draft-ietf-ipsecme-split-dns-16.txt   draft-ietf-ipsecme-split-dns-17.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: May 30, 2019 Red Hat Expires: September 12, 2019 Red Hat
November 26, 2018 March 11, 2019
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-16 draft-ietf-ipsecme-split-dns-17
Abstract Abstract
This document defines two Configuration Payload Attribute Types This document defines two Configuration Payload Attribute Types
(INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key
Exchange Protocol Version 2 (IKEv2). These payloads add support for Exchange Protocol Version 2 (IKEv2). These payloads add support for
private (internal-only) DNS domains. These domains are intended to private (internal-only) DNS domains. These domains are intended to
be resolved using non-public DNS servers that are only reachable be resolved using non-public DNS servers that are only reachable
through the IPsec connection. DNS resolution for other domains through the IPsec connection. DNS resolution for other domains
remains unchanged. These Configuration Payloads only apply to split remains unchanged. These Configuration Payloads only apply to split
tunnel configurations. tunnel configurations.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 30, 2019. This Internet-Draft will expire on September 12, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 5 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 5 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 6
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 7 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 7
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 7 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 8 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 9
5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 10 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 10
6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 11 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
9.1. Normative References . . . . . . . . . . . . . . . . . . 14 9.1. Normative References . . . . . . . . . . . . . . . . . . 14
9.2. Informative References . . . . . . . . . . . . . . . . . 15 9.2. Informative References . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
skipping to change at page 5, line 11 skipping to change at page 5, line 11
untrusted networks (eg coffee shops or hotel networks). Or the untrusted networks (eg coffee shops or hotel networks). Or the
client could prefer the IPsec based DNS servers because those provide client could prefer the IPsec based DNS servers because those provide
additional features over the local DNS servers. additional features over the local DNS servers.
3. Protocol Exchange 3. Protocol Exchange
In order to negotiate which domains are considered internal to an In order to negotiate which domains are considered internal to an
IKEv2 tunnel, initiators indicate support for Split DNS in their IKEv2 tunnel, initiators indicate support for Split DNS in their
CFG_REQUEST payloads, and responders assign internal domains (and CFG_REQUEST payloads, and responders assign internal domains (and
DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS
has been negotiated, the existing DNS server configuration attributes has been negotiated, the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS DNS
will be interpreted as internal DNS servers that can resolve server configuration attributes will be interpreted as internal DNS
hostnames within the internal domains. servers that can resolve hostnames within the internal domains.
3.1. Configuration Request 3.1. Configuration Request
To indicate support for Split DNS, an initiator includes one more To indicate support for Split DNS, an initiator includes one or more
INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the
CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included
in the CFG_REQUEST, the initiator MUST also include one or more in the CFG_REQUEST, the initiator MUST also include one or more
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REQUEST. INTERNAL_IP4_DNS or INTERNAL_IP6_DNS attributes in the CFG_REQUEST.
The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually
empty but MAY contain a suggested domain name. empty but MAY contain a suggested domain name.
The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST
payload indicates that the initiator does not support or is unwilling payload indicates that the initiator does not support or is unwilling
to accept Split DNS configuration. to accept Split DNS configuration.
To indicate support for DNSSEC, an initiator includes one or more To indicate support for receiving DNSSEC trust anchors for Split DNS
INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the domains, an initiator includes one or more INTERNAL_DNSSEC_TA
CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attribute is included attributes as defined in Section 4 as part of the CFG_REQUEST
in the CFG_REQUEST, the initiator MUST also include one or more payload. If an INTERNAL_DNSSEC_TA attribute is included in the
CFG_REQUEST, the initiator MUST also include one or more
INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator
includes an INTERNAL_DNSSEC_TA attribute, but does not inclue an includes an INTERNAL_DNSSEC_TA attribute, but does not include an
INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with
both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes. both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes.
An initiator MAY convey its current DNSSEC trust anchors for the An initiator MAY convey its current DNSSEC trust anchors for the
domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does domain specified in the INTERNAL_DNS_DOMAIN attribute. A responder
not wish to convey this information, it MUST use a length of 0. can use this information to determine that it does not need to send a
different trust anchor. If the initiator does not wish to convey
this information, it MUST use a length of 0.
The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST
payload indicates that the initiator does not support or is unwilling payload indicates that the initiator does not support or is unwilling
to accept DNSSEC trust anchor configuration. to accept DNSSEC trust anchor configuration.
3.2. Configuration Reply 3.2. Configuration Reply
Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in
their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is
included in the CFG_REPLY, the responder MUST also include one or included in the CFG_REPLY, the responder MUST also include one or
both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the
CFG_REPLY. These DNS server configurations are necessary to define CFG_REPLY. These DNS server configurations are necessary to define
which servers can receive queries for hostnames in internal domains. which servers can receive queries for hostnames in internal domains.
If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the
CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the
initiator MUST behave as if Split DNS configurations are not initiator MUST behave as if Split DNS configurations are not
supported by the server, unless the initiator has been configured supported by the server, unless the initiator has been configured
with local polict to define a set of Split DNS domains to use by with local policy to define a set of Split DNS domains to use by
default. default.
Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers
address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve.
If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non-
zero lengths, the content MAY be ignored or be interpreted as a zero lengths, the content MAY be ignored or be interpreted as a
suggestion by the responder. suggestion by the responder.
For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute,
skipping to change at page 6, line 39 skipping to change at page 6, line 46
All DNS servers provided in the CFG_REPLY MUST support resolving All DNS servers provided in the CFG_REPLY MUST support resolving
hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, hostnames within all INTERNAL_DNS_DOMAIN domains. In other words,
the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a
single list of Split DNS domains that applies to the entire list of single list of Split DNS domains that applies to the entire list of
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes.
3.4. Example Exchanges 3.4. Example Exchanges
3.4.1. Simple Case 3.4.1. Simple Case
In this example exchange, the initiator requests INTERNAL_IP4_DNS and In this example exchange, the initiator requests INTERNAL_IP4_DNS,
INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not INTERNAL_IP6_DNS, and INTERNAL_DNS_DOMAIN attributes in the
specify any value for either. This indicates that it supports Split CFG_REQUEST, but does not specify any value for either. This
DNS, but has no preference for which DNS requests will be routed indicates that it supports Split DNS, but has no preference for which
through the tunnel. DNS requests will be routed through the tunnel.
The responder replies with two DNS server addresses, and two internal The responder replies with two DNS server addresses, and two internal
domains, "example.com" and "city.other.test". domains, "example.com" and "city.other.test".
Any subsequent DNS queries from the initiator for domains such as Any subsequent DNS queries from the initiator for domains such as
"www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve. "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve.
CP(CFG_REQUEST) = CP(CFG_REQUEST) =
INTERNAL_IP4_ADDRESS() INTERNAL_IP4_ADDRESS()
INTERNAL_IP4_DNS() INTERNAL_IP4_DNS()
INTERNAL_IP6_ADDRESS()
INTERNAL_IP6_DNS()
INTERNAL_DNS_DOMAIN() INTERNAL_DNS_DOMAIN()
CP(CFG_REPLY) = CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.2)
INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_IP4_DNS(198.51.100.4)
INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNS_DOMAIN(example.com)
INTERNAL_DNS_DOMAIN(city.other.test) INTERNAL_DNS_DOMAIN(city.other.test)
3.4.2. Requesting Domains and DNSSEC trust anchors 3.4.2. Requesting Domains and DNSSEC trust anchors
In this example exchange, the initiator requests INTERNAL_IP4_DNS, In this example exchange, the initiator requests INTERNAL_IP4_DNS,
INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes in the INTERNAL_IP6_DNS, INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA
CFG_REQUEST. attributes in the CFG_REQUEST.
Any subsequent DNS queries from the initiator for domains such as Any subsequent DNS queries from the initiator for domains such as
"www.example.com" or "city.other.test" would be DNSSEC validated "www.example.com" or "city.other.test" would be DNSSEC validated
using the DNSSEC trust anchor received in the CFG_REPLY. using the DNSSEC trust anchor received in the CFG_REPLY.
In this example, the initiator has no existing DNSSEC trust anchors In this example, the initiator has no existing DNSSEC trust anchors
would the requested domain. the "example.com" dommain has DNSSEC would the requested domain. The "example.com" dommain has DNSSEC
trust anchors that are returned, while the "other.test" domain has no trust anchors that are returned, while the "other.test" domain has no
DNSSEC trust anchors. DNSSEC trust anchors.
CP(CFG_REQUEST) = CP(CFG_REQUEST) =
INTERNAL_IP4_ADDRESS() INTERNAL_IP4_ADDRESS()
INTERNAL_IP4_DNS() INTERNAL_IP4_DNS()
INTERNAL_IP6_ADDRESS()
INTERNAL_IP6_DNS()
INTERNAL_DNS_DOMAIN() INTERNAL_DNS_DOMAIN()
INTERNAL_DNSSEC_TA() INTERNAL_DNSSEC_TA()
CP(CFG_REPLY) = CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.2)
INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_IP4_DNS(198.51.100.4)
INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNS_DOMAIN(example.com)
INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...) INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...)
INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...) INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...)
INTERNAL_DNS_DOMAIN(city.other.test) INTERNAL_DNS_DOMAIN(city.other.test)
4. Payload Formats 4. Payload Formats
All multi-octet fields representing integers are laid out in big All multi-octet fields representing integers are laid out in big
endian order (also known as "most significant byte first", or endian order (also known as "most significant byte first", or
"network byte order"). "network byte order").
skipping to change at page 9, line 46 skipping to change at page 10, line 22
o Digest Data (1 or more octets) - The DNSKEY digest as specified in o Digest Data (1 or more octets) - The DNSKEY digest as specified in
[RFC4034] Section 5.1 in presentation format. [RFC4034] Section 5.1 in presentation format.
Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST
immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As
the INTERNAL_DNSSEC_TA format itself does not contain the domain the INTERNAL_DNSSEC_TA format itself does not contain the domain
name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the
domain for which it specifies the trust anchor. Any domain for which it specifies the trust anchor. Any
INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying
to the same domain name MUST be ignored and treated as a protocol to the same domain name MUST be ignored.
error.
5. INTERNAL_DNS_DOMAIN Usage Guidelines 5. INTERNAL_DNS_DOMAIN Usage Guidelines
If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes,
the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
servers as the default DNS server(s) for all queries. servers as the default DNS server(s) for all queries.
If a client is configured by local policy to only accept a limited If a client is configured by local policy to only accept a limited
number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any set of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other
other INTERNAL_DNS_DOMAIN values. INTERNAL_DNS_DOMAIN values.
For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
prohibited by local policy, the client MUST use the provided prohibited by local policy, the client MUST use the provided
INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only
resolvers for the listed domains and its sub-domains and it MUST NOT resolvers for the listed domains and its sub-domains and it MUST NOT
attempt to resolve the provided DNS domains using its external DNS attempt to resolve the provided DNS domains using its external DNS
servers. Other domain names SHOULD be resolved using some other servers. Other domain names SHOULD be resolved using some other
external DNS resolver(s), configured independently from IKE. Queries external DNS resolver(s), configured independently from IKE. Queries
for these other domains MAY be sent to the internal DNS resolver(s) for these other domains MAY be sent to the internal DNS resolver(s)
listed in that CFG_REPLY message, but have no guarantee of being listed in that CFG_REPLY message, but have no guarantee of being
skipping to change at page 10, line 49 skipping to change at page 11, line 19
flushing all cached data for DNS domains provided by the flushing all cached data for DNS domains provided by the
INTERNAL_DNS_DOMAIN attribute, including negative cache entries; INTERNAL_DNS_DOMAIN attribute, including negative cache entries;
removing any obtained DNSSEC trust anchors from the list of trust removing any obtained DNSSEC trust anchors from the list of trust
anchors; and clearing the outstanding DNS request queue. anchors; and clearing the outstanding DNS request queue.
INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel
configurations where only a subset of traffic is routed into a configurations where only a subset of traffic is routed into a
private remote network using the IPsec connection. If all traffic is private remote network using the IPsec connection. If all traffic is
routed over the IPsec connection, the existing global routed over the IPsec connection, the existing global
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating
specific DNS exemptions. specific DNS or DNSSEC exemptions.
6. INTERNAL_DNSSEC_TA Usage Guidelines 6. INTERNAL_DNSSEC_TA Usage Guidelines
DNS records can be used to publish specific records containing trust DNS records can be used to publish specific records containing trust
anchors for applications. The most common record type is the TLSA anchors for applications. The most common record type is the TLSA
record specified in [RFC6698]. This DNS record type publishes which record specified in [RFC6698]. This DNS record type publishes which
CA certificate or EE certificate to expect for a certain host name. Certificate Authority (CA) certificate or End Entity (EE) certificate
These records are protected by DNSSEC and thus can be trusted by the to expect for a certain host name. These records are protected by
application. Whether to trust TLSA records instead of the DNSSEC and thus are trustable by the application. Whether to trust
traditional WebPKI depends on the local policy of the client. By TLSA records instead of the traditional WebPKI depends on the local
accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote policy of the client. By accepting an INTERNAL_DNSSEC_TA trust
IKE server, the IPsec client might be allowing the remote IKE server anchor via IKE from the remote IKE server, the IPsec client might be
to override the trusted certificates for TLS. Similar override allowing the remote IKE server to override the trusted certificates
concerns apply to other public key or fingerprint based DNS records, for TLS. Similar override concerns apply to other public key or
such as OPENPGPKEY, SMIMEA or IPSECKEY records. fingerprint-based DNS records, such as OPENPGPKEY, SMIMEA or IPSECKEY
records.
Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as
the equivalent of installing an Enterprise Certificate Authority (CA) the equivalent of installing an Enterprise CA certificate. It allows
certificate. It allows the remote IKE/IPsec server to modify DNS the remote IKE/IPsec server to modify DNS answers including DNSSEC
answers including its DNSSEC cryptographic signatures by overriding cryptographic signatures by overriding existing DNS information with
existing DNS information with trust anchor conveyed via IKE and trust anchor conveyed via IKE and (temporarilly) installed on the IKE
(temporarilly) installed on the IKE client. Of specific concern is client. Of specific concern is the overriding of [RFC6698] based
the overriding of [RFC6698] based TLSA records, which represent a TLSA records, which represent a confirmation or override of an
confirmation or override of an existing WebPKI TLS certificate. existing WebPKI TLS certificate. Other DNS record types that convey
Other DNS record types that convey cryptographic materials (public cryptographic materials (public keys or fingerprints) are OPENPGPKEY,
keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY SMIMEA, SSHP and IPSECKEY records.
records.
IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use
a whitelist of one or more domains that can be updated out of band. a whitelist of one or more domains that can be updated out of band.
IKE clients with an empty whitelist MUST NOT use any IKE clients with an empty whitelist MUST NOT use any
INTERNAL_DNSSEC_TA attributes received over IKE. Such clients MAY INTERNAL_DNSSEC_TA attributes received over IKE. Such clients MAY
interpret receiving an INTERNAL_DNSSEC_TA attribute for a non- interpret receiving an INTERNAL_DNSSEC_TA attribute for a non-
whitelisted domain as an indication that their local configuration whitelisted domain as an indication that their local configuration
may need to be updated out of band. may need to be updated out of band.
IKE clients should take care to only whitelist domains that apply to IKE clients should take care to only whitelist domains that apply to
skipping to change at page 12, line 17 skipping to change at page 12, line 34
Any updates to this whitelist of domain names MUST happen via Any updates to this whitelist of domain names MUST happen via
explicit human interaction or by a trusted automated provision system explicit human interaction or by a trusted automated provision system
to prevent malicious invisible installation of trust anchors in case to prevent malicious invisible installation of trust anchors in case
of aIKE server compromise. of aIKE server compromise.
IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for
subdomain names of the whitelisted domain names. For example, if subdomain names of the whitelisted domain names. For example, if
"example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for
"antartica.example.net" SHOULD be accepted. "antartica.example.net" SHOULD be accepted.
IKE clients MAY interpret an INTERNAL_DNSSEC_TA for domain that was IKE clients MUST ignore any received INTERNAL_DNSSEC_TA attributes
not preconfigured as an indication that it needs to update its IKE for a FDQN for which it did not receive and accept an
configuration (out of band). The client MUST NOT use such a INTERNAL_DNS_DOMAIN Configuration Payload.
INTERNAL_DNSSEC_TA to reconfigure its local DNS settings.
IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for
a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN
Configuration Payload.
In most deployment scenario's, the IKE client has an expectation that In most deployment scenarios, the IKE client has an expectation that
it is connecting, using a split-network setup, to a specific it is connecting, using a split-network setup, to a specific
organisation or enterprise. A recommended policy would be to only organisation or enterprise. A recommended policy would be to only
accept INTERNAL_DNSSEC_TA directives from that organization's DNS accept INTERNAL_DNSSEC_TA directives from that organization's DNS
names. However, this might not be possible in all deployment names. However, this might not be possible in all deployment
scenarios, such as one where the IKE server is handing out a number scenarios, such as one where the IKE server is handing out a number
of domains that are not within one parent domain. of domains that are not within one parent domain.
7. Security Considerations 7. Security Considerations
As stated in Section 2, if the negotiated IPsec connection is not a As stated in Section 2, if the negotiated IPsec connection is not a
skipping to change at page 12, line 39 skipping to change at page 13, line 4
accept INTERNAL_DNSSEC_TA directives from that organization's DNS accept INTERNAL_DNSSEC_TA directives from that organization's DNS
names. However, this might not be possible in all deployment names. However, this might not be possible in all deployment
scenarios, such as one where the IKE server is handing out a number scenarios, such as one where the IKE server is handing out a number
of domains that are not within one parent domain. of domains that are not within one parent domain.
7. Security Considerations 7. Security Considerations
As stated in Section 2, if the negotiated IPsec connection is not a As stated in Section 2, if the negotiated IPsec connection is not a
split tunnel configuration, the INTERNAL_DNS_DOMAIN and split tunnel configuration, the INTERNAL_DNS_DOMAIN and
INTERNAL_DNSSEC_TA Configuration Payloads MUST be ignored. INTERNAL_DNSSEC_TA Configuration Payloads MUST be ignored.
Otherwise, generic VPN service providers could maliciously override Otherwise, generic VPN service providers could maliciously override
DNSSEC based trust anchors of public DNS domains. DNSSEC based trust anchors of public DNS domains.
An initiator MUST only accept INTERNAL_DNSSEC_TA's for which it has a An initiator MUST only accept INTERNAL_DNSSEC_TAs for which it has a
whitelist. It MAY treat a received INTERNAL_DNSSEC_TA for an non- whitelist, since this mechanism allows the credential used to
whitelisted domain as a signal to update the whitelist via a non-IKE authenticate an IKEv2 association to be leveraged into authenticating
provisioning mechanism. See Section 6 for additional security credentials for other connections. Initiators should ensure that
considerations for DNSSEC trust anchors. they have sufficient trust in the responder when using this
mechanism. An initiator MAY treat a received INTERNAL_DNSSEC_TA for
an non-whitelisted domain as a signal to update the whitelist via a
non-IKE provisioning mechanism. See Section 6 for additional
security considerations for DNSSEC trust anchors.
The use of Split DNS configurations assigned by an IKEv2 responder is The use of Split DNS configurations assigned by an IKEv2 responder is
predicated on the trust established during IKE SA authentication. predicated on the trust established during IKE SA authentication.
However, if IKEv2 is being negotiated with an anonymous or unknown However, if IKEv2 is being negotiated with an anonymous or unknown
endpoint (such as for Opportunistic Security [RFC7435]), the endpoint (such as for Opportunistic Security [RFC7435]), the
initiator MUST ignore Split DNS configurations assigned by the initiator MUST ignore Split DNS configurations assigned by the
responder. responder.
If a host connected to an authenticated IKE peer is connecting to If a host connected to an authenticated IKE peer is connecting to
another IKE peer that attempts to claim the same domain via the another IKE peer that attempts to claim the same domain via the
skipping to change at page 13, line 31 skipping to change at page 13, line 49
".internal". These two connections MUST NOT be allowed to be active ".internal". These two connections MUST NOT be allowed to be active
at the same time. at the same time.
If the initiator is using DNSSEC validation for a domain in its If the initiator is using DNSSEC validation for a domain in its
public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN
attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure
its DNS resolver to allow for an insecure delegation. It SHOULD NOT its DNS resolver to allow for an insecure delegation. It SHOULD NOT
accept insecure delegations for domains that are DNSSEC signed in the accept insecure delegations for domains that are DNSSEC signed in the
public DNS view, for which it has not explicitly requested such public DNS view, for which it has not explicitly requested such
deletation by specifying the domain specifically using a deletation by specifying the domain specifically using a
INTERNAL_DNS_DOMAIN(domain) request. INTERNAL_DNS_DOMAIN request.
Deployments that configure INTERNAL_DNS_DOMAIN domains should pay Deployments that configure INTERNAL_DNS_DOMAIN domains should pay
close attention to their use of indirect reference RRtypes in their close attention to their use of indirect reference RRtypes in their
internal-only domain names. Examples of such RRtypes are NS, CNAME, internal-only domain names. Examples of such RRtypes are NS, CNAME,
DNAME, MX or SRV records. For example, if the MX record for DNAME, MX or SRV records. For example, if the MX record for
"internal.example.com" points to "mx.internal.example.net", then both "internal.example.com" points to "mx.internal.example.net", then both
"internal.example.com" and "internal.example.net" should be sent "internal.example.com" and "internal.example.net" should be sent
using an INTERNAL_DNS_DOMAIN Configuration Payload. using an INTERNAL_DNS_DOMAIN Configuration Payload.
IKE clients MAY want to require whitelisted domains for Top Level IKE clients MAY want to require whitelisted domains for Top Level
skipping to change at page 14, line 32 skipping to change at page 14, line 48
9.1. Normative References 9.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<https://www.rfc-editor.org/info/rfc1918>. <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>. <https://www.rfc-editor.org/info/rfc5890>.
skipping to change at page 15, line 17 skipping to change at page 15, line 32
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775,
DOI 10.17487/RFC2775, February 2000, <https://www.rfc- DOI 10.17487/RFC2775, February 2000,
editor.org/info/rfc2775>. <https://www.rfc-editor.org/info/rfc2775>.
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435, Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>. December 2014, <https://www.rfc-editor.org/info/rfc7435>.
Authors' Addresses Authors' Addresses
Tommy Pauly Tommy Pauly
Apple Inc. Apple Inc.
One Apple Park Way One Apple Park Way
 End of changes. 35 change blocks. 
74 lines changed or deleted 84 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/