| draft-ietf-ipseckey-rr-11.txt | draft-ietf-ipseckey-rr-12.txt |
|---|---|
| IPSECKEY WG M. Richardson | IPSECKEY WG M. Richardson |
| Internet-Draft SSW | Internet-Draft SSW |
| Expires: January 15, 2005 July 17, 2004 | Expires: July 19, 2005 January 18, 2005 |
| A Method for Storing IPsec Keying Material in DNS | A Method for Storing IPsec Keying Material in DNS |
| draft-ietf-ipseckey-rr-11.txt | draft-ietf-ipseckey-rr-12.txt |
| Status of this Memo | Status of this Memo |
| By submitting this Internet-Draft, I certify that any applicable | By submitting this Internet-Draft, I certify that any applicable |
| patent or other IPR claims of which I am aware have been disclosed, | patent or other IPR claims of which I am aware have been disclosed, |
| and any of which I become aware will be disclosed, in accordance with | and any of which I become aware will be disclosed, in accordance with |
| RFC 3667. | RFC 3667. |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other |
| *skipping to change at page 1, line 32* | *skipping to change at page 1, line 32* |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| The list of current Internet-Drafts can be accessed at http:// | The list of current Internet-Drafts can be accessed at http:// |
| www.ietf.org/ietf/1id-abstracts.txt. | www.ietf.org/ietf/1id-abstracts.txt. |
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at |
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. |
| This Internet-Draft will expire on January 15, 2005. | This Internet-Draft will expire on July 19, 2005. |
| Copyright Notice | Copyright Notice |
| Copyright (C) The Internet Society (2004). All Rights Reserved. | Copyright (C) The Internet Society (2005). All Rights Reserved. |
| Abstract | Abstract |
| This document describes a new resource record for the Domain Name | This document describes a new resource record for the Domain Name |
| System (DNS). This record may be used to store public keys for use in | System (DNS). This record may be used to store public keys for use in |
| IP security (IPsec) systems. The record also includes provisions for | IP security (IPsec) systems. The record also includes provisions for |
| indicating what system should be contacted when establishing an IPsec | indicating what system should be contacted when establishing an IPsec |
| tunnel with the entity in question. | tunnel with the entity in question. |
| This record replaces the functionality of the sub-type #1 of the KEY | This record replaces the functionality of the sub-type #1 of the KEY |
| *skipping to change at page 3, line 23* | *skipping to change at page 3, line 23* |
| these cases the host will need to obtain a public key in order to | these cases the host will need to obtain a public key in order to |
| authenticate the remote entity, and may also need some guidance about | authenticate the remote entity, and may also need some guidance about |
| whether it should contact the entity directly or use another node as | whether it should contact the entity directly or use another node as |
| a gateway to the target entity. | a gateway to the target entity. |
| The IPSECKEY RR provides a storage mechanism for such data as the | The IPSECKEY RR provides a storage mechanism for such data as the |
| public key and the gateway information. | public key and the gateway information. |
| The type number for the IPSECKEY RR is TBD. | The type number for the IPSECKEY RR is TBD. |
| This record replaces the functionality of the sub-type #1 of the KEY | |
| Resource Record, which has been obsoleted by RFC3445 [12]. | |
| 1.1 Overview | 1.1 Overview |
| The IPSECKEY resource record (RR) is used to publish a public key | The IPSECKEY resource record (RR) is used to publish a public key |
| that is to be associated with a Domain Name System (DNS) name for use | that is to be associated with a Domain Name System (DNS)[1] name for |
| with the IPsec protocol suite. This can be the public key of a | use with the IPsec protocol suite. This can be the public key of a |
| host, network, or application (in the case of per-port keying). | host, network, or application (in the case of per-port keying). |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this |
| document are to be interpreted as described in RFC2119 [7]. | document are to be interpreted as described in RFC2119 [7]. |
| 1.2 Use of DNS address-to-name maps (IN-ADDR.ARPA and IP6.ARPA) | 1.2 Use of DNS address-to-name maps (IN-ADDR.ARPA and IP6.ARPA) |
| Often a security gateway will only have access to the IP address of | Often a security gateway will only have access to the IP address of |
| the node with which communication is desired, and will not know any | the node with which communication is desired, and will not know any |
| *skipping to change at page 4, line 9* | *skipping to change at page 4, line 12* |
| Note: even when the IPsec function is the end-host, often only the | Note: even when the IPsec function is the end-host, often only the |
| application will know the forward name used. While the case where the | application will know the forward name used. While the case where the |
| application knows the forward name is common, the user could easily | application knows the forward name is common, the user could easily |
| have typed in a literal IP address. This storage mechanism does not | have typed in a literal IP address. This storage mechanism does not |
| preclude using the forward name when it is available, but does not | preclude using the forward name when it is available, but does not |
| require it. | require it. |
| 1.3 Usage Criteria | 1.3 Usage Criteria |
| An IPSECKEY resource record SHOULD be used in combination with DNSSEC | An IPSECKEY resource record SHOULD be used in combination with DNSSEC |
| unless some other means of authenticating the IPSECKEY resource | [9] unless some other means of authenticating the IPSECKEY resource |
| record is available. | record is available. |
| It is expected that there will often be multiple IPSECKEY resource | It is expected that there will often be multiple IPSECKEY resource |
| records at the same name. This will be due to the presence of | records at the same name. This will be due to the presence of |
| multiple gateways and the need to rollover keys. | multiple gateways and the need to rollover keys. |
| This resource record is class independent. | This resource record is class independent. |
| 2. Storage formats | 2. Storage formats |
| *skipping to change at page 18, line 41* | *skipping to change at page 18, line 41* |
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an |
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS |
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET |
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, |
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE |
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED |
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. |
| Copyright Statement | Copyright Statement |
| Copyright (C) The Internet Society (2004). This document is subject | Copyright (C) The Internet Society (2005). This document is subject |
| to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and |
| except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. |
| Acknowledgment | Acknowledgment |
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the |
| Internet Society. | Internet Society. |

End of changes. 8 change blocks. 8 lines changed or deleted, 11 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
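Sections 1.2 and 1.3 of the draft above describe two things a consumer of IPSECKEY data has to do: derive the IN-ADDR.ARPA or IP6.ARPA name to query when only the peer's IP address is known, and cope with several IPSECKEY records at one name (multiple gateways, keys in rollover) while insisting that the answer be authenticated, normally by DNSSEC. The following Python is an added example written for this page, not code from the draft or from any IPSECKEY implementation. It assumes the record layout later published in RFC 4025 (precedence, gateway type, algorithm, gateway, base64 public key), which the excerpt above does not show because its "Storage formats" section is skipped; the sample records and key strings are constructed placeholders.

```python
"""Added example: IPSECKEY lookup name derivation and record selection.

Assumption (not in the excerpt above): record fields follow the RFC 4025
layout <precedence> <gateway-type> <algorithm> <gateway> <public-key>.
Sample data below is constructed for illustration; the keys are not real.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set


def reverse_name(ip_literal: str) -> str:
    """Owner name under IN-ADDR.ARPA / IP6.ARPA where a gateway that knows
    only the peer's address would query for IPSECKEY (draft section 1.2)."""
    addr = ipaddress.ip_address(ip_literal)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, one label each
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


@dataclass(frozen=True)
class IPSECKEY:
    precedence: int    # lower value is preferred (RFC 4025 layout, assumed)
    gateway_type: int  # 0 none, 1 IPv4, 2 IPv6, 3 domain name
    algorithm: int     # 0 none, 1 DSA, 2 RSA
    gateway: str       # "." when gateway_type is 0
    public_key: str    # base64 text as published in the zone


def parse_ipseckey(rdata: str) -> IPSECKEY:
    """Parse presentation-format RDATA and reject malformed records early,
    so a bad zone entry cannot reach the IPsec policy layer."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("IPSECKEY needs at least four fields")
    prec, gwtype, alg = (int(x) for x in fields[:3])
    for value in (prec, gwtype, alg):
        if not 0 <= value <= 255:
            raise ValueError("field out of single-octet range")
    gateway = fields[3]
    if gwtype == 0 and gateway != ".":
        raise ValueError("gateway type 0 requires gateway '.'")
    if gwtype == 1 and ipaddress.ip_address(gateway).version != 4:
        raise ValueError("gateway type 1 requires an IPv4 gateway")
    if gwtype == 2 and ipaddress.ip_address(gateway).version != 6:
        raise ValueError("gateway type 2 requires an IPv6 gateway")
    if gwtype > 3:
        raise ValueError("unknown gateway type")
    # The base64 key may be split over several tokens in zone files.
    return IPSECKEY(prec, gwtype, alg, gateway, "".join(fields[4:]))


def select_gateways(records: List[IPSECKEY], dnssec_validated: bool,
                    other_auth: bool = False) -> List[IPSECKEY]:
    """Records to try, best precedence first (draft section 1.3).

    The draft says IPSECKEY SHOULD be used with DNSSEC unless some other
    authentication is available, so an unauthenticated answer is refused."""
    if not (dnssec_validated or other_auth):
        raise ValueError("IPSECKEY answer is not authenticated; not used")
    return sorted(records, key=lambda r: r.precedence)  # stable for ties


def acceptable_keys(records: List[IPSECKEY], gateway: str) -> Set[str]:
    """All keys currently published for one gateway. During a rollover the
    old and new key coexist at the same name, so a verifier must accept
    either rather than only the first record it happens to see."""
    return {r.public_key for r in records if r.gateway == gateway}


# Constructed answer for one reverse name: a primary gateway mid-rollover
# (two keys), a backup gateway, and a gateway given by domain name.
SAMPLE_ANSWER = [
    "10 1 2 192.0.2.38 b2xkLWtleS1wbGFjZWhvbGRlcg==",
    "10 1 2 192.0.2.38 bmV3LWtleS1wbGFjZWhvbGRlcg==",
    "20 1 2 192.0.2.39 YmFja3VwLWtleS1wbGFjZWhvbGRlcg==",
    "30 3 2 gw.example.net. bmFtZWQtZ3cta2V5LXBsYWNlaG9sZGVy",
]


def demo():
    """Walk through: derive the query name, parse, order, collect keys."""
    name = reverse_name("192.0.2.1")
    records = [parse_ipseckey(r) for r in SAMPLE_ANSWER]
    ordered = select_gateways(records, dnssec_validated=True)
    keys = acceptable_keys(records, ordered[0].gateway)
    return name, ordered, keys


if __name__ == "__main__":
    qname, ordered, keys = demo()
    print("query:", qname, "IPSECKEY")
    for r in ordered:
        print(f"  precedence {r.precedence:3d} gateway {r.gateway}")
    print("keys accepted for preferred gateway:", len(keys))
```

The two-column view above shows only why the checks exist; the point of the example is the order of operations: authenticate the answer first, then order by precedence, then treat every key published for the chosen gateway as valid for the duration of the rollover.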