draft-ietf-ipsecme-split-dns-15.txt   draft-ietf-ipsecme-split-dns-16.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: May 26, 2019 Red Hat Expires: May 30, 2019 Red Hat
November 22, 2018 November 26, 2018
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-15 draft-ietf-ipsecme-split-dns-16
Abstract Abstract
This document defines two Configuration Payload Attribute Types This document defines two Configuration Payload Attribute Types
(INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key
Exchange Protocol Version 2 (IKEv2). These payloads add support for Exchange Protocol Version 2 (IKEv2). These payloads add support for
private (internal-only) DNS domains. These domains are intended to private (internal-only) DNS domains. These domains are intended to
be resolved using non-public DNS servers that are only reachable be resolved using non-public DNS servers that are only reachable
through the IPsec connection. DNS resolution for other domains through the IPsec connection. DNS resolution for other domains
remains unchanged. These Configuration Payloads only apply to split remains unchanged. These Configuration Payloads only apply to split
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 26, 2019. This Internet-Draft will expire on May 30, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 4 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 5 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 5
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 7 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 7
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 7 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 8 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 8
skipping to change at page 3, line 12 skipping to change at page 3, line 12
of split tunnel VPN configurations to support configuring Remote of split tunnel VPN configurations to support configuring Remote
Access users to use these special internal-only domain names. Access users to use these special internal-only domain names.
The IKEv2 protocol [RFC7296] negotiates configuration parameters The IKEv2 protocol [RFC7296] negotiates configuration parameters
using Configuration Payload Attribute Types. This document defines using Configuration Payload Attribute Types. This document defines
two Configuration Payload Attribute Types that add support for two Configuration Payload Attribute Types that add support for
trusted Split DNS domains. trusted Split DNS domains.
The INTERNAL_DNS_DOMAIN attribute type is used to convey that the The INTERNAL_DNS_DOMAIN attribute type is used to convey that the
specified DNS domain MUST be resolved using the provided DNS specified DNS domain MUST be resolved using the provided DNS
nameserver IP addresses, causing these requests to use the IPsec nameserver IP addresses as specified in the INTERNAL_IP4_DNS and
connection. INTERNAL_IP6_DNS Configuration Payloads, causing these requests to
use the IPsec connection.
The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC
trust anchor for such a domain. This is required if the external trust anchor for such a domain. This is required if the external
view uses DNSSEC that would prove the internal view does not exist or view uses DNSSEC that would prove the internal view does not exist or
would expect a different DNSSEC key on the different versions would expect a different DNSSEC key on the different versions
(internal and external) of the enterprise domain. (internal and external) of the enterprise domain.
If an INTERNAL_DNS_DOMAIN is sent by the responder, the responder If an INTERNAL_DNS_DOMAIN is sent by the responder, the responder
MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
attributes that contain the IPv4 or IPv6 address of the internal DNS attributes that contain the IPv4 or IPv6 address of the internal DNS
skipping to change at page 4, line 38 skipping to change at page 4, line 40
configured for the enterprise DNS domains which removes the legal and configured for the enterprise DNS domains which removes the legal and
technical responsibility of the enterprise to resolve every DNS technical responsibility of the enterprise to resolve every DNS
domain potentially asked for by the remote user. domain potentially asked for by the remote user.
A client using these configuration payloads will be able to request A client using these configuration payloads will be able to request
and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
and INTERNAL_DNSSEC_TA configuration attributes. These attributes and INTERNAL_DNSSEC_TA configuration attributes. These attributes
MUST be accompanied by one or more INTERNAL_IP4_DNS or MUST be accompanied by one or more INTERNAL_IP4_DNS or
INTERNAL_IP6_DNS configuration attributes. The client device can INTERNAL_IP6_DNS configuration attributes. The client device can
then use the internal DNS server(s) for any DNS queries within the then use the internal DNS server(s) for any DNS queries within the
assigned domains. DNS queries for other domains MUST be sent to the assigned domains. DNS queries for other domains SHOULD be sent to
regular DNS service of the client. the regular DNS service of the client unless it prefers to use the
IPsec tunnel for all its DNS queries. For example, the client could
trust the IPsec provided DNS servers more than the locally provided
DNS servers especially in the case of connecting to unknown or
untrusted networks (eg coffee shops or hotel networks). Or the
client could prefer the IPsec based DNS servers because those provide
additional features over the local DNS servers.
3. Protocol Exchange 3. Protocol Exchange
In order to negotiate which domains are considered internal to an In order to negotiate which domains are considered internal to an
IKEv2 tunnel, initiators indicate support for Split DNS in their IKEv2 tunnel, initiators indicate support for Split DNS in their
CFG_REQUEST payloads, and responders assign internal domains (and CFG_REQUEST payloads, and responders assign internal domains (and
DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS
has been negotiated, the existing DNS server configuration attributes has been negotiated, the existing DNS server configuration attributes
will be interpreted as internal DNS servers that can resolve will be interpreted as internal DNS servers that can resolve
hostnames within the internal domains. hostnames within the internal domains.
skipping to change at page 6, line 15 skipping to change at page 6, line 23
Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers
address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve.
If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non-
zero lengths, the content MAY be ignored or be interpreted as a zero lengths, the content MAY be ignored or be interpreted as a
suggestion by the responder. suggestion by the responder.
For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute,
one or more INTERNAL_DNSSEC_TA attributes MAY be included by the one or more INTERNAL_DNSSEC_TA attributes MAY be included by the
responder. This attribute lists the corresponding internal DNSSEC responder. This attribute lists the corresponding internal DNSSEC
trust anchor in the DNS presentation format of a DS record as trust anchor information of a DS record (see [RFC4034]). The
specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST INTERNAL_DNSSEC_TA attribute MUST immediately follow the
immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies INTERNAL_DNS_DOMAIN attribute that it applies to.
to.
3.3. Mapping DNS Servers to Domains 3.3. Mapping DNS Servers to Domains
All DNS servers provided in the CFG_REPLY MUST support resolving All DNS servers provided in the CFG_REPLY MUST support resolving
hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, hostnames within all INTERNAL_DNS_DOMAIN domains. In other words,
the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a
single list of Split DNS domains that applies to the entire list of single list of Split DNS domains that applies to the entire list of
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes.
3.4. Example Exchanges 3.4. Example Exchanges
skipping to change at page 8, line 25 skipping to change at page 8, line 25
+---------------------------------------------------------------+ +---------------------------------------------------------------+
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].
o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN.
o Length (2 octets) - Length of domain name. o Length (2 octets) - Length of domain name.
o Domain Name (0 or more octets) - A Fully Qualified Domain Name o Domain Name (0 or more octets) - A Fully Qualified Domain Name
used for Split DNS rules, such as "example.com", in DNS used for Split DNS rules, such as "example.com", in DNS
presentation format and optionally using IDNA [RFC5890] for presentation format and using IDNA A-label [RFC5890] for
Internationalized Domain Names. Implementors need to be careful Internationalized Domain Names. Implementors need to be careful
that this value is not null-terminated. that this value is not null-terminated.
4.2. INTERNAL_DNSSEC_TA Configuration Attribute 4.2. INTERNAL_DNSSEC_TA Configuration Attribute
An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or
it can contain one Trust Anchor by containing a non-zero Length with it can contain one Trust Anchor by containing a non-zero Length with
a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data
fields. fields.
 End of changes. 8 change blocks. 
14 lines changed or deleted 20 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/