draft-ietf-ipsecme-split-dns-08.txt   draft-ietf-ipsecme-split-dns-09.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: December 20, 2018 Red Hat Expires: January 19, 2019 Red Hat
June 18, 2018 July 18, 2018
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-08 draft-ietf-ipsecme-split-dns-09
Abstract Abstract
This document defines two Configuration Payload Attribute Types for This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains. These the IKEv2 protocol that add support for private DNS domains. These
domains are intended to be resolved using DNS servers reachable domains are intended to be resolved using DNS servers reachable
through an IPsec connection, while leaving all other DNS resolution through an IPsec connection, while leaving all other DNS resolution
unchanged. This approach of resolving a subset of domains using non- unchanged. This approach of resolving a subset of domains using non-
public DNS servers is referred to as "Split DNS". public DNS servers is referred to as "Split DNS".
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 20, 2018. This Internet-Draft will expire on January 19, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7
5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9
6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Split DNS is a common configuration for secure tunnels, such as Split DNS is a common configuration for secure tunnels, such as
Virtual Private Networks in which host machines private to an Virtual Private Networks in which host machines private to an
organization can only be resolved using internal DNS resolvers organization can only be resolved using internal DNS resolvers
[RFC2775]. In such configurations, it is often desirable to only [RFC2775]. In such configurations, it is often desirable to only
resolve hosts within a set of private domains using the tunnel, while resolve hosts within a set of private domains using the tunnel, while
letting resolutions for public hosts be handled by a device's default letting resolutions for public hosts be handled by a device's default
skipping to change at page 10, line 10 skipping to change at page 10, line 10
INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel
configurations where only a subset of traffic is routed into a configurations where only a subset of traffic is routed into a
private remote network using the IPsec connection. If all traffic is private remote network using the IPsec connection. If all traffic is
routed over the IPsec connection, the existing global routed over the IPsec connection, the existing global
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating
specific DNS exemptions. specific DNS exemptions.
6. INTERNAL_DNSSEC_TA Usage Guidelines 6. INTERNAL_DNSSEC_TA Usage Guidelines
Installing an INTERNAL_DNSSEC_TA trust anchor can be seen as the DNS records can be used to publish specific records containing trust
equivalent of installing an Enterprise Certificate Agency (CA) anchors for applications. The most common record type is the TLSA
record specified in [RFC6698]. This DNS record type publishes which
CA certificate or EE certificate to expect for a certain host name.
These records are protected by DNSSEC and thus can be trusted by the
application. Whether to trust TLSA records instead of the
traditional WebPKI depends on the local policy of the client. By
accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote
IKE server, the IPsec client might be allowing the remote IKE server
to override the trusted certificates for TLS. Similar override
concerns apply to other public key or fingerprint based DNS records,
such as OPENPGPKEY, SMIMEA or IPSECKEY records.
Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as
the equivalent of installing an Enterprise Certificate Agency (CA)
certificate. It allows the remote IKE/IPsec server to modify DNS certificate. It allows the remote IKE/IPsec server to modify DNS
answers including its DNSSEC cryptographic signatures by overriding answers including its DNSSEC cryptographic signatures by overriding
existing DNS information with trust anchor conveyed via IKE and existing DNS information with trust anchor conveyed via IKE and
(temporarilly) installed on the IKE client. Of specific concern is (temporarilly) installed on the IKE client. Of specific concern is
the overriding of [RFC6698] based TLSA records, which represent a the overriding of [RFC6698] based TLSA records, which represent a
confirmation or override of an existing WebPKI TLS certificate. confirmation or override of an existing WebPKI TLS certificate.
Other DNS record types that convey cryptographic materials (public Other DNS record types that convey cryptographic materials (public
keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY
records. records.
IKE clients MUST use a preconfigured whitelist of domain names for
which it will allow INTERNAL_DNSSEC_TA updates.
The DNS root zone (".") MUST NOT be whitelisted.
Any updates to this whitelist of domain names MUST happen via
explicit human interaction to prevent invisible installation of trust
anchors.
IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for
subdomain names of the whitelisted domain names. For example, if
"example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for
"antartica.example.net" SHOULD be accepted.
IKE clients MAY interpret an INTERNAL_DNSSEC_TA for domain that was
not preconfigured as an indication that it needs to update its IKE
configuration (out of band). The client MUST NOT use such a
INTERNAL_DNSSEC_TA to reconfigure its local DNS settings.
IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for
a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN
Configuration Payload. Configuration Payload.
DNS records can be used to publish specific records containing trust
anchors for applications. The most common record type is the TLSA
record specified in [RFC6698]. This DNS record type publishes which
CA certificate or EE certificate to expect for a certain host name.
These records are protected by DNSSEC and thus can be trusted by the
application. Whether to trust TLSA records instead of the
traditional WebPKI depends on the local policy of the client. By
accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote
IKE server, the IPsec client might be allowing the remote IKE server
to override the trusted certificates for TLS. The same applies to
other public key or fingerprint based DNS records, such as
OPENPGPKEY, SMIMEA or IPSECKEY records.
In most deployment scenario's, the IKE client has an expectation that In most deployment scenario's, the IKE client has an expectation that
it is connecting, using a split-network setup, to a specific it is connecting, using a split-network setup, to a specific
organisation or enterprise. A recommended policy would be to only organisation or enterprise. A recommended policy would be to only
accept INTERNAL_DNSSEC_TA directives from that organization's DNS accept INTERNAL_DNSSEC_TA directives from that organization's DNS
names. However, this might not be possible in all deployment names. However, this might not be possible in all deployment
scenarios, such as one where the IKE server is handing out a number scenarios, such as one where the IKE server is handing out a number
of domains that are not within one parent domain. of domains that are not within one parent domain.
7. Security Considerations 7. Security Considerations
 End of changes. 8 change blocks. 
22 lines changed or deleted 41 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/