--- 1/draft-ietf-mboned-driad-amt-discovery-01.txt 2019-03-08 15:13:25.647834067 -0800 +++ 2/draft-ietf-mboned-driad-amt-discovery-02.txt 2019-03-08 15:13:25.715835750 -0800 @@ -1,19 +1,19 @@ Mboned J. Holland Internet-Draft Akamai Technologies, Inc. -Updates: 7450 (if approved) February 14, 2019 +Updates: 7450 (if approved) March 08, 2019 Intended status: Standards Track -Expires: August 18, 2019 +Expires: September 9, 2019 DNS Reverse IP AMT Discovery - draft-ietf-mboned-driad-amt-discovery-01 + draft-ietf-mboned-driad-amt-discovery-02 Abstract This document updates RFC 7450 (Automatic Multicast Tunneling, or AMT) by extending the relay discovery process to use a new DNS resource record named AMTRELAY when discovering AMT relays for source-specific multicast channels. The reverse IP DNS zone for a multicast sender's IP address is configured to use AMTRELAY resource records to advertise a set of AMT relays that can receive and forward multicast traffic from that sender over an AMT tunnel. @@ -26,21 +26,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 18, 2019. + This Internet-Draft will expire on September 9, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -90,29 +90,29 @@ 4.2.1. RData Format - Precedence . . . . . . . . . . . . . . 24 4.2.2. RData Format - Discovery Optional (D-bit) . . . . . . 24 4.2.3. RData Format - Type . . . . . . . . . . . . . . . . . 24 4.2.4. RData Format - Relay . . . . . . . . . . . . . . . . 25 4.3. AMTRELAY Record Presentation Format . . . . . . . . . . . 25 4.3.1. Representation of AMTRELAY RRs . . . . . . . . . . . 25 4.3.2. Examples . . . . . . . . . . . . . . . . . . . . . . 26 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27 - 6.1. Record-spoofing . . . . . . . . . . . . . . . . . . . . . 27 - 6.2. Local Override . . . . . . . . . . . . . . . . . . . . . 27 - 6.3. Congestion . . . . . . . . . . . . . . . . . . . . . . . 27 + 6.1. Use of AMT . . . . . . . . . . . . . . . . . . . . . . . 27 + 6.2. Record-spoofing . . . . . . . . . . . . . . . . . . . . . 27 + 6.3. Congestion . . . . . . . . . . . . . . . . . . . . . . . 28 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 28 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 8.1. Normative References . . . . . . . . . . . . . . . . . . 28 - 8.2. Informative References . . . . . . . . . . . . . . . . . 29 - Appendix A. Unknown RRType construction . . . . . . . . . . . . 30 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 31 + 8.2. Informative References . . . . . . . . . . . . . . . . . 30 + Appendix A. Unknown RRType construction . . . . . . . . . . . . 31 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 32 1. Introduction This document defines DNS Reverse IP AMT Discovery (DRIAD), a mechanism for AMT gateways to discover AMT relays that are capable of forwarding multicast traffic from a known source IP address. AMT (Automatic Multicast Tunneling) is defined in [RFC7450], and provides a method to transport multicast traffic over a unicast tunnel, in order to traverse non-multicast-capable network segments. @@ -1216,57 +1216,75 @@ | 3 | A wire-encoded domain name is present | | 4-255 | Unassigned | +-------+---------------------------------------+ Values 0, 1, 2, and 3 are further explained in Section 4.2.3 and Section 4.2.4. Relay type numbers 4 through 255 can be assigned with a policy of Specification Required (as described in [RFC8126]). 6. Security Considerations - [ TBD: these 3 are just the first few most obvious issues, with just - sketches of the problem. Explain better, and look for trickier - issues. ] +6.1. Use of AMT -6.1. Record-spoofing + This document defines a mechanism that enables a more widespread and + automated use of AMT, even without access to a multicast backbone. + Operators of networks and applications that include a DRIAD-capable + AMT gateway are advised to carefully consider the security + considerations in Section 6 of [RFC7450]. - If AMT is used to ingest multicast traffic, providing a false - AMTRELAY record to a gateway using it for discovery can result in - Denial of Service, or artificial multicast traffic from a source - under an attacker's control. + AMT gateway operators also are encouraged to implement the + opportunistic use of IPSec [RFC4301] when IPSECKEY records [RFC4025] + are available to secure traffic from AMT relays, or when a trust + relationship with the AMT relays can be otherwise secured. - Therefore, it is important to ensure that the AMTRELAY record is - authentic, with DNSSEC [RFC4033] or other operational safeguards that - can provide assurance of the authenticity of the record contents. +6.2. Record-spoofing -6.2. Local Override + The AMTRELAY resource record contains information that SHOULD be + communicated to the DNS client without being modified. The method + used to ensure the result was unmodified is up to the client. - The local relays, while important for overall network performance, - can't be secured by DNSSEC. + There must be a trust relationship between the end consumer of this + resource record and the DNS server. This relationship may be end-to- + end DNSSEC validation, a TSIG [RFC2845] or SIG(0) [RFC2931] channel + to another secure source, a secure local channel on the host, DNS + over TLS [RFC7858] or HTTPS [RFC8484], or some other secure + mechanism. + + If an AMT gateway accepts a maliciously crafted AMTRELAY record, the + result could be a Denial of Service, or receivers processing + multicast traffic from a source under the attacker's control. 6.3. Congestion Multicast traffic, particularly interdomain multicast traffic, carries some congestion risks, as described in Section 4 of - [RFC8085]. Network operators are advised to take precautions - including monitoring of application traffic behavior, traffic - authentication, and rate-limiting of multicast traffic, in order to - ensure network health. + [RFC8085]. + + Application implementors and network operators that use DRIAD-capable + AMT gateways are advised to take precautions including monitoring of + application traffic behavior, traffic authentication at ingest, rate- + limiting of multicast traffic, and the use of circuit-breaker + techniques such as those described in Section 3.1.10 of [RFC8085] and + similar protections at the network level, in order to ensure network + health in the event of misconfiguration, poorly written applications + that don't follow UDP congestion control principles, or deliberate + attack. 7. Acknowledgements This specification was inspired by the previous work of Doug Nortz, Robert Sayko, David Segelstein, and Percy Tarapore, presented in the MBONED working group at IETF 93. Thanks to Jeff Goldsmith, Toerless Eckert, Mikael Abrahamsson, Lenny - Giuliano, and Mark Andrews for their very helpful comments. + Giuliano, Mark Andrews, Sandy Zheng, Kyle Rose, and Ben Kaduk for + their very helpful comments. 8. References 8.1. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, . [RFC1035] Mockapetris, P., "Domain names - implementation and @@ -1337,29 +1355,41 @@ DOI 10.17487/RFC8305, December 2017, . 8.2. Informative References [RFC2317] Eidnes, H., de Groot, G., and P. Vixie, "Classless IN- ADDR.ARPA delegation", BCP 20, RFC 2317, DOI 10.17487/RFC2317, March 1998, . + [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. + Wellington, "Secret Key Transaction Authentication for DNS + (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000, + . + + [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures + ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September + 2000, . + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, . - [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. - Rose, "DNS Security Introduction and Requirements", - RFC 4033, DOI 10.17487/RFC4033, March 2005, - . + [RFC4025] Richardson, M., "A Method for Storing IPsec Keying + Material in DNS", RFC 4025, DOI 10.17487/RFC4025, March + 2005, . + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, + December 2005, . [RFC5110] Savola, P., "Overview of the Internet Multicast Routing Architecture", RFC 5110, DOI 10.17487/RFC5110, January 2008, . [RFC6726] Paila, T., Walsh, R., Luby, M., Roca, V., and R. Lehtonen, "FLUTE - File Delivery over Unidirectional Transport", RFC 6726, DOI 10.17487/RFC6726, November 2012, . @@ -1367,31 +1397,40 @@ Traffic Leakages in Dual-Stack Hosts/Networks", RFC 7359, DOI 10.17487/RFC7359, August 2014, . [RFC7761] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I., Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761, March 2016, . + [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., + and P. Hoffman, "Specification for DNS over Transport + Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May + 2016, . + [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC8313] Tarapore, P., Ed., Sayko, R., Shepherd, G., Eckert, T., Ed., and R. Krishnan, "Use of Multicast across Inter- domain Peering Points", BCP 213, RFC 8313, DOI 10.17487/RFC8313, January 2018, . + [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS + (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, + . + [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, January 2019, . Appendix A. Unknown RRType construction In a DNS resolver that understands the AMTRELAY type, the zone file might contain this line: IN AMTRELAY 128 0 3 amtrelays.example.com.