idnits 2.17.1 draft-ietf-ipsecme-split-dns-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (March 11, 2019) is 1872 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network T. Pauly 3 Internet-Draft Apple Inc. 4 Intended status: Standards Track P. Wouters 5 Expires: September 12, 2019 Red Hat 6 March 11, 2019 8 Split DNS Configuration for IKEv2 9 draft-ietf-ipsecme-split-dns-17 11 Abstract 13 This document defines two Configuration Payload Attribute Types 14 (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key 15 Exchange Protocol Version 2 (IKEv2). These payloads add support for 16 private (internal-only) DNS domains. These domains are intended to 17 be resolved using non-public DNS servers that are only reachable 18 through the IPsec connection. DNS resolution for other domains 19 remains unchanged. These Configuration Payloads only apply to split 20 tunnel configurations. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on September 12, 2019. 39 Copyright Notice 41 Copyright (c) 2019 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 58 2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 5 60 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5 61 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 6 62 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6 63 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6 64 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6 65 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 7 66 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 8 67 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 68 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8 69 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 9 70 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 10 71 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 11 72 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 73 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 74 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 75 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 76 9.2. Informative References . . . . . . . . . . . . . . . . . 15 77 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 79 1. Introduction 81 Split tunnel Virtual Private Network ("VPN") configurations only send 82 packets with a specific destination IP range, usually chosen from 83 [RFC1918], via the VPN. All other traffic is not sent via the VPN. 84 This allows an enterprise deployment to offer Remote Access VPN 85 services without needing to accept and forward all the non-enterprise 86 related network traffic generated by their remote users. Resources 87 within the enterprise can be accessed by the user via the VPN, while 88 all other traffic generated by the user is not send over the VPN. 90 These internal resources tend to only have internal-only DNS names 91 and require the use of special internal-only DNS servers to get 92 resolved. Split DNS [RFC2775] is a common configuration that is part 93 of split tunnel VPN configurations to support configuring Remote 94 Access users to use these special internal-only domain names. 96 The IKEv2 protocol [RFC7296] negotiates configuration parameters 97 using Configuration Payload Attribute Types. This document defines 98 two Configuration Payload Attribute Types that add support for 99 trusted Split DNS domains. 101 The INTERNAL_DNS_DOMAIN attribute type is used to convey that the 102 specified DNS domain MUST be resolved using the provided DNS 103 nameserver IP addresses as specified in the INTERNAL_IP4_DNS and 104 INTERNAL_IP6_DNS Configuration Payloads, causing these requests to 105 use the IPsec connection. 107 The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC 108 trust anchor for such a domain. This is required if the external 109 view uses DNSSEC that would prove the internal view does not exist or 110 would expect a different DNSSEC key on the different versions 111 (internal and external) of the enterprise domain. 113 If an INTERNAL_DNS_DOMAIN is sent by the responder, the responder 114 MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 115 attributes that contain the IPv4 or IPv6 address of the internal DNS 116 server. 118 For the purposes of this document, DNS resolution servers accessible 119 through an IPsec connection will be referred to as "internal DNS 120 servers", and other DNS servers will be referred to as "external DNS 121 servers". 123 Other tunnel-establishment protocols already support the assignment 124 of Split DNS domains. For example, there are proprietary extensions 125 to IKEv1 that allow a server to assign Split DNS domains to a client. 126 However, the IKEv2 standard does not include a method to configure 127 this option. This document defines a standard way to negotiate this 128 option for IKEv2. 130 1.1. Requirements Language 132 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 133 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 134 "OPTIONAL" in this document are to be interpreted as described in BCP 135 14 [RFC2119] [RFC8174] when, and only when, they appear in all 136 captials, as shown here. 138 2. Applicability 140 If the negotiated IPsec connection is not a split tunnel 141 configuration, the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA 142 Configuration Payloads MUST be ignored. This prevents generic (non- 143 enterprise) VPN services from overriding the public DNS hierarchy, 144 which could lead to malicious overrides of DNS and DNSSEC. 146 Such configurations SHOULD instead use only the INTERNAL_IP4_DNS and 147 INTERNAL_IP6_DNS Configuration Payloads to ensure all of the user's 148 DNS traffic is send through the IPsec connection and does not leak 149 unencrypted onto the local network, as the local network is often 150 explicitely exempted from IPsec encryption. 152 For split tunnel configurations, an enterprise can require one or 153 more DNS domains to be resolved via internal DNS servers. This can 154 be a special domain, such as "corp.example.com" for an enterprise 155 that is publicly known to use "example.com". In this case, the 156 remote user needs to be informed what the internal-only domain names 157 are and what the IP addresses of the internal DNS servers are. An 158 enterprise can also run a different version of its public domain on 159 its internal network. In that case, the VPN client is instructed to 160 send DNS queries for the enterprise public domain (eg "example.com") 161 to the internal DNS servers. A configuration for this deployment 162 scenario is referred to as a Split DNS configuration. 164 Split DNS configurations are often preferable to sending all DNS 165 queries to the enterprise. This allows the remote user to only send 166 DNS queries for the enterprise to the internal DNS servers. The 167 enterprise remains unaware of all non-enterprise (DNS) activitiy of 168 the user. It also allows the enterprise DNS servers to only be 169 configured for the enterprise DNS domains which removes the legal and 170 technical responsibility of the enterprise to resolve every DNS 171 domain potentially asked for by the remote user. 173 A client using these configuration payloads will be able to request 174 and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN 175 and INTERNAL_DNSSEC_TA configuration attributes. These attributes 176 MUST be accompanied by one or more INTERNAL_IP4_DNS or 177 INTERNAL_IP6_DNS configuration attributes. The client device can 178 then use the internal DNS server(s) for any DNS queries within the 179 assigned domains. DNS queries for other domains SHOULD be sent to 180 the regular DNS service of the client unless it prefers to use the 181 IPsec tunnel for all its DNS queries. For example, the client could 182 trust the IPsec provided DNS servers more than the locally provided 183 DNS servers especially in the case of connecting to unknown or 184 untrusted networks (eg coffee shops or hotel networks). Or the 185 client could prefer the IPsec based DNS servers because those provide 186 additional features over the local DNS servers. 188 3. Protocol Exchange 190 In order to negotiate which domains are considered internal to an 191 IKEv2 tunnel, initiators indicate support for Split DNS in their 192 CFG_REQUEST payloads, and responders assign internal domains (and 193 DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS 194 has been negotiated, the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS DNS 195 server configuration attributes will be interpreted as internal DNS 196 servers that can resolve hostnames within the internal domains. 198 3.1. Configuration Request 200 To indicate support for Split DNS, an initiator includes one or more 201 INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the 202 CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included 203 in the CFG_REQUEST, the initiator MUST also include one or more 204 INTERNAL_IP4_DNS or INTERNAL_IP6_DNS attributes in the CFG_REQUEST. 206 The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually 207 empty but MAY contain a suggested domain name. 209 The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST 210 payload indicates that the initiator does not support or is unwilling 211 to accept Split DNS configuration. 213 To indicate support for receiving DNSSEC trust anchors for Split DNS 214 domains, an initiator includes one or more INTERNAL_DNSSEC_TA 215 attributes as defined in Section 4 as part of the CFG_REQUEST 216 payload. If an INTERNAL_DNSSEC_TA attribute is included in the 217 CFG_REQUEST, the initiator MUST also include one or more 218 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator 219 includes an INTERNAL_DNSSEC_TA attribute, but does not include an 220 INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with 221 both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes. 223 An initiator MAY convey its current DNSSEC trust anchors for the 224 domain specified in the INTERNAL_DNS_DOMAIN attribute. A responder 225 can use this information to determine that it does not need to send a 226 different trust anchor. If the initiator does not wish to convey 227 this information, it MUST use a length of 0. 229 The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST 230 payload indicates that the initiator does not support or is unwilling 231 to accept DNSSEC trust anchor configuration. 233 3.2. Configuration Reply 235 Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in 236 their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is 237 included in the CFG_REPLY, the responder MUST also include one or 238 both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the 239 CFG_REPLY. These DNS server configurations are necessary to define 240 which servers can receive queries for hostnames in internal domains. 241 If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the 242 CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the 243 initiator MUST behave as if Split DNS configurations are not 244 supported by the server, unless the initiator has been configured 245 with local policy to define a set of Split DNS domains to use by 246 default. 248 Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers 249 address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. 251 If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- 252 zero lengths, the content MAY be ignored or be interpreted as a 253 suggestion by the responder. 255 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, 256 one or more INTERNAL_DNSSEC_TA attributes MAY be included by the 257 responder. This attribute lists the corresponding internal DNSSEC 258 trust anchor information of a DS record (see [RFC4034]). The 259 INTERNAL_DNSSEC_TA attribute MUST immediately follow the 260 INTERNAL_DNS_DOMAIN attribute that it applies to. 262 3.3. Mapping DNS Servers to Domains 264 All DNS servers provided in the CFG_REPLY MUST support resolving 265 hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, 266 the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a 267 single list of Split DNS domains that applies to the entire list of 268 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 270 3.4. Example Exchanges 272 3.4.1. Simple Case 274 In this example exchange, the initiator requests INTERNAL_IP4_DNS, 275 INTERNAL_IP6_DNS, and INTERNAL_DNS_DOMAIN attributes in the 276 CFG_REQUEST, but does not specify any value for either. This 277 indicates that it supports Split DNS, but has no preference for which 278 DNS requests will be routed through the tunnel. 280 The responder replies with two DNS server addresses, and two internal 281 domains, "example.com" and "city.other.test". 283 Any subsequent DNS queries from the initiator for domains such as 284 "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve. 286 CP(CFG_REQUEST) = 287 INTERNAL_IP4_ADDRESS() 288 INTERNAL_IP4_DNS() 289 INTERNAL_IP6_ADDRESS() 290 INTERNAL_IP6_DNS() 291 INTERNAL_DNS_DOMAIN() 293 CP(CFG_REPLY) = 294 INTERNAL_IP4_ADDRESS(198.51.100.234) 295 INTERNAL_IP4_DNS(198.51.100.2) 296 INTERNAL_IP4_DNS(198.51.100.4) 297 INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64) 298 INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44) 299 INTERNAL_DNS_DOMAIN(example.com) 300 INTERNAL_DNS_DOMAIN(city.other.test) 302 3.4.2. Requesting Domains and DNSSEC trust anchors 304 In this example exchange, the initiator requests INTERNAL_IP4_DNS, 305 INTERNAL_IP6_DNS, INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA 306 attributes in the CFG_REQUEST. 308 Any subsequent DNS queries from the initiator for domains such as 309 "www.example.com" or "city.other.test" would be DNSSEC validated 310 using the DNSSEC trust anchor received in the CFG_REPLY. 312 In this example, the initiator has no existing DNSSEC trust anchors 313 would the requested domain. The "example.com" dommain has DNSSEC 314 trust anchors that are returned, while the "other.test" domain has no 315 DNSSEC trust anchors. 317 CP(CFG_REQUEST) = 318 INTERNAL_IP4_ADDRESS() 319 INTERNAL_IP4_DNS() 320 INTERNAL_IP6_ADDRESS() 321 INTERNAL_IP6_DNS() 322 INTERNAL_DNS_DOMAIN() 323 INTERNAL_DNSSEC_TA() 325 CP(CFG_REPLY) = 326 INTERNAL_IP4_ADDRESS(198.51.100.234) 327 INTERNAL_IP4_DNS(198.51.100.2) 328 INTERNAL_IP4_DNS(198.51.100.4) 329 INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64) 330 INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44) 331 INTERNAL_DNS_DOMAIN(example.com) 332 INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...) 333 INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...) 334 INTERNAL_DNS_DOMAIN(city.other.test) 336 4. Payload Formats 338 All multi-octet fields representing integers are laid out in big 339 endian order (also known as "most significant byte first", or 340 "network byte order"). 342 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply 344 1 2 3 345 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 346 +-+-----------------------------+-------------------------------+ 347 |R| Attribute Type | Length | 348 +-+-----------------------------+-------------------------------+ 349 | | 350 ~ Domain Name in DNS presentation format ~ 351 | | 352 +---------------------------------------------------------------+ 354 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 356 o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. 358 o Length (2 octets) - Length of domain name. 360 o Domain Name (0 or more octets) - A Fully Qualified Domain Name 361 used for Split DNS rules, such as "example.com", in DNS 362 presentation format and using IDNA A-label [RFC5890] for 363 Internationalized Domain Names. Implementors need to be careful 364 that this value is not null-terminated. 366 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 368 An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or 369 it can contain one Trust Anchor by containing a non-zero Length with 370 a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data 371 fields. 373 An empty INTERNAL_DNSSEC_TA CFG attribute: 375 1 2 3 376 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 377 +-+-----------------------------+-------------------------------+ 378 |R| Attribute Type | Length (set to 0) | 379 +-+-----------------------------+-------------------------------+ 381 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 383 o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. 385 o Length (2 octets) - Set to 0 for an empty attribute. 387 A non-empty INTERNAL_DNSSEC_TA CFG attribute: 389 1 2 3 390 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 391 +-+-----------------------------+-------------------------------+ 392 |R| Attribute Type | Length | 393 +-+-----------------------------+---------------+---------------+ 394 | DNSKEY Key Tag | DNSKEY Alg | Digest Type | 395 +-------------------------------+---------------+---------------+ 396 | | 397 ~ Digest Data ~ 398 | | 399 +---------------------------------------------------------------+ 401 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 403 o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. 405 o Length (2 octets) - Length of DNSSEC Trust Anchor data (4 octets 406 plus the length of the Digest Data). 408 o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag 409 as specified in [RFC4034] Section 5.1. 411 o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA 412 DNS Security Algorithm Numbers Registry. 414 o Digest Type (1 octet) - DS algorithm value from the IANA 415 Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms 416 Registry. 418 o Digest Data (1 or more octets) - The DNSKEY digest as specified in 419 [RFC4034] Section 5.1 in presentation format. 421 Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST 422 immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As 423 the INTERNAL_DNSSEC_TA format itself does not contain the domain 424 name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the 425 domain for which it specifies the trust anchor. Any 426 INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an 427 INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying 428 to the same domain name MUST be ignored. 430 5. INTERNAL_DNS_DOMAIN Usage Guidelines 432 If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, 433 the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 434 servers as the default DNS server(s) for all queries. 436 If a client is configured by local policy to only accept a limited 437 set of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other 438 INTERNAL_DNS_DOMAIN values. 440 For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not 441 prohibited by local policy, the client MUST use the provided 442 INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only 443 resolvers for the listed domains and its sub-domains and it MUST NOT 444 attempt to resolve the provided DNS domains using its external DNS 445 servers. Other domain names SHOULD be resolved using some other 446 external DNS resolver(s), configured independently from IKE. Queries 447 for these other domains MAY be sent to the internal DNS resolver(s) 448 listed in that CFG_REPLY message, but have no guarantee of being 449 answered. For example, if the INTERNAL_DNS_DOMAIN attribute 450 specifies "example.test", then "example.test", "www.example.test" and 451 "mail.eng.example.test" MUST be resolved using the internal DNS 452 resolver(s), but "otherexample.test" and "ple.test" MUST NOT be 453 resolved using the internal resolver and MUST use the system's 454 external DNS resolver(s). 456 The initiator SHOULD allow the DNS domains listed in the 457 INTERNAL_DNS_DOMAIN attributes to resolve to special IP address 458 ranges, such as those of [RFC1918], even if the initiator host is 459 otherwise configured to block DNS answer containing these special IP 460 address ranges. 462 When an IKE SA is terminated, the DNS forwarding MUST be 463 unconfigured. This includes deleting the DNS forwarding rules; 464 flushing all cached data for DNS domains provided by the 465 INTERNAL_DNS_DOMAIN attribute, including negative cache entries; 466 removing any obtained DNSSEC trust anchors from the list of trust 467 anchors; and clearing the outstanding DNS request queue. 469 INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel 470 configurations where only a subset of traffic is routed into a 471 private remote network using the IPsec connection. If all traffic is 472 routed over the IPsec connection, the existing global 473 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating 474 specific DNS or DNSSEC exemptions. 476 6. INTERNAL_DNSSEC_TA Usage Guidelines 478 DNS records can be used to publish specific records containing trust 479 anchors for applications. The most common record type is the TLSA 480 record specified in [RFC6698]. This DNS record type publishes which 481 Certificate Authority (CA) certificate or End Entity (EE) certificate 482 to expect for a certain host name. These records are protected by 483 DNSSEC and thus are trustable by the application. Whether to trust 484 TLSA records instead of the traditional WebPKI depends on the local 485 policy of the client. By accepting an INTERNAL_DNSSEC_TA trust 486 anchor via IKE from the remote IKE server, the IPsec client might be 487 allowing the remote IKE server to override the trusted certificates 488 for TLS. Similar override concerns apply to other public key or 489 fingerprint-based DNS records, such as OPENPGPKEY, SMIMEA or IPSECKEY 490 records. 492 Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as 493 the equivalent of installing an Enterprise CA certificate. It allows 494 the remote IKE/IPsec server to modify DNS answers including DNSSEC 495 cryptographic signatures by overriding existing DNS information with 496 trust anchor conveyed via IKE and (temporarilly) installed on the IKE 497 client. Of specific concern is the overriding of [RFC6698] based 498 TLSA records, which represent a confirmation or override of an 499 existing WebPKI TLS certificate. Other DNS record types that convey 500 cryptographic materials (public keys or fingerprints) are OPENPGPKEY, 501 SMIMEA, SSHP and IPSECKEY records. 503 IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use 504 a whitelist of one or more domains that can be updated out of band. 505 IKE clients with an empty whitelist MUST NOT use any 506 INTERNAL_DNSSEC_TA attributes received over IKE. Such clients MAY 507 interpret receiving an INTERNAL_DNSSEC_TA attribute for a non- 508 whitelisted domain as an indication that their local configuration 509 may need to be updated out of band. 511 IKE clients should take care to only whitelist domains that apply to 512 internal or managed domains, rather than to generic Internet traffic. 513 The DNS root zone (".") MUST be ignored if it appears in a whitelist. 514 Other generic or public domains, such as top-level domains (TLDs), 515 similarly MUST be ignored if these appear in a whitelist unless the 516 entity actually is the operator of the TLD. To determine this, an 517 implementation MAY interactively ask the user when a VPN profile is 518 installed or activated to confirm this. Alternatively, it MAY 519 provide a special override keyword in its provisioning configuration 520 to ensure non-interactive agreement can be achieved only by the party 521 provisioning the VPN client, who presumbly is a trusted entity by the 522 end-user. Similarly, an entity might be using a special domain name, 523 such as ".internal", for its internal-only view and might wish to 524 force its provisioning system to accept such a domain in a Split DNS 525 configuration. 527 Any updates to this whitelist of domain names MUST happen via 528 explicit human interaction or by a trusted automated provision system 529 to prevent malicious invisible installation of trust anchors in case 530 of aIKE server compromise. 532 IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for 533 subdomain names of the whitelisted domain names. For example, if 534 "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for 535 "antartica.example.net" SHOULD be accepted. 537 IKE clients MUST ignore any received INTERNAL_DNSSEC_TA attributes 538 for a FDQN for which it did not receive and accept an 539 INTERNAL_DNS_DOMAIN Configuration Payload. 541 In most deployment scenarios, the IKE client has an expectation that 542 it is connecting, using a split-network setup, to a specific 543 organisation or enterprise. A recommended policy would be to only 544 accept INTERNAL_DNSSEC_TA directives from that organization's DNS 545 names. However, this might not be possible in all deployment 546 scenarios, such as one where the IKE server is handing out a number 547 of domains that are not within one parent domain. 549 7. Security Considerations 551 As stated in Section 2, if the negotiated IPsec connection is not a 552 split tunnel configuration, the INTERNAL_DNS_DOMAIN and 553 INTERNAL_DNSSEC_TA Configuration Payloads MUST be ignored. 555 Otherwise, generic VPN service providers could maliciously override 556 DNSSEC based trust anchors of public DNS domains. 558 An initiator MUST only accept INTERNAL_DNSSEC_TAs for which it has a 559 whitelist, since this mechanism allows the credential used to 560 authenticate an IKEv2 association to be leveraged into authenticating 561 credentials for other connections. Initiators should ensure that 562 they have sufficient trust in the responder when using this 563 mechanism. An initiator MAY treat a received INTERNAL_DNSSEC_TA for 564 an non-whitelisted domain as a signal to update the whitelist via a 565 non-IKE provisioning mechanism. See Section 6 for additional 566 security considerations for DNSSEC trust anchors. 568 The use of Split DNS configurations assigned by an IKEv2 responder is 569 predicated on the trust established during IKE SA authentication. 570 However, if IKEv2 is being negotiated with an anonymous or unknown 571 endpoint (such as for Opportunistic Security [RFC7435]), the 572 initiator MUST ignore Split DNS configurations assigned by the 573 responder. 575 If a host connected to an authenticated IKE peer is connecting to 576 another IKE peer that attempts to claim the same domain via the 577 INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process 578 the DNS information if the two connections are part of the same 579 logical entity. Otherwise, the client SHOULD refuse the DNS 580 information and potentially warn the end-user. For example, if a VPN 581 profile for "Example Corporation" is installed that provides two 582 IPsec connections, one covering 192.168.100.0/24 and one covering 583 10.13.14.0/24 it could be that both connections negotiate the same 584 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA values. Since these are 585 part of the same remote organisation (or provisioning profile), the 586 Configuration Payloads can be used. However, if a user installs two 587 VPN profiles from two different unrelated independent entities, both 588 of these could be configured to use the same domain, for example 589 ".internal". These two connections MUST NOT be allowed to be active 590 at the same time. 592 If the initiator is using DNSSEC validation for a domain in its 593 public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN 594 attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure 595 its DNS resolver to allow for an insecure delegation. It SHOULD NOT 596 accept insecure delegations for domains that are DNSSEC signed in the 597 public DNS view, for which it has not explicitly requested such 598 deletation by specifying the domain specifically using a 599 INTERNAL_DNS_DOMAIN request. 601 Deployments that configure INTERNAL_DNS_DOMAIN domains should pay 602 close attention to their use of indirect reference RRtypes in their 603 internal-only domain names. Examples of such RRtypes are NS, CNAME, 604 DNAME, MX or SRV records. For example, if the MX record for 605 "internal.example.com" points to "mx.internal.example.net", then both 606 "internal.example.com" and "internal.example.net" should be sent 607 using an INTERNAL_DNS_DOMAIN Configuration Payload. 609 IKE clients MAY want to require whitelisted domains for Top Level 610 Domains (TLDs) and Second Level Domains (SLDs) to further prevent 611 malicious DNS redirections for well known domains. This prevents 612 users from unknowingly giving DNS queries to third parties. This is 613 even more important if those well known domains are not deploying 614 DNSSEC, as the VPN service provider could then even modify the DNS 615 answers without detection. 617 The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be 618 passed to another (DNS) program for processing. As with any network 619 input, the content SHOULD be considered untrusted and handled 620 accordingly. 622 8. IANA Considerations 624 This document defines two new IKEv2 Configuration Payload Attribute 625 Types, which are allocated from the "IKEv2 Configuration Payload 626 Attribute Types" namespace. 628 Multi- 629 Value Attribute Type Valued Length Reference 630 ------ ------------------- ------ ---------- --------------- 631 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] 632 26 INTERNAL_DNSSEC_TA YES 0 or more [this document] 634 Figure 1 636 9. References 638 9.1. Normative References 640 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 641 and E. Lear, "Address Allocation for Private Internets", 642 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 643 . 645 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 646 Requirement Levels", BCP 14, RFC 2119, 647 DOI 10.17487/RFC2119, March 1997, 648 . 650 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 651 Rose, "Resource Records for the DNS Security Extensions", 652 RFC 4034, DOI 10.17487/RFC4034, March 2005, 653 . 655 [RFC5890] Klensin, J., "Internationalized Domain Names for 656 Applications (IDNA): Definitions and Document Framework", 657 RFC 5890, DOI 10.17487/RFC5890, August 2010, 658 . 660 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 661 of Named Entities (DANE) Transport Layer Security (TLS) 662 Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 663 2012, . 665 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 666 Kivinen, "Internet Key Exchange Protocol Version 2 667 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 668 2014, . 670 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 671 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 672 May 2017, . 674 9.2. Informative References 676 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 677 DOI 10.17487/RFC2775, February 2000, 678 . 680 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 681 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 682 December 2014, . 684 Authors' Addresses 686 Tommy Pauly 687 Apple Inc. 688 One Apple Park Way 689 Cupertino, California 95014 690 US 692 Email: tpauly@apple.com 693 Paul Wouters 694 Red Hat 696 Email: pwouters@redhat.com