| < draft-ietf-ipsecme-split-dns-08.txt | draft-ietf-ipsecme-split-dns-09.txt > | |||
|---|---|---|---|---|
| Network T. Pauly | Network T. Pauly | |||
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
| Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
| Expires: December 20, 2018 Red Hat | Expires: January 19, 2019 Red Hat | |||
| June 18, 2018 | July 18, 2018 | |||
| Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
| draft-ietf-ipsecme-split-dns-08 | draft-ietf-ipsecme-split-dns-09 | |||
| Abstract | Abstract | |||
| This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for | |||
| the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These | |||
| domains are intended to be resolved using DNS servers reachable | domains are intended to be resolved using DNS servers reachable | |||
| through an IPsec connection, while leaving all other DNS resolution | through an IPsec connection, while leaving all other DNS resolution | |||
| unchanged. This approach of resolving a subset of domains using non- | unchanged. This approach of resolving a subset of domains using non- | |||
| public DNS servers is referred to as "Split DNS". | public DNS servers is referred to as "Split DNS". | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 20, 2018. | This Internet-Draft will expire on January 19, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 25 ¶ | skipping to change at page 2, line 25 ¶ | |||
| 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | |||
| 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | |||
| 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | |||
| and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 | and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | |||
| 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 | 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 | |||
| 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 | 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 12 | 9.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| Split DNS is a common configuration for secure tunnels, such as | Split DNS is a common configuration for secure tunnels, such as | |||
| Virtual Private Networks in which host machines private to an | Virtual Private Networks in which host machines private to an | |||
| organization can only be resolved using internal DNS resolvers | organization can only be resolved using internal DNS resolvers | |||
| [RFC2775]. In such configurations, it is often desirable to only | [RFC2775]. In such configurations, it is often desirable to only | |||
| resolve hosts within a set of private domains using the tunnel, while | resolve hosts within a set of private domains using the tunnel, while | |||
| letting resolutions for public hosts be handled by a device's default | letting resolutions for public hosts be handled by a device's default | |||
| skipping to change at page 10, line 10 ¶ | skipping to change at page 10, line 10 ¶ | |||
| INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel | INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel | |||
| configurations where only a subset of traffic is routed into a | configurations where only a subset of traffic is routed into a | |||
| private remote network using the IPsec connection. If all traffic is | private remote network using the IPsec connection. If all traffic is | |||
| routed over the IPsec connection, the existing global | routed over the IPsec connection, the existing global | |||
| INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating | INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating | |||
| specific DNS exemptions. | specific DNS exemptions. | |||
| 6. INTERNAL_DNSSEC_TA Usage Guidelines | 6. INTERNAL_DNSSEC_TA Usage Guidelines | |||
| Installing an INTERNAL_DNSSEC_TA trust anchor can be seen as the | DNS records can be used to publish specific records containing trust | |||
| equivalent of installing an Enterprise Certificate Agency (CA) | anchors for applications. The most common record type is the TLSA | |||
| record specified in [RFC6698]. This DNS record type publishes which | ||||
| CA certificate or EE certificate to expect for a certain host name. | ||||
| These records are protected by DNSSEC and thus can be trusted by the | ||||
| application. Whether to trust TLSA records instead of the | ||||
| traditional WebPKI depends on the local policy of the client. By | ||||
| accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote | ||||
| IKE server, the IPsec client might be allowing the remote IKE server | ||||
| to override the trusted certificates for TLS. Similar override | ||||
| concerns apply to other public key or fingerprint based DNS records, | ||||
| such as OPENPGPKEY, SMIMEA or IPSECKEY records. | ||||
| Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as | ||||
| the equivalent of installing an Enterprise Certificate Agency (CA) | ||||
| certificate. It allows the remote IKE/IPsec server to modify DNS | certificate. It allows the remote IKE/IPsec server to modify DNS | |||
| answers including its DNSSEC cryptographic signatures by overriding | answers including its DNSSEC cryptographic signatures by overriding | |||
| existing DNS information with trust anchor conveyed via IKE and | existing DNS information with trust anchor conveyed via IKE and | |||
| (temporarilly) installed on the IKE client. Of specific concern is | (temporarilly) installed on the IKE client. Of specific concern is | |||
| the overriding of [RFC6698] based TLSA records, which represent a | the overriding of [RFC6698] based TLSA records, which represent a | |||
| confirmation or override of an existing WebPKI TLS certificate. | confirmation or override of an existing WebPKI TLS certificate. | |||
| Other DNS record types that convey cryptographic materials (public | Other DNS record types that convey cryptographic materials (public | |||
| keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY | keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY | |||
| records. | records. | |||
| IKE clients MUST use a preconfigured whitelist of domain names for | ||||
| which it will allow INTERNAL_DNSSEC_TA updates. | ||||
| The DNS root zone (".") MUST NOT be whitelisted. | ||||
| Any updates to this whitelist of domain names MUST happen via | ||||
| explicit human interaction to prevent invisible installation of trust | ||||
| anchors. | ||||
| IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for | ||||
| subdomain names of the whitelisted domain names. For example, if | ||||
| "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for | ||||
| "antartica.example.net" SHOULD be accepted. | ||||
| IKE clients MAY interpret an INTERNAL_DNSSEC_TA for domain that was | ||||
| not preconfigured as an indication that it needs to update its IKE | ||||
| configuration (out of band). The client MUST NOT use such a | ||||
| INTERNAL_DNSSEC_TA to reconfigure its local DNS settings. | ||||
| IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for | IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for | |||
| a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN | a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN | |||
| Configuration Payload. | Configuration Payload. | |||
| DNS records can be used to publish specific records containing trust | ||||
| anchors for applications. The most common record type is the TLSA | ||||
| record specified in [RFC6698]. This DNS record type publishes which | ||||
| CA certificate or EE certificate to expect for a certain host name. | ||||
| These records are protected by DNSSEC and thus can be trusted by the | ||||
| application. Whether to trust TLSA records instead of the | ||||
| traditional WebPKI depends on the local policy of the client. By | ||||
| accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote | ||||
| IKE server, the IPsec client might be allowing the remote IKE server | ||||
| to override the trusted certificates for TLS. The same applies to | ||||
| other public key or fingerprint based DNS records, such as | ||||
| OPENPGPKEY, SMIMEA or IPSECKEY records. | ||||
| In most deployment scenario's, the IKE client has an expectation that | In most deployment scenario's, the IKE client has an expectation that | |||
| it is connecting, using a split-network setup, to a specific | it is connecting, using a split-network setup, to a specific | |||
| organisation or enterprise. A recommended policy would be to only | organisation or enterprise. A recommended policy would be to only | |||
| accept INTERNAL_DNSSEC_TA directives from that organization's DNS | accept INTERNAL_DNSSEC_TA directives from that organization's DNS | |||
| names. However, this might not be possible in all deployment | names. However, this might not be possible in all deployment | |||
| scenarios, such as one where the IKE server is handing out a number | scenarios, such as one where the IKE server is handing out a number | |||
| of domains that are not within one parent domain. | of domains that are not within one parent domain. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| End of changes. 8 change blocks. | ||||
| 22 lines changed or deleted | 41 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||