idnits 2.17.1

draft-mglt-naming-delegation-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (July 2, 2012) is 4314 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415)

  ** Obsolete normative reference: RFC 3633 (Obsoleted by RFC 8415)

  ** Obsolete normative reference: RFC 5996 (Obsoleted by RFC 7296)

     Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

HOMENET                                                      W. Cloetens
Internet-Draft                                                SoftAtHome
Intended status: Standards Track                            P. Lemordant
Expires: January 3, 2013                                 D. Migault (Ed)
                                                  Francetelecom - Orange
                                                            July 2, 2012

            IPv6 Home Network Naming Delegation Architecture
                  draft-mglt-naming-delegation-00.txt

Abstract

This document describes the Naming Delegation Architecture that makes an IPv6 Home Network globally reachable with Names or Fully Qualified Domain Names (FQDN). In this architecture, the Customer Premise Equipment (CPE) acts as the DNS Authoritative Server of the Home Network, also called the Delegated DNS Server. The Naming Delegation is configured between the Delegated DNS Server and the Delegating DNS Server managed by the ISP.

The use case considered in this document is an End User who subscribes with its ISP to a specific Delegated Domain for its Home Network. This document describes how the CPE automatically sets the Naming Delegation between the Delegating and Delegated DNS Servers.

The Naming Delegation is requested by the CPE. The CPE DHCP Client and the ISP DHCP Server exchange DHCP Options to properly set the Naming Delegation. More specifically, the CPE DHCP Client (resp. the ISP DHCP Server) configures the DNS(SEC) Zones of the Delegated DNS Server (resp. Delegating DNS Server). For the Delegating DNS Server, the pieces of information required to set the Naming Delegation are the IP address of the Delegated DNS Server and, if DNSSEC is used, the Delegation of Signing Information. For the Delegated DNS Server, the necessary information is the Delegated Domain associated to the Home Network.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 3, 2013.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Requirements notation
   2.  Introduction
   3.  Terminology
   4.  Home Network Naming Architecture Requirements
   5.  Home Network Delegating Architecture Overview
     5.1.  Fulfilling Home Network Naming Architecture Requirements
     5.2.  Naming Delegation Architecture Description
     5.3.  Naming Delegation Configuration Environment Description
     5.4.  Naming Delegation DHCP Configuration Description
   6.  Protocol Exchange
     6.1.  CPE Request Creation and Transmission for Naming Delegation Architecture
     6.2.  ISP DHCP Server Responding to the CPE Request for Naming Delegation Architecture
       6.2.1.  Case 1: No Delegated DNS Architecture DHCP Option in conjunction with Delegated Address Information or Delegated Domain DHCP Option
       6.2.2.  Case 2: No Delegated DNS Architecture DHCP Option in conjunction with Option Request DHCP Option for a Delegated Domain DHCP Option
       6.2.3.  Case 3: Delegated DNS Architecture DHCP Option
       6.2.4.  Processing the Delegated DNS Address Information DHCP Option
       6.2.5.  Processing the Delegation of Signing DHCP Option
     6.3.  CPE Receiving the ISP DHCP Response for the Naming Delegation Architecture
   7.  DHCP Options
     7.1.  Delegated DNS Architecture Option
     7.2.  Delegated Domain Option
     7.3.  Delegated DNS Address Information Option
     7.4.  Delegated Delegation of Signing Option
   8.  IANA Considerations
   9.  Security Considerations
     9.1.  Names are less secured than IP addresses
     9.2.  Names are less volatile than IP address
     9.3.  DNSSEC is recommended to authenticate DNS hosted data
     9.4.  Channel between the CPE and ISP DHCP Server MUST be secured
     9.5.  CPEs are sensitive to DoS
   10. Acknowledgment
   11. References
     11.1. Normative References
     11.2. Informational References
   Authors' Addresses

1. Requirements notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. Introduction

Home Networks used to be composed of a single PC or a set of PCs connected to a CPE to access the Internet. They have now evolved into a large set of applications and objects or devices managed by the CPE. Among these applications are Media applications like Video, Music and Photo Stations, Backup applications, File sharing applications with FTP and Web Stations, Access applications with VPN Stations, and others like Surveillance Stations and Printing Stations. With the Internet of Things (IoT), the number of objects attached to the CPE is expected to increase in the coming years.

Services and objects in the Home Network should therefore be reachable from anywhere on the Internet. IPv6 removes the need for NAT and makes this possible through global reachability. But IPv6 addresses remain inconvenient. In fact, most End Users prefer using Names to access these services. Furthermore, Names make communications independent of IP renumbering or changes of IP addresses. Finally, while the IP addressing plan remains opaque to End Users, they easily understand the hierarchical Naming model. More specifically, if "my-homenet" is the Delegated Domain associated to my Home Network, it makes sense that "my-service.my-homenet" is the "my-service" in "my-homenet".

To assign Names to objects and services of the Home Network, the Home Network should be provided with a Naming Architecture. For most End Users, the CPE manages the Home Network, that is to say, it provides access to the Internet, discovers the devices, and interconnects them with each other.
As a result, the CPE is the natural device to centralize the Naming service of the Home Network.

Home Networks should be operational with the least configuration. End Users expect to subscribe to an ISP, plug in the CPE with minimum configuration, and access the Internet and their services from anywhere on the Internet. The CPE interconnects the Home Network to the ISP's Network, and the CPE gets from the ISP all the necessary pieces of information to set up the connectivity. In some cases, the CPE is even provided by the ISP. In order to make services and objects of the Home Network reachable with Names, the ISP is likely to provide the CPE with the Delegated Domain associated to the Home Network, and to set up the necessary delegation to make the Home Network DNS Zone reachable from the Internet. More specifically, the End User subscribes to Internet connectivity with its ISP, and registers its Home Network Delegated Domain "my-homenet". When the CPE is plugged in, as it requests an IP prefix, it also requests the Delegated Domain - like "my-homenet.example.". From then on, all devices requesting IP addresses via DHCP or using alternative protocols are registered by the CPE in the zone "my-homenet.example.". When a communication is initiated with "a-device.my-homenet.example.", a DNS query is sent to the ISP authoritative DNS server of the zone "example.". This server is called the Delegating DNS Server and delegates the query to the CPE, which acts as the authoritative server of "my-homenet.example." and sends back the response.

This architecture is called the "Home Network Naming Delegation Architecture" because the ISP is not hosting the DNS zone of the Home Network but is delegating the Home Network zone to the CPE. There are multiple motivations for this delegation architecture.
First, delegation preserves the Home Network privacy by keeping ISPs from knowing the Home Network hosts. Furthermore, ISPs are unlikely to be able to scale their Naming infrastructure for all services and devices of the Home Networks. As a result, ISPs are looking to distribute the Naming service between the CPEs, and delegate to each CPE its associated Home Network zone.

The purpose of this document is to describe an architecture that automatically configures the Naming architecture of the Home Network. More specifically, when the End User plugs in its CPE, the CPE is assigned by the ISP a Delegated Domain that has been pre-registered by the End User with the ISP. This Delegated Domain designates the Home Network, and the CPE is expected to act as an authoritative DNS server of this Zone. When a node of the Home Network requests an IP address using DHCP, the CPE can provide the node with the IP address and update the zone file of the Home Network.

This document assumes that the communication between the CPE and the ISP DHCP Server is protected. This document does not specify which mechanism should be used. [RFC3315] proposes DHCP authentication and message exchange protection; [RFC4301] and [RFC5996] propose securing the channel at the IP layer.

This document does not provide any mechanism that protects the CPE from being exposed on the Internet. In fact, CPEs are low power devices, and the Naming Delegation described in this document exposes the CPE on the Internet by publishing its IP address and hosting the DNS Service on the CPE. This issue is addressed in [I-D.mglt-front-end-naming-delegation], which describes the Front End Naming Delegation Architecture. In this architecture, the ISP's infrastructure protects the CPE from heavy load.

This document only deals with IPv6 IP addresses and DHCPv6 [RFC3315].
When we mention DHCP, it MUST be understood as DHCPv6.

3. Terminology

This section defines terminology specific to IPv6 and DHCP used in this document.

- Home Network: Designates the objects and Services that are hosted in the Home Network of the End User.

- Home Network Naming Architecture: Designates the Architecture that makes it possible to reach a device, an object or a service in the Home Network by using Names like Fully Qualified Domain Names.

- Home Network Naming Delegation Architecture or Naming Delegation Architecture: Designates the Naming Architecture described in this document. The ISP delegates the Naming management of the Home Network to the Delegated DNS Servers. Consistency with the Global Naming Architecture is provided by the ISP. The Delegation occurs between Delegating DNS Servers hosted by the ISP and Delegated DNS Servers hosted in the Home Network.

- Internet Service Provider (ISP): The End User has subscribed to the ISP. The ISP is aware of the End User's credentials and the Delegated Domain of the Home Network. The ISP is expected to provide the CPE with the information required to properly configure the DNS Zone.

- Delegating DNS Server: Designates the Authoritative DNS Server of the ISP. The Home Network is a subzone of the Delegating DNS Server. This subzone is handled by the Delegated DNS Server.

- Customer Premise Equipment (CPE): Designates the device that hosts the DNS and DHCP Service in the Home Network. This device sets the IP and Naming interconnection between the ISP Network and the Home Network.

- Delegated DNS Server: Designates the DNS Authoritative Server that handles the Hosts of the Home Network.

- Delegated Delegation of Signing Option: Designates the DHCP Option that makes the DNSSEC Delegation possible between the Delegated DNS Server and the Delegating DNS Server.

- Delegated DNS Addressing Information Option: Designates the DHCP Option that makes the Delegation possible between the Delegated DNS Server and the Delegating DNS Server for both DNS and DNSSEC. With this option, the Delegating DNS Server is informed of the IP addressing information - the interface and the subnet identifier - used by the Delegated DNS Server.

- Delegated Domain: Designates the domain Name associated to the Home Network. In this document, the Delegated Domain is reserved by the End User with the ISP at the subscription of the Internet Access. It is then communicated to the CPE by the ISP, so the CPE properly configures its Delegated DNS Server.

- Fully Qualified Domain Name (FQDN): Name that fits the general DNS requirements.

4. Home Network Naming Architecture Requirements

The Home Network Naming Architecture is defined by two parties: the End User and the ISP. Both of them have specific requirements.

The End User requirements we are considering are the following:

- 1: Centralized Naming Configuration: Configuring a Network is most of the time more convenient when done in a centralized way. Home Networks may currently have only a few nodes, which makes a per-node configuration possible, for example using a DynDNS-like service to assign a FQDN to each node. However, the number of nodes is expected to grow in the near future, and we recommend specifying now a centralized way of configuring the Home Network Naming Architecture.

- 2: Automatic Configuration: Most End Users do not want to configure their Home Network, and configuration MUST be minimal. The procedure should consider those 90% of End Users.

- 3: Advanced Configuration enabled: Some End Users have various specific requirements, and they SHOULD be able to match these requirements. This means that the Automatic Configuration may be disabled.

- 4: Privacy Protection By Design: Most End Users do not want to provide anyone, including their ISP, with the content of their zone, like the network topology or the devices and services hosted in the Home Network. On the other hand, the content of the zone should be publicly published. DNS makes this possible for two reasons. First, DNS makes the content of the zone public without publishing the whole zone - at least AXFR queries must be disabled. Then, DNS is a distributed database with delegation mechanisms that preserve the privacy of subzones toward upper zones. Note that, as explained in Section 9, the Naming Delegation Architecture described in this document protects the End User's privacy by not providing the complete DNS zone. However, one MUST be aware that using Names exposes Home Networks to the Internet, since names are expected to provide less randomness than the standard IPv6 numbering. Moreover, Names are more associated to an identity than IP addresses are. Thus, allowing PTR DNS queries may also affect the End User's privacy.

The ISP requirements, other than fulfilling the End Users' requirements, are the following:

- 1: Make the Home Network Naming Architecture Scalable: ISPs can hardly foresee the evolution of Home Networks, that is to say the number of devices that will belong to them, or the number of requests and updates associated to each FQDN. Architectures that would make the ISP deal with all FQDNs are definitively out of scope. Delegating the management of the Zone to the CPE keeps local management local, and delegating the zone makes each CPE deal with its own zone traffic.

5. Home Network Delegating Architecture Overview

5.1. Fulfilling Home Network Naming Architecture Requirements

The CPE is designed to provide connectivity to the Home Network, and to discover and connect all Hosts of the Home Network.
As such, it is a good candidate to bind FQDNs and IP addresses. In this document, we consider the CPE as the device that centralizes the configuration of the Delegation Home Network Naming Architecture. This fulfills the End User Requirement 1.

The CPE should not need to be configured, and should get the necessary information to properly configure the Delegation Home Network Naming Architecture. These pieces of information, like the Delegated Domain assigned to the Home Network, are provided by the ISP. On the other hand, the CPE may also be able to provide information to the ISP.

For example, the CPE may provide the ISP with the Delegated DNS IP Address Information, that is to say the Interface and Subnet Identifier of the Home Network Authoritative DNS, or the Delegated Delegation of Signing, which is the hash of the public key of the Home Network Authoritative DNS server. In this document, we call the Home Network Authoritative DNS server the Delegated DNS Server. These pieces of information are device related and local information. They are not related to the configuration of the Delegation Home Network Naming Architecture. This fulfills the End User Requirement 2.

The CPE should set the Naming Delegation Architecture by requesting it. The CPE can be configured not to request these pieces of information, so the Home Network can have a specific Naming configuration. A specific Naming configuration could be, for example, that the FQDN assigned to the Home Network is different from the one attributed by the ISP. This fulfills the End User Requirement 3.

The CPE acts as an authoritative DNS server for the Home Network. This prevents communication of the DNS zone to any third party. As a result, this makes the DNS zone publicly available while protecting the privacy of the Home Network. This fulfills the End User Requirement 4.

The CPE provides the Home Network Authoritative DNS server or Delegated DNS Server. This function is added to the service/device discovery, routing service, DHCP service and Naming resolution service provided by the CPE. The CPE seems to be the most suitable device, for most End User cases, to host the Delegated DNS Server. This service includes handling the DNS queries concerning the Home Network and updating the zone for the various devices. The load generated by the Delegated DNS Server is expected to be handled by the CPE, and the CPE may be designed to handle such traffic. On the other hand, ISPs can hardly handle this traffic for all Home Networks. The Delegation Home Network Naming Architecture is adopted for its scalability. This fulfills the ISP Requirement 1.

5.2. Naming Delegation Architecture Description

Figure 1 describes a DNS resolution with the Naming Delegation Architecture. The resolution can be done using DNS or DNSSEC. In the Architecture described in Figure 1, the IPv6 address MUST be global.

In the example below, the Zone of the ISP is called "example.". The End User of the CPE has registered with the ISP the Delegated Domain "my-homenet", and the Home Network can be globally reachable under the name "my-homenet.example.". A host in the Home Network, "host1", has been assigned an IPv6 address, and has been registered in the Home Network with the name "host1.my-homenet.example.". Note that the architecture makes host1 globally reachable under the name "host1.my-homenet.example.".

The End User is likely to use alternate names, which will require the use of DNAME [RFC6672] and CNAME [RFC2118]. In other words, the Naming Delegation Architecture described in this document does not prevent the End User from registering a service or a host under an alternative name such as "host1-alternative-name.example.net".
For that purpose, the End User may manually redirect "host1-alternative-name.example.net" to "host1.my-homenet.example." using CNAME [RFC2118]. Similarly, the Home Network can also be registered under an alternate domain name such as "my-alternate-homenet.net". Redirecting the zone requires the use of DNAME. In both cases, the configuration is performed by the End User, and is independent of the configuration between the ISP and the End User.

In Figure 1, the Resolver is getting the IP address of "host1.my-homenet.example.". A DNS(SEC) Query is sent to the Delegating DNS Server responsible for "example.". Then "example." responds with the delegating information, so the resolver can send the DNS Query to the Delegated DNS Server responsible for "my-homenet.example.". The delegating pieces of information are the Name and IP address of the Delegated DNS Server and, if DNSSEC is available and requested, the Delegation of Signing. These pieces of information may have been provided by the Delegated DNS Address Information and Delegated Delegation of Signing DHCP Options.

Then, the Resolver sends the DNS(SEC) Query to the Home Network Delegated DNS Server, which responds with the requested DNS(SEC) information.

+----------------------------+             DNS Query               +---+
| ISP DNS Server             | host1.my-homenet.example. AAAA      |   |
| Delegating Servers         | <---------------------------------- |   |
| ZONE "example."            | DNS Response:                       |   |
|                            | my-homenet.example. NS IP6          | R |
|                            | [my-homenet.example. DS [...]]      | E |
+----------------------------+ ----------------------------------> | S |
+----------------------------+             DNS Query               | O |
| CPE DNS Server             | host1.my-homenet.example. AAAA      | L |
| Delegating Server          | <---------------------------------- | V |
| ZONE "my-homenet.example." | DNS Response:                       | E |
|                            | my-homenet.example. NS IP6          | R |
|                            | [my-homenet.example. RRSIG [...]]   |   |
+----------------------------+ ----------------------------------> |   |
      |              |                                             |   |
+------------+ +------------+                                      +---+
| Host 1     | | Host n     |
+------------+ +------------+

Figure 1: DNS Resolution with the Home Network Delegating Architecture

5.3. Naming Delegation Configuration Environment Description

Figure 2 shows the DHCP exchange between the CPE and the ISP DHCP Server. This exchange sets the Home Network Naming Delegation Architecture.

As shown in Figure 2, the CPE is in the Home Network and implements three functions: the DHCP Client (DHCP_CLT), the DHCP Server (DHCP_SRV) and the Delegated DNS Server (DNS_SRV).

- CPE DHCP Client (DHCP_CLT): is responsible for getting parameters from the ISP. In Figure 2, the CPE DHCP Client requests from the ISP an IPv6 Prefix Delegation (IA_PD) [RFC3633]. The CPE DHCP Client also requests to set a Naming Delegation Architecture (DELEGATED_DNS_ARCHITECTURE), and provides the necessary pieces of information to set up the Naming Delegation Architecture (DELEGATED_DNS_ADDR_INFO, DELEGATED_DNSSEC_DS). In return, the CPE DHCP Client (DHCP_CLT) is expected to receive from the ISP DHCP Server the Delegated Domain Name (DELEGATED_DOMAIN) and the IPv6 Prefix Delegation (IA_PD). These pieces of information are used to configure the Home Network DNS Zone file of the CPE Delegated DNS Server (DNS_SRV).

- CPE DHCP Server (DHCP_SRV): The DHCP server hosted by the CPE is not mandatory for the Naming Delegation Architecture. We mention it in Figure 2 because most CPEs are responsible for assigning IPv6 Addresses to the Hosts of the Home Network. Figure 2 considers that the IPv6 Addresses of the Hosts are assigned via DHCP, and that while assigning the IPv6 prefixes, the DHCP Server populates the Home Network DNS Zone file of the CPE Delegated DNS Server (DNS_SRV).

- CPE Delegated DNS Server (DNS_SRV): The CPE Delegated DNS Server hosts the Naming Service of the Home Network. The DNS Server can implement DNS or DNSSEC. This function interacts with the CPE DHCP Client (DHCP_CLT), so the Naming Delegation is properly set with the ISP, and with the CPE DHCP Server (DHCP_SRV), which manages names for the hosts of the Home Network.

The ISP DHCP Server is in the ISP Network and is the counterpart of the CPE DHCP Client (DHCP_CLT). As the CPE DHCP Client (DHCP_CLT) interacts with the Delegated DNS Server, the ISP DHCP Server also interacts with the ISP Delegating DNS Server. In fact, the ISP DHCP Server is in charge of setting the Naming Delegation upon request of the CPE DHCP Client (DHCP_CLT). Furthermore, when the Home Network Prefix Delegation is no longer active, the ISP DHCP Server MUST remove the Naming Delegation settings.

Hosts are the devices of the Home Network. Figure 2 illustrates the case where these hosts have been assigned an IPv6 prefix from the DHCP Server of the CPE. We use the "stateful address autoconfiguration protocol", as defined in [RFC3315], but other protocols like "IPv6 Stateless Address Autoconfiguration" [RFC4862] may also be used. This will not affect the Naming Delegation Architecture.

<--------- Home Network ---------->         <--------- ISP --------->
+--------+  +---------------------+         +-----------------------+
| Host 1 +--+         CPE         |         |       ISP DHCP        |
+--------+  +----------+----------+         +-----------------------+
    .       | DHCP_SRV | DHCP_CLT |                     |
    .       |    v     |     |    |                     |
    .       |    v     | DHCP Request ----------------> |
    .       |    v     |   DELEGATED_DNS_ARCHITECTURE,  |
    .       +----------|   DELEGATED_DNS_ADDR_INFO,     |
    .       | DNS_SRV  |   ORO(IA_PD)                   |
    .       +----------|   [DS, ORO(DELEGATED_DOMAIN)]  |
    .       |    ^     |     |    |                     |
    .       |    ^     | <---------------- DHCP Reply   |
    .       |    ^     |   DELEGATED_DNS_ARCHITECTURE,  |
            |    ^     |   DELEGATED_DOMAIN,            |
+--------+  |    ^     |   IA_PD                        |
| Host n +--|    < < < DHCP_CLT   |                     |
+--------+  +----------+----------+         +-----------------------+

Figure 2: Naming Delegation Architecture

5.4. Naming Delegation DHCP Configuration Description

Figure 2 illustrates how the CPE provides and gets the necessary information to set the Naming Delegation. In this document, all parameters are provided and received using DHCP Options.

First of all, in order to set the Home Network Naming Delegation, the CPE MUST have a Delegated Prefix. In our case, the CPE is requesting the Delegated Prefix from the ISP DHCP Server with the Identity Association Prefix Delegation DHCP Option (IA_PD), as defined in [RFC3633], [RFC3769]. To request the Option from the ISP DHCP Server, the CPE uses the Option Request DHCP Option (ORO) [RFC3315].

The CPE uses the Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE) to specify the naming-delegation-action to perform. The CPE provides an ordered list of alternative naming-delegation-actions. One of these actions will be chosen by the ISP DHCP Server. The naming-delegation-actions considered in this document are Clear the Naming Delegation Settings, Set it with DNS or Set it with DNSSEC. Figure 2 illustrates the case where the CPE Sets the Naming Delegation Architecture with DNS or with DNSSEC.

In order to set the Naming Delegation Architecture between the Delegating DNS Server and the Delegated DNS Server, the CPE MUST provide some pieces of information. First, the Delegating DNS Server MUST be aware of the IP address used for the Delegated DNS Server.

Since the CPE is requesting a Prefix Delegation, it is not aware of the IP address. That is why the CPE MUST provide pieces of information that enable the ISP DHCP Server to derive the IP address.
In fact, the CPE provides the Subnet Identifier and the Interface Identifier using the Delegated Address Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO). The ISP DHCP Server is aware of the assigned prefix, and thus can derive the IP address of the Delegated DNS Server.

The calculation of the CPE IPv6 address used for the delegated DNS server is done as follows:

0                             63|64                           127
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   IPv6 prefix   |  subnet-ID  |         interface-ID          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
subnet-ID length = 64 - IPv6 prefix length

Figure 3: CPE IP address Format

If DNSSEC is used, the CPE MUST also provide the Delegation of Signing (DS) Information [RFC4034]. This is done using the Delegation of Signing DHCP Option (OPTION_DS).

In Figure 2, we mentioned the Delegated Domain DHCP Option, which can optionally be requested. In fact, when the Delegated DNS Architecture DHCP Option requests the ISP to Set the Naming Delegation Architecture, the ISP is expected to send back the Delegated Domain. However, in some cases, for example if the CPE wants to check that the ISP has provisioned a Delegated Domain, the CPE may request the Delegated Domain without setting the Naming Delegation Architecture. In that case, the CPE MUST request the Delegated Domain DHCP Option (OPTION_DELEGATED_DOMAIN).

The ISP DHCP Server processes the various DHCP Options, and provides the Prefix Delegation, the Delegated DNS Architecture, and the Delegated Domain DHCP Options. The Prefix Delegation Option provides the IPv6 Prefix assigned to the Home Network. The Delegated DNS Architecture DHCP Option indicates the Naming Delegation set by the ISP, as well as the Status Code. The Delegated Domain DHCP Option provides the Domain the owner of the CPE has registered.
The ISP DHCP Server MUST keep the Naming Delegation Architecture coherent with the Prefix Delegation. If the Prefix Delegation is using DHCP, then the ISP DHCP Server MUST unset the Naming Delegation Architecture when the Prefix Delegation expires. How the DHCP Server should proceed is out of scope of this document.

6.  Protocol Exchange

In this document, we do not consider that the CPE and the ISP have pre-agreed on some parameters. In other words, all necessary information for configuring the Home Network Naming Delegation Architecture is sent via DHCP Options. The ISP is in charge of identifying the CPE owner - that is to say the End User - and is aware of the Delegated Domain the End User has subscribed for.

For clarity, we refer to the CPE DHCP Client as the CPE.

6.1.  CPE Request Creation and Transmission for Naming Delegation Architecture

The CPE provides the ISP DHCP Server an ordered list of naming-delegation-actions which starts with the most preferred action. The ISP DHCP Server can choose one of these actions and process it. These naming-delegation-actions are carried by the Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE). If the CPE wants to remove the Naming Delegation Architecture, it sets the action to CLEAR. Otherwise, it sets the action to SET_NAMING_DELEGATION_WITH_DNS or SET_NAMING_DELEGATION_WITH_DNSSEC.

The Naming Delegation cannot be set if the CPE has not been provided a Prefix Delegation. So, if the CPE has not been assigned a Prefix, it MUST first get a prefix before setting the Naming Delegation Architecture. If the Prefix Delegation is provided via the ISP DHCP Server, then the CPE can simultaneously send a DHCP Request for a Prefix Delegation with the Identity Association Prefix Delegation DHCP Option and for setting the Naming Delegation Architecture.
If SET_NAMING_DELEGATION_WITH_DNS or SET_NAMING_DELEGATION_WITH_DNSSEC is one of the naming-delegation-actions carried by the Delegated DNS Architecture DHCP Option, then the CPE MUST provide the Delegated Address Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO).

If SET_NAMING_DELEGATION_WITH_DNSSEC is one of the naming-delegation-actions carried by the Delegated DNS Architecture DHCP Option, then the CPE MUST provide the Delegation of Signing DHCP Option (OPTION_DS).

If the CPE does not want to set the Naming Delegation Architecture, but wants to know the Delegated Domain, then the CPE MUST send a Delegated Domain DHCP Option (OPTION_DELEGATED_DOMAIN) with no Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE).

6.2.  ISP DHCP Server Responding to the CPE Request for Naming Delegation Architecture

6.2.1.  Case 1: No Delegated DNS Architecture DHCP Option in conjunction with Delegated Address Information or Delegated Domain DHCP Option

When the DHCP Server receives a Delegated Address Information DHCP Option or a Delegated Domain DHCP Option, it MUST check if there is a Delegated DNS Architecture DHCP Option. If not, these DHCP Options MUST be discarded.

6.2.2.  Case 2: No Delegated DNS Architecture DHCP Option in conjunction with Option Request DHCP Option for a Delegated Domain DHCP Option

If the DHCP Server receives an Option Request DHCP Option for a Delegated Domain DHCP Option, but no Delegated DNS Architecture DHCP Option, the DHCP Server MUST NOT proceed to any configuration settings. The ISP DHCP Server returns the Delegated Domain DHCP Option. Otherwise, it MUST return a Delegated DNS Architecture DHCP Option with a single action set to NONE and the Status Code indicating the reason of failure.
Possible failure reasons are: If the DHCP Server understands the Delegated Domain DHCP Option but does not provide the Naming Delegation Service, the DHCP Server MUST return a Status Code set to NamingDelegationUnavailable. Then, if the Naming Delegation Service is available, the DHCP Server MUST check if the CPE has been identified or authenticated according to local policies. If that is not the case, the DHCP Server MUST return a Status Code set to UnauthorizedRequester. If the CPE is authorized to request a Delegated Domain DHCP Option, the DHCP Server MUST check the Delegated Domain has been provisioned, and if that is not the case, it MUST send a Status Code set to UnprovisionedDelegatedDomain. For any other failure, the DHCP Server MUST send a Status Code UnspecFail.

In case of success the DHCP Server does not return a Delegated DNS Architecture DHCP Option or Status Code.

6.2.3.  Case 3: Delegated DNS Architecture DHCP Option

When a Delegated DNS Architecture DHCP Option is received, the DHCP Server MUST check whether an Option Request for Identity Association Prefix Delegation (IA_PD) has also been provided. If that is the case, the DHCP Server MUST process this Option first. Then, the Delegated DNS Architecture DHCP Option should only be processed if the Identity Association Prefix Delegation has been processed successfully. If no Identity Association Prefix Delegation has been requested, the DHCP Server may consider the CPE has no Prefix and send a Delegated DNS Architecture DHCP Option with the status code MissingPrefixDelegationRequest. On the other hand, the DHCP Server may also assume the CPE got a Prefix another way and proceed to the Delegated DNS Architecture DHCP Option.

When a Delegated DNS Architecture DHCP Option is received and the Naming Delegation is already set, the following applies.
If the naming-delegation-action is set to NONE, the packet does not lead to any change. For all other naming-delegation-actions, the ISP DHCP Server MUST process the DHCP Option. In case of success, the Naming Delegation MUST be updated. In any other case, the ISP DHCP Server MUST clear the Naming Delegation settings.

From now on, the DHCP Server processes the Delegated DNS Architecture DHCP Option. Preliminary checks are performed; in case of failure, the DHCP Server sends a Delegated DNS Architecture DHCP Option with a single naming-delegation-action set to NONE and the Status Code indicating the reason of failure. If the DHCP Server understands this Option, but does not provide the Naming Delegation Service, the DHCP Server MUST return a Status Code set to NamingDelegationUnavailable. Then the DHCP Server MUST check the CPE is authorized for this Option. If not, the DHCP Server sends a Status Code set to UnauthorizedRequester. Finally, it MUST check if the Delegated Domain has been provisioned; otherwise the DHCP Server MUST send a Status Code set to UnprovisionedDelegatedDomain. For any other reasons, a Status Code set to UnspecFail MUST be sent.

The DHCP Server then looks at the naming-delegation-actions mentioned by the CPE. The CPE has ordered these actions according to its preference, and the most preferred naming-delegation-action is put first. Naming-delegation-actions are proposed by the CPE, thus the DHCP Server MUST skip any naming-delegation-action it does not understand or that its local policies prevent it from applying for the CPE. Note that the ordered list is only used to choose a naming-delegation-action to be applied. If the chosen naming-delegation-action fails, the DHCP Server does not have to try other naming-delegation-actions with lower preference.
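The preliminary checks and the ordered selection of Case 3, as an added example that is not code from the draft. It takes the option the draft leaves open of not trying a lower-preference action when the chosen one fails, so a CPE that prefers DNSSEC but sends no DS option gets an error instead of a silent fallback to plain DNS. ServerState, its fields and max_actions are hypothetical stand-ins for local policy; action values and status names are the draft's own (status numbers are TBD there, so names are used).

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class Action(IntEnum):
    # Values from Section 7.1 of the draft.
    NONE = 0
    CLEAR = 1
    SET_NAMING_DELEGATION_WITH_DNS = 2
    SET_NAMING_DELEGATION_WITH_DNSSEC = 3


@dataclass
class ServerState:
    """Hypothetical view of what the ISP DHCP Server knows about one CPE."""
    service_available: bool = True
    cpe_authorized: bool = True
    domain_provisioned: bool = True
    # Actions that local policy allows for this CPE.
    allowed_actions: frozenset = frozenset({
        Action.CLEAR,
        Action.SET_NAMING_DELEGATION_WITH_DNS,
        Action.SET_NAMING_DELEGATION_WITH_DNSSEC,
    })
    max_actions: int = 8  # assumed local limit on the proposal list


def process_architecture_option(proposed: bytes,
                                has_ds_option: bool,
                                state: ServerState) -> Tuple[Action, str]:
    """Return (action to report, status name) for one received option."""
    # Preliminary checks: any failure is reported with action NONE.
    if not state.service_available:
        return Action.NONE, "NamingDelegationUnavailable"
    if not state.cpe_authorized:
        return Action.NONE, "UnauthorizedRequester"
    if not state.domain_provisioned:
        return Action.NONE, "UnprovisionedDelegatedDomain"

    # The list comes from the CPE, so bound it before walking it.
    # (Status name below is spelled as in the draft.)
    if len(proposed) == 0:
        return Action.NONE, "VoidNamindDelegationActionList"
    if len(proposed) > state.max_actions:
        return Action.NONE, "TooManyNamingDelegationActions"

    # First action, in the CPE's order, that is understood and permitted.
    chosen = None
    for octet in proposed:
        try:
            action = Action(octet)
        except ValueError:
            continue  # unknown action value: skip it
        if action in state.allowed_actions:
            chosen = action
            break
    if chosen is None:
        return Action.NONE, "NoApplicableNamingDelegationAction"

    # The chosen action may still fail. No lower-preference action is tried,
    # so a DNSSEC request is never downgraded to DNS behind the CPE's back.
    # Returning the chosen action with the error is this example's choice.
    if chosen is Action.SET_NAMING_DELEGATION_WITH_DNSSEC and not has_ds_option:
        return chosen, "MissingDNSSECDelegationOfSigning"
    return chosen, "Success"


if __name__ == "__main__":
    # Constructed proposal: DNSSEC preferred, DNS second, no DS option sent.
    print(process_architecture_option(bytes([3, 2]), False, ServerState()))
```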
To prevent long proposition lists of naming-delegation-actions, the DHCP Server may send a Status Code TooManyNamingDelegationActions. If the naming-delegation-actions list is void, the DHCP Server MUST send a Status Code set to VoidNamindDelegationActionList. If none of the naming-delegation-actions is acceptable, the DHCP Server MUST send a Status Code of NoApplicableNamingDelegationAction. These Status Codes are reported in a Delegated DNS Architecture DHCP Option with naming-delegation-action set to NONE.

In this document, the naming-delegation-actions considered are CLEAR, SET_NAMING_DELEGATION_WITH_DNS, and SET_NAMING_DELEGATION_WITH_DNSSEC. Any other proposition is skipped by the DHCP Server.

If CLEAR is the chosen naming-delegation-action, there is no reason the DHCP Server cannot remove the configuration settings. In response, the DHCP Server MUST send a Delegated DNS Architecture DHCP Option with a single naming-delegation-action set to CLEAR. In case of success, the Status Code MUST be set to Success, otherwise, it MUST be set to UnspecFail.

For both SET_NAMING_DELEGATION_WITH_DNS and SET_NAMING_DELEGATION_WITH_DNSSEC naming-delegation-actions, the DHCP Server MUST have an IP address for the Delegated DNS Server. This IP address can be pre-agreed. In this document we consider that this IP address can be derived from the parameters provided by the Delegated DNS Address Information DHCP Option. It is up to the DHCP Server to define how to proceed between the pre-agreed IP address and the one derived from the Delegated DNS Address Information DHCP Option. There may be multiple Delegated DNS Address Information DHCP Options, and the DHCP Server may choose to consider all of these IP Addresses. On the other hand, the DHCP Server may also choose to send a Status Code set to DelegatedIPAddressConflict.
This Status Code is sent in a Delegated DNS Architecture DHCP Option with naming-delegation-action set to the corresponding naming-delegation-action.

If the DHCP Server accepts the Delegated DNS Address Information DHCP Options, it should process them first. If there are multiple Delegated DNS Address Information DHCP Options, the DHCP Server may process all of them. It may proceed to the Naming Delegation Architecture Configuration if at least one IP address is valid or if all IP addresses are valid.

For the SET_NAMING_DELEGATION_WITH_DNSSEC naming-delegation-action, the DHCP Server MUST check a Delegation of Signing DHCP Option has been provided. If not, the DHCP Server sends a Status Code set to MissingDNSSECDelegationOfSigning.

If the Delegated DNS Address Information and the Delegation of Signing DHCP Options have been processed successfully, the DHCP Server MUST configure the Delegating Server with the IP address(es) and DS record in its zone. Values for the TTL are defined according to the DHCP Timer. The TTL value MUST NOT be greater than the valid-lifetime of the Prefix [RFC3633]. Then, the DHCP Server sends back the Delegated DNS Architecture DHCP Option with a Status Code set to Success.

6.2.4.  Processing the Delegated DNS Address Information DHCP Option

Global Unicast IPv6 Addresses are composed of the ISP assigned prefix, that is usually composed of 56 bits, followed by the subnet-ID, typically composed of 8 bits, and the interface-ID composed of 64 bits.

In order to properly set the Naming Delegation, one MUST make sure the DHCP Server and the CPE agree on the IP address of the Delegated DNS Server. The CPE may not be aware of its ISP assigned prefix and has requested an Identity Association Prefix Delegation DHCP Option for it. The CPE may also have a pre-agreed ISP assigned prefix.
In both cases, the CPE and the DHCP Server MUST make sure they agree on the same subnet-ID, that is to say with the same length. The subnet-ID is defined by setting all unknown bits of the ISP assigned prefix to zero. If the number of zeros does not match the size of the ISP assigned prefix, the DHCP Server MUST send a Delegated DNS Architecture DHCP Option with a Status Code set to SubnetIDNonMatchingISPDelegatedPrefixLength.

For clarification on the agreed IP address of the Delegated DNS Server, the DHCP Server may send in the DHCP Reply the Delegated DNS Address Information DHCP Option with the complete information. In that case, the DHCP Server MUST add a Status Code set to Success.

6.2.5.  Processing the Delegation of Signing DHCP Option

The format of the DS RDATA is defined in [RFC4034].

6.3.  CPE Receiving the ISP DHCP Response for the Naming Delegation Architecture

The Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE) informs the CPE whether the Naming Delegation Architecture has been set as well as the configuration used by the ISP.

7.  DHCP Options

The options detailed in this section are:

- Delegated DNS Architecture (OPTION_DELEGATED_DNS_ARCHITECTURE): is used by the DHCP Client on the CPE to inform how the Naming Delegation Architecture should be configured. In return, it is used by the ISP DHCP Server to report the Status Code.

- Delegated Domain (OPTION_DELEGATED_DOMAIN): is used by the DHCP Server to advertise to the CPE the Delegated Domain of the Home Network. This Delegated Domain has been reserved and assigned by the End User during the subscription. This option is used to properly configure the DNS zone file of the CPE.
- Delegated DNS Address Information (OPTION_DELEGATED_DNS_ADDR_INFO): is used by the CPE to advertise to the DHCP Server which interface and subnet identifier are used by the CPE to build, from the delegated IPv6 prefix, the IPv6 address that hosts the DNS Server. This option is used so the DELEGATING_SERVERS can properly fix the delegation.

- Delegated Delegation of Signing (OPTION_DELEGATED_DNSSEC_DS): is used by the CPE so the DELEGATING_SERVERS can properly fix the DNSSEC Naming Delegation.

7.1.  Delegated DNS Architecture Option

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  OPTION_DELEGATED_DNS_ARCH.   |          option-len           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/                 naming-delegation-action-list                 /
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                          status-code                          |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- option-code: OPTION_DELEGATED_DNS_ARCHITECTURE.

- option-len: Length of the delegated-naming-action-list field, the status-code and the status-message in octets.

- naming-delegation-action-list: The list of the actions the CPE is ready to accept.

- status-code: The Status Code of the operation as specified in [RFC3315]. This option may be absent if operation is successful.
The naming-delegation-action-list is encoded as follows:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          list length          |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
|                 naming-delegation-action-list                 |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- list length: Length of the 'naming-delegation-action-list' field in octets.

- naming-delegation-action-list: List of proposed actions by the CPE to the ISP DHCP Server.

The naming-delegation-actions are 1 octet long, and the following values are considered in this document:

- NONE - 0 - : Indicates that the DHCP Server MUST remove the Naming Delegation Architecture Configuration settings on the Delegating DNS Server.

- CLEAR - 1 - : Indicates that the DHCP Server MUST remove the Naming Delegation Architecture Configuration settings on the Delegating DNS Server.

- SET_NAMING_DELEGATION_WITH_DNS - 2 - : Indicates that the DHCP Server MUST set the Naming Delegation Architecture with only DNS, and MUST NOT consider DNSSEC Delegation.

- SET_NAMING_DELEGATION_WITH_DNSSEC - 3 - : Indicates that the DHCP Server MUST set the Naming Delegation Architecture with DNSSEC.

The Status Code is 1 octet long and this section considers the following values:

- Success - 0 - :

- UnspecFail - 1 - :

- MissingPrefixDelegationRequest - TBD - :

- NamingDelegationUnavailable - TBD - :

- UnauthorizedRequester - TBD - :

- UnprovisionedDelegatedDomain - TBD - :

- TooManyNamingDelegationActions - TBD - :

- VoidNamindDelegationActionList - TBD - :

- NoApplicableNamingDelegationAction - TBD - :

- SubnetIDNonMatchingISPDelegatedPrefixLength - TBD - :

- DelegatedIPAddressConflict - TBD - :

- MissingDNSSECDelegationOfSigning - TBD - :

7.2.  Delegated Domain Option

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    OPTION_DELEGATED_DOMAIN    |          option-len           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                       delegated-domain                        |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- option-code: OPTION_DELEGATED_DOMAIN

- option-len: Length of the 'Delegated Domain' field in octets.

- delegated-domain: The Delegated Domain encoded as specified in [RFC1035]

7.3.  Delegated DNS Address Information Option

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_DELEGATED_DNS_ADDR_INFO|          option-len           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                     subnet-ID (8 octets)                      |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                    interface-ID (8 octets)                    |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- option-code: OPTION_DELEGATED_DNS_ADDR_INFO

- option-len: Length (16) of the Delegated DNS addressing information.

- subnet-ID: The identifier of a subnet used by the authoritative DNS server for the delegated domain name. Only the last 'm' bits are significant. The 'm' value is equal to (64 - 'n') where 'n' is the delegated prefix length. The subnet-ID may be dynamically truncated by the DHCP server and client to match the 'm' size (depending on the delegated prefix length).

- interface-ID: The interface-ID of the IPv6 address used by the authoritative DNS server for the delegated domain name.

7.4.  Delegated Delegation of Signing Option

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  OPTION_DELEGATED_DNSSEC_DS   |          option-len           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|             Delegation of Signing Resource Record             |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- option-code: OPTION_DELEGATED_DNSSEC_DS

- option-len: Length of the 'Delegated Domain' field in octets.

- DS Resource Record: The DS Resource Record as defined in [RFC4034], Section 5.

8.  IANA Considerations

This document introduces Status Codes that are carried in the DHCP Options defined in this document. The Status Codes detailed in this document are:

- NamingDelegationServiceNotProvided TBD

- UnauthorizedForNamingDelegationService TBD

- NoDelegatedDomainProvisionned TBD

- NoDelegatedDnsAddrInfo TBD

- DelegationSetWithDns TBD

- DelegationSetWithDnssec TBD

- AcceptingOnlyDnssecNamingDelegation TBD

- UnableToSetNamingDelegation TBD

- SubnetIDNonMatchingISPDelegatedPrefixLength TBD

The DHCP options detailed in this document are:

- OPTION_DELEGATED_DNS_ARCHITECTURE: TBD

- OPTION_DELEGATED_DOMAIN: TBD

- OPTION_DELEGATED_DNS_ADDR_INFO: TBD

- OPTION_DELEGATED_DNSSEC_DS: TBD

9.  Security Considerations

9.1.  Names are less secured than IP addresses

This document describes how an End User can make its services and devices from its Home Network reachable on the Internet with Names rather than IP addresses. This exposes the Home Network to attackers since names are expected to provide less randomness than IP addresses. The naming delegation protects the End User's privacy by not providing the complete zone of the Home Network to the ISP.
However, using the DNS with names for the Home Network exposes the Home Network and its components to dictionary attacks. In fact, with IP addresses, the Interface Identifier is 64 bits long, leading to 2^64 possibilities for a given subnetwork. This is not to mention that the subnet prefix is also 64 bits long, thus providing another 2^64 possibilities. On the other hand, names used either for the Home Network domain or for the devices present less randomness (livebox, router, printer, nicolas, jennifer, ...) and thus expose the devices to dictionary attacks.

9.2.  Names are less volatile than IP address

IP addresses may be used to locate a device, a host or a Service. However, Home Networks are not expected to be assigned the same Prefix over time. As a result, observing IP addresses provides some ephemeral information about who is accessing the service. On the other hand, Names are not expected to be as volatile as IP addresses. As a result, logging Names, over time, may be more valuable than logging IP addresses, especially to profile End User's characteristics.

PTR provides a way to bind an IP address to a Name. In that sense, responding to PTR DNS Queries may affect the End User's Privacy. For that reason we recommend that End Users may choose to respond or not to PTR DNS queries.

9.3.  DNSSEC is recommended to authenticate DNS hosted data

The document describes how the Secure Delegation can be set between the Delegating DNS Server and the Delegated DNS Server.

Deploying DNSSEC is recommended since in some cases the information stored in the DNS is used by the ISP or an IT department to grant access. For example, some Servers may perform a PTR DNS query to grant access based on host names.
With the described Delegating Naming Architecture, the ISP or the IT department MUST take into consideration that the CPE is outside its area of control. As such, with DNS, DNS responses may be forged, resulting in isolating a Service, or not enabling a host to access a service. ISPs or IT departments may not base their access policies on PTR or any DNS information. DNSSEC addresses this lack of trust in the DNS, and we recommend deploying DNSSEC on CPEs.

9.4.  Channel between the CPE and ISP DHCP Server MUST be secured

In the document we consider that the channel between the CPE and the ISP DHCP Server is trusted. More specifically, we suppose the CPE is authenticated and the exchanged messages are protected. The current document does not specify how to secure the channel. [RFC3315] proposes a DHCP authentication and message exchange protection; [RFC4301] and [RFC5996] propose to secure the channel at the IP layer.

In fact, the channel MUST be secured because the CPE provides necessary information for the configuration of the Naming Delegation. An unsecured channel may result in setting the Naming Delegation with a non-legitimate CPE. The non-legitimate CPE would then receive the DNS traffic that is intended for the legitimate CPE. This makes the CPE sensitive to three types of attacks. The first one is the Denial of Service Attack, if for example DNS traffic for a lot of CPEs is redirected to a single CPE. CPEs are even more sensitive to this attack since they have been designed for low traffic. The second type is DNS traffic hijacking. A malicious CPE may redirect the DNS traffic of the legitimate CPE to one of its servers. In return, the DNS Servers would be able to provide DNS Responses and redirect the End Users to malicious Servers. This is particularly used in Pharming Attacks.
A third attack may consist in isolating a Home Network by misconfiguring the Naming Delegation, for example to a non-existing DNS Server, or with a bad DS value.

9.5.  CPEs are sensitive to DoS

The Naming Delegation Architecture involves the CPE that hosts a DNS Server for the Home Network. CPEs have not been designed for handling heavy load. The CPEs are exposed on the Internet, and their IP address is publicly published on the Internet via the DNS. This makes the Home Network sensitive to Denial of Service Attacks. The Naming Delegation Architecture described in this document does not address this issue. The issue is addressed in the Front End Naming Delegation Architecture described in [I-D.mglt-front-end-naming-delegation].

10.  Acknowledgment

The authors wish to thank Ole Troan for pointing out issues with the IPv6 routed home concept and placing the scope of this document in a wider picture, Mark Townsley for encouragement and injecting a healthy debate on the merits of the idea, Ulrik de Bie for providing alternative solutions, Paul Mockapetris for pointing out issues of the trustworthiness of a reverse lookup, and Christian Jacquenet for seeing the value from a Service Provider point of view.

11.  References

11.1.  Normative References

[RFC1035]  Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.

[RFC3633]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003.
[RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

[RFC4301]  Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007.

[RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010.

[RFC6672]  Rose, S. and W. Wijngaards, "DNAME Redirection in the DNS", RFC 6672, June 2012.

11.2.  Informational References

[I-D.mglt-front-end-naming-delegation]  Cloetens, C., Lemordant, P., and D. Migault (Ed), "IPv6 Home Network Front End Naming Delegation", draft-mglt-front-end-naming-delegation-00 (work in progress), June 2012.

[RFC2118]  Pall, G., "Microsoft Point-To-Point Compression (MPPC) Protocol", RFC 2118, March 1997.

[RFC3769]  Miyakawa, S. and R. Droms, "Requirements for IPv6 Prefix Delegation", RFC 3769, June 2004.

Authors' Addresses

Wouter Cloetens
SoftAtHome
vaartdijk 3 701
3018 Wijgmaal
Belgium

Phone:
Email: wouter.cloetens@softathome.com

Philippe Lemordant
Francetelecom - Orange
2, avenue Pierre Marzin
22300 Lannion
France

Phone: +33 2 96 05 35 11
Email: philippe.lemordant@orange.com

Daniel Migault
Francetelecom - Orange
38, rue du General Leclerc
92794 Issy-les-Moulineaux Cedex 9
France

Phone: +33 1 45 29 60 52
Email: mglt.ietf@gmail.com