draft-ietf-ipsecme-split-dns-15.txt | draft-ietf-ipsecme-split-dns-16.txt | |||
---|---|---|---|---|
Network T. Pauly | Network T. Pauly | |||
Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
Expires: May 26, 2019 Red Hat | Expires: May 30, 2019 Red Hat | |||
November 22, 2018 | November 26, 2018 | |||
Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
draft-ietf-ipsecme-split-dns-15 | draft-ietf-ipsecme-split-dns-16 | |||
Abstract | Abstract | |||
This document defines two Configuration Payload Attribute Types | This document defines two Configuration Payload Attribute Types | |||
(INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key | (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key | |||
Exchange Protocol Version 2 (IKEv2). These payloads add support for | Exchange Protocol Version 2 (IKEv2). These payloads add support for | |||
private (internal-only) DNS domains. These domains are intended to | private (internal-only) DNS domains. These domains are intended to | |||
be resolved using non-public DNS servers that are only reachable | be resolved using non-public DNS servers that are only reachable | |||
through the IPsec connection. DNS resolution for other domains | through the IPsec connection. DNS resolution for other domains | |||
remains unchanged. These Configuration Payloads only apply to split | remains unchanged. These Configuration Payloads only apply to split | |||
skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on May 26, 2019. | This Internet-Draft will expire on May 30, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 5 | |||
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5 | 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5 | |||
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 5 | 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 5 | |||
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6 | 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6 | |||
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6 | 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6 | |||
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6 | 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6 | |||
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 7 | 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 7 | |||
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | |||
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8 | and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 8 | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 8 | |||
skipping to change at page 3, line 12 ¶ | skipping to change at page 3, line 12 ¶ | |||
of split tunnel VPN configurations to support configuring Remote | of split tunnel VPN configurations to support configuring Remote | |||
Access users to use these special internal-only domain names. | Access users to use these special internal-only domain names. | |||
The IKEv2 protocol [RFC7296] negotiates configuration parameters | The IKEv2 protocol [RFC7296] negotiates configuration parameters | |||
using Configuration Payload Attribute Types. This document defines | using Configuration Payload Attribute Types. This document defines | |||
two Configuration Payload Attribute Types that add support for | two Configuration Payload Attribute Types that add support for | |||
trusted Split DNS domains. | trusted Split DNS domains. | |||
The INTERNAL_DNS_DOMAIN attribute type is used to convey that the | The INTERNAL_DNS_DOMAIN attribute type is used to convey that the | |||
specified DNS domain MUST be resolved using the provided DNS | specified DNS domain MUST be resolved using the provided DNS | |||
nameserver IP addresses, causing these requests to use the IPsec | nameserver IP addresses as specified in the INTERNAL_IP4_DNS and | |||
connection. | INTERNAL_IP6_DNS Configuration Payloads, causing these requests to | |||
use the IPsec connection. | ||||
The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC | The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC | |||
trust anchor for such a domain. This is required if the external | trust anchor for such a domain. This is required if the external | |||
view uses DNSSEC that would prove the internal view does not exist or | view uses DNSSEC that would prove the internal view does not exist or | |||
would expect a different DNSSEC key on the different versions | would expect a different DNSSEC key on the different versions | |||
(internal and external) of the enterprise domain. | (internal and external) of the enterprise domain. | |||
If an INTERNAL_DNS_DOMAIN is sent by the responder, the responder | If an INTERNAL_DNS_DOMAIN is sent by the responder, the responder | |||
MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | |||
attributes that contain the IPv4 or IPv6 address of the internal DNS | attributes that contain the IPv4 or IPv6 address of the internal DNS | |||
skipping to change at page 4, line 38 ¶ | skipping to change at page 4, line 40 ¶ | |||
configured for the enterprise DNS domains which removes the legal and | configured for the enterprise DNS domains which removes the legal and | |||
technical responsibility of the enterprise to resolve every DNS | technical responsibility of the enterprise to resolve every DNS | |||
domain potentially asked for by the remote user. | domain potentially asked for by the remote user. | |||
A client using these configuration payloads will be able to request | A client using these configuration payloads will be able to request | |||
and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN | and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN | |||
and INTERNAL_DNSSEC_TA configuration attributes. These attributes | and INTERNAL_DNSSEC_TA configuration attributes. These attributes | |||
MUST be accompanied by one or more INTERNAL_IP4_DNS or | MUST be accompanied by one or more INTERNAL_IP4_DNS or | |||
INTERNAL_IP6_DNS configuration attributes. The client device can | INTERNAL_IP6_DNS configuration attributes. The client device can | |||
then use the internal DNS server(s) for any DNS queries within the | then use the internal DNS server(s) for any DNS queries within the | |||
assigned domains. DNS queries for other domains MUST be sent to the | assigned domains. DNS queries for other domains SHOULD be sent to | |||
regular DNS service of the client. | the regular DNS service of the client unless it prefers to use the | |||
IPsec tunnel for all its DNS queries. For example, the client could | ||||
trust the IPsec provided DNS servers more than the locally provided | ||||
DNS servers especially in the case of connecting to unknown or | ||||
untrusted networks (e.g., coffee shops or hotel networks). Or the | ||||
client could prefer the IPsec based DNS servers because those provide | ||||
additional features over the local DNS servers. | ||||
3. Protocol Exchange | 3. Protocol Exchange | |||
In order to negotiate which domains are considered internal to an | In order to negotiate which domains are considered internal to an | |||
IKEv2 tunnel, initiators indicate support for Split DNS in their | IKEv2 tunnel, initiators indicate support for Split DNS in their | |||
CFG_REQUEST payloads, and responders assign internal domains (and | CFG_REQUEST payloads, and responders assign internal domains (and | |||
DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS | DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS | |||
has been negotiated, the existing DNS server configuration attributes | has been negotiated, the existing DNS server configuration attributes | |||
will be interpreted as internal DNS servers that can resolve | will be interpreted as internal DNS servers that can resolve | |||
hostnames within the internal domains. | hostnames within the internal domains. | |||
skipping to change at page 6, line 15 ¶ | skipping to change at page 6, line 23 ¶ | |||
Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers | Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers | |||
whose addresses are listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS | whose addresses are listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS | |||
can resolve. | can resolve. | |||
If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- | If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- | |||
zero lengths, the content MAY be ignored or be interpreted as a | zero lengths, the content MAY be ignored or be interpreted as a | |||
suggestion by the responder. | suggestion by the responder. | |||
For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, | For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, | |||
one or more INTERNAL_DNSSEC_TA attributes MAY be included by the | one or more INTERNAL_DNSSEC_TA attributes MAY be included by the | |||
responder. This attribute lists the corresponding internal DNSSEC | responder. This attribute lists the corresponding internal DNSSEC | |||
trust anchor in the DNS presentation format of a DS record as | trust anchor information of a DS record (see [RFC4034]). The | |||
specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST | INTERNAL_DNSSEC_TA attribute MUST immediately follow the | |||
immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies | INTERNAL_DNS_DOMAIN attribute that it applies to. | |||
to. | ||||
3.3. Mapping DNS Servers to Domains | 3.3. Mapping DNS Servers to Domains | |||
All DNS servers provided in the CFG_REPLY MUST support resolving | All DNS servers provided in the CFG_REPLY MUST support resolving | |||
hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, | hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, | |||
the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a | the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a | |||
single list of Split DNS domains that applies to the entire list of | single list of Split DNS domains that applies to the entire list of | |||
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. | INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. | |||
3.4. Example Exchanges | 3.4. Example Exchanges | |||
skipping to change at page 8, line 25 ¶ | skipping to change at page 8, line 25 ¶ | |||
+---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. | o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. | |||
o Length (2 octets) - Length of domain name. | o Length (2 octets) - Length of domain name. | |||
o Domain Name (0 or more octets) - A Fully Qualified Domain Name | o Domain Name (0 or more octets) - A Fully Qualified Domain Name | |||
used for Split DNS rules, such as "example.com", in DNS | used for Split DNS rules, such as "example.com", in DNS | |||
presentation format and optionally using IDNA [RFC5890] for | presentation format and using IDNA A-label [RFC5890] for | |||
Internationalized Domain Names. Implementors need to be careful | Internationalized Domain Names. Implementors need to be careful | |||
that this value is not null-terminated. | that this value is not null-terminated. | |||
4.2. INTERNAL_DNSSEC_TA Configuration Attribute | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | |||
An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or | An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or | |||
it can contain one Trust Anchor, in which case it has a non-zero | it can contain one Trust Anchor, in which case it has a non-zero | |||
Length and carries the DNSKEY Key Tag, DNSKEY Algorithm, Digest Type | Length and carries the DNSKEY Key Tag, DNSKEY Algorithm, Digest Type | |||
and Digest Data fields. | and Digest Data fields. | |||
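The following is an added worked example, not code from the draft or from any IKEv2 implementation. It encodes a CFG_REPLY carrying the attributes described in Sections 3.2, 3.3, 4.1 and 4.2, parses it back while enforcing the rules the text states (an INTERNAL_DNSSEC_TA immediately follows the INTERNAL_DNS_DOMAIN it applies to; the domain is sent as A-labels and is not NUL-terminated; an INTERNAL_DNS_DOMAIN is always accompanied by INTERNAL_IP4_DNS/INTERNAL_IP6_DNS; every listed server serves every listed domain), and then decides which servers a query name should go to. Assumptions: attribute type values 3 and 10 are those of INTERNAL_IP4_DNS and INTERNAL_IP6_DNS in RFC 7296, 25 is from this draft, and 26 for INTERNAL_DNSSEC_TA is the value in the published RFC 8598 (not shown in this excerpt); the trust-anchor field widths follow DS RDATA (RFC 4034, Section 5.1); Python's idna codec implements IDNA 2003 rather than RFC 5890 and stands in for a proper A-label conversion; all addresses, names and the digest are constructed sample data.

```python
"""Split DNS attributes for IKEv2 CFG_REPLY: encode, parse, and apply.

Added example, not code from the draft or an IKEv2 implementation.
INTERNAL_IP4_DNS=3 and INTERNAL_IP6_DNS=10 are from RFC 7296,
INTERNAL_DNS_DOMAIN=25 from this draft; 26 for INTERNAL_DNSSEC_TA is the
value in the published RFC 8598 (assumed, not shown in this excerpt).
Trust anchor field widths follow DS RDATA (RFC 4034, Section 5.1).
"""
import ipaddress
import struct

INTERNAL_IP4_DNS = 3
INTERNAL_IP6_DNS = 10
INTERNAL_DNS_DOMAIN = 25
INTERNAL_DNSSEC_TA = 26


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """R bit (0) + 15-bit Attribute Type, 2-octet Length, then Value."""
    if not 0 <= attr_type < 0x8000:
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_dns_domain(name: str) -> bytes:
    """FQDN in presentation format as A-labels: no trailing dot, no NUL.

    Python's idna codec is IDNA 2003, not RFC 5890; it is a stand-in here.
    It does reject empty and over-long labels.
    """
    alabels = name.rstrip(".").encode("idna")
    if not alabels:
        raise ValueError("empty domain name")
    return encode_attr(INTERNAL_DNS_DOMAIN, alabels)


def encode_dnssec_ta(key_tag: int, algorithm: int, digest_type: int,
                     digest: bytes) -> bytes:
    """Key Tag (2 octets), Algorithm (1), Digest Type (1), Digest Data."""
    header = struct.pack("!HBB", key_tag, algorithm, digest_type)
    return encode_attr(INTERNAL_DNSSEC_TA, header + digest)


def encode_dns_server(addr: str) -> bytes:
    ip = ipaddress.ip_address(addr)
    t = INTERNAL_IP4_DNS if ip.version == 4 else INTERNAL_IP6_DNS
    return encode_attr(t, ip.packed)


def parse_cfg_reply(data: bytes) -> dict:
    """Parse a CFG_REPLY attribute list into a Split DNS configuration.

    Rules enforced from the draft: an INTERNAL_DNSSEC_TA immediately follows
    the INTERNAL_DNS_DOMAIN it applies to (a further TA for the same domain
    may follow the first); the domain value is ASCII and not NUL-terminated;
    any INTERNAL_DNS_DOMAIN is accompanied by INTERNAL_IP4_DNS/IP6_DNS.
    Rejecting a zero-length domain in a reply is this example's own choice.
    """
    servers, domains, last_domain, off = [], {}, None, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        t, length = struct.unpack_from("!HH", data, off)
        t &= 0x7FFF                      # R bit is reserved; ignore on receipt
        value = data[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated attribute value")
        off += 4 + length
        if t == INTERNAL_DNS_DOMAIN:
            if length == 0 or b"\x00" in value or not value.isascii():
                raise ValueError("malformed INTERNAL_DNS_DOMAIN")
            last_domain = value.decode("ascii").rstrip(".").lower()
            domains.setdefault(last_domain, [])
        elif t == INTERNAL_DNSSEC_TA:
            if last_domain is None or length < 5:
                raise ValueError("INTERNAL_DNSSEC_TA not directly after its domain")
            tag, alg, dtype = struct.unpack_from("!HBB", value)
            domains[last_domain].append((tag, alg, dtype, bytes(value[4:])))
        else:
            last_domain = None           # any other attribute breaks adjacency
            if t in (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS):
                if length != (4 if t == INTERNAL_IP4_DNS else 16):
                    raise ValueError("bad DNS server address length")
                servers.append(str(ipaddress.ip_address(value)))
    if domains and not servers:
        raise ValueError("INTERNAL_DNS_DOMAIN without any INTERNAL_IP*_DNS")
    return {"servers": servers, "domains": domains}


def is_valid_reply(data: bytes) -> bool:
    try:
        parse_cfg_reply(data)
        return True
    except ValueError:
        return False


def servers_for(qname: str, cfg: dict):
    """Internal servers for a name under an internal domain, else None.

    Label-wise suffix match, so notexample.com does not match example.com.
    All servers serve all domains (Section 3.3), so the full list is returned.
    """
    labels = qname.rstrip(".").lower().split(".")
    for domain in cfg["domains"]:
        dl = domain.split(".")
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return list(cfg["servers"])
    return None


def ds_presentation(domain: str, ta: tuple) -> str:
    """Trust anchor as a DS record line, e.g. for a validating stub's config."""
    tag, alg, dtype, digest = ta
    return f"{domain}. IN DS {tag} {alg} {dtype} {digest.hex().upper()}"


def build_example_reply() -> bytes:
    """Constructed sample CFG_REPLY (addresses, names and digest are made up)."""
    return (encode_dns_server("10.0.0.53")
            + encode_dns_server("2001:db8::53")
            + encode_dns_domain("example.com")
            + encode_dnssec_ta(12345, 8, 2, bytes(range(32)))
            + encode_dns_domain("münchen.example"))


if __name__ == "__main__":
    cfg = parse_cfg_reply(build_example_reply())
    print(cfg["servers"], list(cfg["domains"]))
    for d, tas in cfg["domains"].items():
        for ta in tas:
            print(ds_presentation(d, ta))
    print(servers_for("www.example.com", cfg), servers_for("notexample.com", cfg))
```

The parser resets its "current domain" on any attribute other than INTERNAL_DNS_DOMAIN or INTERNAL_DNSSEC_TA, which is what makes the "MUST immediately follow" rule checkable rather than merely documented; a responder that interleaves a DNS server address between a domain and its trust anchor is rejected instead of having the anchor silently attached to the wrong name. The suffix match in servers_for compares whole labels so that a name like notexample.com is not routed to the internal servers for example.com.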
End of changes. 8 change blocks. | ||||
14 lines changed or deleted | 20 lines changed or added | |||