draft-ietf-ipsecme-split-dns-10.txt | draft-ietf-ipsecme-split-dns-11.txt | |||
---|---|---|---|---|
Network T. Pauly | Network T. Pauly | |||
Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
Expires: January 19, 2019 Red Hat | Expires: January 20, 2019 Red Hat | |||
July 18, 2018 | July 19, 2018 | |||
Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
draft-ietf-ipsecme-split-dns-10 | draft-ietf-ipsecme-split-dns-11 | |||
Abstract | Abstract | |||
This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for | |||
the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These | |||
domains are intended to be resolved using DNS servers reachable | domains are intended to be resolved using DNS servers reachable | |||
through an IPsec connection, while leaving all other DNS resolution | through an IPsec connection, while leaving all other DNS resolution | |||
unchanged. This approach of resolving a subset of domains using non- | unchanged. This approach of resolving a subset of domains using non- | |||
public DNS servers is referred to as "Split DNS". | public DNS servers is referred to as "Split DNS". | |||
skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on January 19, 2019. | This Internet-Draft will expire on January 20, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 23 ¶ | skipping to change at page 2, line 23 ¶ | |||
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 | 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 | |||
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | |||
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | |||
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | |||
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | |||
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | |||
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | |||
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 | and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | |||
5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 | 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 8 | |||
6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 | 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 9 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
9.2. Informative References . . . . . . . . . . . . . . . . . 13 | 9.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
1. Introduction | 1. Introduction | |||
Split DNS is a common configuration for secure tunnels, such as | Split DNS is a common configuration for secure tunnels, such as | |||
Virtual Private Networks in which host machines private to an | Virtual Private Networks in which host machines private to an | |||
organization can only be resolved using internal DNS resolvers | organization can only be resolved using internal DNS resolvers | |||
skipping to change at page 3, line 37 ¶ | skipping to change at page 3, line 37 ¶ | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
2. Background | 2. Background | |||
Split DNS is a common configuration for enterprise VPN deployments, | Split DNS is a common configuration for enterprise VPN deployments, | |||
in which only one or a few private DNS domains are accessible and | in which one or more private DNS domains are only accessible and | |||
resolvable via an IPsec based VPN connection. | resolvable via an IPsec based VPN connection. | |||
Other tunnel-establishment protocols already support the assignment | Other tunnel-establishment protocols already support the assignment | |||
of Split DNS domains. For example, there are proprietary extensions | of Split DNS domains. For example, there are proprietary extensions | |||
to IKEv1 that allow a server to assign Split DNS domains to a client. | to IKEv1 that allow a server to assign Split DNS domains to a client. | |||
However, the IKEv2 standard does not include a method to configure | However, the IKEv2 standard does not include a method to configure | |||
this option. This document defines a standard way to negotiate this | this option. This document defines a standard way to negotiate this | |||
option for IKEv2. | option for IKEv2. | |||
3. Protocol Exchange | 3. Protocol Exchange | |||
skipping to change at page 8, line 13 ¶ | skipping to change at page 7, line 44 ¶ | |||
fields. | fields. | |||
An empty INTERNAL_DNSSEC_TA CFG attribute: | An empty INTERNAL_DNSSEC_TA CFG attribute: | |||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
|R| Attribute Type | Length (set to 0) | | |R| Attribute Type | Length (set to 0) | | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | ||||
o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. | ||||
o Length (2 octets) - Set to 0 for an empty attribute. | ||||
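Review bot: with the three field bullets deleted under the empty-attribute diagram, the only remaining description of the empty form is "Length (set to 0)" inside the figure, while the bullets under the non-empty figure now read "Length (2 octets) - Length of DNSSEC Trust Anchor data (4 octets plus the length of the Digest Data)", which no longer accounts for a zero length; add one sentence after the first diagram stating when the empty form is used, or keep the zero case in the Length bullet.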
A non-empty INTERNAL_DNSSEC_TA CFG attribute: | A non-empty INTERNAL_DNSSEC_TA CFG attribute: | |||
1 2 3 | 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
|R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
+-+-----------------------------+---------------+---------------+ | +-+-----------------------------+---------------+---------------+ | |||
| DNSKEY Key Tag | DNSKEY Alg | Digest Type | | | DNSKEY Key Tag | DNSKEY Alg | Digest Type | | |||
+-------------------------------+---------------+---------------+ | +-------------------------------+---------------+---------------+ | |||
| | | | | | |||
~ Digest Data ~ | ~ Digest Data ~ | |||
| | | | | | |||
+---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. | o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. | |||
o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4 | o Length (2 octets) - Length of DNSSEC Trust Anchor data (4 octets | |||
octets plus the length of the Digest Data). | plus the length of the Digest Data). | |||
o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key | o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag | |||
Tag as specified in [RFC4034] Section 5.1. | as specified in [RFC4034] Section 5.1. | |||
o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the | o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA | |||
IANA DNS Security Algorithm Numbers Registry. | DNS Security Algorithm Numbers Registry. | |||
o Digest Type (0 or 1 octet) - DS algorithm value from the IANA | o Digest Type (1 octet) - DS algorithm value from the IANA | |||
Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms | Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms | |||
Registry. | Registry. | |||
o Digest Data (0 or more octets) - The DNSKEY digest as specified in | o Digest Data (1 or more octets) - The DNSKEY digest as specified in | |||
[RFC4034] Section 5.1 in presentation format. | [RFC4034] Section 5.1 in presentation format. | |||
INTERNAL_DNSSEC_TA payloads MUST immediately follow an | Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST | |||
INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself | immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As | |||
does not contain the domain name, it relies on the preceding | the INTERNAL_DNSSEC_TA format itself does not contain the domain | |||
INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the | name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the | |||
trust anchor. | domain for which it specifies the trust anchor. Any | |||
INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an | ||||
INTERNAL_DNS_DOMAIN attribute MUST be ignored and treated as a | ||||
protocol error. | ||||
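Review bot: "MUST be ignored and treated as a protocol error" in the new closing sentence gives two different instructions, since ignoring an attribute and raising a protocol error (which in IKEv2 normally means failing the exchange) are distinct behaviours; pick one outcome, for example "MUST be ignored" with an optional log of the error, or "MUST be treated as a protocol error". It would also help to say whether the preceding INTERNAL_DNS_DOMAIN attribute, if any, is still applied when its trust anchor is rejected.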
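The following is an added example, not code from the draft or from any IKEv2 implementation, showing how the INTERNAL_DNSSEC_TA layout described in this section is encoded and parsed, and how a client enforces the ordering rule that each trust anchor must immediately follow its INTERNAL_DNS_DOMAIN attribute. It assumes the generic IKEv2 configuration attribute header from RFC 7296 (R bit, 15-bit type, 2-octet length), the value 25 for INTERNAL_DNS_DOMAIN (taken from the final IANA registry; only 26 appears on this page), the value 3 for INTERNAL_IP4_DNS (RFC 7296), and that the INTERNAL_DNS_DOMAIN value is the US-ASCII name without a trailing dot. The sample digest is a constructed 64-character hex string, not a real trust anchor.

```python
"""Added example: encoding and parsing of INTERNAL_DNS_DOMAIN and
INTERNAL_DNSSEC_TA configuration attributes, with the rule that every
trust anchor must immediately follow the INTERNAL_DNS_DOMAIN it belongs to."""
import struct
from typing import Dict, List, Optional, Tuple

# 26 is stated on the page; 25 is an assumption taken from the final IANA
# registry (RFC 8598); 3 is INTERNAL_IP4_DNS from RFC 7296.
INTERNAL_IP4_DNS = 3
INTERNAL_DNS_DOMAIN = 25
INTERNAL_DNSSEC_TA = 26

TrustAnchor = Tuple[int, int, int, str]  # key tag, DNSKEY alg, digest type, digest hex

# Constructed sample digest: 64 hex characters, the size of a SHA-256 DS digest.
SAMPLE_DIGEST = "0123456789abcdef" * 4


class ProtocolError(ValueError):
    """Raised for malformed or mis-ordered attributes."""


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """IKEv2 configuration attribute: R bit (0) + 15-bit type, 2-octet length, value."""
    if not 0 <= attr_type < 0x8000:
        raise ValueError("attribute type must fit in 15 bits")
    if len(value) > 0xFFFF:
        raise ValueError("attribute value too long")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_dns_domain(domain: str) -> bytes:
    """Assumed value encoding: the US-ASCII name without a trailing dot; empty = request."""
    if domain.endswith("."):
        raise ValueError("domain must not end in a dot")
    return encode_attribute(INTERNAL_DNS_DOMAIN, domain.encode("ascii"))


def encode_dnssec_ta(anchor: Optional[TrustAnchor] = None) -> bytes:
    """Empty form (Length 0) carries no anchor. Non-empty form: Key Tag (2 octets),
    DNSKEY Alg (1), Digest Type (1), Digest Data as presentation-format hex text."""
    if anchor is None:
        return encode_attribute(INTERNAL_DNSSEC_TA, b"")
    key_tag, alg, digest_type, digest_hex = anchor
    if not digest_hex:
        raise ValueError("Digest Data must be 1 or more octets")
    bytes.fromhex(digest_hex)  # reject anything that is not hex presentation format
    value = struct.pack("!HBB", key_tag, alg, digest_type) + digest_hex.encode("ascii")
    return encode_attribute(INTERNAL_DNSSEC_TA, value)


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of configuration attributes into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ProtocolError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ProtocolError("truncated attribute value")
        attrs.append((raw_type & 0x7FFF, data[off:off + length]))  # strip the R bit
        off += length
    return attrs


def parse_cfg_reply(data: bytes) -> Dict[str, List[TrustAnchor]]:
    """Group trust anchors under the INTERNAL_DNS_DOMAIN that immediately precedes
    each one. Any other predecessor (another TA, INTERNAL_IP4_DNS, nothing) is a
    protocol error; the caller decides whether to ignore the attribute or abort."""
    domains: Dict[str, List[TrustAnchor]] = {}
    prev_type, prev_domain = None, None
    for attr_type, value in parse_attributes(data):
        if attr_type == INTERNAL_DNS_DOMAIN:
            prev_domain = value.decode("ascii")
            domains.setdefault(prev_domain, [])
        elif attr_type == INTERNAL_DNSSEC_TA:
            if prev_type != INTERNAL_DNS_DOMAIN:
                raise ProtocolError("INTERNAL_DNSSEC_TA not immediately preceded by INTERNAL_DNS_DOMAIN")
            if len(value) < 5:  # 4 fixed octets plus at least one octet of Digest Data
                raise ProtocolError("INTERNAL_DNSSEC_TA value too short")
            key_tag, alg, digest_type = struct.unpack_from("!HBB", value, 0)
            try:
                digest_hex = value[4:].decode("ascii")
                bytes.fromhex(digest_hex)
            except ValueError as exc:
                raise ProtocolError("Digest Data is not presentation-format hex") from exc
            domains[prev_domain].append((key_tag, alg, digest_type, digest_hex))
        prev_type = attr_type
    return domains


def reply_is_valid(data: bytes) -> bool:
    """Convenience wrapper: True when the attribute run parses without a protocol error."""
    try:
        parse_cfg_reply(data)
        return True
    except ProtocolError:
        return False


def build_sample_reply() -> bytes:
    """Constructed CFG_REPLY fragment: one domain followed by one trust anchor."""
    return encode_dns_domain("example.com") + encode_dnssec_ta((12345, 13, 2, SAMPLE_DIGEST))


if __name__ == "__main__":
    print(parse_cfg_reply(build_sample_reply()))
```

The parser deliberately raises rather than silently skipping a mis-ordered trust anchor, so that the policy layer (and any logging) sees the protocol error; dropping the attribute is then a one-line decision at the call site.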
5. INTERNAL_DNS_DOMAIN Usage Guidelines | 5. INTERNAL_DNS_DOMAIN Usage Guidelines | |||
If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | |||
the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | |||
servers as the default DNS server(s) for all queries. | servers as the default DNS server(s) for all queries. | |||
If a client is configured by local policy to only accept a limited | If a client is configured by local policy to only accept a limited | |||
number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | |||
other INTERNAL_DNS_DOMAIN values. | other INTERNAL_DNS_DOMAIN values. | |||
For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not | For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not | |||
prohibited by local policy, the client MUST use the provided | prohibited by local policy, the client MUST use the provided | |||
INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only | INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only | |||
resolvers for the listed domains and their sub-domains and it MUST NOT | resolvers for the listed domains and their sub-domains and it MUST NOT | |||
attempt to resolve the provided DNS domains using its external DNS | attempt to resolve the provided DNS domains using its external DNS | |||
servers. | servers. Other domain names SHOULD be resolved using some other | |||
external DNS resolver(s), configured independently from IKE. Queries | ||||
If the initiator host is configured to block DNS answers containing | for these other domains MAY be sent to the internal DNS resolver(s) | |||
IP addresses from special IP address ranges such as those of | listed in that CFG_REPLY message, but have no guarantee of being | |||
[RFC1918], the initiator SHOULD allow the DNS domains listed in the | answered. For example, if the INTERNAL_DNS_DOMAIN attribute | |||
INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses. | specifies "example.com", then "example.com", "www.example.com" and | |||
"mail.eng.example.com" MUST be resolved using the internal DNS | ||||
resolver(s), but "anotherexample.com" and "ample.com" SHOULD NOT be | ||||
resolved using the internal resolver and SHOULD use the system's | ||||
external DNS resolver(s). | ||||
If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes | The initiator SHOULD allow the DNS domains listed in the | |||
and its local policy does not forbid these values, the client MUST | INTERNAL_DNS_DOMAIN attributes to resolve to special IP address | |||
configure its DNS resolver to resolve those domains and all their | ranges, such as those of [RFC1918], even if the initiator host is | |||
subdomains using only the DNS resolver(s) listed in that CFG_REPLY | otherwise configured to block DNS answers containing these special IP | |||
message. If those resolvers fail, those names MUST NOT be resolved | addresses. | |||
using any other DNS resolvers. Other domain names SHOULD be resolved | ||||
using some other external DNS resolver(s), configured independently | ||||
from IKE. Queries for these other domains MAY be sent to the | ||||
internal DNS resolver(s) listed in that CFG_REPLY message, but have | ||||
no guarantee of being answered. For example, if the | ||||
INTERNAL_DNS_DOMAIN attribute specifies "example.com", then | ||||
"example.com", "www.example.com" and "mail.eng.example.com" MUST be | ||||
resolved using the internal DNS resolver(s), but "anotherexample.com" | ||||
and "ample.com" SHOULD NOT be resolved using the internal resolver | ||||
and SHOULD use the system's external DNS resolver(s). | ||||
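Review bot: the removed paragraph carried the sentence "If those resolvers fail, those names MUST NOT be resolved using any other DNS resolvers", and the surviving text only says the client "MUST NOT attempt to resolve the provided DNS domains using its external DNS servers"; the failure case (internal resolvers unreachable or returning errors) is therefore no longer spelled out, and a reader could take the new wording as allowing fallback to external resolvers once the internal ones fail. Suggest keeping an explicit no-fallback sentence in the rewritten paragraph.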
When an IKE SA is terminated, the DNS forwarding MUST be | When an IKE SA is terminated, the DNS forwarding MUST be | |||
unconfigured. This includes deleting the DNS forwarding rules; | unconfigured. This includes deleting the DNS forwarding rules; | |||
flushing all cached data for DNS domains provided by the | flushing all cached data for DNS domains provided by the | |||
INTERNAL_DNS_DOMAIN attribute, including negative cache entries; | INTERNAL_DNS_DOMAIN attribute, including negative cache entries; | |||
removing any obtained DNSSEC trust anchors from the list of trust | removing any obtained DNSSEC trust anchors from the list of trust | |||
anchors; and clearing the outstanding DNS request queue. | anchors; and clearing the outstanding DNS request queue. | |||
INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel | INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel | |||
configurations where only a subset of traffic is routed into a | configurations where only a subset of traffic is routed into a | |||
skipping to change at page 10, line 37 ¶ | skipping to change at page 10, line 25 ¶ | |||
existing DNS information with trust anchor conveyed via IKE and | existing DNS information with trust anchor conveyed via IKE and | |||
(temporarily) installed on the IKE client. Of specific concern is | (temporarily) installed on the IKE client. Of specific concern is | |||
the overriding of [RFC6698] based TLSA records, which represent a | the overriding of [RFC6698] based TLSA records, which represent a | |||
confirmation or override of an existing WebPKI TLS certificate. | confirmation or override of an existing WebPKI TLS certificate. | |||
Other DNS record types that convey cryptographic materials (public | Other DNS record types that convey cryptographic materials (public | |||
keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHFP and IPSECKEY | keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHFP and IPSECKEY | |||
records. | records. | |||
IKE clients MUST use a preconfigured whitelist of one or more domain | IKE clients MUST use a preconfigured whitelist of one or more domain | |||
names for which they will allow INTERNAL_DNSSEC_TA updates. This list | names for which they will allow INTERNAL_DNSSEC_TA updates. This list | |||
may be sent in the CFG_REQUEST payload, or may be applied after | can either be sent in the CFG_REQUEST payload, or else be applied | |||
reception of the CFG_REPLY payload. | after reception of the CFG_REPLY payload. | |||
IKE clients should take care to only whitelist domains that apply to | IKE clients should take care to only whitelist domains that apply to | |||
internal or managed domains, rather than to generic Internet traffic. | internal or managed domains, rather than to generic Internet traffic. | |||
The DNS root zone (".") MUST NOT be whitelisted. Other generic or | The DNS root zone (".") MUST NOT be whitelisted. Other generic or | |||
public domains, such as top-level domains, similarly SHOULD NOT be | public domains, such as top-level domains, similarly SHOULD NOT be | |||
whitelisted. | whitelisted. | |||
Any updates to this whitelist of domain names MUST happen via | Any updates to this whitelist of domain names MUST happen via | |||
explicit human interaction to prevent invisible installation of trust | explicit human interaction to prevent invisible installation of trust | |||
anchors. | anchors. | |||
End of changes. 16 change blocks. | ||||
44 lines changed or deleted | 47 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |