draft-ietf-ipsecme-split-dns-05.txt   draft-ietf-ipsecme-split-dns-06.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: August 10, 2018 Red Hat Expires: August 13, 2018 Red Hat
February 6, 2018 February 9, 2018
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-05 draft-ietf-ipsecme-split-dns-06
Abstract Abstract
This document defines two Configuration Payload Attribute Types for This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains. These the IKEv2 protocol that add support for private DNS domains. These
domains should be resolved using DNS servers reachable through an domains should be resolved using DNS servers reachable through an
IPsec connection, while leaving all other DNS resolution unchanged. IPsec connection, while leaving all other DNS resolution unchanged.
This approach of resolving a subset of domains using non-public DNS This approach of resolving a subset of domains using non-public DNS
servers is referred to as "Split DNS". servers is referred to as "Split DNS".
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 10, 2018. This Internet-Draft will expire on August 13, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 20
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7
5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
Split DNS is a common configuration for secure tunnels, such as Split DNS is a common configuration for secure tunnels, such as
Virtual Private Networks in which host machines private to an Virtual Private Networks in which host machines private to an
organization can only be resolved using internal DNS resolvers organization can only be resolved using internal DNS resolvers
[RFC2775]. In such configurations, it is often desirable to only [RFC2775]. In such configurations, it is often desirable to only
resolve hosts within a set of private domains using the tunnel, while resolve hosts within a set of private domains using the tunnel, while
letting resolutions for public hosts be handled by a device's default letting resolutions for public hosts be handled by a device's default
skipping to change at page 6, line 37 skipping to change at page 6, line 37
INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.2)
INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_IP4_DNS(198.51.100.4)
INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNS_DOMAIN(example.com)
INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083)
INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....)
INTERNAL_DNS_DOMAIN(city.other.com) INTERNAL_DNS_DOMAIN(city.other.com)
4. Payload Formats 4. Payload Formats
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type All multi-octet fields representing integers are laid out in big
endian order (also known as "most significant byte first", or
"network byte order").
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
|R| Attribute Type | Length | |R| Attribute Type | Length |
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
| | | |
~ Domain Name in DNS presentation format ~ ~ Domain Name in DNS presentation format ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
skipping to change at page 6, line 48 skipping to change at page 7, line 4
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
|R| Attribute Type | Length | |R| Attribute Type | Length |
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
| | | |
~ Domain Name in DNS presentation format ~ ~ Domain Name in DNS presentation format ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].
o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN.
o Length (2 octets, unsigned integer) - Length of domain name. o Length (2 octets) - Length of domain name.
o Domain Name (0 or more octets) - A Fully Qualified Domain Name o Domain Name (0 or more octets) - A Fully Qualified Domain Name
used for Split DNS rules, such as "example.com", in DNS used for Split DNS rules, such as "example.com", in DNS
presentation format and optionally using IDNA [RFC5890] for presentation format and optionally using IDNA [RFC5890] for
Internationalized Domain Names. Implementors need to be careful Internationalized Domain Names. Implementors need to be careful
that this value is not null-terminated. that this value is not null-terminated.
4.2. INTERNAL_DNSSEC_TA Configuration Attribute 4.2. INTERNAL_DNSSEC_TA Configuration Attribute
An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or
it can contain one Trust Anchor by containing a non-zero Length with
a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data
fields.
An empty INTERNAL_DNSSEC_TA CFG attribute:
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
|R| Attribute Type | Length | |R| Attribute Type | Length (set to 0) |
+-+-----------------------------+-------------------------------+
A non-empty INTERNAL_DNSSEC_TA CFG attribute:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-----------------------------+-------------------------------+
|R| Attribute Type | Length |
+-+-----------------------------+---------------+---------------+ +-+-----------------------------+---------------+---------------+
| DNSKEY Key Tag | DNSKEY Alg | Digest Type | | DNSKEY Key Tag | DNSKEY Alg | Digest Type |
+-------------------------------+---------------+---------------+ +-------------------------------+---------------+---------------+
| | | |
~ Digest Data ~ ~ Digest Data ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].
o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA.
o Length (2 octets, unsigned integer) - Length of DNSSEC Trust o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4
Anchor data. octets plus the length of the Digest Data)
o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key
as specified in [RFC4034] Section 5.1 Tag as specified in [RFC4034] Section 5.1
o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the
DNS Security Algorithm Numbers Registry IANA DNS Security Algorithm Numbers Registry
o Digest Type (1 octet) - DS algorithm value from the IANA o Digest Type (0 or 1 octet) - DS algorithm value from the IANA
Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms
Registry Registry
o Digest Data (2 or more octets) - The DNSKEY digest as specified in o Digest Data (0 or more octets) - The DNSKEY digest as specified in
[RFC4034] Section 5.1 in presentation format. [RFC4034] Section 5.1 in presentation format.
5. Split DNS Usage Guidelines 5. Split DNS Usage Guidelines
If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes,
the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
servers as the default DNS server(s) for all queries. servers as the default DNS server(s) for all queries.
If a client is configured by local policy to only accept a limited If a client is configured by local policy to only accept a limited
number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any
skipping to change at page 10, line 9 skipping to change at page 10, line 25
7. IANA Considerations 7. IANA Considerations
This document defines two new IKEv2 Configuration Payload Attribute This document defines two new IKEv2 Configuration Payload Attribute
Types, which are allocated from the "IKEv2 Configuration Payload Types, which are allocated from the "IKEv2 Configuration Payload
Attribute Types" namespace. Attribute Types" namespace.
Multi- Multi-
Value Attribute Type Valued Length Reference Value Attribute Type Valued Length Reference
------ ------------------- ------ ---------- --------------- ------ ------------------- ------ ---------- ---------------
25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document]
[TBD] INTERNAL_DNSSEC_TA YES 0 or more [this document] 26 INTERNAL_DNSSEC_TA YES 0 or more [this document]
Figure 1 Figure 1
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
 End of changes. 20 change blocks. 
23 lines changed or deleted 42 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/