idnits 2.17.1 draft-ietf-ipsecme-split-dns-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 13, 2017) is 2598 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD IANA' is mentioned on line 307, but not defined == Missing Reference: 'TBD' is mentioned on line 428, but not defined Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network T. Pauly 3 Internet-Draft Apple Inc. 4 Intended status: Standards Track P. Wouters 5 Expires: September 14, 2017 Red Hat 6 March 13, 2017 8 Split DNS Configuration for IKEv2 9 draft-ietf-ipsecme-split-dns-00 11 Abstract 13 This document defines two Configuration Payload Attribute Types for 14 the IKEv2 protocol that add support for private DNS domains. These 15 domains should be resolved using DNS servers reachable through an 16 IPsec connection, while leaving all other DNS resolution unchanged. 17 This approach of resolving a subset of domains using non-public DNS 18 servers is referred to as "Split DNS". 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on September 14, 2017. 37 Copyright Notice 39 Copyright (c) 2017 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 56 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 58 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 59 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 60 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 61 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 62 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 63 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 5 64 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 65 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 66 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 67 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 68 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 69 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 70 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 71 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 72 8.2. Informative References . . . . . . . . . . . . . . . . . 10 73 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 75 1. Introduction 77 Split DNS is a common configuration for secure tunnels, such as 78 Virtual Private Networks in which host machines private to an 79 organization can only be resolved using internal DNS resolvers 80 [RFC2775]. In such configurations, it is often desirable to only 81 resolve hosts within a set of private domains using the tunnel, while 82 letting resolutions for public hosts be handled by a device's default 83 DNS configuration. 85 The Internet Key Exchange protocol version 2 [RFC7296] negotiates 86 configuration parameters using Configuration Payload Attribute Types. 87 This document defines two Configuration Payload Attribute Types that 88 add support for trusted Split DNS domains. 90 The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more 91 DNS domains that should be resolved only using the provided DNS 92 nameserver IP addresses, causing these requests to use the IPsec 93 connection. 95 The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust 96 anchors for those domains. 98 When only a subset of traffic is routed into a private network using 99 an IPsec SA, these Configuration Payload options can be used to 100 define which private domains should be resolved through the IPsec 101 connection without affecting the client's global DNS resolution. 103 For the purposes of this document, DNS resolution servers accessible 104 through an IPsec connection will be referred to as "internal DNS 105 servers", and other DNS servers will be referred to as "external DNS 106 servers". 108 A client using these configuration payloads will be able to request 109 and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN 110 and INTERNAL_DNSSEC_TA configuration attributes. The client device 111 can use the internal DNS server(s) for any DNS queries within the 112 assigned domains. DNS queries for other domains should be send to 113 its regular external DNS server. 115 1.1. Requirements Language 117 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 118 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 119 document are to be interpreted as described in RFC 2119 [RFC2119]. 121 2. Background 123 Split DNS is a common configuration for enterprise VPN deployments, 124 in which only one or a few private DNS domains are accessible and 125 resolvable via an IPsec based VPN connection. 127 Other tunnel-establishment protocols already support the assignment 128 of Split DNS domains. For example, there are proprietary extensions 129 to IKEv1 that allow a server to assign Split DNS domains to a client. 130 However, the IKEv2 standard does not include a method to configure 131 this option. This document defines a standard way to negotiate this 132 option for IKEv2. 134 3. Protocol Exchange 136 In order to negotiate which domains are considered internal to an 137 IKEv2 tunnel, initiators indicate support for Split DNS in their 138 CFG_REQUEST payloads, and responders assign internal domains (and 139 DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS 140 has been negotiated, the existing DNS server configuration attributes 141 will be interpreted as internal DNS servers that can resolve 142 hostnames within the internal domains. 144 3.1. Configuration Request 146 To indicate support for Split DNS, an initiator sends a CFG_REQUEST 147 payload MAY with one INTERNAL_DNS_DOMAIN attributes as defined in 148 Section 4. If an INTERNAL_DNS_DOMAIN attribute is included in the 149 CFG_REQUEST, the initiator SHOULD also include one or more 150 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in its CFG_REQUEST. 152 The length of the INTERNAL_DNS_DOMAIN attribute sent by the initiator 153 is zero. 155 The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST 156 payload indicates that the initiator does not support or is unwilling 157 to accept Split DNS configuration. 159 To indicate support for DNSSEC, an initiator sending a CFG_REQUEST 160 payload MAY include one INTERNAL_DNS_TA attributes as defined in 161 Section 4. 163 An initiator MAY convey its current DNSSEC trust anchors for the 164 domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does 165 not wish to convey this information, it MUST use a length of 0. 167 The absence of INTERNAL_DNS_TA attributes in the CFG_REQUEST payload 168 indicates that the initiator does not support or is unwilling to 169 accept DNSSEC trust anchor configuration. 171 3.2. Configuration Reply 173 Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in 174 their CFG_REPLY payload if the CFG_REQUEST contained at least one 175 INTERNAL_DNS_DOMAIN attribute. If the CFG_REQUEST did not contain an 176 INTERNAL_DNS_DOMAIN attribute, the responder MUST NOT include an 177 INTERNAL_DNS_DOMAIN attribute in the CFG_REPLY. If an 178 INTERNAL_DNS_DOMAIN attribute is included in the CFG_REPLY, the 179 responder SHOULD also include one or both of the INTERNAL_IP4_DNS and 180 INTERNAL_IP6_DNS attributes in its CFG_REPLY. These DNS server 181 configurations are necessary to define which servers should receive 182 queries for hostnames in internal domains. If the CFG_REQUEST 183 included an INTERNAL_DNS_DOMAIN attribute, but the CFG_REPLY does not 184 include an INTERNAL_DNS_DOMAIN attribute, the initiator should behave 185 as if Split DNS configurations are not supported by the server. 187 Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers 188 address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. 190 If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- 191 zero lengths, the content MUST be ignored. 193 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, 194 one or more INTERNAL_DNSSEC_TA attributes MAY be included by the 195 responder. This attribute lists the corresponding DSSNEC trust 196 anchor in the DNS wire format of a DS record as specified in 197 [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST immediately follow 198 the INTERNAL_DNS_DOMAIN attribute that it applies to. 200 3.3. Mapping DNS Servers to Domains 202 All DNS servers provided in the CFG_REPLY MUST support resolving 203 hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, 204 the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a 205 single list of Split DNS domains that applies to the entire list of 206 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 208 3.4. Example Exchanges 210 3.4.1. Simple Case 212 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 213 INTERNAL_DNS_DOMAIN attributes in its CFG_REQUEST, but does not 214 specify any value for either. This indicates that it supports Split 215 DNS, but has no preference for which DNS requests should be routed 216 through the tunnel. 218 The responder replies with two DNS server addresses, and two internal 219 domains, "example.com" and "city.other.com". 221 Any subsequent DNS queries from the initiator for domains such as 222 "www.example.com" should use 198.51.100.2 or 198.51.100.4 to resolve. 224 CP(CFG_REQUEST) = 225 INTERNAL_IP4_ADDRESS() 226 INTERNAL_IP4_DNS() 227 INTERNAL_DNS_DOMAIN() 229 CP(CFG_REPLY) = 230 INTERNAL_IP4_ADDRESS(198.51.100.234) 231 INTERNAL_IP4_DNS(198.51.100.2) 232 INTERNAL_IP4_DNS(198.51.100.4) 233 INTERNAL_DNS_DOMAIN(example.com) 234 INTERNAL_DNS_DOMAIN(city.other.com) 236 3.4.2. Requesting Domains and DNSSEC trust anchors 238 In this example exchange, the initiator requests INTERNAL_IP4_DNS, 239 INTERNAL_DNS_DOMAIN and INTERNAL_DNS_TA attributess in its 240 CFG_REQUEST 241 Any subsequent DNS queries from the initiator for domains such as 242 "www.example.com" or "city.other.com" would be DNSSEC validated using 243 the DNSSEC trust anchor received in the CFG_REPLY 245 In this example, the initiator has no existing DNSSEC trust anchors 246 would the requested domain. the "example.com" dommain has DNSSEC 247 trust anchors that are returned, while the "other.com" domain has no 248 DNSSEC trust anchors 250 CP(CFG_REQUEST) = 251 INTERNAL_IP4_ADDRESS() 252 INTERNAL_IP4_DNS() 253 INTERNAL_DNS_DOMAIN() 254 INTERNAL_DNS_TA() 256 CP(CFG_REPLY) = 257 INTERNAL_IP4_ADDRESS(198.51.100.234) 258 INTERNAL_IP4_DNS(198.51.100.2) 259 INTERNAL_IP4_DNS(198.51.100.4) 260 INTERNAL_DNS_DOMAIN(example.com) 261 INTERNAL_DNS_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) 262 INTERNAL_DNS_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) 263 INTERNAL_DNS_DOMAIN(city.other.com) 265 4. Payload Formats 267 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type 269 1 2 3 270 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 271 +-+-----------------------------+-------------------------------+ 272 |R| Attribute Type | Length | 273 +-+-----------------------------+-------------------------------+ 274 | | 275 ~ Domain Name ~ 276 | | 277 +---------------------------------------------------------------+ 279 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 281 o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. 283 o Length (2 octets, unsigned integer) - Length of domain name. 285 o Domain Name (0 or more octets) - A domain or subdomain used for 286 Split DNS rules, such as example.com. This is a string of ASCII 287 characters with labels separated by dots, with no trailing dot, 288 using IDNA [RFC5890] for non-ASCII DNS domains. The value is NOT 289 null-terminated. 291 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 293 1 2 3 294 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 295 +-+-----------------------------+-------------------------------+ 296 |R| Attribute Type | Length | 297 +-+-----------------------------+---------------+---------------+ 298 | Key Tag | Algorithm | Digest Type | 299 +-------------------------------+---------------+---------------+ 300 | | 301 ~ Digest ~ 302 | | 303 +---------------------------------------------------------------+ 305 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 307 o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. 309 o Length (2 octets, unsigned integer) - Length of DNSSEC Trust 310 Anchor data. 312 o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as 313 specified in [RFC4034] Section 5.1 315 o DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security 316 Algorithm Numbers Registry 318 o DS algorithm (0 or 1 octet) - Value from the IANA Delegation 319 Signer (DS) Resource Record (RR) Type Digest Algorithms Registry 321 o Digest (0 or more octets) - The raw digest as specified in 322 [RFC4034] Section 5.1 324 5. Split DNS Usage Guidelines 326 If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, 327 the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 328 servers as the default DNS server(s) for all queries. 330 If a client is configured by local policy to only accept a limited 331 number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any 332 other INTERNAL_DNS_DOMAIN values. 334 For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not 335 prohibited by local policy, the client MUST use the provided 336 INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only 337 resolvers for the listed domains and its sub-domains and it MUST NOT 338 attempt to resolve the provided DNS domains using its external DNS 339 servers. 341 If the initiator host is configured to block DNS answers containing 342 IP addresses from special IP address ranges such as those of 343 [RFC1918], the initiator SHOULD allow the DNS domains listed in the 344 INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses 345 that are covered by the Child SA's. 347 If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes 348 and its local policy does not forbid these values, the client MUST 349 configure its DNS resolver to resolve those domains and all their 350 subdomains using only the DNS resolver(s) listed in that CFG_REPLY 351 message. If those resolvers fail, those names MUST NOT be resolved 352 using any other DNS resolvers. Other domain names SHOULD be resolved 353 using some other external DNS resolver(s), configured independently 354 from IKE. Queries for these other domains MAY be sent to the 355 internal DNS resolver(s) listed in that CFG_REPLY message, but have 356 no guarantee of being answered. For example, if the 357 INTERNAL_DNS_DOMAIN attribute specifies "example.com", then 358 "example.com", "www.example.com" and "mail.eng.example.com" MUST be 359 resolved using the internal DNS resolver(s), but "anotherexample.com" 360 and "ample.com" SHOULD NOT be resolved using the internal resolver 361 and SHOULD use the system's external DNS resolver(s). 363 An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing 364 domains that are designated Special Use Domain Names in [RFC6761], 365 such as "local", "localhost", "invalid", etc. Although it may 366 explicitly wish to support some Special Use Domain Names. 368 When an IPsec connection is terminated, the DNS forwarding must be 369 unconfigured. The DNS forwarding itself MUST be be deleted. All 370 cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be 371 flushed. This includes negative cache entries. Obtained DNSSEC 372 trust anchors MUST be removed from the list of trust anchors. The 373 outstanding DNS request queue MUST be cleared. 375 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be 376 used on split tunnel configurations where only a subset of traffic is 377 routed into a private remote network using the IPsec connection. If 378 all traffic is routed over the IPsec connection, the existing global 379 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating 380 specific DNS exemptions. 382 6. Security Considerations 384 The use of Split DNS configurations assigned by an IKEv2 responder is 385 predicated on the trust established during IKE SA authentication. 386 However, if IKEv2 is being negotiated with an anonymous or unknown 387 endpoint (such as for Opportunistic Security [RFC7435]), the 388 initiator MUST ignore Split DNS configurations assigned by the 389 responder. 391 If a host connected to an authenticated IKE peer is connecting to 392 another IKE peer that attempts to claim the same domain via the 393 INTERNAL_DNS_DOMAIN attribute, the IKE connection should only process 394 the DNS information if the two connections are part of the same 395 logical entity. Otherwise, the client should refuse the DNS 396 information and potentially warn the enduser. 398 INTERNAL_DNSSEC_TA directives MUST immediately follow an 399 INTERNAL_DNS_DOMAIN directive. As the INTERNAL_DNSSEC_TA format 400 itself does not contain the domain name, it relies on the preceding 401 INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the 402 trust anchor. 404 If the initiator is using DNSSEC validation for a domain in its 405 public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN 406 attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure 407 its DNS resolver to allow for an insecure delegation. It SHOULD NOT 408 accept insecure delegations for domains that are DNSSEC signed in the 409 public DNS view, for which it has not explicitely requested such 410 deletation by specifying the domain specifically using a 411 INTERNAL_DNS_DOMAIN(domain) request. 413 A domain that is served via INTERNAL_DNS_DOMAIN should pay close 414 attention to their use of indirect reference RRtypes such as CNAME, 415 DNAME, MX or SRV records so that resolving works as intended when 416 all, some or none of the IPsec connections are established. 418 7. IANA Considerations 420 This document defines two new IKEv2 Configuration Payload Attribute 421 Types, which are allocated from the "IKEv2 Configuration Payload 422 Attribute Types" namespace. 424 Multi- 425 Value Attribute Type Valued Length Reference 426 ------ ------------------- ------ ---------- --------------- 427 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] 428 [TBD] INTERNAL_DNSSEC_TA YES 0 or more [this document] 430 Figure 1 432 8. References 434 8.1. Normative References 436 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 437 and E. Lear, "Address Allocation for Private Internets", 438 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 439 . 441 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 442 Requirement Levels", BCP 14, RFC 2119, 443 DOI 10.17487/RFC2119, March 1997, 444 . 446 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 447 Rose, "Resource Records for the DNS Security Extensions", 448 RFC 4034, DOI 10.17487/RFC4034, March 2005, 449 . 451 [RFC5890] Klensin, J., "Internationalized Domain Names for 452 Applications (IDNA): Definitions and Document Framework", 453 RFC 5890, DOI 10.17487/RFC5890, August 2010, 454 . 456 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 457 Kivinen, "Internet Key Exchange Protocol Version 2 458 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 459 2014, . 461 8.2. Informative References 463 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 464 DOI 10.17487/RFC2775, February 2000, 465 . 467 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 468 RFC 6761, DOI 10.17487/RFC6761, February 2013, 469 . 471 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 472 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 473 December 2014, . 475 Authors' Addresses 477 Tommy Pauly 478 Apple Inc. 479 1 Infinite Loop 480 Cupertino, California 95014 481 US 483 Email: tpauly@apple.com 485 Paul Wouters 486 Red Hat 488 Email: pwouters@redhat.com