[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-pauly-ipsecme-split-dns) 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 RFC 8598

Network                                                         T. Pauly
Internet-Draft                                                Apple Inc.
Intended status: Standards Track                              P. Wouters
Expires: September 12, 2019                                      Red Hat
                                                          March 11, 2019


                   Split DNS Configuration for IKEv2
                    draft-ietf-ipsecme-split-dns-17

Abstract

   This document defines two Configuration Payload Attribute Types
   (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key
   Exchange Protocol Version 2 (IKEv2).  These payloads add support for
   private (internal-only) DNS domains.  These domains are intended to
   be resolved using non-public DNS servers that are only reachable
   through the IPsec connection.  DNS resolution for other domains
   remains unchanged.  These Configuration Payloads only apply to split
   tunnel configurations.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Pauly & Wouters        Expires September 12, 2019               [Page 1]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  Applicability . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Protocol Exchange . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Configuration Request . . . . . . . . . . . . . . . . . .   5
     3.2.  Configuration Reply . . . . . . . . . . . . . . . . . . .   6
     3.3.  Mapping DNS Servers to Domains  . . . . . . . . . . . . .   6
     3.4.  Example Exchanges . . . . . . . . . . . . . . . . . . . .   6
       3.4.1.  Simple Case . . . . . . . . . . . . . . . . . . . . .   6
       3.4.2.  Requesting Domains and DNSSEC trust anchors . . . . .   7
   4.  Payload Formats . . . . . . . . . . . . . . . . . . . . . . .   8
     4.1.  INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
           and Reply . . . . . . . . . . . . . . . . . . . . . . . .   8
     4.2.  INTERNAL_DNSSEC_TA Configuration Attribute  . . . . . . .   9
   5.  INTERNAL_DNS_DOMAIN Usage Guidelines  . . . . . . . . . . . .  10
   6.  INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . .  11
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  12
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  14
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  15
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Introduction

   Split tunnel Virtual Private Network ("VPN") configurations only send
   packets with a specific destination IP range, usually chosen from
   [RFC1918], via the VPN.  All other traffic is not sent via the VPN.
   This allows an enterprise deployment to offer Remote Access VPN
   services without needing to accept and forward all the non-enterprise
   related network traffic generated by their remote users.  Resources
   within the enterprise can be accessed by the user via the VPN, while
   all other traffic generated by the user is not send over the VPN.

   These internal resources tend to only have internal-only DNS names
   and require the use of special internal-only DNS servers to get
   resolved.  Split DNS [RFC2775] is a common configuration that is part
   of split tunnel VPN configurations to support configuring Remote
   Access users to use these special internal-only domain names.





Pauly & Wouters        Expires September 12, 2019               [Page 2]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   The IKEv2 protocol [RFC7296] negotiates configuration parameters
   using Configuration Payload Attribute Types.  This document defines
   two Configuration Payload Attribute Types that add support for
   trusted Split DNS domains.

   The INTERNAL_DNS_DOMAIN attribute type is used to convey that the
   specified DNS domain MUST be resolved using the provided DNS
   nameserver IP addresses as specified in the INTERNAL_IP4_DNS and
   INTERNAL_IP6_DNS Configuration Payloads, causing these requests to
   use the IPsec connection.

   The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC
   trust anchor for such a domain.  This is required if the external
   view uses DNSSEC that would prove the internal view does not exist or
   would expect a different DNSSEC key on the different versions
   (internal and external) of the enterprise domain.

   If an INTERNAL_DNS_DOMAIN is sent by the responder, the responder
   MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
   attributes that contain the IPv4 or IPv6 address of the internal DNS
   server.

   For the purposes of this document, DNS resolution servers accessible
   through an IPsec connection will be referred to as "internal DNS
   servers", and other DNS servers will be referred to as "external DNS
   servers".

   Other tunnel-establishment protocols already support the assignment
   of Split DNS domains.  For example, there are proprietary extensions
   to IKEv1 that allow a server to assign Split DNS domains to a client.
   However, the IKEv2 standard does not include a method to configure
   this option.  This document defines a standard way to negotiate this
   option for IKEv2.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   captials, as shown here.

2.  Applicability

   If the negotiated IPsec connection is not a split tunnel
   configuration, the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA
   Configuration Payloads MUST be ignored.  This prevents generic (non-




Pauly & Wouters        Expires September 12, 2019               [Page 3]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   enterprise) VPN services from overriding the public DNS hierarchy,
   which could lead to malicious overrides of DNS and DNSSEC.

   Such configurations SHOULD instead use only the INTERNAL_IP4_DNS and
   INTERNAL_IP6_DNS Configuration Payloads to ensure all of the user's
   DNS traffic is send through the IPsec connection and does not leak
   unencrypted onto the local network, as the local network is often
   explicitely exempted from IPsec encryption.

   For split tunnel configurations, an enterprise can require one or
   more DNS domains to be resolved via internal DNS servers.  This can
   be a special domain, such as "corp.example.com" for an enterprise
   that is publicly known to use "example.com".  In this case, the
   remote user needs to be informed what the internal-only domain names
   are and what the IP addresses of the internal DNS servers are.  An
   enterprise can also run a different version of its public domain on
   its internal network.  In that case, the VPN client is instructed to
   send DNS queries for the enterprise public domain (eg "example.com")
   to the internal DNS servers.  A configuration for this deployment
   scenario is referred to as a Split DNS configuration.

   Split DNS configurations are often preferable to sending all DNS
   queries to the enterprise.  This allows the remote user to only send
   DNS queries for the enterprise to the internal DNS servers.  The
   enterprise remains unaware of all non-enterprise (DNS) activitiy of
   the user.  It also allows the enterprise DNS servers to only be
   configured for the enterprise DNS domains which removes the legal and
   technical responsibility of the enterprise to resolve every DNS
   domain potentially asked for by the remote user.

   A client using these configuration payloads will be able to request
   and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
   and INTERNAL_DNSSEC_TA configuration attributes.  These attributes
   MUST be accompanied by one or more INTERNAL_IP4_DNS or
   INTERNAL_IP6_DNS configuration attributes.  The client device can
   then use the internal DNS server(s) for any DNS queries within the
   assigned domains.  DNS queries for other domains SHOULD be sent to
   the regular DNS service of the client unless it prefers to use the
   IPsec tunnel for all its DNS queries.  For example, the client could
   trust the IPsec provided DNS servers more than the locally provided
   DNS servers especially in the case of connecting to unknown or
   untrusted networks (eg coffee shops or hotel networks).  Or the
   client could prefer the IPsec based DNS servers because those provide
   additional features over the local DNS servers.







Pauly & Wouters        Expires September 12, 2019               [Page 4]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


3.  Protocol Exchange

   In order to negotiate which domains are considered internal to an
   IKEv2 tunnel, initiators indicate support for Split DNS in their
   CFG_REQUEST payloads, and responders assign internal domains (and
   DNSSEC trust anchors) in their CFG_REPLY payloads.  When Split DNS
   has been negotiated, the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS DNS
   server configuration attributes will be interpreted as internal DNS
   servers that can resolve hostnames within the internal domains.

3.1.  Configuration Request

   To indicate support for Split DNS, an initiator includes one or more
   INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the
   CFG_REQUEST payload.  If an INTERNAL_DNS_DOMAIN attribute is included
   in the CFG_REQUEST, the initiator MUST also include one or more
   INTERNAL_IP4_DNS or INTERNAL_IP6_DNS attributes in the CFG_REQUEST.

   The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually
   empty but MAY contain a suggested domain name.

   The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST
   payload indicates that the initiator does not support or is unwilling
   to accept Split DNS configuration.

   To indicate support for receiving DNSSEC trust anchors for Split DNS
   domains, an initiator includes one or more INTERNAL_DNSSEC_TA
   attributes as defined in Section 4 as part of the CFG_REQUEST
   payload.  If an INTERNAL_DNSSEC_TA attribute is included in the
   CFG_REQUEST, the initiator MUST also include one or more
   INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST.  If the initiator
   includes an INTERNAL_DNSSEC_TA attribute, but does not include an
   INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with
   both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes.

   An initiator MAY convey its current DNSSEC trust anchors for the
   domain specified in the INTERNAL_DNS_DOMAIN attribute.  A responder
   can use this information to determine that it does not need to send a
   different trust anchor.  If the initiator does not wish to convey
   this information, it MUST use a length of 0.

   The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST
   payload indicates that the initiator does not support or is unwilling
   to accept DNSSEC trust anchor configuration.







Pauly & Wouters        Expires September 12, 2019               [Page 5]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


3.2.  Configuration Reply

   Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in
   their CFG_REPLY payload.  If an INTERNAL_DNS_DOMAIN attribute is
   included in the CFG_REPLY, the responder MUST also include one or
   both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the
   CFG_REPLY.  These DNS server configurations are necessary to define
   which servers can receive queries for hostnames in internal domains.
   If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the
   CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the
   initiator MUST behave as if Split DNS configurations are not
   supported by the server, unless the initiator has been configured
   with local policy to define a set of Split DNS domains to use by
   default.

   Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers
   address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve.

   If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non-
   zero lengths, the content MAY be ignored or be interpreted as a
   suggestion by the responder.

   For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute,
   one or more INTERNAL_DNSSEC_TA attributes MAY be included by the
   responder.  This attribute lists the corresponding internal DNSSEC
   trust anchor information of a DS record (see [RFC4034]).  The
   INTERNAL_DNSSEC_TA attribute MUST immediately follow the
   INTERNAL_DNS_DOMAIN attribute that it applies to.

3.3.  Mapping DNS Servers to Domains

   All DNS servers provided in the CFG_REPLY MUST support resolving
   hostnames within all INTERNAL_DNS_DOMAIN domains.  In other words,
   the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a
   single list of Split DNS domains that applies to the entire list of
   INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes.

3.4.  Example Exchanges

3.4.1.  Simple Case

   In this example exchange, the initiator requests INTERNAL_IP4_DNS,
   INTERNAL_IP6_DNS, and INTERNAL_DNS_DOMAIN attributes in the
   CFG_REQUEST, but does not specify any value for either.  This
   indicates that it supports Split DNS, but has no preference for which
   DNS requests will be routed through the tunnel.





Pauly & Wouters        Expires September 12, 2019               [Page 6]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   The responder replies with two DNS server addresses, and two internal
   domains, "example.com" and "city.other.test".

   Any subsequent DNS queries from the initiator for domains such as
   "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve.

   CP(CFG_REQUEST) =
     INTERNAL_IP4_ADDRESS()
     INTERNAL_IP4_DNS()
     INTERNAL_IP6_ADDRESS()
     INTERNAL_IP6_DNS()
     INTERNAL_DNS_DOMAIN()

   CP(CFG_REPLY) =
     INTERNAL_IP4_ADDRESS(198.51.100.234)
     INTERNAL_IP4_DNS(198.51.100.2)
     INTERNAL_IP4_DNS(198.51.100.4)
     INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
     INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
     INTERNAL_DNS_DOMAIN(example.com)
     INTERNAL_DNS_DOMAIN(city.other.test)

3.4.2.  Requesting Domains and DNSSEC trust anchors

   In this example exchange, the initiator requests INTERNAL_IP4_DNS,
   INTERNAL_IP6_DNS, INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA
   attributes in the CFG_REQUEST.

   Any subsequent DNS queries from the initiator for domains such as
   "www.example.com" or "city.other.test" would be DNSSEC validated
   using the DNSSEC trust anchor received in the CFG_REPLY.

   In this example, the initiator has no existing DNSSEC trust anchors
   would the requested domain.  The "example.com" dommain has DNSSEC
   trust anchors that are returned, while the "other.test" domain has no
   DNSSEC trust anchors.















Pauly & Wouters        Expires September 12, 2019               [Page 7]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   CP(CFG_REQUEST) =
     INTERNAL_IP4_ADDRESS()
     INTERNAL_IP4_DNS()
     INTERNAL_IP6_ADDRESS()
     INTERNAL_IP6_DNS()
     INTERNAL_DNS_DOMAIN()
     INTERNAL_DNSSEC_TA()

   CP(CFG_REPLY) =
     INTERNAL_IP4_ADDRESS(198.51.100.234)
     INTERNAL_IP4_DNS(198.51.100.2)
     INTERNAL_IP4_DNS(198.51.100.4)
     INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
     INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
     INTERNAL_DNS_DOMAIN(example.com)
     INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...)
     INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...)
     INTERNAL_DNS_DOMAIN(city.other.test)

4.  Payload Formats

   All multi-octet fields representing integers are laid out in big
   endian order (also known as "most significant byte first", or
   "network byte order").

4.1.  INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply

                       1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|         Attribute Type      |            Length             |
   +-+-----------------------------+-------------------------------+
   |                                                               |
   ~             Domain Name in DNS presentation format            ~
   |                                                               |
   +---------------------------------------------------------------+

   o  Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

   o  Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN.

   o  Length (2 octets) - Length of domain name.

   o  Domain Name (0 or more octets) - A Fully Qualified Domain Name
      used for Split DNS rules, such as "example.com", in DNS
      presentation format and using IDNA A-label [RFC5890] for
      Internationalized Domain Names.  Implementors need to be careful
      that this value is not null-terminated.



Pauly & Wouters        Expires September 12, 2019               [Page 8]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


4.2.  INTERNAL_DNSSEC_TA Configuration Attribute

   An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or
   it can contain one Trust Anchor by containing a non-zero Length with
   a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data
   fields.


   An empty INTERNAL_DNSSEC_TA CFG attribute:

                       1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|       Attribute Type        |       Length (set to 0)       |
   +-+-----------------------------+-------------------------------+


   o  Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

   o  Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA.

   o  Length (2 octets) - Set to 0 for an empty attribute.


   A non-empty INTERNAL_DNSSEC_TA CFG attribute:

                       1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|       Attribute Type        |            Length             |
   +-+-----------------------------+---------------+---------------+
   |        DNSKEY Key Tag         |  DNSKEY Alg   |  Digest Type  |
   +-------------------------------+---------------+---------------+
   |                                                               |
   ~                         Digest Data                           ~
   |                                                               |
   +---------------------------------------------------------------+

   o  Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

   o  Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA.

   o  Length (2 octets) - Length of DNSSEC Trust Anchor data (4 octets
      plus the length of the Digest Data).

   o  DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag
      as specified in [RFC4034] Section 5.1.




Pauly & Wouters        Expires September 12, 2019               [Page 9]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   o  DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA
      DNS Security Algorithm Numbers Registry.

   o  Digest Type (1 octet) - DS algorithm value from the IANA
      Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms
      Registry.

   o  Digest Data (1 or more octets) - The DNSKEY digest as specified in
      [RFC4034] Section 5.1 in presentation format.

   Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST
   immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute.  As
   the INTERNAL_DNSSEC_TA format itself does not contain the domain
   name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the
   domain for which it specifies the trust anchor.  Any
   INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
   INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying
   to the same domain name MUST be ignored.

5.  INTERNAL_DNS_DOMAIN Usage Guidelines

   If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes,
   the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
   servers as the default DNS server(s) for all queries.

   If a client is configured by local policy to only accept a limited
   set of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other
   INTERNAL_DNS_DOMAIN values.

   For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
   prohibited by local policy, the client MUST use the provided
   INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only
   resolvers for the listed domains and its sub-domains and it MUST NOT
   attempt to resolve the provided DNS domains using its external DNS
   servers.  Other domain names SHOULD be resolved using some other
   external DNS resolver(s), configured independently from IKE.  Queries
   for these other domains MAY be sent to the internal DNS resolver(s)
   listed in that CFG_REPLY message, but have no guarantee of being
   answered.  For example, if the INTERNAL_DNS_DOMAIN attribute
   specifies "example.test", then "example.test", "www.example.test" and
   "mail.eng.example.test" MUST be resolved using the internal DNS
   resolver(s), but "otherexample.test" and "ple.test" MUST NOT be
   resolved using the internal resolver and MUST use the system's
   external DNS resolver(s).

   The initiator SHOULD allow the DNS domains listed in the
   INTERNAL_DNS_DOMAIN attributes to resolve to special IP address
   ranges, such as those of [RFC1918], even if the initiator host is



Pauly & Wouters        Expires September 12, 2019              [Page 10]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   otherwise configured to block DNS answer containing these special IP
   address ranges.

   When an IKE SA is terminated, the DNS forwarding MUST be
   unconfigured.  This includes deleting the DNS forwarding rules;
   flushing all cached data for DNS domains provided by the
   INTERNAL_DNS_DOMAIN attribute, including negative cache entries;
   removing any obtained DNSSEC trust anchors from the list of trust
   anchors; and clearing the outstanding DNS request queue.

   INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel
   configurations where only a subset of traffic is routed into a
   private remote network using the IPsec connection.  If all traffic is
   routed over the IPsec connection, the existing global
   INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating
   specific DNS or DNSSEC exemptions.

6.  INTERNAL_DNSSEC_TA Usage Guidelines

   DNS records can be used to publish specific records containing trust
   anchors for applications.  The most common record type is the TLSA
   record specified in [RFC6698].  This DNS record type publishes which
   Certificate Authority (CA) certificate or End Entity (EE) certificate
   to expect for a certain host name.  These records are protected by
   DNSSEC and thus are trustable by the application.  Whether to trust
   TLSA records instead of the traditional WebPKI depends on the local
   policy of the client.  By accepting an INTERNAL_DNSSEC_TA trust
   anchor via IKE from the remote IKE server, the IPsec client might be
   allowing the remote IKE server to override the trusted certificates
   for TLS.  Similar override concerns apply to other public key or
   fingerprint-based DNS records, such as OPENPGPKEY, SMIMEA or IPSECKEY
   records.

   Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as
   the equivalent of installing an Enterprise CA certificate.  It allows
   the remote IKE/IPsec server to modify DNS answers including DNSSEC
   cryptographic signatures by overriding existing DNS information with
   trust anchor conveyed via IKE and (temporarilly) installed on the IKE
   client.  Of specific concern is the overriding of [RFC6698] based
   TLSA records, which represent a confirmation or override of an
   existing WebPKI TLS certificate.  Other DNS record types that convey
   cryptographic materials (public keys or fingerprints) are OPENPGPKEY,
   SMIMEA, SSHP and IPSECKEY records.

   IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use
   a whitelist of one or more domains that can be updated out of band.
   IKE clients with an empty whitelist MUST NOT use any
   INTERNAL_DNSSEC_TA attributes received over IKE.  Such clients MAY



Pauly & Wouters        Expires September 12, 2019              [Page 11]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   interpret receiving an INTERNAL_DNSSEC_TA attribute for a non-
   whitelisted domain as an indication that their local configuration
   may need to be updated out of band.

   IKE clients should take care to only whitelist domains that apply to
   internal or managed domains, rather than to generic Internet traffic.
   The DNS root zone (".") MUST be ignored if it appears in a whitelist.
   Other generic or public domains, such as top-level domains (TLDs),
   similarly MUST be ignored if these appear in a whitelist unless the
   entity actually is the operator of the TLD.  To determine this, an
   implementation MAY interactively ask the user when a VPN profile is
   installed or activated to confirm this.  Alternatively, it MAY
   provide a special override keyword in its provisioning configuration
   to ensure non-interactive agreement can be achieved only by the party
   provisioning the VPN client, who presumbly is a trusted entity by the
   end-user.  Similarly, an entity might be using a special domain name,
   such as ".internal", for its internal-only view and might wish to
   force its provisioning system to accept such a domain in a Split DNS
   configuration.

   Any updates to this whitelist of domain names MUST happen via
   explicit human interaction or by a trusted automated provision system
   to prevent malicious invisible installation of trust anchors in case
   of aIKE server compromise.

   IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for
   subdomain names of the whitelisted domain names.  For example, if
   "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for
   "antartica.example.net" SHOULD be accepted.

   IKE clients MUST ignore any received INTERNAL_DNSSEC_TA attributes
   for a FDQN for which it did not receive and accept an
   INTERNAL_DNS_DOMAIN Configuration Payload.

   In most deployment scenarios, the IKE client has an expectation that
   it is connecting, using a split-network setup, to a specific
   organisation or enterprise.  A recommended policy would be to only
   accept INTERNAL_DNSSEC_TA directives from that organization's DNS
   names.  However, this might not be possible in all deployment
   scenarios, such as one where the IKE server is handing out a number
   of domains that are not within one parent domain.

7.  Security Considerations

   As stated in Section 2, if the negotiated IPsec connection is not a
   split tunnel configuration, the INTERNAL_DNS_DOMAIN and
   INTERNAL_DNSSEC_TA Configuration Payloads MUST be ignored.




Pauly & Wouters        Expires September 12, 2019              [Page 12]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   Otherwise, generic VPN service providers could maliciously override
   DNSSEC based trust anchors of public DNS domains.

   An initiator MUST only accept INTERNAL_DNSSEC_TAs for which it has a
   whitelist, since this mechanism allows the credential used to
   authenticate an IKEv2 association to be leveraged into authenticating
   credentials for other connections.  Initiators should ensure that
   they have sufficient trust in the responder when using this
   mechanism.  An initiator MAY treat a received INTERNAL_DNSSEC_TA for
   an non-whitelisted domain as a signal to update the whitelist via a
   non-IKE provisioning mechanism.  See Section 6 for additional
   security considerations for DNSSEC trust anchors.

   The use of Split DNS configurations assigned by an IKEv2 responder is
   predicated on the trust established during IKE SA authentication.
   However, if IKEv2 is being negotiated with an anonymous or unknown
   endpoint (such as for Opportunistic Security [RFC7435]), the
   initiator MUST ignore Split DNS configurations assigned by the
   responder.

   If a host connected to an authenticated IKE peer is connecting to
   another IKE peer that attempts to claim the same domain via the
   INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process
   the DNS information if the two connections are part of the same
   logical entity.  Otherwise, the client SHOULD refuse the DNS
   information and potentially warn the end-user.  For example, if a VPN
   profile for "Example Corporation" is installed that provides two
   IPsec connections, one covering 192.168.100.0/24 and one covering
   10.13.14.0/24 it could be that both connections negotiate the same
   INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA values.  Since these are
   part of the same remote organisation (or provisioning profile), the
   Configuration Payloads can be used.  However, if a user installs two
   VPN profiles from two different unrelated independent entities, both
   of these could be configured to use the same domain, for example
   ".internal".  These two connections MUST NOT be allowed to be active
   at the same time.

   If the initiator is using DNSSEC validation for a domain in its
   public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN
   attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure
   its DNS resolver to allow for an insecure delegation.  It SHOULD NOT
   accept insecure delegations for domains that are DNSSEC signed in the
   public DNS view, for which it has not explicitly requested such
   deletation by specifying the domain specifically using a
   INTERNAL_DNS_DOMAIN request.

   Deployments that configure INTERNAL_DNS_DOMAIN domains should pay
   close attention to their use of indirect reference RRtypes in their



Pauly & Wouters        Expires September 12, 2019              [Page 13]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   internal-only domain names.  Examples of such RRtypes are NS, CNAME,
   DNAME, MX or SRV records.  For example, if the MX record for
   "internal.example.com" points to "mx.internal.example.net", then both
   "internal.example.com" and "internal.example.net" should be sent
   using an INTERNAL_DNS_DOMAIN Configuration Payload.

   IKE clients MAY want to require whitelisted domains for Top Level
   Domains (TLDs) and Second Level Domains (SLDs) to further prevent
   malicious DNS redirections for well known domains.  This prevents
   users from unknowingly giving DNS queries to third parties.  This is
   even more important if those well known domains are not deploying
   DNSSEC, as the VPN service provider could then even modify the DNS
   answers without detection.

   The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
   passed to another (DNS) program for processing.  As with any network
   input, the content SHOULD be considered untrusted and handled
   accordingly.

8.  IANA Considerations

   This document defines two new IKEv2 Configuration Payload Attribute
   Types, which are allocated from the "IKEv2 Configuration Payload
   Attribute Types" namespace.

                                    Multi-
   Value    Attribute Type       Valued  Length      Reference
   ------   -------------------  ------  ----------  ---------------
   25       INTERNAL_DNS_DOMAIN   YES     0 or more  [this document]
   26       INTERNAL_DNSSEC_TA    YES     0 or more  [this document]

                                 Figure 1

9.  References

9.1.  Normative References

   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
              and E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
              <https://www.rfc-editor.org/info/rfc1918>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.





Pauly & Wouters        Expires September 12, 2019              [Page 14]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, DOI 10.17487/RFC4034, March 2005,
              <https://www.rfc-editor.org/info/rfc4034>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August
              2012, <https://www.rfc-editor.org/info/rfc6698>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/info/rfc7296>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

9.2.  Informative References

   [RFC2775]  Carpenter, B., "Internet Transparency", RFC 2775,
              DOI 10.17487/RFC2775, February 2000,
              <https://www.rfc-editor.org/info/rfc2775>.

   [RFC7435]  Dukhovni, V., "Opportunistic Security: Some Protection
              Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
              December 2014, <https://www.rfc-editor.org/info/rfc7435>.

Authors' Addresses

   Tommy Pauly
   Apple Inc.
   One Apple Park Way
   Cupertino, California  95014
   US

   Email: tpauly@apple.com








Pauly & Wouters        Expires September 12, 2019              [Page 15]


Internet-Draft      Split DNS Configuration for IKEv2         March 2019


   Paul Wouters
   Red Hat

   Email: pwouters@redhat.com















































Pauly & Wouters        Expires September 12, 2019              [Page 16]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/