--- 1/draft-ietf-ipsecme-split-dns-10.txt 2018-07-19 08:13:22.811259661 -0700 +++ 2/draft-ietf-ipsecme-split-dns-11.txt 2018-07-19 08:13:22.839260337 -0700 @@ -1,19 +1,19 @@ Network T. Pauly Internet-Draft Apple Inc. Intended status: Standards Track P. Wouters -Expires: January 19, 2019 Red Hat - July 18, 2018 +Expires: January 20, 2019 Red Hat + July 19, 2018 Split DNS Configuration for IKEv2 - draft-ietf-ipsecme-split-dns-10 + draft-ietf-ipsecme-split-dns-11 Abstract This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that add support for private DNS domains. These domains are intended to be resolved using DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. This approach of resolving a subset of domains using non- public DNS servers is referred to as "Split DNS". @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 19, 2019. + This Internet-Draft will expire on January 20, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -58,24 +58,24 @@ 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 - 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 - 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 + 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 8 + 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction Split DNS is a common configuration for secure tunnels, such as Virtual Private Networks in which host machines private to an organization can only be resolved using internal DNS resolvers @@ -119,21 +119,21 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all captials, as shown here. 2. Background Split DNS is a common configuration for enterprise VPN deployments, - in which only one or a few private DNS domains are accessible and + in which one or more private DNS domains are only accessible and resolvable via an IPsec based VPN connection. Other tunnel-establishment protocols already support the assignment of Split DNS domains. For example, there are proprietary extensions to IKEv1 that allow a server to assign Split DNS domains to a client. However, the IKEv2 standard does not include a method to configure this option. This document defines a standard way to negotiate this option for IKEv2. 3. Protocol Exchange @@ -310,97 +310,100 @@ fields. An empty INTERNAL_DNSSEC_TA CFG attribute: 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length (set to 0) | +-+-----------------------------+-------------------------------+ + o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. + + o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. + + o Length (2 octets) - Set to 0 for an empty attribute. + A non-empty INTERNAL_DNSSEC_TA CFG attribute: 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+---------------+---------------+ | DNSKEY Key Tag | DNSKEY Alg | Digest Type | +-------------------------------+---------------+---------------+ | | ~ Digest Data ~ | | +---------------------------------------------------------------+ o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. - o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4 - octets plus the length of the Digest Data). + o Length (2 octets) - Length of DNSSEC Trust Anchor data (4 octets + plus the length of the Digest Data). - o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key - Tag as specified in [RFC4034] Section 5.1. + o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag + as specified in [RFC4034] Section 5.1. - o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the - IANA DNS Security Algorithm Numbers Registry. + o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA + DNS Security Algorithm Numbers Registry. - o Digest Type (0 or 1 octet) - DS algorithm value from the IANA + o Digest Type (1 octet) - DS algorithm value from the IANA Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Registry. - o Digest Data (0 or more octets) - The DNSKEY digest as specified in + o Digest Data (1 or more octets) - The DNSKEY digest as specified in [RFC4034] Section 5.1 in presentation format. - INTERNAL_DNSSEC_TA payloads MUST immediately follow an - INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself - does not contain the domain name, it relies on the preceding - INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the - trust anchor. + Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST + immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As + the INTERNAL_DNSSEC_TA format itself does not contain the domain + name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the + domain for which it specifies the trust anchor. Any + INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an + INTERNAL_DNS_DOMAIN attribute MUST be ignored and treated as a + protocol error. 5. INTERNAL_DNS_DOMAIN Usage Guidelines If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS servers as the default DNS server(s) for all queries. If a client is configured by local policy to only accept a limited number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other INTERNAL_DNS_DOMAIN values. For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not prohibited by local policy, the client MUST use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only resolvers for the listed domains and its sub-domains and it MUST NOT attempt to resolve the provided DNS domains using its external DNS - servers. - - If the initiator host is configured to block DNS answers containing - IP addresses from special IP address ranges such as those of - [RFC1918], the initiator SHOULD allow the DNS domains listed in the - INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses. + servers. Other domain names SHOULD be resolved using some other + external DNS resolver(s), configured independently from IKE. Queries + for these other domains MAY be sent to the internal DNS resolver(s) + listed in that CFG_REPLY message, but have no guarantee of being + answered. For example, if the INTERNAL_DNS_DOMAIN attribute + specifies "example.com", then "example.com", "www.example.com" and + "mail.eng.example.com" MUST be resolved using the internal DNS + resolver(s), but "anotherexample.com" and "ample.com" SHOULD NOT be + resolved using the internal resolver and SHOULD use the system's + external DNS resolver(s). - If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes - and its local policy does not forbid these values, the client MUST - configure its DNS resolver to resolve those domains and all their - subdomains using only the DNS resolver(s) listed in that CFG_REPLY - message. If those resolvers fail, those names MUST NOT be resolved - using any other DNS resolvers. Other domain names SHOULD be resolved - using some other external DNS resolver(s), configured independently - from IKE. Queries for these other domains MAY be sent to the - internal DNS resolver(s) listed in that CFG_REPLY message, but have - no guarantee of being answered. For example, if the - INTERNAL_DNS_DOMAIN attribute specifies "example.com", then - "example.com", "www.example.com" and "mail.eng.example.com" MUST be - resolved using the internal DNS resolver(s), but "anotherexample.com" - and "ample.com" SHOULD NOT be resolved using the internal resolver - and SHOULD use the system's external DNS resolver(s). + The initiator SHOULD allow the DNS domains listed in the + INTERNAL_DNS_DOMAIN attributes to resolve to special IP address + ranges, such as those of [RFC1918], even if the initiator host is + otherwise configured to block DNS answer containing these special IP + addresses. When an IKE SA is terminated, the DNS forwarding MUST be unconfigured. This includes deleting the DNS forwarding rules; flushing all cached data for DNS domains provided by the INTERNAL_DNS_DOMAIN attribute, including negative cache entries; removing any obtained DNSSEC trust anchors from the list of trust anchors; and clearing the outstanding DNS request queue. INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel configurations where only a subset of traffic is routed into a @@ -431,22 +434,22 @@ existing DNS information with trust anchor conveyed via IKE and (temporarilly) installed on the IKE client. Of specific concern is the overriding of [RFC6698] based TLSA records, which represent a confirmation or override of an existing WebPKI TLS certificate. Other DNS record types that convey cryptographic materials (public keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY records. IKE clients MUST use a preconfigured whitelist of one or more domain names for which it will allow INTERNAL_DNSSEC_TA updates. This list - may be sent in the CFG_REQUEST payload, or may be applied after - reception of the CFG_REPLY payload. + can either be sent in the CFG_REQUEST payload, or else be applied + after reception of the CFG_REPLY payload. IKE clients should take care to only whitelist domains that apply to internal or managed domains, rather than to generic Internet traffic. The DNS root zone (".") MUST NOT be whitelisted. Other generic or public domains, such as top-level domains, similarly SHOULD NOT be whitelisted. Any updates to this whitelist of domain names MUST happen via explicit human interaction to prevent invisible installation of trust anchors.