, with or without additional
physical support, establishes the binding between an IP address
(based on MAC address or other unique identifier) and the name of the
device providing the service, plus its relationship with other
devices or function sets in the system. In some cases a device has
multiple names, and an additional mapping between user specified name
van der Stok, et al. Expires January 11, 2013 [Page 6]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
and an automatically generated DNS name is supported.
3.3. M2M mapping
In the commercial context (e.g. office buildings) it is usual to
employ a Comissioning Tool (CT) to provide the mapping from physical
device to IP network address or FQDN. The professional context is
more rigid than the home because the absence of devices and also the
unwanted presence of devices needs to be detected. Devices are named
by an architect or installation contractor. Names can be generated
automatically and need not be human-friendly. The CT contains the
names and the physical locations of the devices. At commissioning
time the interfaces have acquired a network address, possibly based
on the EUI-64. The physical device is identified by reading in a
unique identifier (e.g. EUI-64 of interface, UUID of device) with a
reader (e.g. barcode reader). Consequently, the device name to
network address binding is stored into DNS (or elsewhere).
Alternatives for identifying devices are pushing buttons on the
device or remotely switching on/off the device.
3.4. End-point grouping
Groups can be used to express that end-points are related by
supporting a specific Function Set (e.g. HVAC equipment controlled
by the closest temperature sensor). Grouping is also necessary when
a set of end-points has to react together, more or less
synchronously, to a sequence of commands sent by one or more devices.
A common example is provided by lighting applications where a subset
of lights in the building are dimmed to the same level, set to the
same colour, or switched off simultaneously. Another example is
provided by a power-strip supporting a set of power-outlets. Power-
outlets are switched on/off individually or all together. Other
examples concern the home, such as a "sleep mode" setting of all
media devices in the home when the user activates the night scene.
Group naming is done the same way as for device naming. Related end-
points are grouped and named. The group name is constructed like a
FQDN with the group name as prefix. Adressing the group can be done
in two ways: (1) by addressing each end-point of the group
individually (which requires serial access), or (2) by defining a
multicast address for a multicast group. In the latter case, each
hosting device must enable reception by a given end-point of the
messages sent to the multicast address. The members of the multicast
group must have identical port number and path, because the requests
are specified in a single multicast message.
The Function Set specified in a message can contain a collection of
resources of the same subtype. The Function Set path postfixed with
van der Stok, et al. Expires January 11, 2013 [Page 7]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
an identifier refers to the individual resources of the collection.
For example: the /path/light points to the resource collection of the
service subtype light. Each member of the collection can be
identified with /path/light/x, with x in {1,2,3,..}. Consequently,
the /path/light/1/onoff specifies the onoff resource of collection
member 1 of Function Set with /path/light, and /path/light/onoff
specifies the resource onoff of all collection members contained by
the Function Set with /path/light. When /path/light/onoff is used in
a multicast message, it is interpreted as a message to a single light
resource by devices having only one, and to all members of the
collection for devices having several light resources.
In [I-D.shelby-core-interfaces] the Batch interface is used to
manipulate a collection of subresources with one message. Both the
batch and the collection are static. The collection contains
homogeneous resources where the batch can contain heterogeneous
resources.
It is expected that SDOs will standardize resource types, profiles
(path names) and group naming conventions. Manufacturers design the
functions supported by a device and select the Profiles, resources
and collections. Each manufacturer can precede the profile path
names with a manufacturer defined path prefix; for example when a
device supports multiple standards. Domain name, device name, group
name and group members are installation dependent.
Figure 1 illustrates some of the concepts described above. A device
is identified with the name "Power-strip". In the example, no domain
names are associated with the device, and the name "power-strip"
resolves to a Unique Local Address (ULA)[RFC4193]. The device
provides two end-points: one delivers a http service and the second a
CoAP service. The http server and CoAP server share the same IP-
address and use different ports 80 and 61616 respectively. Two
different service subtypes, one identified by Function Set, ps, and
one identified by Function Set, pm, are supported by one end-point.
The Function Set "Power strip" contains a collection of four
resources, "Outlet 1" to "Outlet 4", each one accessible via the
accompanying paths /ps/1 to ps/4. The path /ps interfaces to the
entire resource collection. The attribute "output" is defined in the
service subtype specification.
van der Stok, et al. Expires January 11, 2013 [Page 8]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
+-------------------------------------------------------------------+
| "Power-strip" |
| [device] has at least one NIC/IP address, may have a name |
| |
| +---------------------------------------------------------------+ |
| | "HTTP server" | |
| | [End-point] http://power-strip (at default TCP port 80) | |
| +---------------------------------------------------------------+ |
| |
| +---------------------------------------------------------------+ |
| | "CoAP server" | |
| | [End-point] coap://power-strip (at default UDP port 61616) | |
| | | |
| | +-----------------------------------------------------------+ | |
| | | "Power Meter" | | |
| | | [Function Set] coap://power-strip/pm | | |
| | +-----------------------------------------------------------+ | |
| | | |
| | +-----------------------------------------------------------+ | |
| | | "Power strip" | | |
| | | [Function Set] coap://power-strip/ps | | |
| | | | | |
| | | +-------------------------------------------------------+ | | |
| | | | "Outlet 1" | | | |
| | | | [Collection member] coap://power-strip/ps/1 | | | |
| | | | [resource] coap://power-strip/ps/1/output | | | |
| | | | ... | | | |
| | | +-------------------------------------------------------+ | | |
| | | | | |
| | | +-------------------------------------------------------+ | | |
| | | | "Outlet 2" | | | |
| | | | [Collection member] coap://power-strip/ps/2 | | | |
| | | +-------------------------------------------------------+ | | |
| | | | | |
| | | +-------------------------------------------------------+ | | |
| | | | "Outlet 3" | | | |
| | | | [Collection member] coap://power-strip/ps/3 | | | |
| | | +-------------------------------------------------------+ | | |
| | | | | |
| | | +-------------------------------------------------------+ | | |
| | | | "Outlet 4" | | | |
| | | | [Collection member] coap://power-strip/ps/4 | | | |
| | | +-------------------------------------------------------+ | | |
| | +-----------------------------------------------------------+ | |
| +---------------------------------------------------------------+ |
+-------------------------------------------------------------------+
Figure 1: device with end-points, Function Sets and resources
van der Stok, et al. Expires January 11, 2013 [Page 9]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
3.5. Discovery queries
The following conditions are assumed to be valid. A device has
acquired an IP address and a name, possibly stored in DNS. The
resource naming (path) in the device obeys a standardized profile.
The resource types of the Function Sets are also standardardized. A
device may belong to a domain.
Service discovery should support that a device can learn its
domain(s) and all the end-points within a domain providing a given
service (e.g. temperature measurement). The device learns of these
end-points the path name that prefixes the path names defined by the
profile. Devices need to learn the groups to which they belong and
learn all the members of those groups. This section motivates that a
discovery service supports the following queries:
Goal Description
Name_resolution Resolve the group or device name to IP address and
optional port number
Return_server Return all end-points (Function-Sets) supporting a
given service (sub-)type within a given domain
Create_group Create a group of end-points providing a given
service (sub-)type within a given domain
Enroll_member Enroll an end-point as member of a given group
Remove_member Remove an end-point as member of a given group
Return_group Return all groups of which a given end-point (device)
is a member
Return_member Return end-points belonging to a given group
Name_resolution is supported by DNS and CoAP resource discovery.
Names are required in the context of home control and manual setup of
installations. Names are persistent and meaningful as compared to IP
addresses and are preferably used in applications when IP addresses
can change.
Return_server is the most common use of service discovery and was
originally designed for interactive use. The canonical IT example is
finding all printers within a zone, which allows a user to select the
desired printer from the returned list. Another example is in the
context of UPnP [UPNP], where all media players are returned on a
screen and the user can select the desired media player on the screen
and play the selected content. In M2M applications, the returned
names are not displayed on a screen but an application uses the
returned list to select a (set of) Function Set(s) to control.
Consequently, names in M2M applications need not be human
interpretable (for example, they can be unique numbers).
Create_group is useful in commissioning scenarios, where end-points
van der Stok, et al. Expires January 11, 2013 [Page 10]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
need to be grouped to receive the same command in a possibly
synchronous fashion. Groups can also be created to express relations
between devices such as ownership. The command creates a group name
and creates a list of the members of the group. When the group is a
multicast group, the command defines a unique multicast address and
port, and specifies the path.
Enroll_member supports network and device reconfiguration. When the
physical lay-out of an installation changes because devices are
added, changed or removed, the associated groups also need to be
modified.
Remove_member, see motivation under Enroll_member
Return_group is needed to learn the groups of which an end-point is
member. The command is necessary for commissioning purposes where a
Commissioning Tool (CT) is used. The CT, on the basis of designs
provided by architects, decorators, sound/light engineers, defines
groups and group members and stores that information in the service
discovery database. In the next phase, the members of a group may
need to learn their membership from the service discovery to enable
reception of multicast messages.
Return_member can be used to learn which end-points are member of a
given group. This command is useful in connection with Return_group.
The end-point knowing to which groups it belongs can establish
communication with the group members. For example, membership of a
group instructs new devices, replacing faulty ones, which other
devices share access rights or need to be consulted regularly.
3.6. Sleeping devices
This section suggests that service discovery of sleeping devices is
mostly a matter of discovering the proxy. It is expected that a
proxy will handle communications for the sleeping device, as
expressed in [I-D.giacomin-core-sleepy-option] and in
[I-D.vial-core-mirror-proxy]. The message sent to the sleeping
device is directed to the proxy. The proxy will send the message on
with a delay, or send the result of a function on the history of
messages, when the sleeping device is ready. Different communication
protocols between proxy and sleeping device are described in
[I-D.giacomin-core-sleepy-option] and in
[I-D.vial-core-mirror-proxy]. The setting up of the proxy is
preferably standardized for a large set of proxy types. During the
setting-up process, (offline or online) the proxy will take over all
the entry-points of the sleeping device. The entry-points of the
proxy can be entered into the discovery respository and consequently
discovered like any other device.
van der Stok, et al. Expires January 11, 2013 [Page 11]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
For groups, two cases need to be considered (1) sleeping device is
member of a group and receives group messages, and (2) the sleeping
device sends messages to a group. Ad (1), when the sleeping device
needs to receive messages sent to a group, the proxy will receive
those messages and the end-point of the proxy is entered as group
member to receive the group messages. Ad (2) When the sleeping
device sends messages to a group, it is preferable that the sleeping
device sends just one multicast message to the group to minimize
energy costs. It is required that when one member of the group
receives the message, all other group members receive it as well
(unanimity), covered by the "reliability" REQ1 in
[I-D.ietf-core-groupcomm]). A simple broadcast over a lowpan will
not always succceed and additional multicast algorithms like Trickle
[RFC6206] need to be introduced.
4. DNS and RD examples
The following device configuration and environment are assumed for
the examples. The devices are placed on floor-x (fx) in two rooms
room-y (ry) and room-z (rz). Both rooms contain a powerstrip with a
powermeter and four power outlets. In each room there are two
luminaires and one presence sensor (PIR). Each luminaire contains a
dimmable light and a light sensor. Per floor there is a clock to set
day and night time modes of the devices. The domains are:
ry.fx.bldg.org, rz.fx.bldg.org and fx.bldg.org. The device names of
the 4 luminaires are lm00203, lm00204, lm00205, and lm00206. The
device names of the two powerstrips are ps0057, and ps0078. The
paths of the Function Sets of the luminaire are: /lamp with resource
/lamp/dim for the dimmable light, and /light with resource /light/
lumen for the light sensor. The Function Set path for four outlets
is /ps with resource /ps/output. The path of each individual outlet
is /ps/x with x in {1,2,3,4}, and with resource ps/x/output. The
names of the two PIRs are pir0 and pir1. The Function Set path of
the PIR is /occup, also being the resource.
Relating location to the domain name is a relevant example of domain
naming. Multiple domain names, related to other application aspects,
can be specified and applied simultaneously.
As described in section 3, devices do not announce themselves to the
discovery repository, as is usual for IT applications, but they are
entered (partially) with the aid of a central tool, for example a
Remote Control, dedicated device, IPAD or other means.
The examples are constructed such that DNS can be used as repository
for the RD.
van der Stok, et al. Expires January 11, 2013 [Page 12]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
4.1. DNS-SD examples
4.1.1. Basic Concepts
In conformance with [I-D.cheshire-dnsext-dns-sd], DNS-based discovery
uses A or AAAA, PTR, SRV, and TXT Resource Records (RR). The SRV RR
[RFC2782] specifies an end-point. An associated (identically named)
TXT RR can contain a URI path. The SRV/TXT pair can specify a
Function Set. An A or AAAA RR [RFC1035] binds a device name or
multicast group name to an IP address. The PTR RR binds a service
type to an end-point or Function Sets.
In cases where the end-point port may be dynamic, e.g. in the IPHC
[RFC6282] compressible range, a new 'coap+srv' scheme is proposed
(after [I-D.jennings-http-srv]). The authority part of a coap+srv
URI specifies the name and location of an SRV record, which in turn
contains values for device (IP address) and port.
4.1.2. Commissioning devices
Commissioning is the process to store the relation between a FQDN and
a device. It is assumed that either a Remote Control (RC) in the
home or a Commissioning Tool (CT) in the professional domain store
the relation in DNS.
In the professional domain, the CT is assumed to contain information
about the devices as prescibed by architect or installation company.
The information in the CT contains device name, device domain name,
and location in the building, but the relation with the installed
device, identified with an unique identifier (e.g. EUI-64) is not
established. By reading a bar code (or pushing buttons, switching
on/off equipment, etc.), the CT learns the unique identifier of the
device to be commissioned. All kinds of techniques can be used to
establish the relation between IP address and unique identifier.
When the identifier is the EUI-64 value, the IP address of the device
can be constructed. When the identifier is not the EUI-64, a
proprietary procol can be used to ask a given device its identifier.
Etc. etc. The CT can learn the end-points (services) available on
the device by querying /.well-known/core. In some cases the CT
already obtained the end-points from a configuration file. Given
these data, the CT can enter the devices and its services into DNS.
Either automatically, or on instructions of an operator, the CT
defines the groups in the DNS.
The home domain is different from the professional domain in the
sense that no configuration information exists. The RC can for
example use xmDNS to learn the addresses of all the devices present
in its site. The RC can query devices for the presence of a given
van der Stok, et al. Expires January 11, 2013 [Page 13]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
service. The RC can query DNS for its own domain name and use that
for the other devices in the site. Once (new) devices are named,
this information can be stored in DNS for use in the network.
4.1.3. device examples
The relation between device name and IP address is expressed for the
example devices in the following table.
lm00203.ry.fx.bldg.org. IN AAAA fdfd::1234
lm00204.ry.fx.bldg.org. IN AAAA fdfd::1235
ps0057.ry.fx.bldg.org. IN AAAA fdfd::1236
pir1.ry.fx.bldg.org. IN AAAA fdfd::1237
lm00205.rz.fx.bldg.org. IN AAAA fdfd::1238
lm00206.rz.fx.bldg.org. IN AAAA fdfd::1239
ps0058.rz.fx.bldg.org. IN AAAA fdfd::1240
pir2.rz.fx.bldg.org. IN AAAA fdfd::1241
clock.fx.bldg.org. IN AAAA fdfd::1242
The next part defines the Resource Records to specify the end-points
and their Function Sets. The names of the SRV RRs need to be unique
to the DNS server, and follow the naming suggested in
[I-D.cheshire-dnsext-dns-sd]. An end-point is represented with one
SRV RR with a name "_service.domain". A Function-Set is represented
with a SRV/TXT pair with name "subtype._sub._service.domain".
The service type "_bc._udp" is assumed to exist with the service
subtypes "lamp", "sensor", "power", "presence", and "timer". Unique
names of the SRV RRs can be created from the service subtype prefixed
by the EUI-64 value. With EUI-64 value "1234" the SRV name
1234_bc._udp.domain can be created for the corresponding end-point.
Given that the service _bc._udp supports subtype lamp the name
1234lamp._sub._bc._udp.domain is created for for each SRV/TXT pair
describing a Function-Set serving the lamp subtype. They are valid
within the authority zone, bldg.org, of the name server. For
presentation purposes, 1234_bc is short for 1234_bc._udp.bldg.org,
1234lamp is short for 1234lamp._sub._bc._udp.bldg.org, etc. The
luminaires with name "lm00xxx" provide each one end-point hosting two
Function Sets with the paths /lamp and /light.
van der Stok, et al. Expires January 11, 2013 [Page 14]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
end-point host name
1234_bc IN SRV 0 0 Port lm00203.ry.fx.bldg.org
IN TXT txtvers=1
2345_bc IN SRV 0 0 Port lm00204.ry.fx.bldg.org
IN TXT txtvers=1
3456_bc IN SRV 0 0 Port lm00205.rz.fx.bldg.org
IN TXT txtvers=1
4567_bc IN SRV 0 0 Port lm00206.rz.fx.bldg.org
IN TXT txtvers=1
5678_bc IN SRV 0 0 Port ps0057.ry.fx.bldg.org
IN TXT txtvers=1
6789_bc IN SRV 0 0 Port ps0058.rz.fx.bldg.org
IN TXT txtvers=1
7890_bc IN SRV 0 0 Port pir1.ry.fx.bldg.org
IN TXT txtvers=1
8901_bc IN SRV 0 0 Port pir2.rz.fx.bldg.org
IN TXT txtvers=1
9012_bc IN SRV 0 0 Port clock.fx.bldg.org
IN TXT txtvers=1
The above list of SRV RRs specifies the attributes of the end-points:
devices, port numbers, and IP addresses with related AAAA RR. The
Function Sets are specified with a another set of SRV/TXT pairs. The
accompanying TXT RR specify the paths of the associated Function
Set(s). The accompanying example table is:
van der Stok, et al. Expires January 11, 2013 [Page 15]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
Function Set host name
1234lamp IN SRV 0 0 Port lm00203.ry.fx.bldg.org
IN TXT txtvers=1 path=/lamp
1234sensor IN SRV 0 0 Port lm00203.ry.fx.bldg.org
IN TXT txtvers=1 path=/light
2345lamp IN SRV 0 0 Port lm00204.ry.fx.bldg.org
IN TXT txtvers=1 path=/lamp
2345sensor IN SRV 0 0 Port lm00204.ry.fx.bldg.org
IN TXT txtvers=1 path=/light
5678power IN SRV 0 0 Port ps0057.ry.fx.bldg.org
IN TXT txtvers=1 path=/ps
7890presence IN SRV 0 0 Port pir1.ry.fx.bldg.org
IN TXT txtvers=1 path=/occup
3456lamp IN SRV 0 0 Port lm00205.rz.fx.bldg.org
IN TXT txtvers=1 path=/lamp
3456sensor IN SRV 0 0 Port lm00205.rz.fx.bldg.org
IN TXT txtvers=1 path=/light
4567lamp IN SRV 0 0 Port lm00206.rz.fx.bldg.org
IN TXT txtvers=1 path=/lamp
4567sensor IN SRV 0 0 Port lm00206.rz.fx.bldg.org
IN TXT txtvers=1 path=/light
6789power IN SRV 0 0 Port ps0058.rz.fx.bldg.org
IN TXT txtvers=1 path=/ps
8901presence IN SRV 0 0 Port pir2.rz.fx.bldg.org
IN TXT txtvers=1 path=/occup
9012timer IN SRV 0 0 Port clock.fx.bldg.org
IN TXT txtvers=1 path=/time
The names of the SRV records can be created automatically, as long as
they identify the SRV records uniquely within the set of RR entries
in the DNS zone. The SRV record with name xxxxpower stands for a
power collection, accessed via the path /ps which refers to a
Function Set that contains a collection of two or more resources.
PTR records specify the possible service discovery queries. The
names of the PTR records are the names of the service (sub)types,
defined by IANA, and their values refer to the names of the
associated end-points (SRV records) or Function-Sets (SRV/TXT
records). To support the query "all lamps within fx.bldg.org", the
following PTR records need to be added for service subtype:
lamp._sub._bc._udp.
lamp._sub._bc._udp.bldg.org IN PTR 1234lamp
lamp._sub._bc._udp.bldg.org IN PTR 2345lamp
lamp._sub._bc._udp.bldg.org IN PTR 3456lamp
lamp._sub._bc._udp.bldg.org IN PTR 4567lamp
Where xxxxlamp is still short for xxxxlamp._sub._bc._udp.bldg.org.
van der Stok, et al. Expires January 11, 2013 [Page 16]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
Equally to query all services within a domain, PTR records with as
name the building control service, "_bc.udp", refer to all SRV
records describing all discoverable end-points.
_bc._udp.bldg.org IN PTR 1234_bc._udp.bldg.org
_bc._udp.bldg.org IN PTR 2345_bc._udp.bldg.org
_bc._udp.bldg.org IN PTR 3456_bc._udp.bldg.org
_bc._udp.bldg.org IN PTR 4567_bc._udp.bldg.org
_bc._udp.bldg.org IN PTR 5678_bc._udp.bldg.org
_bc._udp.bldg.org IN PTR etc, etc.
It is shown above how PTR records support the queries filtered on
service type. Filtering on domain can be done adding additional PTR
records which select the Function Sets of a given type within a given
domain. The set of PTR records below filters on all lamps within
domain ry.fx.bldg.org.
lamp._sub._bc._udp.ry.fx.bldg.org. IN PTR 1234lamp
lamp._sub._bc._udp.ry.fx.bldg.org. IN PTR 2345lamp
4.1.4. Group examples
As an example, five multicast-groups are defined to group all lamps
on floor "fx", all lamps in office "ry", all lamps in office "rz",
all power-strips on floor "fx", and all devices in the building
controlled by a central timer. The multicast-group names are entered
into DNS like the device names to enable resolution from multicast-
group name to multicast address.
lamp-fx.fx.bldg.org. IN AAAA ff15::11
lamp-ry.ry.fx.bldg.org. IN AAAA ff15::12
lamp-rz.rz.fx.bldg.org. IN AAAA ff15::13
power-fx.fx.bldg.org. IN AAAA ff15::14
timer-bldg.bldg.org. IN AAAA ff15::15
It is expected that SDOs will specify naming conventions for group
names, extending the service (sub)type names for end-points and
Function Sets.
The path and port of the multicast-groups is defined with SRV and TXT
RRs. Accordingly the group is bound to end-points (SRV RR) and
Function Sets (SRV+TXT RR). For convenience we assume that a
multicast group is bound to a service subtype. In the example below
the groups concern the service subtypes "lamp", "power", and "timer".
(Remark gp1-lamp is short for gp1-lamp._sub._bc._udp.bldg.org, etc.)
van der Stok, et al. Expires January 11, 2013 [Page 17]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
gp1-lamp IN SRV 0 0 Port lamp-fx.fx.bldg.org.
IN TXT path=/lamp
gp2-lamp IN SRV 0 0 Port lamp-ry.ry.fx.bldg.org.
IN TXT path=/lamp
gp3-lamp IN SRV 0 0 Port lamp-rz.rz.fx.bldg.org.
IN TXT path=/lamp
gp-power IN SRV 0 0 Port power-fx.fx.bldg.org.
IN TXT path=/ps
gp-timer IN SRV 0 0 Port timer-bldg.bldg.org.
IN TXT path=/time
The groups for the power strips need extra attention because the
power strips include a collection of resources. The path to the
group can be defined as /ps or as /ps/x with x in {1,2,3,4}. When
using /ps/x the group contains the outlet x of the power strips.
Using the path /ps as done in the table above refers to all outlets
of a powerstrip. When sending a message to the power-fx group with
as path /ps/x then the message will be received by Function Sets with
path ps/x only.
The members of the groups can be stored in DNS by using the reverse
DNS resolution technique. It is not unusual that a given IP address
refers to multiple FQDNs. Extrapolating to group names extends the
reverse DNS resolution in a natural manner. Below the members of
group lamp-fx.fx.bldg.org with IP address ff15::11 containing all
four lamps is shown.
1.1.0.....0.5.1.f.f.IP6.arpa. IN PTR lm00206.rz.fx.bldg.org.
1.1.0.....0.5.1.f.f.IP6.arpa. IN PTR lm00205.rz.fx.bldg.org.
1.1.0.....0.5.1.f.f.IP6.arpa. IN PTR lm00204.ry.fx.bldg.org.
1.1.0.....0.5.1.f.f.IP6.arpa. IN PTR lm00203.ry.fx.bldg.org.
1.1.0.....0.5.1.f.f.IP6.arpa. IN PTR lamp-fx.fx.bldg.org.
With the above table queries like "return all members of lamp-fx" can
be answered.
Additional tables are needed to specify the multicast groups to which
the end-point of a device belongs. A PTR RR with the name of the
Function Set can refer to the name of the group. In the table below
the Function Set "1234lamp" is member of the groups "lamp-fx" and
"lamp-ry":
1234lamp IN PTR lamp-fx.fx.bldg.org
1234lamp IN PTR lamp-ry.ry.fx.bldg.org
Consequently, a device can query DNS for the groups to which its
Function Set belongs, and consecutively enable the reception of the
associated multicast messages.
van der Stok, et al. Expires January 11, 2013 [Page 18]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
4.1.5. Discovery validation
This section describes how the disovery requirements are met with
DNS-SD. It is assumed that the DNS server tables are correctly
filled in.
Name_resolution: Group- or device-name is resolved to IP address by
sending a query to DNS to return all AAAA records with the given
name.
Return_server: Suppose the given service is defined by
instance._sub._service.domain. All Function Sets supporting this
service in the domain are found by sending a query to DNS to return
all PTR records with the name instance._sub._service.domain. The
returned PTR records refer to the names of the SRV/TXT pairs
describing the port, FQDN and path of the associated Function Sets.
Additional queries return all SRV and TXT records with the names
returned by the first query. To query the end-points a query is sent
to return all PTR records with name service.domain.
Create-Group: Groups are created by creating resource records in DNS
as described in section 4.1.4. The filing of the DNS server tables
is done by a trusted Remote Control or commissioning Device (see
section 4.1.2). Section 6.1 discusses the security aspects.
Enroll-member, Remove-member: See Create-Group.
Return-Group: Suppose the given Function Set is given by the name
instance._sub._bc._service.domain. All groups to which this Function
Set belongs are found by sending a query to DNS to return all PTR
records with the name instance._sub._bc._service.domain. The
returned PTR records refer to the names of the associated groups.
Name resolution provides the IP address.
Return-member: The members of a group with name group group.domain
are found by resolving the group name to an IP address. The members
of the group are obtained by sending a query to DNS to return all PTR
records with as the name the inverted IP-address. The PRT records
refer to the names of the associated devices.
4.2. RD examples
Resource discovery in CoAP handles resource paths (called links) for
the resources hosted on the server, augmented with attributes of
these resources. A well-known path "/.well-known/core" [RFC5785] is
a default Function Set for requesting the list of links on a given
server [I-D.shelby-core-resource-directory]. The Resource Directory
(RD) stores links to resources hosted by other servers. The link-
van der Stok, et al. Expires January 11, 2013 [Page 19]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
format [I-D.ietf-core-link-format] defines link extensions to specify
the service type and end-point as used by DNS-SD. When querying the
Resource Directory for links, filters can be applied to return only
links with specified attribute values. A node learns the IP-address
of the RD by for example sending a multicast request to a predefined
multicast address registered with IANA, or by assuming that the RD is
located in the edge router.
Contrary to DNS-SD, the RD has not defined a process which permits
SDOs to specify service (sub)types. Consequently, the same service
type examples are used for DNS-SD as for RD, where service type
postfixed with subtype (DNS) equals "resource type" (RD). The "host"
name of DNS is used as "end-point" name for RD.
This draft adheres to the mapping between DNS and link-format,
described in [I-D.lynn-core-discovery-mapping].
4.2.1. Commissioning devices
It is assumed that either a Remote Control (RC) in the home or a
Commissioning Tool (CT) in the professional domain is used to fill in
the RD. Devices cannot enter links into the RD contrary to the
suggestion in [I-D.shelby-core-resource-directory]. Both the RC or
the CT have to fill in the RD, because at link creation the RD
generates a location of the link-entry (e.g. /ed/453), that is
returned to the creator of the link. Consequently, the CT or the RD
need to create the link, because they need the location to update the
link with additional information.
In the professional domain, the CT learns the identity of the device
as described earlier, reads the services of the devices with a GET to
/.well-known/core on the device, and stores them into the RD.
In the home domain, the RC can read in the EUI-64 of the device to be
entered. The user types in domain names and device names on the RC.
Consecutively, the RC follows the same procedure as the CT.
4.2.2. Device examples
For convenience, it is assumed that DNS contains the mapping from
FQDN to IP address with AAAA RRs and vice-versa with PTR RRs. In all
examples the FQDN is used and not the IP-address. It is assumed that
the service type "_bc" has the subtypes: "lamp", "sensor", "power",
"presence", and "timer". Registration is done with the following
statements by CT or RC to the RD with authority: //rd.example.com/
and path /rd. Each POST command to the RD defines an end-point in
the URI and defines the corresponding Function Sets in the payload.
van der Stok, et al. Expires January 11, 2013 [Page 20]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
POST coap://rd.example.com/rd?ep=lm00203;d=ry.fx.bldg.org
Etag: 0x21
Payload:
</lamp>;rt="lamp._sub._bc",
</light>;rt="sensor._sub._bc"
Res: 2.01 created
Location: /rd/1234
The other end-points are defined with (leaving out the response):
POST coap://rd.example.com/rd?ep=lm00204;d=ry.fx.bldg.org
Payload:
</lamp>;rt="lamp._sub._bc",
</light>;rt="sensor._sub._bc"
POST coap://rd.example.com/rd?ep=lm00205;d=rz.fx.bldg.org
Payload:
</lamp>;rt="lamp._sub._bc",
</light>;rt="sensor._sub._bc"
POST coap://rd.example.com/rd?ep=lm00206;d=rz.fx.bldg.org
Payload:
</lamp>;rt="lamp._sub._bc",
</light>;rt="sensor._sub._bc"
van der Stok, et al. Expires January 11, 2013 [Page 21]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
POST coap://rd.example.com/rd?ep=ps0057;d=ry.fx.bldg.org
Payload:
</ps>;rt="power._sub._bc",
</ps/1>;rt="power._sub._bc",
</ps/2>;rt="power._sub._bc",
</ps/3>;rt="power._sub._bc",
</ps/4>;rt="power._sub._bc"
POST coap://rd.example.com/rd?ep=ps0058;d=rz.fx.bldg.org
Payload:
</ps>;rt="power._sub._bc",
</ps/1>;rt="power._sub._bc",
</ps/2>;rt="power._sub._bc",
</ps/3>;rt="power._sub._bc",
</ps/4>;rt="power._sub._bc"
POST coap://rd.example.com/rd?ep=pir1;d=ry.fx.bldg.org
Payload:
</occup>;rt="presence._sub._bc"
POST coap://rd.example.com/rd?ep=pir2;d=rz.fx.bldg.org
Payload:
</occup>;rt="presence._sub._bc"
POST coap://rd.example.com/rd?ep=clock;d=fx.bldg.org
Payload:
</time>;rt="timer._sub._bc"
Update or removal of the groups is done by using the returned
location (not shown above) as described in
[I-D.shelby-core-resource-directory] for the end-points.
4.2.3. Group examples
The same five multicast groups of the DNS example are used. The
group name to address mapping is specified in DNS with AAAA RRs. The
group name is not easily identified with an end-point. Therefore the
mnemonic gp is added as link-format attribute. The group members are
included by citing the end-point names, which allows a unique
identification of the members. In all examples the group name is
used and not the IP-address. Registration is done with the following
statements by CT or RC to the RD with authority: /rd.example.com/ and
path /rd, leaving out Etag:, Res:, and Location: lines. The group
name is defined in the URI, while all the members (end-points) are
specified in the payload. The path in the payload defines together
with the end-point the Function Set.
van der Stok, et al. Expires January 11, 2013 [Page 22]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
POST coap://rd.example.com/rd?gp=lamp-fx;d=fx.bldg.org
Payload:
</lamp>;rt="lamp._sub._bc";ep=lm00206,
</lamp>;rt="lamp._sub._bc";ep=lm00205,
</lamp>;rt="lamp._sub._bc";ep=lm00204,
</lamp>;rt="lamp._sub._bc";ep=lm00203
POST coap://rd.example.com/rd?gp=lamp-ry;d=ry.fx.bldg.org
Payload:
</lamp>;rt="lamp._sub._bc";ep=lm00204,
</lamp>;rt="lamp._sub._bc";ep=lm00203
POST coap://rd.example.com/rd?gp=lamp-rz;d=rz.fx.bldg.org
Payload:
</lamp>;rt="lamp._sub._bc";ep=lm00206,
</lamp>;rt="lamp._sub._bc";ep=lm00205
POST coap://rd.example.com/rd?gp=power-fx;d=fx.bldg.org
Payload:
</ps>;rt="power._sub._bc";ep=ps0057,
</ps>;rt="power._sub._bc";ep=ps0058
POST coap://rd.example.com/rd?gp=timer-bldg;d=bldg.org
Payload:
</time>;rt="timer._sub._bc";ep=clock
With the above statements the groups are defined in the RD.
4.2.4. Discovery validation
This section describes how the disovery requirements are met with the
RD. It is assumed that the RD tables are correctly filled in.
Name_resolution: When LoWPAN is connected to backbone, it is assumed
that DNS is used for name resolution. When LoWPAN is stand-alone
without DNS server, IP addresses are used to connect to an interface.
Return_server: Suppose the given service is defined by
instance._sub._service. The query
GET coap://rd.example.com/rd-lookup/res?rt=instance.
_sub._service
Res: 2.05 content
<coap://name.domain/path>;rt="instance._sub._service"
returns all Function Sets providing the specified service. By
changing the "res?" part in the query by "ep?" all end-points are
returned.
van der Stok, et al. Expires January 11, 2013 [Page 23]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
Create-Group: Groups are created by sending POST commands to RD as
described in section 4.2.2. The filling of the RD server tables is
done by a trusted Remote Control or commissioning Device (see section
4.2.1). Section 6.1 discusses the security aspects.
Enroll-member, Remove-member: See Create-Group.
Return-Group: Suppose the given end-point is given by the name
ep.domain. All groups to which this end-point belongs are found by
sending a query
GET coap://rd.example.com/rd-lookup/gp?ep=ep.domain
Res: 2.05 content
<coap://name.domain/path>;gp="group.domain"
returns all groups of which the specified end-point, ep.domain, is a
member.
Return-member: The members of a group with name group group.domain
are found by the query
GET coap://rd.example.com/rd-lookup/ep?gp=group.domain
Res: 2.05 content
<coap://name.domain/path>;ep="ep.domain"
which returns all end-points which are member of the group gp.domain.
5. IANA Considerations
This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an
RFC.
6. Security Considerations
Security considerations apply to use of DNS and RD separately,
because they use different security mechanisms.
6.1. DNS Security considerations
Security extensions for DNS are provided by Domain Name System
Security Extensions (DNSSEC) as described in [RFC4033], [RFC4034],
and [RFC4035]. In particular [RFC4033] describes all documents
relevant to DNSSEC. The central design decision of DNSSEC is to
provide origin authentication and integrity protection for DNS data.
van der Stok, et al. Expires January 11, 2013 [Page 24]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
All transported DNS data are freely accessible. Consequently, all
correctly functioning nodes will receive the domain and group names
to which they belong, and will receive the addresses of the multicast
and unicast destinations, and the multicast address of the groups to
which they belong. Accordingly, commands will be sent to the
intended destinations and accepted by the intended destinations. All
resolvers MUST be configured with a security anchor. The anchor can
be stored non-volatile memory or be provided by other out-of-band
means.
Updating of DNS data, e.g,. zone data MUST be done using the secure
dynamic updates mechanism. For example, a commissioning device is
used to fill in the DNS server. Both the device sending the update
requests (i.e., the commissioning device) and the DNS Server MUST
share a Transaction Signature (TSIG) key [RFC2845]. The TSIG key is
a symmetric-key and it can be generated using the dnssec-keygen
primitive. The TSIG key is then used to sign the DNS update message,
thus ensuring the authenticity of the request. An access control
list can be defined in the DNS to authorize updates to the DNS data.
The Berkeley Internet Name Daemon (BIND) implementation of the
Internet System Consortium (ISC) provides a mechanism to specify
access control lists, ensuring that updates of DNS zone data can only
be performed by authorized parties. The allow-update option in a
zone statement is used to control access to a zone. This option
grants clients with a particular TSIG key the permission to update
any record of any name in the zone. To allow for finer-granular
access control, the update-policy option can be used within a zone
statement, it specifies a set of rules where each rule either grants
or denies permissions to one or more names to be updated by one or
more identities. The identity can be determined based on the TSIG
key in the TSIG record.
In the home and also during construction in the professional case,
islands of security exist when the authorative DNS server has no
connection to parent or children zones. In a later stage, access can
be provided via DNS root servers involving a second security anchor.
Alternatively, stub resolvers access contact recursive name servers
via an secure channel as SIG(0) [RFC2931] or TSIG [RFC2845].
In spite of using DNSSEC, rogue devices can obtain valid addresses
and accept commands for these destinations. This is not worse than
rogue devices accepting any packet via a NIC in promiscuous mode.
Rogue devices can send unwanted commands to the thus observed IP
address. The same addresses can also be obtained by listening to the
network traffic.
van der Stok, et al. Expires January 11, 2013 [Page 25]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
6.2. RD Security considerations
Security for Resource Direcory is provided by recommended CoAP
security techniques: DTLS.
7. Acknowledgments
Zach Shelby wrote the original Discovery section in
[I-D.ietf-core-coap] which forms the basis for this draft. This I-D
has benefited from conversations with and comments from Emmanuel
Frimout, Michael Verschoor, Jamie Mc Cormack, Esko Dijk, Dee
Denteneer, Joop Talstra, Jerald Martocci, Matthieu Vial, Jerome
Hamel, George Yianni, and Nicolas Riou.
Sye Loong Keoh, Sandeep Kumar, and Oscar Garcia Morchon contributed
actively to security considerations.
8. Changelog
Changes from -02 to -03:
o adapted to resource direcory version -03
o DNS-SD examples follow better DNS-SD naming conventions
o added gp= link-format attribute
o added security considerations
o groups of end-points and groups of Function Sets instead of groups
of devices
o less centered around DNS, more RD aspects
9. References
9.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B.
Wellington, "Secret Key Transaction Authentication for DNS
(TSIG)", RFC 2845, May 2000.
van der Stok, et al. Expires January 11, 2013 [Page 26]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
SIG(0)s)", RFC 2931, September 2000.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006.
[RFC4605] Fenner, B., He, H., Haberman, B., and H. Sandick,
"Internet Group Management Protocol (IGMP) / Multicast
Listener Discovery (MLD)-Based Multicast Forwarding
("IGMP/MLD Proxying")", RFC 4605, August 2006.
[RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
"Transmission of IPv6 Packets over IEEE 802.15.4
Networks", RFC 4944, September 2007.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
Uniform Resource Identifiers (URIs)", RFC 5785,
April 2010.
[RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010.
[RFC6282] Hui, J. and P. Thubert, "Compression Format for IPv6
Datagrams over IEEE 802.15.4-Based Networks", RFC 6282,
September 2011.
[RFC6206] Levis, P., Clausen, T., Hui, J., Gnawali, O., and J. Ko,
van der Stok, et al. Expires January 11, 2013 [Page 27]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
"The Trickle Algorithm", RFC 6206, March 2011.
9.2. Informative References
[I-D.cheshire-dnsext-dns-sd]
Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", draft-cheshire-dnsext-dns-sd-11 (work in
progress), December 2011.
[I-D.eggert-core-congestion-control]
Eggert, L., "Congestion Control for the Constrained
Application Protocol (CoAP)",
draft-eggert-core-congestion-control-01 (work in
progress), January 2011.
[I-D.ietf-6man-uri-zoneid]
Carpenter, B. and R. Hinden, "Representing IPv6 Zone
Identifiers in Uniform Resource Identifiers",
draft-ietf-6man-uri-zoneid-01 (work in progress),
May 2012.
[I-D.ietf-core-coap]
Shelby, Z., Hartke, K., Bormann, C., and B. Frank,
"Constrained Application Protocol (CoAP)",
draft-ietf-core-coap-10 (work in progress), June 2012.
[I-D.ietf-core-groupcomm]
Rahman, A. and E. Dijk, "Group Communication for CoAP",
draft-ietf-core-groupcomm-01 (work in progress),
March 2012.
[I-D.ietf-core-link-format]
Shelby, Z., "CoRE Link Format",
draft-ietf-core-link-format-14 (work in progress),
June 2012.
[I-D.lynn-core-discovery-mapping]
Lynn, K. and Z. Shelby, "CoRE Link-Format to DNS-Based
Service Discovery Mapping",
draft-lynn-core-discovery-mapping-01 (work in progress),
July 2011.
[I-D.lynn-homenet-site-mdns]
Lynn, K. and D. Sturek, "Extended Multicast DNS",
draft-lynn-homenet-site-mdns-00 (work in progress),
March 2012.
[I-D.shelby-core-coap-req]
van der Stok, et al. Expires January 11, 2013 [Page 28]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
Shelby, Z., Stuber, M., Sturek, D., Frank, B., and R.
Kelsey, "CoAP Requirements and Features",
draft-shelby-core-coap-req-02 (work in progress),
October 2010.
[I-D.shelby-core-interfaces]
Shelby, Z. and M. Vial, "CoRE Interfaces",
draft-shelby-core-interfaces-02 (work in progress),
March 2012.
[I-D.shelby-core-resource-directory]
Shelby, Z. and S. Krco, "CoRE Resource Directory",
draft-shelby-core-resource-directory-03 (work in
progress), May 2012.
[I-D.vanderstok-core-bc]
Stok, P. and K. Lynn, "CoAP Utilization for Building
Control", draft-vanderstok-core-bc-05 (work in progress),
October 2011.
[I-D.jennings-http-srv]
Jennings, C., "DNS SRV Records for HTTP",
draft-jennings-http-srv-05 (work in progress), March 2009.
[I-D.giacomin-core-sleepy-option]
Fossati, T., Giacomin, P., Loreto, S., and M. Rossini,
"Sleepy Option for CoAP",
draft-giacomin-core-sleepy-option-00 (work in progress),
February 2012.
[I-D.vial-core-mirror-proxy]
Vial, M., "CoRE Mirror Proxy",
draft-vial-core-mirror-proxy-00 (work in progress),
March 2012.
[ZeroConf]
Cheshire, S. and D. Steinberg, "Zero Configuration
Networking: The Definitive Guide", O'Reilly Media, Inc. ,
ISBN 0-596-10100-7, 2006.
[UPNP] "Universal Plug and Play", Web http://www.upnp.org, 2012.
van der Stok, et al. Expires January 11, 2013 [Page 29]
Internet-Draft CoRE Discovery, Naming, and Addressing July 2012
Authors' Addresses
Peter van der Stok (editor)
vanderstok consultancy
Kamperfoelie 8
Helmond, 5708 DM
The Netherlands
Email: consultancy@vanderstok.org
Kerry Lynn
Consultant
Phone: +1-978-460-4253
Email: kerlyn@ieee.org
Anders Brandt
Sigma Designs
Emdrupvej 26A, 1.
Copenhagen O, 2100
Denmark
Email: Anders_Brandt@sigmadesigns.com
van der Stok, et al. Expires January 11, 2013 [Page 30]