draft-ietf-ipsecme-split-dns-10.txt   draft-ietf-ipsecme-split-dns-11.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: January 19, 2019 Red Hat Expires: January 20, 2019 Red Hat
July 18, 2018 July 19, 2018
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-10 draft-ietf-ipsecme-split-dns-11
Abstract Abstract
This document defines two Configuration Payload Attribute Types for This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains. These the IKEv2 protocol that add support for private DNS domains. These
domains are intended to be resolved using DNS servers reachable domains are intended to be resolved using DNS servers reachable
through an IPsec connection, while leaving all other DNS resolution through an IPsec connection, while leaving all other DNS resolution
unchanged. This approach of resolving a subset of domains using non- unchanged. This approach of resolving a subset of domains using non-
public DNS servers is referred to as "Split DNS". public DNS servers is referred to as "Split DNS".
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 19, 2019. This Internet-Draft will expire on January 20, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7
5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 8
6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 13 9.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Split DNS is a common configuration for secure tunnels, such as Split DNS is a common configuration for secure tunnels, such as
Virtual Private Networks in which host machines private to an Virtual Private Networks in which host machines private to an
organization can only be resolved using internal DNS resolvers organization can only be resolved using internal DNS resolvers
skipping to change at page 3, line 37 skipping to change at page 3, line 37
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
captials, as shown here. captials, as shown here.
2. Background 2. Background
Split DNS is a common configuration for enterprise VPN deployments, Split DNS is a common configuration for enterprise VPN deployments,
in which only one or a few private DNS domains are accessible and in which one or more private DNS domains are only accessible and
resolvable via an IPsec based VPN connection. resolvable via an IPsec based VPN connection.
Other tunnel-establishment protocols already support the assignment Other tunnel-establishment protocols already support the assignment
of Split DNS domains. For example, there are proprietary extensions of Split DNS domains. For example, there are proprietary extensions
to IKEv1 that allow a server to assign Split DNS domains to a client. to IKEv1 that allow a server to assign Split DNS domains to a client.
However, the IKEv2 standard does not include a method to configure However, the IKEv2 standard does not include a method to configure
this option. This document defines a standard way to negotiate this this option. This document defines a standard way to negotiate this
option for IKEv2. option for IKEv2.
3. Protocol Exchange 3. Protocol Exchange
skipping to change at page 8, line 13 skipping to change at page 7, line 44
fields. fields.
An empty INTERNAL_DNSSEC_TA CFG attribute: An empty INTERNAL_DNSSEC_TA CFG attribute:
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
|R| Attribute Type | Length (set to 0) | |R| Attribute Type | Length (set to 0) |
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].
o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA.
o Length (2 octets) - Set to 0 for an empty attribute.
A non-empty INTERNAL_DNSSEC_TA CFG attribute: A non-empty INTERNAL_DNSSEC_TA CFG attribute:
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-----------------------------+-------------------------------+ +-+-----------------------------+-------------------------------+
|R| Attribute Type | Length | |R| Attribute Type | Length |
+-+-----------------------------+---------------+---------------+ +-+-----------------------------+---------------+---------------+
| DNSKEY Key Tag | DNSKEY Alg | Digest Type | | DNSKEY Key Tag | DNSKEY Alg | Digest Type |
+-------------------------------+---------------+---------------+ +-------------------------------+---------------+---------------+
| | | |
~ Digest Data ~ ~ Digest Data ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].
o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA.
o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4 o Length (2 octets) - Length of DNSSEC Trust Anchor data (4 octets
octets plus the length of the Digest Data). plus the length of the Digest Data).
o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag
Tag as specified in [RFC4034] Section 5.1. as specified in [RFC4034] Section 5.1.
o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA
IANA DNS Security Algorithm Numbers Registry. DNS Security Algorithm Numbers Registry.
o Digest Type (0 or 1 octet) - DS algorithm value from the IANA o Digest Type (1 octet) - DS algorithm value from the IANA
Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms
Registry. Registry.
o Digest Data (0 or more octets) - The DNSKEY digest as specified in o Digest Data (1 or more octets) - The DNSKEY digest as specified in
[RFC4034] Section 5.1 in presentation format. [RFC4034] Section 5.1 in presentation format.
INTERNAL_DNSSEC_TA payloads MUST immediately follow an Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST
INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As
does not contain the domain name, it relies on the preceding the INTERNAL_DNSSEC_TA format itself does not contain the domain
INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the
trust anchor. domain for which it specifies the trust anchor. Any
INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
INTERNAL_DNS_DOMAIN attribute MUST be ignored and treated as a
protocol error.
5. INTERNAL_DNS_DOMAIN Usage Guidelines 5. INTERNAL_DNS_DOMAIN Usage Guidelines
If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes,
the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
servers as the default DNS server(s) for all queries. servers as the default DNS server(s) for all queries.
If a client is configured by local policy to only accept a limited If a client is configured by local policy to only accept a limited
number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any
other INTERNAL_DNS_DOMAIN values. other INTERNAL_DNS_DOMAIN values.
For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
prohibited by local policy, the client MUST use the provided prohibited by local policy, the client MUST use the provided
INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only
resolvers for the listed domains and its sub-domains and it MUST NOT resolvers for the listed domains and its sub-domains and it MUST NOT
attempt to resolve the provided DNS domains using its external DNS attempt to resolve the provided DNS domains using its external DNS
servers. servers. Other domain names SHOULD be resolved using some other
external DNS resolver(s), configured independently from IKE. Queries
If the initiator host is configured to block DNS answers containing for these other domains MAY be sent to the internal DNS resolver(s)
IP addresses from special IP address ranges such as those of listed in that CFG_REPLY message, but have no guarantee of being
[RFC1918], the initiator SHOULD allow the DNS domains listed in the answered. For example, if the INTERNAL_DNS_DOMAIN attribute
INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses. specifies "example.com", then "example.com", "www.example.com" and
"mail.eng.example.com" MUST be resolved using the internal DNS
resolver(s), but "anotherexample.com" and "ample.com" SHOULD NOT be
resolved using the internal resolver and SHOULD use the system's
external DNS resolver(s).
If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes The initiator SHOULD allow the DNS domains listed in the
and its local policy does not forbid these values, the client MUST INTERNAL_DNS_DOMAIN attributes to resolve to special IP address
configure its DNS resolver to resolve those domains and all their ranges, such as those of [RFC1918], even if the initiator host is
subdomains using only the DNS resolver(s) listed in that CFG_REPLY otherwise configured to block DNS answer containing these special IP
message. If those resolvers fail, those names MUST NOT be resolved addresses.
using any other DNS resolvers. Other domain names SHOULD be resolved
using some other external DNS resolver(s), configured independently
from IKE. Queries for these other domains MAY be sent to the
internal DNS resolver(s) listed in that CFG_REPLY message, but have
no guarantee of being answered. For example, if the
INTERNAL_DNS_DOMAIN attribute specifies "example.com", then
"example.com", "www.example.com" and "mail.eng.example.com" MUST be
resolved using the internal DNS resolver(s), but "anotherexample.com"
and "ample.com" SHOULD NOT be resolved using the internal resolver
and SHOULD use the system's external DNS resolver(s).
When an IKE SA is terminated, the DNS forwarding MUST be When an IKE SA is terminated, the DNS forwarding MUST be
unconfigured. This includes deleting the DNS forwarding rules; unconfigured. This includes deleting the DNS forwarding rules;
flushing all cached data for DNS domains provided by the flushing all cached data for DNS domains provided by the
INTERNAL_DNS_DOMAIN attribute, including negative cache entries; INTERNAL_DNS_DOMAIN attribute, including negative cache entries;
removing any obtained DNSSEC trust anchors from the list of trust removing any obtained DNSSEC trust anchors from the list of trust
anchors; and clearing the outstanding DNS request queue. anchors; and clearing the outstanding DNS request queue.
INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel
configurations where only a subset of traffic is routed into a configurations where only a subset of traffic is routed into a
skipping to change at page 10, line 37 skipping to change at page 10, line 25
existing DNS information with trust anchor conveyed via IKE and existing DNS information with trust anchor conveyed via IKE and
(temporarilly) installed on the IKE client. Of specific concern is (temporarilly) installed on the IKE client. Of specific concern is
the overriding of [RFC6698] based TLSA records, which represent a the overriding of [RFC6698] based TLSA records, which represent a
confirmation or override of an existing WebPKI TLS certificate. confirmation or override of an existing WebPKI TLS certificate.
Other DNS record types that convey cryptographic materials (public Other DNS record types that convey cryptographic materials (public
keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY
records. records.
IKE clients MUST use a preconfigured whitelist of one or more domain IKE clients MUST use a preconfigured whitelist of one or more domain
names for which it will allow INTERNAL_DNSSEC_TA updates. This list names for which it will allow INTERNAL_DNSSEC_TA updates. This list
may be sent in the CFG_REQUEST payload, or may be applied after can either be sent in the CFG_REQUEST payload, or else be applied
reception of the CFG_REPLY payload. after reception of the CFG_REPLY payload.
IKE clients should take care to only whitelist domains that apply to IKE clients should take care to only whitelist domains that apply to
internal or managed domains, rather than to generic Internet traffic. internal or managed domains, rather than to generic Internet traffic.
The DNS root zone (".") MUST NOT be whitelisted. Other generic or The DNS root zone (".") MUST NOT be whitelisted. Other generic or
public domains, such as top-level domains, similarly SHOULD NOT be public domains, such as top-level domains, similarly SHOULD NOT be
whitelisted. whitelisted.
Any updates to this whitelist of domain names MUST happen via Any updates to this whitelist of domain names MUST happen via
explicit human interaction to prevent invisible installation of trust explicit human interaction to prevent invisible installation of trust
anchors. anchors.
 End of changes. 16 change blocks. 
44 lines changed or deleted 47 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/