idnits 2.17.1 draft-pauly-ipsecme-split-dns-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 27, 2016) is 2891 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD IANA' is mentioned on line 284, but not defined == Missing Reference: 'TBD' is mentioned on line 387, but not defined Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network T. Pauly 3 Internet-Draft Apple Inc. 4 Intended status: Standards Track P. Wouters 5 Expires: November 28, 2016 Red Hat 6 May 27, 2016 8 Split-DNS Configuration for IKEv2 9 draft-pauly-ipsecme-split-dns-01 11 Abstract 13 This document defines two Configuration Payload Attribute Types for 14 the IKEv2 protocol that define sets of private DNS domains which 15 should be resolved by DNS servers reachable through an IPsec 16 connection, while leaving all other DNS resolution unchanged. The 17 options define the set of DNS domains, DNS nameserver IP addresses 18 and DNSSEC trust anchors to use for these DNS domains. This approach 19 of resolving a subset of domains using an IPSec connection is 20 referred to as "split-DNS". The information obtained via these 21 attribute types can be used to reconfigure the local DNS resolution 22 to use DNS forwarding for specific private domains. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on November 28, 2016. 41 Copyright Notice 43 Copyright (c) 2016 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 60 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 62 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 3 63 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 64 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 4 65 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 4 66 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 4 67 3.4.2. Requesting Limited Domains . . . . . . . . . . . . . 5 68 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 69 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 70 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 6 71 5. Split-DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 72 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 73 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 74 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 75 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 76 8.2. Informative References . . . . . . . . . . . . . . . . . 10 77 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 79 1. Introduction 81 The Internet Key Exchange protocol version 2 [RFC7296] negotiates 82 configuration parameters using Configuration Payload Attribute Types. 83 This document defines two Configuration Payload Attribute Types that 84 add support for trusted split-DNS domains. The INTERNAL_DNS_DOMAIN 85 attribute type is used to convey one or more DNS domains that should 86 be resolved only using the provided DNS nameserver IP addresses, 87 causing these requests to use the IPSec connection. The 88 INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust 89 anchors for those domains. When only a subset of traffic is routed 90 into a private network using an IPSec SA, this Configuration Payload 91 option can be used to define which private domains should be resolved 92 through the IPSec connection without affecting the client's global 93 DNS resolution. For the purposes of this document, DNS servers 94 accessible through an IPsec connection will be referred to as 95 "internal DNS servers", and other DNS servers will be referred to as 96 "external DNS servers". 98 A client using these configuration payloads will be able to request 99 and receive split-DNS configurations using the INTERNAL_DNS_DOMAIN 100 and INTERNAL_DNSSEC_TA configuration attributes. The client device 101 can use the internal DNS server(s) for any DNS queries within the 102 assigned domains, while routing other DNS queries to its regular 103 external DNS server. 105 1.1. Requirements Language 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 109 document are to be interpreted as described in RFC 2119 [RFC2119]. 111 2. Background 113 Split-DNS is a common configuration for enterprise VPN deployments, 114 in which only one or a few private DNS domains are accessible and 115 resolvable via an IPsec based VPN connection. 117 Other tunnel-establishment protocols already support the assignment 118 of split-DNS domains. For example, there are proprietary extensions 119 to IKEv1 that allow a server to assign split-DNS domains to a client. 120 However, the IKEv2 standard does not include a method to configure 121 this option. This document defines a standard way to negotiate this 122 option for IKEv2. 124 3. Protocol Exchange 126 3.1. Configuration Request 128 To indicate support for split-DNS, an initiator sending a CFG_REQUEST 129 payload MAY include one or more INTERNAL_DNS_DOMAIN attributes as 130 defined in Section 4. If an INTERNAL_DNS_DOMAIN attribute is 131 included in the CFG_REQUEST, the initiator SHOULD also include one or 132 both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in its 133 CFG_REQUEST. 135 If the length of the INTERNAL_DNS_DOMAIN attribute is zero, then the 136 initiator is requesting that the attribute be assigned without 137 restricting the subdomains that it will accept. 139 If the length of the INTERNAL_DNS_DOMAIN is greater than zero, the 140 value is a single DNS domain. The initiator is indicating that it 141 will only allow this domain and any sub-domains within this domain to 142 be resolved using the internal DNS servers. The list of 143 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST defines the full 144 set of domains the intiator is willing to resolve using the internal 145 DNS servers. 147 The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST 148 payload indicates that the initiator does not support or is unwilling 149 to accept split-DNS configuration. 151 3.2. Configuration Reply 153 Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in 154 their CFG_REPLY payload if the CFG_REQUEST contained at least one 155 INTERNAL_DNS_DOMAIN attribute. If the CFG_REQUEST did not contain an 156 INTERNAL_DNS_DOMAIN attribute, the responder MUST NOT include an 157 INTERNAL_DNS_DOMAIN attribute in the CFG_REPLY. If an 158 INTERNAL_DNS_DOMAIN attribute is included in the CFG_REPLY, the 159 responder SHOULD also include one or both of the INTERNAL_IP4_DNS and 160 INTERNAL_IP6_DNS attributes in its CFG_REPLY. If the CFG_REQUEST 161 included an INTERNAL_DNS_DOMAIN attribute, but the CFG_REPLY does not 162 include an INTERNAL_DNS_DOMAIN attribute, the initiator should behave 163 as if split-DNS configurations are not supported by the server. 165 Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers 166 address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. 168 If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- 169 zero lengths, the CFG_REPLY MUST NOT assign any domains in its 170 INTERNAL_DNS_DOMAIN attributes that are not contained within the 171 requested domains. The initiator SHOULD ignore any domains beyond 172 its requested list. 174 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, an 175 INTERNAL_DNSSEC_TA attribute may be included by the responder. This 176 attribute lists the corresponding DSSNEC trust anchor in the 177 presentation format of a DS record as specified in [RFC4034]. 179 3.3. Mapping DNS Servers to Domains 181 All DNS servers provided in the CFG_REPLY MUST support resolving 182 hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, 183 the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a 184 single list of split-DNS domains that applies to the entire list of 185 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 187 3.4. Example Exchanges 189 3.4.1. Simple Case 191 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 192 INTERNAL_DNS_DOMAIN attributes in its CFG_REQUEST, but does not 193 specify any value for either. This indicates that it supports split- 194 DNS, but has no preference for which DNS requests should be routed 195 through the tunnel. 197 The responder replies with two DNS server addresses, and one internal 198 domain, "example.com". 200 Any subsequent DNS queries from the initiator for domains such as 201 "www.example.com" should use 198.51.100.2 or 198.51.100.4 to resolve. 203 CP(CFG_REQUEST) = 204 INTERNAL_IP4_ADDRESS() 205 INTERNAL_IP4_DNS() 206 INTERNAL_DNS_DOMAIN() 208 CP(CFG_REPLY) = 209 INTERNAL_IP4_ADDRESS(198.51.100.234) 210 INTERNAL_IP4_DNS(198.51.100.2) 211 INTERNAL_IP4_DNS(198.51.100.4) 212 INTERNAL_DNS_DOMAIN(example.com) 214 3.4.2. Requesting Limited Domains 216 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 217 INTERNAL_DNS_DOMAIN attributes in its CFG_REQUEST, specifically 218 requesting only "example.com" and "other.com". The responder replies 219 with two DNS server addresses, 198.51.100.2 and 198.51.100.4, and two 220 domains, "example.com" and "city.other.com". Note that one of the 221 domains in the CFG_REPLY, "city.other.com", is a subset of the 222 requested domain, "other.com". This indicates that hosts within 223 "other.com" that are not within "city.other.com" should be resolved 224 using an external DNS server. The CFG_REPLY would not be allowed to 225 respond with "com" or "example.net", however, since these were 226 contained within the limited set of requested domains. 228 Any subsequent DNS queries from the initiator for domains such as 229 "www.example.com" or "city.other.com" should use 198.51.100.2 or 230 198.51.100.4 to resolve. 232 CP(CFG_REQUEST) = 233 INTERNAL_IP4_ADDRESS() 234 INTERNAL_IP4_DNS() 235 INTERNAL_DNS_DOMAIN(example.com) 236 INTERNAL_DNS_DOMAIN(other.com) 238 CP(CFG_REPLY) = 239 INTERNAL_IP4_ADDRESS(198.51.100.234) 240 INTERNAL_IP4_DNS(198.51.100.2) 241 INTERNAL_IP4_DNS(198.51.100.4) 242 INTERNAL_DNS_DOMAIN(example.com) 243 INTERNAL_DNS_DOMAIN(city.other.com) 245 4. Payload Formats 247 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type 249 1 2 3 250 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 |R| Attribute Type | Length | 253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 254 | | 255 ~ Domain Name ~ 256 | | 257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 259 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 261 o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNS_DOMAIN. 263 o Length (2 octets, unsigned integer) - Length of domain name. 265 o Domain Name (0 or more octets) - A domain or subdomain used for 266 split-DNS rules, such as example.com. This is a string of ASCII 267 characters with labels separated by dots, with no trailing dot, 268 using IDNA [RFC5890] for non-ASCII DNS domains. The value is NOT 269 null-terminated. 271 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 272 1 2 3 273 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 274 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 275 |R| Attribute Type | Length | 276 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 277 | | 278 ~ DNSSEC TRUST ANCHOR ~ 279 | | 280 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 282 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 284 o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. 286 o Length (2 octets, unsigned integer) - Length of DNSSEC Trust 287 Anchor data. 289 o DNSSEC Trust anchor (multiple octets) - The presentation format of 290 one DS record as specified in [RFC4034]. The TTL value MAY be 291 omited and when present MUST be ignored. The domain name is 292 specified as a Fully Qualified Domain Name (FQDN) - irrespective 293 of the presence of a trailing dot, and consits of a string of 294 ASCII characters with labels separated by dots and uses IDNA 295 [RFC5890] for non-ASCII DNS domains. The value is NOT null- 296 terminated. 298 5. Split-DNS Usage Guidelines 300 If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, 301 the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 302 servers as the default DNS server(s) for all queries. 304 For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload, the client 305 SHOULD use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS 306 servers as the only resolvers for the listed domains and its sub- 307 domains and it SHOULD NOT attempt to resolve the provided DNS domains 308 using its external DNS servers. 310 If the initiator host is configured to block DNS answers containing 311 IP addresses from special IP address ranges such as those of 312 [RFC1918], the initiator SHOULD allow the DNS domains listed in the 313 INTERNAL_DNS_DOMAIN attributes to contain these IP addresses. 315 If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes, 316 the client SHOULD configure its DNS resolver to resolve those domains 317 and all their subdomains using only the DNS resolver(s) listed in 318 that CFG_REPLY message. If those resolvers fail, those names SHOULD 319 NOT be resolved using any other DNS resolvers. All other domain 320 names MUST be resolved using some other external DNS resolver(s), 321 configured independently, and SHOULD NOT be sent to the internal DNS 322 resolver(s) listed in that CFG_REPLY message. For example, if the 323 INTERNAL_DNS_DOMAIN attribute specifies "example.com", then 324 "example.com", "www.example.com" and "mail.eng.example.com" MUST be 325 resolved using the internal DNS resolver(s), but "anotherexample.com" 326 and "ample.com" MUST be resolved using the system's external DNS 327 resolver(s). 329 An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing 330 domains that are designated Special Use Domain Names in [RFC6761], 331 such as "local", "localhost", "invalid", etc. Although it may 332 explicitly wish to support some Special Use Domain Names. 334 When an IPsec connection is terminated, the DNS forwarding must be 335 unconfigured. The DNS forwarding itself MUST be be deleted. All 336 cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be 337 flushed. This includes negative cache entries. Obtained DNSSEC 338 trust anchors MUST be removed from the list of trust anchors. The 339 outstanding DNS request queue MAY be cleared. 341 A domain that is served via INTERNAL_DNS_DOMAIN MUST NOT have 342 indirect references to DNS records that point to other split-DNS 343 domains that are not served via INTERNAL_DNS_DOMAIN attributes. 344 Indirect reference RRtypes include CNAME, DNAME, MX and SRV RR's. 346 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be 347 used on split-tunnel configurations where only a subset of traffic is 348 routed into a private remote network using the IPSec connection. If 349 all traffic is routed over the IPsec connection, the existing global 350 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating 351 specific DNS exemptions. 353 6. Security Considerations 355 The use of split-DNS configurations assigned by an IKEv2 responder is 356 predicated on the trust established during IKE SA authentication. 357 However, if IKEv2 is being negotiated with an anonymous or unknown 358 endpoint (such as for Opportunistic Security [RFC7435]), the 359 initiator MUST ignore split-DNS configurations assigned by the 360 responder. 362 If a host connected to an authenticated IKE peer is connecting to 363 another IKE peer that attempts to claim the same domain via the 364 INTERNAL_DNS_DOMAIN attribute, the IKE connection should be 365 terminated. 367 If the IP address value of the received INTERNAL_IP4_DNS or 368 INTERNAL_IP6_DNS attribute is not covered by the proposed IPsec 369 connection, then the local DNS should not be reconfigured until a 370 CREATE_CHILD Exchange is received that covers these IP addresses. 372 INTERNAL_DNSSEC_TA directives MUST have an accompanying 373 INTERNAL_DNS_DOMAIN directive. This prevents the insertion of rogue 374 DNSSEC trust anchors for domains that have not been configured to use 375 the IPsec connection. 377 7. IANA Considerations 379 This document defines two new IKEv2 Configuration Payload Attribute 380 Types, which are allocated from the "IKEv2 Configuration Payload 381 Attribute Types" namespace. 383 Multi- 384 Value Attribute Type Valued Length Reference 385 ------ ------------------- ------ ---------- --------------- 386 [TBD] INTERNAL_DNS_DOMAIN YES 0 or more [this document] 387 [TBD] INTERNAL_DNSSEC_TA YES 0 or more [this document] 389 Figure 1 391 8. References 393 8.1. Normative References 395 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 396 and E. Lear, "Address Allocation for Private Internets", 397 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 398 . 400 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 401 Requirement Levels", BCP 14, RFC 2119, 402 DOI 10.17487/RFC2119, March 1997, 403 . 405 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 406 Rose, "Resource Records for the DNS Security Extensions", 407 RFC 4034, DOI 10.17487/RFC4034, March 2005, 408 . 410 [RFC5890] Klensin, J., "Internationalized Domain Names for 411 Applications (IDNA): Definitions and Document Framework", 412 RFC 5890, DOI 10.17487/RFC5890, August 2010, 413 . 415 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 416 Kivinen, "Internet Key Exchange Protocol Version 2 417 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 418 2014, . 420 8.2. Informative References 422 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 423 RFC 6761, DOI 10.17487/RFC6761, February 2013, 424 . 426 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 427 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 428 December 2014, . 430 Authors' Addresses 432 Tommy Pauly 433 Apple Inc. 434 1 Infinite Loop 435 Cupertino, California 95014 436 US 438 Email: tpauly@apple.com 440 Paul Wouters 441 Red Hat 443 Email: pwouters@redhat.com