rfcdiff of draft-ietf-hip-rfc5205-bis-02.txt (old) against draft-ietf-hip-rfc5205-bis-03.txt (new).
Where the two versions differ below, the old text is marked "-02:" and the new text "-03:";
text shown once is identical in both versions.

Network Working Group                                          J. Laganier
Internet-Draft                  -02: Juniper Networks   -03: Luminate Wireless, Inc.
Obsoletes: 5205 (if approved)   -02: September 22, 2012 -03: December 11, 2013
Intended status: Standards Track
Expires:                        -02: March 26, 2013     -03: June 14, 2014

      Host Identity Protocol (HIP) Domain Name System (DNS) Extension
      -02: draft-ietf-hip-rfc5205-bis-02   -03: draft-ietf-hip-rfc5205-bis-03
Abstract

   This document specifies a new resource record (RR) for the Domain
   Name System (DNS), and how to use it with the Host Identity Protocol
   (HIP).  This RR allows a HIP node to store in the DNS its Host
   Identity (HI, the public component of the node public-private key
   pair), Host Identity Tag (HIT, a truncated hash of its public key),
   and the Domain Names of its rendezvous servers (RVSs).
   -03 adds: This document obsoletes RFC5205.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on -02: March 26, 2013 / -03: June 14, 2014.

Copyright Notice

   Copyright (c) -02: 2012 / -03: 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Usage Scenarios
     3.1.  Simple Static Singly Homed End-Host
     3.2.  Mobile end-host
   4.  Overview of Using the DNS with HIP
     4.1.  Storing HI, HIT, and RVS in the DNS
     4.2.  Initiating Connections Based on DNS Names
   5.  HIP RR Storage Format
     5.1.  HIT Length Format
     5.2.  PK Algorithm Format
     5.3.  PK Length Format
     5.4.  HIT Format
     5.5.  Public Key Format
     5.6.  Rendezvous Servers Format
   6.  HIP RR Presentation Format
   7.  Examples
   8.  Security Considerations
     8.1.  Attacker Tampering with an Insecure HIP RR
     8.2.  Hash and HITs Collisions
     8.3.  DNSSEC
   9.  IANA Considerations
   10. Contributors
   11. Acknowledgments
   12. References
     12.1.  Normative references
     12.2.  Informative references
   Appendix A.  Changes from RFC 5205
1.  Introduction

   This document specifies a new resource record (RR) for the Domain
   Name System (DNS) [RFC1034], and how to use it with the Host Identity
   Protocol (HIP) [I-D.ietf-hip-rfc5201-bis].  This RR allows a HIP node
   to store in the DNS its Host Identity (HI, the public component of
   the node public-private key pair), Host Identity Tag (HIT, a
   truncated hash of its HI), and the Domain Names of its rendezvous
   servers (RVSs) [I-D.ietf-hip-rfc5204-bis].
   [rfcdiff: unchanged text skipped up to page 4, line 27 (-02) / page 4, line 15 (-03)]
   In these situations, for a node to be reachable by reference to its
   Fully Qualified Domain Name (FQDN), the following information should
   be stored in the DNS:

   o  A set of IP address(es) via A [RFC1035] and AAAA [RFC3596] RR sets
      (RRSets [RFC2181]).

   o  A Host Identity (HI), Host Identity Tag (HIT), and possibly a set
      of rendezvous servers (RVS) through HIP RRs.

   -03 adds: The HIP RR is class independent.
   When a HIP node wants to initiate communication with another HIP
   node, it first needs to perform a HIP base exchange to set up a HIP
   association towards its peer.  Although such an exchange can be
   initiated opportunistically, i.e., without prior knowledge of the
   Responder's HI, by doing so both nodes knowingly risk man-in-the-
   middle attacks on the HIP exchange.  To prevent these attacks, it is
   recommended that the Initiator first obtain the HI of the Responder,
   and then initiate the exchange.  This can be done, for example,
   through manual configuration or DNS lookups.  Hence, a new HIP RR is
   introduced.
   [rfcdiff: unchanged text skipped up to page 5, line 4 (-02) / page 4, line 43 (-03)]
   server as a rendezvous point to maintain reachability with possible
   HIP initiators while moving [RFC5206].  Such a HIP node would publish
   in the DNS its RVS domain name(s) in a HIP RR, while keeping its RVS
   up-to-date with its current set of IP addresses.

   When a HIP node wants to initiate a HIP exchange with a Responder, it
   will perform a number of DNS lookups.  Depending on the type of
   implementation, the order in which those lookups will be issued may
   vary.  For instance, implementations using HIT in APIs may typically
   first query for HIP resource records at the Responder FQDN, while
   those using an IP address in APIs may typically first query for A
   and/or AAAA resource records.

   In the following, we assume that the Initiator first queries for HIP
   resource records at the Responder FQDN.

   If the query for the HIP type was responded to with a DNS answer with
   RCODE=3 (Name Error), then the Responder's information is not present
   in the DNS and further queries for the same owner name SHOULD NOT be
   made.
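   The following is an added worked example and is not code from the
   draft or from any HIP implementation.  It encodes and decodes the HIP
   RR RDATA in the field order the draft's Section 5 lists (HIT length,
   PK algorithm, PK length, HIT, public key, rendezvous server names),
   renders the Section 6 presentation form (algorithm number, base16 HIT,
   base64 HI, RVS names), and applies the lookup rule above: an RCODE=3
   answer to the HIP query ends all further queries for that owner name.
   The RR type code 55 and the algorithm values 1 (DSA, [RFC2536] key
   format) and 2 (RSA, [RFC3110] key format) are the IANA assignments
   used by RFC 5205.  Assumptions: the HIT and HI bytes are constructed
   placeholders, not a real key or its hash; the "no_hip_rr" branch for
   a NOERROR answer that carries no HIP RR is the example's own choice,
   since the paragraph covering that case is cut off on this page.

```python
"""HIP RR (type 55) RDATA encode/decode and the Initiator's first lookup step.
Added example; sample HIT/HI values below are constructed placeholders."""
import base64
import struct

HIP_RR_TYPE = 55           # IANA RR type code for HIP
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3         # RFC 1035 "Name Error"
PK_ALG_NAMES = {1: "DSA", 2: "RSA"}   # PK algorithm values, keys encoded per RFC 2536 / RFC 3110

# Constructed sample data (not a real HI; HIT only carries the 2001:10::/28 ORCHID prefix).
SAMPLE_HIT = bytes.fromhex("20010010" + "0123456789abcdef01234567")
SAMPLE_HI = b"constructed-placeholder-host-identity-not-a-real-key"
SAMPLE_RVS = ["rvs1.example.com.", "rvs2.example.com."]


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name; RVS names in HIP RDATA are never compressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, pos: int):
    """Parse one uncompressed name at pos; returns (name, next_pos). Rejects compression pointers."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in HIP RDATA")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + ".", pos


def encode_hip_rdata(pk_alg: int, hit: bytes, hi: bytes, rvs: list) -> bytes:
    """RDATA = HIT length (1) | PK algorithm (1) | PK length (2) | HIT | HI | RVS names."""
    if not 0 < len(hit) < 256:
        raise ValueError("HIT length must fit in one octet")
    if not 0 < len(hi) < 65536:
        raise ValueError("PK length must fit in two octets")
    return (struct.pack("!BBH", len(hit), pk_alg, len(hi)) + hit + hi
            + b"".join(encode_name(n) for n in rvs))


def decode_hip_rdata(rdata: bytes) -> dict:
    """Inverse of encode_hip_rdata; length fields are checked against the actual RDATA size."""
    hit_len, pk_alg, pk_len = struct.unpack("!BBH", rdata[:4])
    pos = 4
    hit, pos = rdata[pos:pos + hit_len], pos + hit_len
    hi, pos = rdata[pos:pos + pk_len], pos + pk_len
    if len(hit) != hit_len or len(hi) != pk_len:
        raise ValueError("truncated HIP RDATA")
    rvs = []
    while pos < len(rdata):           # zero or more uncompressed RVS names follow
        name, pos = decode_name(rdata, pos)
        rvs.append(name)
    return {"pk_alg": pk_alg, "hit": hit, "hi": hi, "rvs": rvs}


def present_hip_rr(rdata: bytes) -> str:
    """Presentation format: PK algorithm, base16 HIT, base64 HI, then the RVS names."""
    r = decode_hip_rdata(rdata)
    fields = [str(r["pk_alg"]), r["hit"].hex().upper(), base64.b64encode(r["hi"]).decode()]
    return " ".join(fields + r["rvs"])


def next_step_after_hip_query(rcode: int, hip_rdatas: list):
    """Initiator decision after querying the HIP type at the Responder FQDN first.
    Returns (action, decoded_records_or_None)."""
    if rcode == RCODE_NXDOMAIN:
        return ("stop", None)         # Name Error: SHOULD NOT query this owner name again
    if rcode != RCODE_NOERROR:
        return ("error", None)        # assumption: other RCODEs are treated as a failed lookup
    if not hip_rdatas:
        return ("no_hip_rr", None)    # assumption: name exists without a HIP RR; caller decides
    return ("hip", [decode_hip_rdata(r) for r in hip_rdatas])


if __name__ == "__main__":
    rd = encode_hip_rdata(2, SAMPLE_HIT, SAMPLE_HI, SAMPLE_RVS)
    print("example.com. IN HIP ( " + present_hip_rr(rd) + " )")
    print(next_step_after_hip_query(RCODE_NXDOMAIN, []))
```

   Note that the decoder only checks that the record is well formed; an
   unsigned HIP RR still gives an attacker who can tamper with it the
   man-in-the-middle position the draft warns about in Section 8.1, so
   in practice the answer must be validated with DNSSEC (Section 8.3).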
   In case the query for the HIP records returned a DNS answer with
   [rfcdiff: unchanged text skipped up to page 14, line 34 (both versions)]
   have helped improve this document: Jeff Ahrenholz, Rob Austein, Hannu
   Flinck, Olafur Gudmundsson, Tom Henderson, Peter Koch, Olaf Kolkman,
   Miika Komu, Andrew McGregor, Erik Nordmark, and Gabriel Montenegro.

   Some parts of this document stem from the HIP specification
   [I-D.ietf-hip-rfc5201-bis].
12.  References

12.1.  Normative references

   [I-D.ietf-hip-rfc5201-bis]
              Moskowitz, R., Heer, T., Jokela, P., and T. Henderson,
              "Host Identity Protocol Version 2 (HIPv2)",
              -02: draft-ietf-hip-rfc5201-bis-09 (work in progress), July 2012.
              -03: draft-ietf-hip-rfc5201-bis-14 (work in progress), October 2013.

   [I-D.ietf-hip-rfc5204-bis]
              Laganier, J. and L. Eggert, "Host Identity Protocol (HIP)
              Rendezvous Extension",
              -02: draft-ietf-hip-rfc5204-bis-01 (work in progress), March 2011.
              -03: draft-ietf-hip-rfc5204-bis-02 (work in progress), September 2012.

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

   [RFC3596]  Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
              "DNS Extensions to Support IP Version 6", RFC 3596,
              October 2003.

   [RFC4025]  Richardson, M., "A Method for Storing IPsec Keying
              Material in DNS", RFC 4025, March 2005.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements", RFC
              4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, October 2006.
12.2.  Informative references

   [RFC2536]  Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
              (DNS)", RFC 2536, March 1999.

   [RFC3110]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
              Name System (DNS)", RFC 3110, May 2001.

   [RFC3833]  Atkins, D. and R. Austein, "Threat Analysis of the Domain
              Name System (DNS)", RFC 3833, August 2004.

   [RFC4423]  Moskowitz, R. and P. Nikander, "Host Identity Protocol
              (HIP) Architecture", RFC 4423, May 2006.

   [RFC5205]  Nikander, P. and J. Laganier, "Host Identity Protocol
              (HIP) Domain Name System (DNS) Extensions", RFC 5205,
              April 2008.

   [RFC5206]  Henderson, T., Ed., "End-Host Mobility and Multihoming
              with the Host Identity Protocol", RFC 5206, April 2008.
Appendix A.  Changes from RFC 5205

   o  Updated HIP references to revised HIP specifications.
Author's Address

   Julien Laganier
   -02: Juniper Networks              -03: Luminate Wireless, Inc.
   -02: 1094 North Mathilda Avenue    -03: Cupertino, CA
   -02: Sunnyvale, CA 94089
   USA

   -02 only: Phone: +1 408 936 0385
   EMail: julien.ietf@gmail.com
End of changes.  30 change blocks.  104 lines changed or deleted, 87 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/