draft-ietf-ipsecme-split-dns-07.txt   draft-ietf-ipsecme-split-dns-08.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: August 31, 2018 Red Hat Expires: December 20, 2018 Red Hat
February 27, 2018 June 18, 2018
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-07 draft-ietf-ipsecme-split-dns-08
Abstract Abstract
This document defines two Configuration Payload Attribute Types for This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains. These the IKEv2 protocol that add support for private DNS domains. These
domains are intended to be resolved using DNS servers reachable domains are intended to be resolved using DNS servers reachable
through an IPsec connection, while leaving all other DNS resolution through an IPsec connection, while leaving all other DNS resolution
unchanged. This approach of resolving a subset of domains using non- unchanged. This approach of resolving a subset of domains using non-
public DNS servers is referred to as "Split DNS". public DNS servers is referred to as "Split DNS".
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 31, 2018. This Internet-Draft will expire on December 20, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
skipping to change at page 2, line 23 skipping to change at page 2, line 23
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7
5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 8 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . 11 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.2. Informative References . . . . . . . . . . . . . . . . . 11 9.1. Normative References . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Split DNS is a common configuration for secure tunnels, such as Split DNS is a common configuration for secure tunnels, such as
Virtual Private Networks in which host machines private to an Virtual Private Networks in which host machines private to an
organization can only be resolved using internal DNS resolvers organization can only be resolved using internal DNS resolvers
[RFC2775]. In such configurations, it is often desirable to only [RFC2775]. In such configurations, it is often desirable to only
resolve hosts within a set of private domains using the tunnel, while resolve hosts within a set of private domains using the tunnel, while
letting resolutions for public hosts be handled by a device's default letting resolutions for public hosts be handled by a device's default
DNS configuration. DNS configuration.
skipping to change at page 8, line 47 skipping to change at page 8, line 47
o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the
IANA DNS Security Algorithm Numbers Registry. IANA DNS Security Algorithm Numbers Registry.
o Digest Type (0 or 1 octet) - DS algorithm value from the IANA o Digest Type (0 or 1 octet) - DS algorithm value from the IANA
Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms
Registry. Registry.
o Digest Data (0 or more octets) - The DNSKEY digest as specified in o Digest Data (0 or more octets) - The DNSKEY digest as specified in
[RFC4034] Section 5.1 in presentation format. [RFC4034] Section 5.1 in presentation format.
5. Split DNS Usage Guidelines INTERNAL_DNSSEC_TA payloads MUST immediately follow an
INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself
does not contain the domain name, it relies on the preceding
INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the
trust anchor.
5. INTERNAL_DNS_DOMAIN Usage Guidelines
If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes,
the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
servers as the default DNS server(s) for all queries. servers as the default DNS server(s) for all queries.
If a client is configured by local policy to only accept a limited If a client is configured by local policy to only accept a limited
number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any
other INTERNAL_DNS_DOMAIN values. other INTERNAL_DNS_DOMAIN values.
For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
skipping to change at page 9, line 44 skipping to change at page 9, line 50
and "ample.com" SHOULD NOT be resolved using the internal resolver and "ample.com" SHOULD NOT be resolved using the internal resolver
and SHOULD use the system's external DNS resolver(s). and SHOULD use the system's external DNS resolver(s).
When an IKE SA is terminated, the DNS forwarding MUST be When an IKE SA is terminated, the DNS forwarding MUST be
unconfigured. This includes deleting the DNS forwarding rules; unconfigured. This includes deleting the DNS forwarding rules;
flushing all cached data for DNS domains provided by the flushing all cached data for DNS domains provided by the
INTERNAL_DNS_DOMAIN attribute, including negative cache entries; INTERNAL_DNS_DOMAIN attribute, including negative cache entries;
removing any obtained DNSSEC trust anchors from the list of trust removing any obtained DNSSEC trust anchors from the list of trust
anchors; and clearing the outstanding DNS request queue. anchors; and clearing the outstanding DNS request queue.
INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel
used on split tunnel configurations where only a subset of traffic is configurations where only a subset of traffic is routed into a
routed into a private remote network using the IPsec connection. If private remote network using the IPsec connection. If all traffic is
all traffic is routed over the IPsec connection, the existing global routed over the IPsec connection, the existing global
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating
specific DNS exemptions. specific DNS exemptions.
6. Security Considerations 6. INTERNAL_DNSSEC_TA Usage Guidelines
Installing an INTERNAL_DNSSEC_TA trust anchor can be seen as the
equivalent of installing an Enterprise Certificate Agency (CA)
certificate. It allows the remote IKE/IPsec server to modify DNS
answers including its DNSSEC cryptographic signatures by overriding
existing DNS information with trust anchor conveyed via IKE and
(temporarilly) installed on the IKE client. Of specific concern is
the overriding of [RFC6698] based TLSA records, which represent a
confirmation or override of an existing WebPKI TLS certificate.
Other DNS record types that convey cryptographic materials (public
keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY
records.
IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for
a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN
Configuration Payload.
DNS records can be used to publish specific records containing trust
anchors for applications. The most common record type is the TLSA
record specified in [RFC6698]. This DNS record type publishes which
CA certificate or EE certificate to expect for a certain host name.
These records are protected by DNSSEC and thus can be trusted by the
application. Whether to trust TLSA records instead of the
traditional WebPKI depends on the local policy of the client. By
accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote
IKE server, the IPsec client might be allowing the remote IKE server
to override the trusted certificates for TLS. The same applies to
other public key or fingerprint based DNS records, such as
OPENPGPKEY, SMIMEA or IPSECKEY records.
In most deployment scenario's, the IKE client has an expectation that
it is connecting, using a split-network setup, to a specific
organisation or enterprise. A recommended policy would be to only
accept INTERNAL_DNSSEC_TA directives from that organization's DNS
names. However, this might not be possible in all deployment
scenarios, such as one where the IKE server is handing out a number
of domains that are not within one parent domain.
7. Security Considerations
The use of Split DNS configurations assigned by an IKEv2 responder is The use of Split DNS configurations assigned by an IKEv2 responder is
predicated on the trust established during IKE SA authentication. predicated on the trust established during IKE SA authentication.
However, if IKEv2 is being negotiated with an anonymous or unknown However, if IKEv2 is being negotiated with an anonymous or unknown
endpoint (such as for Opportunistic Security [RFC7435]), the endpoint (such as for Opportunistic Security [RFC7435]), the
initiator MUST ignore Split DNS configurations assigned by the initiator MUST ignore Split DNS configurations assigned by the
responder. responder.
If a host connected to an authenticated IKE peer is connecting to If a host connected to an authenticated IKE peer is connecting to
another IKE peer that attempts to claim the same domain via the another IKE peer that attempts to claim the same domain via the
INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process
the DNS information if the two connections are part of the same the DNS information if the two connections are part of the same
logical entity. Otherwise, the client SHOULD refuse the DNS logical entity. Otherwise, the client SHOULD refuse the DNS
information and potentially warn the end-user. information and potentially warn the end-user.
INTERNAL_DNSSEC_TA payloads MUST immediately follow an
INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself
does not contain the domain name, it relies on the preceding
INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the
trust anchor.
If the initiator is using DNSSEC validation for a domain in its If the initiator is using DNSSEC validation for a domain in its
public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN
attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure
its DNS resolver to allow for an insecure delegation. It SHOULD NOT its DNS resolver to allow for an insecure delegation. It SHOULD NOT
accept insecure delegations for domains that are DNSSEC signed in the accept insecure delegations for domains that are DNSSEC signed in the
public DNS view, for which it has not explicitely requested such public DNS view, for which it has not explicitely requested such
deletation by specifying the domain specifically using a deletation by specifying the domain specifically using a
INTERNAL_DNS_DOMAIN(domain) request. INTERNAL_DNS_DOMAIN(domain) request.
Deployments that configure INTERNAL_DNS_DOMAIN domains should pay Deployments that configure INTERNAL_DNS_DOMAIN domains should pay
close attention to their use of indirect reference RRtypes such as close attention to their use of indirect reference RRtypes such as
CNAME, DNAME, MX or SRV records so that resolving works as intended CNAME, DNAME, MX or SRV records so that resolving works as intended
when all, some, or none of the IPsec connections are established. when all, some, or none of the IPsec connections are established.
The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
passed to another (DNS) program for processing. As with any network passed to another (DNS) program for processing. As with any network
input, the content SHOULD be considered untrusted and handled input, the content SHOULD be considered untrusted and handled
accordingly. accordingly.
7. IANA Considerations 8. IANA Considerations
This document defines two new IKEv2 Configuration Payload Attribute This document defines two new IKEv2 Configuration Payload Attribute
Types, which are allocated from the "IKEv2 Configuration Payload Types, which are allocated from the "IKEv2 Configuration Payload
Attribute Types" namespace. Attribute Types" namespace.
Multi- Multi-
Value Attribute Type Valued Length Reference Value Attribute Type Valued Length Reference
------ ------------------- ------ ---------- --------------- ------ ------------------- ------ ---------- ---------------
25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document]
26 INTERNAL_DNSSEC_TA YES 0 or more [this document] 26 INTERNAL_DNSSEC_TA YES 0 or more [this document]
Figure 1 Figure 1
8. References 9. References
8.1. Normative References 9.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<https://www.rfc-editor.org/info/rfc1918>. <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>. <https://www.rfc-editor.org/info/rfc5890>.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August
2012, <https://www.rfc-editor.org/info/rfc6698>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 9.2. Informative References
[RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775,
DOI 10.17487/RFC2775, February 2000, DOI 10.17487/RFC2775, February 2000, <https://www.rfc-
<https://www.rfc-editor.org/info/rfc2775>. editor.org/info/rfc2775>.
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435, Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>. December 2014, <https://www.rfc-editor.org/info/rfc7435>.
Authors' Addresses Authors' Addresses
Tommy Pauly Tommy Pauly
Apple Inc. Apple Inc.
One Apple Park Way One Apple Park Way
 End of changes. 17 change blocks. 
33 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/