draft-ietf-ipsecme-split-dns-05.txt | draft-ietf-ipsecme-split-dns-06.txt | |||
---|---|---|---|---|
Network T. Pauly | Network T. Pauly | |||
Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
Expires: August 10, 2018 Red Hat | Expires: August 13, 2018 Red Hat | |||
February 6, 2018 | February 9, 2018 | |||
Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
draft-ietf-ipsecme-split-dns-05 | draft-ietf-ipsecme-split-dns-06 | |||
Abstract | Abstract | |||
This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for | |||
the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These | |||
domains should be resolved using DNS servers reachable through an | domains should be resolved using DNS servers reachable through an | |||
IPsec connection, while leaving all other DNS resolution unchanged. | IPsec connection, while leaving all other DNS resolution unchanged. | |||
This approach of resolving a subset of domains using non-public DNS | This approach of resolving a subset of domains using non-public DNS | |||
servers is referred to as "Split DNS". | servers is referred to as "Split DNS". | |||
skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on August 10, 2018. | This Internet-Draft will expire on August 13, 2018. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 | 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 | |||
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | |||
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | |||
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | |||
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | |||
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | |||
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | |||
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | |||
5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 | 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 8 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
8.2. Informative References . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
1. Introduction | 1. Introduction | |||
Split DNS is a common configuration for secure tunnels, such as | Split DNS is a common configuration for secure tunnels, such as | |||
Virtual Private Networks in which host machines private to an | Virtual Private Networks in which host machines private to an | |||
organization can only be resolved using internal DNS resolvers | organization can only be resolved using internal DNS resolvers | |||
[RFC2775]. In such configurations, it is often desirable to only | [RFC2775]. In such configurations, it is often desirable to only | |||
resolve hosts within a set of private domains using the tunnel, while | resolve hosts within a set of private domains using the tunnel, while | |||
letting resolutions for public hosts be handled by a device's default | letting resolutions for public hosts be handled by a device's default | |||
skipping to change at page 6, line 37 ¶ | skipping to change at page 6, line 37 ¶ | |||
INTERNAL_IP4_ADDRESS(198.51.100.234) | INTERNAL_IP4_ADDRESS(198.51.100.234) | |||
INTERNAL_IP4_DNS(198.51.100.2) | INTERNAL_IP4_DNS(198.51.100.2) | |||
INTERNAL_IP4_DNS(198.51.100.4) | INTERNAL_IP4_DNS(198.51.100.4) | |||
INTERNAL_DNS_DOMAIN(example.com) | INTERNAL_DNS_DOMAIN(example.com) | |||
INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) | INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) | |||
INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) | INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) | |||
INTERNAL_DNS_DOMAIN(city.other.com) | INTERNAL_DNS_DOMAIN(city.other.com) | |||
4. Payload Formats | 4. Payload Formats | |||
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type | All multi-octet fields representing integers are laid out in big | |||
endian order (also known as "most significant byte first", or | ||||
"network byte order"). | ||||
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply | ||||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
|R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| | | | | | |||
~ Domain Name in DNS presentation format ~ | ~ Domain Name in DNS presentation format ~ | |||
| | | | | | |||
+---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
skipping to change at page 6, line 48 ¶ | skipping to change at page 7, line 4 ¶ | |||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
|R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| | | | | | |||
~ Domain Name in DNS presentation format ~ | ~ Domain Name in DNS presentation format ~ | |||
| | | | | | |||
+---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. | o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. | |||
o Length (2 octets, unsigned integer) - Length of domain name. | o Length (2 octets) - Length of domain name. | |||
o Domain Name (0 or more octets) - A Fully Qualified Domain Name | o Domain Name (0 or more octets) - A Fully Qualified Domain Name | |||
used for Split DNS rules, such as "example.com", in DNS | used for Split DNS rules, such as "example.com", in DNS | |||
presentation format and optionally using IDNA [RFC5890] for | presentation format and optionally using IDNA [RFC5890] for | |||
Internationalized Domain Names. Implementors need to be careful | Internationalized Domain Names. Implementors need to be careful | |||
that this value is not null-terminated. | that this value is not null-terminated. | |||
4.2. INTERNAL_DNSSEC_TA Configuration Attribute | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | |||
An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or | ||||
it can contain one Trust Anchor by containing a non-zero Length with | ||||
a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data | ||||
fields. | ||||
An empty INTERNAL_DNSSEC_TA CFG attribute: | ||||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
|R| Attribute Type | Length | | |R| Attribute Type | Length (set to 0) | | |||
+-+-----------------------------+-------------------------------+ | ||||
A non-empty INTERNAL_DNSSEC_TA CFG attribute: | ||||
1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-----------------------------+-------------------------------+ | ||||
|R| Attribute Type | Length | | ||||
+-+-----------------------------+---------------+---------------+ | +-+-----------------------------+---------------+---------------+ | |||
| DNSKEY Key Tag | DNSKEY Alg | Digest Type | | | DNSKEY Key Tag | DNSKEY Alg | Digest Type | | |||
+-------------------------------+---------------+---------------+ | +-------------------------------+---------------+---------------+ | |||
| | | | | | |||
~ Digest Data ~ | ~ Digest Data ~ | |||
| | | | | | |||
+---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. | o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. | |||
o Length (2 octets, unsigned integer) - Length of DNSSEC Trust | o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4 | |||
Anchor data. | octets plus the length of the Digest Data) | |||
o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag | o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key | |||
as specified in [RFC4034] Section 5.1 | Tag as specified in [RFC4034] Section 5.1 | |||
o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA | o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the | |||
DNS Security Algorithm Numbers Registry | IANA DNS Security Algorithm Numbers Registry | |||
o Digest Type (1 octet) - DS algorithm value from the IANA | o Digest Type (0 or 1 octet) - DS algorithm value from the IANA | |||
Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms | Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms | |||
Registry | Registry | |||
o Digest Data (2 or more octets) - The DNSKEY digest as specified in | o Digest Data (0 or more octets) - The DNSKEY digest as specified in | |||
[RFC4034] Section 5.1 in presentation format. | [RFC4034] Section 5.1 in presentation format. | |||
5. Split DNS Usage Guidelines | 5. Split DNS Usage Guidelines | |||
If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | |||
the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | |||
servers as the default DNS server(s) for all queries. | servers as the default DNS server(s) for all queries. | |||
If a client is configured by local policy to only accept a limited | If a client is configured by local policy to only accept a limited | |||
number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | |||
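Review bot: In the Section 4.2 field list (right column), "Length (0 or 2 octets)" conflicts with both diagrams directly above it, where Length is always a 2-octet field and the empty form simply carries the value 0 ("Length (set to 0)"); the same applies to "DNSKEY Key Tag value (0 or 2 octets)", "DNSKEY Algorithm (0 or 1 octet)" and "Digest Type (0 or 1 octet)", which are either present in full or absent, not variable in size. Suggest "Length (2 octets) - 0 for an empty attribute, otherwise 4 plus the length of the Digest Data" and one sentence stating that the remaining fields are present only when Length is non-zero, which also gives a parser an unambiguous rule (a non-zero Length smaller than 4 is malformed). Separately, "Digest Data ... in presentation format" describes hex text, whereas this is a binary attribute whose other fields are defined in octets; if the intent is the raw DS digest octets from [RFC4034] Section 5.1, say "wire format", since an implementation that hex-encodes the digest will not interoperate with one that does not.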
skipping to change at page 10, line 9 ¶ | skipping to change at page 10, line 25 ¶ | |||
7. IANA Considerations | 7. IANA Considerations | |||
This document defines two new IKEv2 Configuration Payload Attribute | This document defines two new IKEv2 Configuration Payload Attribute | |||
Types, which are allocated from the "IKEv2 Configuration Payload | Types, which are allocated from the "IKEv2 Configuration Payload | |||
Attribute Types" namespace. | Attribute Types" namespace. | |||
Multi- | Multi- | |||
Value Attribute Type Valued Length Reference | Value Attribute Type Valued Length Reference | |||
------ ------------------- ------ ---------- --------------- | ------ ------------------- ------ ---------- --------------- | |||
25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] | 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] | |||
[TBD] INTERNAL_DNSSEC_TA YES 0 or more [this document] | 26 INTERNAL_DNSSEC_TA YES 0 or more [this document] | |||
Figure 1 | Figure 1 | |||
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., | [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., | |||
and E. Lear, "Address Allocation for Private Internets", | and E. Lear, "Address Allocation for Private Internets", | |||
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, | BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, | |||
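Review bot: The Length column of Figure 1 reads "0 or more" for INTERNAL_DNSSEC_TA (value 26), while Section 4.2 in the right column defines a non-empty attribute as 4 octets plus the Digest Data, so "0, or 4 or more" would match the text; if the registry column only admits a coarse range, a pointer to Section 4.2 in the Reference column would make the constraint discoverable.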
End of changes. 20 change blocks. | ||||
23 lines changed or deleted | 42 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |