Network Working Group T. Pauly
Internet-Draft Apple, Inc.
Intended status: Standards Track D. Damjanovic
Expires: 4 September 2025 Microsoft
Y. Rosomakho
Zscaler
3 March 2025
Communicating Proxy Configurations in Provisioning Domains
draft-ietf-intarea-proxy-config-04
Abstract
This document defines a mechanism for accessing provisioning domain
information associated with a proxy, such as other proxy URIs that
support different protocols and a list of DNS zones that are
accessible via a proxy.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/tfpauly/privacy-proxy.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 4 September 2025.
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
Pauly, et al. Expires 4 September 2025 [Page 1]
�
Internet-Draft Proxy Configuration PvDs March 2025
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Background . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 4
2. Fetching PvD Additional Information for proxies . . . . . . . 4
3. Enumerating proxies within a PvD . . . . . . . . . . . . . . 5
3.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Destination accessibility information for proxies . . . . . . 9
4.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. Discovering proxies from network PvDs . . . . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
7.1. New PvD Additional Information key . . . . . . . . . . . 13
7.2. New PvD Proxy Information Registry . . . . . . . . . . . 13
7.3. New PvD Proxy Protocol Registry . . . . . . . . . . . . . 14
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1. Normative References . . . . . . . . . . . . . . . . . . 14
8.2. Informative References . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
HTTP proxies that use the CONNECT method Section 9.3.6 of [HTTP]
(often referred to as "forward" proxies) allow clients to open
connections to hosts via a proxy. These typically allow for TCP
stream proxying, but can also support UDP proxying [CONNECT-UDP] and
IP packet proxying [CONNECT-IP]. Such proxies are not just defined
as hostnames and ports, but can use URI templates [URITEMPLATE].
In order to make use of multiple related proxies, clients need a way
to understand which proxies are associated with one another.
Client can also benefit from learning about additional information
associated with the proxy to optimize their proxy usage, such knowing
that a proxy is configured to only allow access to a limited set of
destinations.
Pauly, et al. Expires 4 September 2025 [Page 2]
�
Internet-Draft Proxy Configuration PvDs March 2025
These improvements to client behavior can be achieved through the use
of Provisioning Domains. Provisioning Domains (PvDs) are defined in
[PVD] as consistent sets of network configuration information, which
can include proxy configuration details Section 2 of [PVD].
[PVDDATA] defines a JSON [JSON] format for describing Provisioning
Domain Additional Information, which is an extensible dictionary of
properties of the Provisioning Domain.
This document defines several mechanisms to use PvDs to help clients
understand how to use proxies:
1. A way to fetch PvD Additional Information associated with a known
proxy URI (Section 2)
2. A way to list one or more proxy URIs in a PvD, allowing clients
to learn about other proxy options given a known proxy
(Section 3).
3. A way to define a limited set of destinations that are accessible
through the proxy (Section 4).
Additionally, this document partly describes how these mechanisms
might be used to discover proxies associated with a network
(Section 5).
Using this mechanism a client can learn that a legacy insecure HTTP
proxy that the client is configured with is also accessible using
HTTPS. In this way, clients can upgrade to a more secure connection
to the proxy.
1.1. Background
Other non-standard mechanisms for proxy configuration and discovery
have been used historically, some of which are described in
[RFC3040].
Proxy Auto Configuration (PAC) files Section 6.2 of [RFC3040] are
Javascript scripts that take URLs as input and provide an output of a
proxy configuration to use.
Web Proxy Auto-Discovery Protocol (WPAD) Section 6.4 of [RFC3040]
allows networks to advertise proxies to use by advertising a PAC
file. This solution squats on DHCP option 252.
These common (but non-standard) mechanisms only support defining
proxies by hostname and port, and do not support configuring a full
URI template [URITEMPLATE].
Pauly, et al. Expires 4 September 2025 [Page 3]
�
Internet-Draft Proxy Configuration PvDs March 2025
The mechanisms defined in this document are intended to offer a
standard alternative that works for URI-based proxies and avoids
dependencies on executing Javascript scripts, which are prone to
implementation-specific inconsistencies and can open up security
vulnerabilities.
1.2. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Fetching PvD Additional Information for proxies
This document defines a way to fetch PvD Additional Information
associated with a proxy. This PvD describes the properties of the
network accessible through the proxy.
In order to fetch PvD Additional Information associated with a proxy,
a client issues an HTTP GET request for the well-known PvD URI
(".well-known/pvd") [PVDDATA] and the host authority of the proxy.
This is applicable for both proxies that are identified by a host and
port only (such as SOCKS proxies and HTTP CONNECT proxies) and
proxies that are identified by a URI or URI template.
For example, a client would issue the following request for the PvD
associated with "https://proxy.example.org/
masque{?target_host,target_port}":
:method = GET
:scheme = https
:authority = proxy.example.org
:path = /.well-known/pvd
accept = application/pvd+json
For a HTTP CONNECT proxy on "proxy.example.org:8080", the client
would send the following request:
:method = GET
:scheme = https
:authority = proxy.example.org:8080
:path = /.well-known/pvd
accept = application/pvd+json
Pauly, et al. Expires 4 September 2025 [Page 4]
�
Internet-Draft Proxy Configuration PvDs March 2025
Note that all proxies that are colocated on the same host and port
share the same PvD Additional Information. Proxy deployments that
need separate PvD configuration properties SHOULD use different
hosts.
PvD Additional Information is required to contain the "identifier",
"expires", and "prefixes" keys. For proxy PvDs as defined in this
document, the "identifier" MUST match the hostname of the HTTP proxy.
The "prefixes" array SHOULD be empty by default.
3. Enumerating proxies within a PvD
This document defines a new PvD Additional Information key, proxies,
that is an array of dictionaries, where each dictionary in the array
defines a single proxy that is available as part of the PvD (see
Section 7.1). Each proxy is defined by a proxy protocol, a proxy
location (i.e., a hostname and port or a URI template [URITEMPLATE]),
along with potentially other keys.
This document defines two mandatory keys for the sub-dictionaries in
the proxies array, protocol and proxy. There are also optional keys,
including alpn, mandatory, and destination accessibility keys defined
in Section 4. Other optional keys can be added to the dictionary to
further define or restrict the use of a proxy.
Pauly, et al. Expires 4 September 2025 [Page 5]
�
Internet-Draft Proxy Configuration PvDs March 2025
+=========+========+============+=======+=================================+
|JSON Key |Optional|Description |Type |Example |
+=========+========+============+=======+=================================+
|protocol |No |The protocol|String |"connect-udp" |
| | |used to | | |
| | |communicate | | |
| | |with the | | |
| | |proxy | | |
+---------+--------+------------+-------+---------------------------------+
|proxy |No |String |String |"https://proxy.example.org:4443/ |
| | |containing | |masque{?target_host,target_port}"|
| | |the URI | | |
| | |template or | | |
| | |hostname and| | |
| | |port of the | | |
| | |proxy, | | |
| | |depending on| | |
| | |the format | | |
| | |defined by | | |
| | |the protocol| | |
+---------+--------+------------+-------+---------------------------------+
|alpn |Yes |An array of |Array |["h3","h2"] |
| | |Application-|of | |
| | |Layer |Strings| |
| | |Protocol | | |
| | |Negotiation | | |
| | |protocol | | |
| | |identifiers | | |
+---------+--------+------------+-------+---------------------------------+
|mandatory|Yes |An array of |Array |["matchDomains"] |
| | |optional |of | |
| | |keys that |Strings| |
| | |client must | | |
| | |understand | | |
| | |and process | | |
| | |to use this | | |
| | |proxy | | |
+---------+--------+------------+-------+---------------------------------+
Table 1
The values for the protocol key are defined in the proxy protocol
registry (Section 7.3), with the initial contents provided below.
For consistency, any new proxy types that use HTTP Upgrade Tokens
(and use the :protocol pseudo-header) SHOULD define the protocol
value to match the Upgrade Token / :protocol value.
Pauly, et al. Expires 4 September 2025 [Page 6]
�
Internet-Draft Proxy Configuration PvDs March 2025
+===============+===============+===============+===================+
| Proxy | Proxy | Reference | Notes |
| Protocol | Location | | |
| | Format | | |
+===============+===============+===============+===================+
| socks5 | hostname:port | [SOCKSv5] | |
+---------------+---------------+---------------+-------------------+
| http-connect | hostname:port | Section 9.3.6 | Standard CONNECT |
| | | of [HTTP] | method, using |
| | | | unencrypted HTTP |
| | | | to the proxy |
+---------------+---------------+---------------+-------------------+
| https-connect | hostname:port | Section 9.3.6 | Standard CONNECT |
| | | of [HTTP] | method, using |
| | | | TLS-protected |
| | | | HTTP to the |
| | | | proxy |
+---------------+---------------+---------------+-------------------+
| connect-udp | URI template | [CONNECT-UDP] | |
+---------------+---------------+---------------+-------------------+
| connect-ip | URI template | [CONNECT-IP] | |
+---------------+---------------+---------------+-------------------+
| connect-tcp | URI template | [CONNECT-TCP] | |
+---------------+---------------+---------------+-------------------+
Table 2
The value of proxy depends on the Proxy Location Format defined by
proxy protocol. The types defined here either use a hostname and
port, or a full URI template.
If the alpn key is present, it provides a hint for the Application-
Layer Protocol Negotiation (ALPN) [ALPN] protocol identifiers
associated with this server. For HTTP proxies, this can indicate if
the proxy supports HTTP/3, HTTP/2, etc.
The value of the mandatory key is a list of keys that the client must
understand and process to be able to use the proxy. A client that
does not understand a key from the list or cannot fully process the
value of a key from the list MUST ignore the entire proxy definition.
The list can contain only keys that are registered in an IANA
registry, defined in Section 7.2 and that are marked as optional.
The mandatory list MUST NOT include any entries that are not present
in the sub-dictionary.
Pauly, et al. Expires 4 September 2025 [Page 7]
�
Internet-Draft Proxy Configuration PvDs March 2025
When a PvD that contains the proxies key is fetched from a known
proxy using the method described in Section 2 the proxies list
describes equivalent proxies (potentially supporting other protocols)
that can be used in addition to the known proxy.
Such cases are useful for informing clients of related proxies as a
discovery method, with the assumption that the client already is
aware of one proxy. Many historical methods of configuring a proxy
only allow configuring a single FQDN hostname for the proxy. A
client can attempt to fetch the PvD information from the well-known
URI to learn the list of complete URIs that support non-default
protocols, such as [CONNECT-UDP] and [CONNECT-IP].
3.1. Example
Given a known HTTP CONNECT proxy FQDN, "proxy.example.org", a client
could request PvD Additional Information with the following request:
:method = GET
:scheme = https
:authority = proxy.example.org
:path = /.well-known/pvd
accept = application/pvd+json
If the proxy has a PvD definition for this FQDN, it would return the
following response to indicate a PvD that has two related proxy URIs.
:status = 200
content-type = application/pvd+json
content-length = 222
{
"identifier": "proxy.example.org.",
"expires": "2023-06-23T06:00:00Z",
"prefixes": [],
"proxies": [
{
"protocol": "http-connect",
"proxy": "proxy.example.org:80"
},
{
"protocol": "connect-udp",
"proxy": "https://proxy.example.org/masque{?target_host,target_port}"
}
]
}
Pauly, et al. Expires 4 September 2025 [Page 8]
�
Internet-Draft Proxy Configuration PvDs March 2025
The client would learn the URI template of the proxy that supports
UDP using [CONNECT-UDP], at "https://proxy.example.org/
masque{?target_host,target_port}".
4. Destination accessibility information for proxies
Destination accessibility information is used when only a subset of
destinations is reachable through a proxy. Destination restrictions
are often used in VPN tunnel configurations such as split DNS in
IKEv2 [IKEV2SPLIT].
PvD Additional Information can be used to indicate that a proxy PvD
only allows access to a limited set of destinations.
This document defines two optional keys for subdictionaries in the
proxies array that are used to signal information about destinations
available through the proxy.
+=========+==========+=================================+=========+
| JSON | Optional | Description | Type |
| Key | | | |
+=========+==========+=================================+=========+
| match | Yes | An array of destination objects | Array |
| | | defining targets accessible | of |
| | | over this proxy | Objects |
+---------+----------+---------------------------------+---------+
| exclude | Yes | An array of destination objects | Array |
| | | defining targets that cannot be | of |
| | | accessed over this proxy | Objects |
+---------+----------+---------------------------------+---------+
Table 3
This document defined three keys for destination objects. A
destination object cannot be empty and MUST contain at least one
valid key. Each provided key MUST correspond to an array with at
least one entry.
Pauly, et al. Expires 4 September 2025 [Page 9]
�
Internet-Draft Proxy Configuration PvDs March 2025
+=========+===================+=========+===========================+
| JSON | Description | Type | Example |
| Key | | | |
+=========+===================+=========+===========================+
| domains | An array of | Array | ["www.example.com", |
| | FQDNs and | of | "*.internal.example.com"] |
| | wildcard DNS | Strings | |
| | domains | | |
+---------+-------------------+---------+---------------------------+
| subnets | An array of | Array | ["2001:DB8::1", |
| | IPv4 and IPv6 | of | "192.168.1.0/24"] |
| | addresses and | Strings | |
| | subnets | | |
+---------+-------------------+---------+---------------------------+
| ports | An array of | Array | ["80", "443", |
| | TCP and UDP | of | "1024-65535"] |
| | port ranges | Strings | |
+---------+-------------------+---------+---------------------------+
Table 4
When present in a PvD Additional Information dictionary that is
retrieved for a proxy as described in Section 2, entries in the
domains array of a match object indicate specific FQDNs and zones
that are accessible using the proxy. If a hostname does not match
any entry, then a client SHOULD assume that the hostname will not be
accessible through the proxy. If a hostname is included in the
domains array of an exclude object, then the client SHOULD NOT access
it through the proxy. The domains array can be present in an exclude
object even if domains is omitted from all match objects or match key
is not present in the proxies array subdictionary. When this is the
case, the client assumes that all domains except the domains listed
in the domains from exclude objects are accessible through the proxy.
If domains arrays are specified in match and exclude objects, domains
arrays from exclude objects SHOULD list more specific domains within
entries in domains arrays from match objects.
Pauly, et al. Expires 4 September 2025 [Page 10]
�
Internet-Draft Proxy Configuration PvDs March 2025
A wildcard prefix (*.) is used to indicate matching entire domains or
subdomains instead of specific hostnames. Note that this can be used
to match multiple levels of subdomains. For example "_.example.com"
matches "internal.example.com" as well as "www.public.example.com".
Entries that include the wildcard prefix also SHOULD be treated as if
they match an FQDN that only contains the string after the prefix,
with no subdomain. So, an entry "_.example.com" in the domains array
of a match object would match the FQDN "example.com", unless
"example.com" was specifically included in the domains array of an
exclude object. This is done to prevent commonly needing to include
both "*.example.com" and "example.com" in the domains array of a
match object.
Entries in subnets array of a match object correspond to IP addresses
and subnets that are available through the proxy, while entries in
subnets array of an exclude object define IP addresses and subnets
that SHOULD NOT be used with the proxy. Subnet-based destination
information SHOULD only be used when applications are communicating
with destinations identified by only an IP address and not a
hostname. If subnets arrays are specified in match and exclude
objects, subnets arrays from exclude objects SHOULD list more
specific subnets within entries in subnets arrays from match objects.
Port specification, if provided, refines the criteria for domain or
subnet matching. For example, ports array of ["80", "443"] together
with domains array of ["www.example.com"] in a match object specifies
that only ports 80 and 443 of "www.example.com" domain are accessible
through the proxy. If ports key is not present in a match or exclude
object, all ports are assumed to match. Comma-separated port list
may contain individual port numbers (such as "80") or inclusive
ranges of ports. For example "1024-2048" matches all ports from 1024
to 2048, including the 1024 and 1028.
Entries listed in a match object MUST NOT expand the set of
destinations that a client is willing to send to a particular proxy.
The list can only narrow the list of destinations that the client is
willing to send through the proxy. For example, if the client has a
local policy to only send requests for "*.example.com" to a proxy
"proxy.example.com", and domains array of a match object contains
"internal.example.com" and "other.company.com", the client would end
up only proxying "internal.example.com" through the proxy.
4.1. Example
Given a proxy URI template "https://proxy.example.org/
masque{?target_host,target_port}", which in this case is for UDP
proxying, the client could request PvD additional information with
the following request:
Pauly, et al. Expires 4 September 2025 [Page 11]
�
Internet-Draft Proxy Configuration PvDs March 2025
:method = GET
:scheme = https
:authority = proxy.example.org
:path = /.well-known/pvd
accept = application/pvd+json
If the proxy has a PvD definition for this proxy, it could return the
following response to indicate a PvD that has one accessible zone,
"*.internal.example.org".
:status = 200
content-type = application/pvd+json
content-length = 135
{
"identifier": "proxy.example.org.",
"expires": "2023-06-23T06:00:00Z",
"prefixes": [],
"proxies": [
{
"protocol": "http-connect",
"proxy": "proxy.example.org:80"
},
{
"protocol": "connect-udp",
"proxy": "https://proxy.example.org/masque{?target_host,target_port}",
"match": [{
domains: [ "*.internal.example.org" ]
}]
}
]
}
The client could then choose to use this proxy only for accessing
names that fall within the "*.internal.example.org" zone.
5. Discovering proxies from network PvDs
[PVDDATA] defines how PvD Additional Information is discovered based
on network advertisements using Router Advertisements [RFC4861]. A
network defining its configuration via PvD information can include
the proxies key (Section 3) to inform clients of a list of proxies
available on the network.
This association of proxies with the network's PvD can be used as a
mechanism to discover proxies, as an alternative to PAC files.
However, client systems MUST NOT automatically send traffic over
proxies advertised in this way without explicit configuration,
Pauly, et al. Expires 4 September 2025 [Page 12]
�
Internet-Draft Proxy Configuration PvDs March 2025
policy, or user permission. For example, a client can use this
mechanism to choose between known proxies, such as if the client was
already proxying traffic and has multiple options to choose between.
Further security and experience considerations are needed for these
cases.
6. Security Considerations
Configuration advertised via PvD Additional Information, such DNS
zones or associated proxies, can only be safely used when fetched
over a secure TLS-protected connection, and the client has validated
that that the hostname of the proxy, the identifier of the PvD, and
the validated hostname identity on the certificate all match.
7. IANA Considerations
7.1. New PvD Additional Information key
This document registers a new key in the "Additional Information PvD
Keys" registry.
JSON Key: proxies
Description: Array of proxy dictionaries associated with this PvD
Type: Array of dictionaries
Example: [ { "protocol": "connect-udp", "proxy":
"https://proxy.example.org/masque{?target_host,target_port}" } ]
7.2. New PvD Proxy Information Registry
IANA is requested to create a new registry "Proxy Information PvD
Keys", within the "Provisioning Domains (PvDs)" registry page. This
new registry reserves JSON keys for use in sub-dictionaries under the
proxies key. The initial contents of this registry are given in
Section 3 and Section 4.
New assignments in the "Proxy Information PvD Keys" registry will be
administered by IANA through Expert Review [RFC8126]. Experts are
requested to ensure that defined keys do not overlap in names or
semantics.
Pauly, et al. Expires 4 September 2025 [Page 13]
�
Internet-Draft Proxy Configuration PvDs March 2025
7.3. New PvD Proxy Protocol Registry
IANA is requested to create a new registry "Proxy Protocol PvD
Values", within the "Provisioning Domains (PvDs)" registry page.
This new registry reserves JSON values for the protocol key in
proxies sub-dictionaries. The initial contents of this registry are
given in Section 3.
New assignments in the "Proxy Protocol PvD Values" registry will be
administered by IANA through Expert Review [RFC8126]. Experts are
requested to ensure that defined keys do not overlap in names or
semantics, and have clear format definitions. The reference and
notes fields MAY be empty.
8. References
8.1. Normative References
[ALPN] Friedl, S., Popov, A., Langley, A., and E. Stephan,
"Transport Layer Security (TLS) Application-Layer Protocol
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <https://www.rfc-editor.org/rfc/rfc7301>.
[CONNECT-IP]
Pauly, T., Ed., Schinazi, D., Chernyakhovsky, A.,
Kühlewind, M., and M. Westerlund, "Proxying IP in HTTP",
RFC 9484, DOI 10.17487/RFC9484, October 2023,
<https://www.rfc-editor.org/rfc/rfc9484>.
[CONNECT-TCP]
Schwartz, B. M., "Template-Driven HTTP CONNECT Proxying
for TCP", Work in Progress, Internet-Draft, draft-ietf-
httpbis-connect-tcp-06, 21 October 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
connect-tcp-06>.
[CONNECT-UDP]
Schinazi, D., "Proxying UDP in HTTP", RFC 9298,
DOI 10.17487/RFC9298, August 2022,
<https://www.rfc-editor.org/rfc/rfc9298>.
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/rfc/rfc9110>.
Pauly, et al. Expires 4 September 2025 [Page 14]
�
Internet-Draft Proxy Configuration PvDs March 2025
[JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/rfc/rfc8259>.
[PVDDATA] Pfister, P., Vyncke, É., Pauly, T., Schinazi, D., and W.
Shao, "Discovering Provisioning Domain Names and Data",
RFC 8801, DOI 10.17487/RFC8801, July 2020,
<https://www.rfc-editor.org/rfc/rfc8801>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/rfc/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[SOCKSv5] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and
L. Jones, "SOCKS Protocol Version 5", RFC 1928,
DOI 10.17487/RFC1928, March 1996,
<https://www.rfc-editor.org/rfc/rfc1928>.
[URITEMPLATE]
Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570,
DOI 10.17487/RFC6570, March 2012,
<https://www.rfc-editor.org/rfc/rfc6570>.
8.2. Informative References
[IKEV2SPLIT]
Pauly, T. and P. Wouters, "Split DNS Configuration for the
Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 8598, DOI 10.17487/RFC8598, May 2019,
<https://www.rfc-editor.org/rfc/rfc8598>.
[PVD] Anipko, D., Ed., "Multiple Provisioning Domain
Architecture", RFC 7556, DOI 10.17487/RFC7556, June 2015,
<https://www.rfc-editor.org/rfc/rfc7556>.
Pauly, et al. Expires 4 September 2025 [Page 15]
�
Internet-Draft Proxy Configuration PvDs March 2025
[RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web
Replication and Caching Taxonomy", RFC 3040,
DOI 10.17487/RFC3040, January 2001,
<https://www.rfc-editor.org/rfc/rfc3040>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007,
<https://www.rfc-editor.org/rfc/rfc4861>.
Authors' Addresses
Tommy Pauly
Apple, Inc.
Email: tpauly@apple.com
Dragana Damjanovic
Microsoft
Email: ddamjanovic@microsoft.com
Yaroslav Rosomakho
Zscaler
Email: yrosomakho@zscaler.com
Pauly, et al. Expires 4 September 2025 [Page 16]