| < draft-ietf-ipsecme-split-dns-03.txt | draft-ietf-ipsecme-split-dns-04.txt > | |||
|---|---|---|---|---|
| Network T. Pauly | Network T. Pauly | |||
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
| Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
| Expires: May 16, 2018 Red Hat | Expires: July 26, 2018 Red Hat | |||
| November 12, 2017 | January 22, 2018 | |||
| Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
| draft-ietf-ipsecme-split-dns-03 | draft-ietf-ipsecme-split-dns-04 | |||
| Abstract | Abstract | |||
| This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for | |||
| the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These | |||
| domains should be resolved using DNS servers reachable through an | domains should be resolved using DNS servers reachable through an | |||
| IPsec connection, while leaving all other DNS resolution unchanged. | IPsec connection, while leaving all other DNS resolution unchanged. | |||
| This approach of resolving a subset of domains using non-public DNS | This approach of resolving a subset of domains using non-public DNS | |||
| servers is referred to as "Split DNS". | servers is referred to as "Split DNS". | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 16, 2018. | This Internet-Draft will expire on July 26, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 24 ¶ | skipping to change at page 2, line 24 ¶ | |||
| 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | |||
| 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | |||
| 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 | |||
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | |||
| 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 | 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 1. Introduction | 1. Introduction | |||
| Split DNS is a common configuration for secure tunnels, such as | Split DNS is a common configuration for secure tunnels, such as | |||
| Virtual Private Networks in which host machines private to an | Virtual Private Networks in which host machines private to an | |||
| organization can only be resolved using internal DNS resolvers | organization can only be resolved using internal DNS resolvers | |||
| skipping to change at page 8, line 37 ¶ | skipping to change at page 8, line 37 ¶ | |||
| using some other external DNS resolver(s), configured independently | using some other external DNS resolver(s), configured independently | |||
| from IKE. Queries for these other domains MAY be sent to the | from IKE. Queries for these other domains MAY be sent to the | |||
| internal DNS resolver(s) listed in that CFG_REPLY message, but have | internal DNS resolver(s) listed in that CFG_REPLY message, but have | |||
| no guarantee of being answered. For example, if the | no guarantee of being answered. For example, if the | |||
| INTERNAL_DNS_DOMAIN attribute specifies "example.com", then | INTERNAL_DNS_DOMAIN attribute specifies "example.com", then | |||
| "example.com", "www.example.com" and "mail.eng.example.com" MUST be | "example.com", "www.example.com" and "mail.eng.example.com" MUST be | |||
| resolved using the internal DNS resolver(s), but "anotherexample.com" | resolved using the internal DNS resolver(s), but "anotherexample.com" | |||
| and "ample.com" SHOULD NOT be resolved using the internal resolver | and "ample.com" SHOULD NOT be resolved using the internal resolver | |||
| and SHOULD use the system's external DNS resolver(s). | and SHOULD use the system's external DNS resolver(s). | |||
| An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing | ||||
| domains that are designated Special Use Domain Names in [RFC6761], | ||||
| such as "local", "localhost", "invalid", etc., although it may | ||||
| explicitly wish to support some Special Use Domain Names. | ||||
| When an IKE SA is terminated, the DNS forwarding must be | When an IKE SA is terminated, the DNS forwarding must be | |||
| unconfigured. The DNS forwarding itself MUST be deleted. All | unconfigured. The DNS forwarding itself MUST be deleted. All | |||
| cached data of the INTERNAL_DNS_DOMAIN provided DNS domains MUST be | cached data of the INTERNAL_DNS_DOMAIN provided DNS domains MUST be | |||
| flushed. This includes negative cache entries. Obtained DNSSEC | flushed. This includes negative cache entries. Obtained DNSSEC | |||
| trust anchors MUST be removed from the list of trust anchors. The | trust anchors MUST be removed from the list of trust anchors. The | |||
| outstanding DNS request queue MUST be cleared. | outstanding DNS request queue MUST be cleared. | |||
| INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be | INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be | |||
| used on split tunnel configurations where only a subset of traffic is | used on split tunnel configurations where only a subset of traffic is | |||
| routed into a private remote network using the IPsec connection. If | routed into a private remote network using the IPsec connection. If | |||
| skipping to change at page 9, line 44 ¶ | skipping to change at page 9, line 42 ¶ | |||
| public DNS view, for which it has not explicitly requested such | public DNS view, for which it has not explicitly requested such | |||
| delegation by specifying the domain specifically using an | delegation by specifying the domain specifically using an | |||
| INTERNAL_DNS_DOMAIN(domain) request. | INTERNAL_DNS_DOMAIN(domain) request. | |||
| Operators of a domain served via INTERNAL_DNS_DOMAIN should pay close | Operators of a domain served via INTERNAL_DNS_DOMAIN should pay close | |||
| attention to their use of indirect reference RRtypes such as CNAME, | attention to their use of indirect reference RRtypes such as CNAME, | |||
| DNAME, MX or SRV records so that resolving works as intended when | DNAME, MX or SRV records so that resolving works as intended when | |||
| all, some or none of the IPsec connections are established. | all, some or none of the IPsec connections are established. | |||
| The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be | The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be | |||
| passed to another (DNS) program for processing. The content MUST be | passed to another (DNS) program for processing. As with any network | |||
| verified and sanitized before passing it to other software. For | input, the content should be considered untrusted and handled | |||
| example, domain names are limited to alphanumeric characters and the | accordingly. | |||
| minus ("-") and underscore ("_") symbols, and if other characters | ||||
| are present, the entire payload could be ignored and not passed to | ||||
| DNS software, or the malicious characters could be filtered out | ||||
| before passing the payload to DNS software. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document defines two new IKEv2 Configuration Payload Attribute | This document defines two new IKEv2 Configuration Payload Attribute | |||
| Types, which are allocated from the "IKEv2 Configuration Payload | Types, which are allocated from the "IKEv2 Configuration Payload | |||
| Attribute Types" namespace. | Attribute Types" namespace. | |||
| Multi- | Multi- | |||
| Value Attribute Type Valued Length Reference | Value Attribute Type Valued Length Reference | |||
| ------ ------------------- ------ ---------- --------------- | ------ ------------------- ------ ---------- --------------- | |||
| skipping to change at page 11, line 5 ¶ | skipping to change at page 10, line 48 ¶ | |||
| Kivinen, "Internet Key Exchange Protocol Version 2 | Kivinen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October | |||
| 2014, <https://www.rfc-editor.org/info/rfc7296>. | 2014, <https://www.rfc-editor.org/info/rfc7296>. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, | [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, | |||
| DOI 10.17487/RFC2775, February 2000, <https://www.rfc- | DOI 10.17487/RFC2775, February 2000, <https://www.rfc- | |||
| editor.org/info/rfc2775>. | editor.org/info/rfc2775>. | |||
| [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", | ||||
| RFC 6761, DOI 10.17487/RFC6761, February 2013, | ||||
| <https://www.rfc-editor.org/info/rfc6761>. | ||||
| [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection | [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection | |||
| Most of the Time", RFC 7435, DOI 10.17487/RFC7435, | Most of the Time", RFC 7435, DOI 10.17487/RFC7435, | |||
| December 2014, <https://www.rfc-editor.org/info/rfc7435>. | December 2014, <https://www.rfc-editor.org/info/rfc7435>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Tommy Pauly | Tommy Pauly | |||
| Apple Inc. | Apple Inc. | |||
| 1 Infinite Loop | 1 Infinite Loop | |||
| Cupertino, California 95014 | Cupertino, California 95014 | |||
| End of changes. 8 change blocks. | ||||
| 22 lines changed or deleted | 9 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
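
The suffix rule of Section 5 (a query goes to the internal resolver only when it equals a listed domain or sits under it on a label boundary, so "ample.com" does not match "example.com"), the RFC 6761 special-use exclusion added in -04, and the input-sanitizing guidance of -03, worked through in Python as an added example that is not part of the draft. The special-use set is a constructed subset and the "drop the whole attribute" policy is this example's own choice between the two options -03 describes.

```python
import re

# Characters that draft -03's Security Considerations permits in a domain
# name received via IKE: alphanumerics, "-" and "_" (checked per label).
_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")

# Special-Use Domain Names an initiator should ignore in INTERNAL_DNS_DOMAIN.
# Constructed subset for this example (the names the draft lists plus "test"
# from RFC 6761); a real implementation would load the full IANA registry.
SPECIAL_USE = {"local", "localhost", "invalid", "test"}


def normalize(name):
    """Lower-case a DNS name and drop a trailing dot."""
    return name.rstrip(".").lower()


def sanitize_internal_domain(raw):
    """Return the normalized domain if it may be handed to DNS software,
    else None. Rejecting the whole attribute is the stricter of the two
    options draft -03 describes (the other being to filter characters)."""
    name = normalize(raw)
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if not all(_LABEL_RE.match(label) for label in labels):
        return None
    if labels[-1] in SPECIAL_USE:  # e.g. "corp.local", "localhost"
        return None
    return name


def accept_internal_domains(attrs):
    """Filter the INTERNAL_DNS_DOMAIN values of one CFG_REPLY, dropping
    unsafe or special-use domains and duplicates (case-insensitively)."""
    accepted = []
    for raw in attrs:
        dom = sanitize_internal_domain(raw)
        if dom is not None and dom not in accepted:
            accepted.append(dom)
    return accepted


def uses_internal_resolver(qname, internal_domains):
    """True if qname equals a listed domain or sits under it. The match is
    on a label boundary, so "ample.com" never matches "example.com"."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in internal_domains)
```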