[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03 04 draft-ietf-homenet-front-end-naming-delegation

HOMENET                                                      W. Cloetens
Internet-Draft                                                SoftAtHome
Intended status: Standards Track                            P. Lemordant
Expires: December 31, 2012                               D. Migault (Ed)
                                                  Francetelecom - Orange
                                                               July 2012


             IPv6 Home Network Front End Naming Delegation
         draft-mglt-homenet-front-end-naming-delegation-00.txt

Abstract

   This document proposes a Naming Delegation Architecture that makes
   possible End Users to reach the hosts or services of their Home
   Network using Names instead of IP addresses.

   This document shows how the Naming Delegation between the CPE and the
   ISP can be set so the CPE is not exposed on the Internet.  This
   document describes an Naming Architecture where ISPs provide Front
   End Delegating DNS Servers whereas the CPEs constitute a Back End
   Network of Delegated DNS Servers.  All DNS queries for any Home
   Network are addressed to the Delegating Front End Server.  The
   response is expected to be stored on a CPE, and the Front End
   Delegating DNS Server sends a DNS Query to that CPE before answering
   to the initial DNS query.

   The negotiation between the CPE and the ISP is using DHCP Options.
   This document provides options so Front End Delegating and the
   Delegated DNS Servers configure their respective Zone files and so
   that CPEs restrict access and protect themselves from unauthorized
   DNS Queries.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 31, 2012.

Copyright Notice


Cloetens, et al.       Expires December 31, 2012                [Page 1]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements notation  . . . . . . . . . . . . . . . . . . . .  2
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Front End Naming Delegation Architecture Overview  . . . . . .  4
     4.1.  Home Network Naming Architecture Requirements  . . . . . .  4
     4.2.  Front End Naming Delegation Architecture Description . . .  6
     4.3.  Front End Naming Delegation Configuration  . . . . . . . .  6
     4.4.  Difference between the Front End Delegating DNS Server and
           traditional DNS Recursive DNS Server . . . . . . . . . . .  8
     4.5.  How the Front End Configuration impacts the CPE  . . . . .  9
   5.  Protocol Exchange  . . . . . . . . . . . . . . . . . . . . . . 10
     5.1.  CPE Request Creation and Transmission for the Front End
           Naming Delegation Architecture . . . . . . . . . . . . . . 10
     5.2.  ISP DHCP Server Responding to the CPE Request for the Front
           End Naming Delegation Architecture . . . . . . . . . . . . 10
     5.3.  CPE Receiving the ISP DHCP Response for the Front End Naming
           Delegation Architecture  . . . . . . . . . . . . . . . . . 11
   6.  DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . 11
     6.1.  Delegated DNS Architecture Option  . . . . . . . . . . . . 11
     6.2.  Front End Delegating Information Option  . . . . . . . . . 12
     6.3.  Delegating Authorized Resolvers Option . . . . . . . . . . 12
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 13
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
   9.  Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 13
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     10.1.  Normative References  . . . . . . . . . . . . . . . . . . 14
     10.2.  Informational References  . . . . . . . . . . . . . . . . 14
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].





Cloetens, et al.       Expires December 31, 2012                [Page 2]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012

2.  Introduction

   [I-D.mglt-homenet-naming-delegation] describes the Naming Delegation
   Architecture that makes possible Services and Objects of a Home
   Network to be globally reachable with Names on the Internet.  For
   that purpose, the Costumer Premise Equipment (CPE) hosts the
   authoritative DNS Server of the Home Network.  The zone associated to
   the Home Network ("my-homenet") is a subzone of a zone managed by the
   ISP ("example."). This zone is attached to the global DNS
   Architecture.  Because the ISP delegates the Naming service to the
   CPE, we call the DNS server responsible for "example."  the
   Delegating DNS Server, and the DNS server responsible for "my-
   homenet.example."  the Delegated DNS Server.  The Delegated DNS
   Server runs on the CPE, and [I-D.mglt-homenet-naming-delegation]
   describes how the CPE can automatically set the Naming Delegation
   between the Delegated and the Delegating DNS Server.  Necessary
   pieces of information to configure the respective DNS Zones are
   exchanged between the DHCP client of the CPE and the ISP DHCP Server
   through DHCP Options.

   The resulting Naming Delegation Architecture  [I-D.mglt-homenet-
   naming-delegation] results in a CPE hosting a Service on the
   Internet.  CPEs have not been designed for heavy load, and, as a
   result, the Delegating exposes the Home Network to potential Deny of
   Service attacks.  The Front End Naming Delegation Architecture
   proposed in this document is an alternative to the  Naming Delegation
   Architecture [I-D.mglt-homenet-naming-delegation] where the ISP
   provides Front End Delegating Servers that handles the whole DNS
   traffic.  The CPE remains responsible for the zone "my-
   homenet.example.", but only responds to DNS queries sent by the Front
   End Delegating Servers.  For this reason we call the CPE Delegated
   DNS Server the Back End Delegated DNS Server.

   The Front End Naming Delegation Architecture can be seen as
   providing a Authoritative DNS Server for all the Home Networks: the
   Front End Delegating DNS Server.  However this Authoritative Server
   distributes the Zone between multiple nodes (the CPE). The CPE
   constitutes the Back End Network.  The Front End Delegating DNS
   Server receives DNS query from the Internet, and to respond requires
   to retrieve this information on the CPE hosting this information.  In
   this document, the  Front End Delegating DNS Server uses the DNS
   protocol to retrieve this information from the CPE. Other protocols
   may have been chosen.

   The Front End Naming Delegation Architecture is based on the Naming
   Delegation Architecture  [I-D.mglt-homenet-naming-delegation] and
   addresses the same requirements.  It addresses the Deny of Service
   Security issue.  On the other hand, it requires the ISP to provide an
   adapted infrastructure, and that all DNS traffic is (partly) handled
   by the ISP.  The document shows how the CPE can be configured





Cloetens, et al.       Expires December 31, 2012                [Page 3]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012

   automatically and be part of the Front End Naming Delegation
   Architecture.

   In this document we only considered IPv6 and DHCP. As such DHCP MUST
   be understood as DHCPv6. We also assume the reader has read [I-D
   .mglt-homenet-naming-delegation]

3.  Terminology

   This document uses the terminology defined in [I-D.mglt-homenet-
   naming-delegation], and introduces the following terminology:

   - Front End Delegating DNS Server or Delegating DNS Server: The DNS
         Server of the ISP that handles with the DNS queries addressed
         to the Home Network.

   - Back End Delegated DNS Server or Delegated DNS Server: CPE are
         hosting a DNS Service

   - Front End Delegating Information: Information like FQDNs and IP
         addresses of the Front End Delegating DNS Servers.  These
         pieces of information are provided from the ISP DHCP Server to
         the CPE so it can properly configure its DNS zone file.

   - Delegating Authorized Resolvers: The hosts that are authorized to
         send DNS queries to the CPE. These Resolvers can be the Front
         End Delegating DNS Servers, but we keep these functions
         independent since some ISP may use dedicated Interfaces for the
         Front End Delegating DNS Server and for the Delegating
         Authorized Resolvers.

4.  Front End Naming Delegation Architecture Overview

4.1.  Home Network Naming Architecture Requirements

   The Home Network Naming Requirements for the Naming Delegation listed
   in [I-D.mglt-homenet-naming-delegation] are:


















Cloetens, et al.       Expires December 31, 2012                [Page 4]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012

   - 1: Centralized Naming Configuration: The CPE is responsible to bind
         Names and IP addresses for the whole Home Network.

   - 2: Automatic Configuration: The CPE MUST be able to set the Naming
         architecture when plugged, with minimum configuration from the
         End User.

   - 3: Advanced Configuration enable: The CPE enables advanced specific
         configurations.

   - 4: Privacy Protection By Design: The Names and the Home Network IP
         address plan is administrated by the CPE and are not
         communicated to the ISP. This prevents the ISP to be aware of
         the hosts, Services and Objects that compose the Home Network.

   - 5: Make the Home Network Naming Architecture Scalable: The Naming
         Architecture MUST be scalable and designed to handle a large
         increase of Objects, Services and hosts in each Home Networks.

   The Naming Delegation Architecture fulfills these requirements, and
   we consider this architecture as the base architecture.  However,
   this architecture major drawback is that the CPE hosts the Delegated
   DNS Server.  CPE are usually not designed to handle heavy traffic,
   and thus are sensitive to DoS attacks.  The Front End Naming
   Delegation Architecture adds one requirement to the currently
   designed Naming Delegation Architecture [I-D.mglt-homenet-naming-
   delegation]:

   - 6: ISP Infrastructure MUST protect the Naming Architecture: The CPE
         MUST NOT expose the Home Network Naming service to DoS attacks.
         The ISP MUST be able to provide the necessary infrastructure
         that handle DoS attacks, or heavy loads.

   In order to match Requirement 6, the Front End Naming delegation
   Architecture introduces Front End DNS Delegating Server that handles
   with all DNS traffic.  This means that all DNS queries that concern
   the Home Network are addressed to the Front End DNS Delegating Server
   of the ISP and are not addressed to the CPE. CPEs belong to the Back
   End DNS Network.

   The Front End DNS Naming Delegation Architecture fulfills all the
   above Requirements.  However, Requirement 4 needs to be balanced
   against Requirement 6. Requirement 6 requires the ISP to handle all
   DNS queries that concern the Home Network.  This makes the ISP aware
   of all queried Services, Objects and hosts in the Home Network.  This
   may, in that sense, reduces the Privacy of the Home Network compared
   to the Naming Delegation Architecture.  In fact with the Naming
   Delegation Architecture, the DNS query is directly sent to the CPE
   when the DNS client has the IP address of the CPE in its cache.  In
   that case, the ISP is not aware of the existence of the queried FQDN.
   However, if the DNS client does not have the IP address of the CPE,
   then the DNS query is sent first to the ISP Delegating Server.  In
   this latter case, the  Front End DNS Naming Delegation Architecture
   does not provide less privacy.

Cloetens, et al.       Expires December 31, 2012                [Page 5]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


4.2.  Front End Naming Delegation Architecture Description

   Figure 1 shows how the Resolution is performed.  In [1], the Resolver
   sends a DNS query to the Front End Delegated Server for the host
   "hots1.my-homenet.example.".  The Front End Delegated Server does not
   have the response in its cache or in its zone file.  The Front End
   Delegating DNS Server MUST send a query to the Back End Delegated DNS
   Sever.  The IP address of the Back End Delegated DNS Sever MUST NOT
   be revealed to the Resolver, for example by setting the NS field in
   the DNS Zone File.  In Figure 1, we mentioned the Delegated Server
   Information Database where this IP address is stored.  The Front End
   Delegating Server sends the DNS(SEC) query to the  Back End Delegated
   Server hosting the zone "my-homenet.example.".  The source IP address
   used is one the Delegating Authorized Resolvers IP addresses.  This
   query is represented in [2].  The Back End Delegated Server responds
   in [3] with the DNS(SEC) Response.  Note that the "AUTHORITY" and
   "ADDITIONAL SECTION" of the DNS response MUST indicate the FQDN and
   the IP addresses of the Front End Delegated DNS Server.  These pieces
   of information have been provided by the ISP DHCP Server with the
   Front End Delegating Information DHCP Option.  The CPE can also be
   configured to respond without these fields.  Finally in [4], the
   Front End Delegating Server forwards the DNS(SEC) response to the
   Resolver.  "AUTHORITY" and "ADDITIONAL SECTION" fields MUST be filled
   in appropriately.

   +--------------------------+  [1] DNS Query                     +---+
   | ZONE "example.":         |  hots1.my-homenet.example.  AAAA   | R |
   | Front End Delegating     | <-------------------------------   | E |
   | Servers                  |  [4] DNS Response:                 | S |
   +----------------------+   |  my-homenet.example. AAAA IP6      | O |
   | Delegated Server     |   | [my-homenet.example. RRSIG [...] ] | L |
   | Info Database        |   | ------------------------------->   | V |
   +----------------------+---+                                    | E |
     | [2] DNS Query        ^                                      | R |
     | hots1.my-homenet.example.  AAAA                             +---+
     |                      | [3] DNS Response:
     |                      | my-homenet.example. AAAA IP6
     v                      | [my-homenet.example. RRSIG [...] ]
   +-----------------------------+
   | CPE                         |
   | Back End Delegated Server   |
   | ZONE "my-homenet.example."  |
   | IP6 DELEGATED_DNS_ADDR_INFO |
   +-----------------------------+
          |               |
   +------------+   +------------+
   |   Host 1   |   |   Host n   |
   +------------+   +------------+

   Figure 1: DNS Resolution with the Home Network Front End Naming
             Delegation Architecture

4.3.  Front End Naming Delegation Configuration

Cloetens, et al.       Expires December 31, 2012                [Page 6]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


   Figure 2 describes the Interactions between the CPE and the ISP DHCP
   Server.

   Similarly to [I-D.mglt-homenet-naming-delegation], the CPE hosts a
   DHCP Server (DHCP_SRV) that is used to assign IP addresses and FQDNs
   to the Hosts of the Home Network.  In this document we considered
   DHCP, but other protocols can also be used in combination with DHCP
   or instead of DHCP. The CPE also has a DHCP Client (DHCP_CLT) that is
   used to exchange information with the ISP DHCP Server.  This document
   describes how these exchanges properly configure the Front End Naming
   Delegation Architecture.  The CPE also hosts a Authoritative DNS
   Server (DNS_SRV) that is responsible of the subzone associated to the
   Home Network.  This Authoritative DNS Server is called the Back End
   Delegated Server.  At last the CPE also has a Firewall (FIREWALL),
   that can be configured with security Policies.  In this document, the
   CPE is not expected to received DNS queries from any other peer but
   the Front End Delegation DNS Servers, that are in the ISP Network.

   In Figure 2. the CPE sends a DHCP Request for a Front End Naming
   Delegation Architecture (DELEGATED_DNS_ARCHITECTURE). Similarly to
   the Naming Delegation Architecture, the CPE provides the necessary
   information so the ISP can derive the IP address of the Back End
   Delegated DNS Server (DELEGATED_DNS_ADDR_INFO). If the CPE wants a
   DNSSEC Delegation to be set it also provides the Delegation of
   Signing Information (DS). In our case, the CPE also sends a request
   for a Prefix Delegation (IA_PD).

   To the difference with [I-D.mglt-homenet-naming-delegation], the IP
   address of the Back End Delegated DNS Server is not mentioned in the
   Zone file of the Front End Delegating DNS Server.  In this document,
   the Back End Delegated DNS Server is not expected to receive any DNS
   query from anyone but the  Front End Delegating DNS Server.  For DNS
   Resolvers, the only Authoritative DNS Server they are aware of is the
   Front End Delegating DNS Server.




















Cloetens, et al.       Expires December 31, 2012                [Page 7]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012

   Similarly to  [I-D.mglt-homenet-naming-delegation], the ISP DHCP
   Server provides the CPE the IP Prefix so the CPE can configure its
   Prefix Delegation.  To set the DNS(SEC) Naming Delegation the ISP
   DHCP Server indicates the type of Naming Delegation Architecture
   agreed between the CPE and the ISP DHCP Server
   (DELEGATED_DNS_ARCHITECTURE). In addition, the ISP DHCP Server,
   provides the Delegated Domain (DELEGATED_DOMAIN) as well as the IP
   addresses and FQDNs of the Front End Delegating DNS Servers
   (FRONT_END_DELEGATING_INFO). These pieces of information are
   necessary to configure the zone file of the Home Network.  In fact
   the zone file MUST be configured with the Front End Delegating Server
   as the authoritative servers.  In addition, the ISP DHCP Server may
   also provide the IP addresses or subnet prefix of the Delegating
   Authorized Resolvers (DELEGATING_AUTH_RESOLVERS). These Resolvers are
   the only hosts supposed to send DNS queries to the CPE. DNS queries
   from any other IP address MUST be discarded.

   Upon receiving these pieces of information, the Front End Delegating
   Server and the Back End Delegated Server configure their Zones.  In
   addition the CPE also configures its Firewall, so to discard any DNS
   queries but those emitted from the Delegating Authorized Resolvers.

   <--------- Home Network ---------->     <--------- ISP --------->
   +--------+  +---------------------+     +-----------------------+
   | Host 1 +--+    CPE              |     |       ISP DHCP        |
   +--------+  +----------+----------+     +-----------------------+
        .      | DHCP_SRV | DHCP_CLT |     |                       |
        .      |     v    |          |     |                       |
        .      |     v    | DHCP Request  ---------------------->  |
        .      |     v    |   DELEGATED_DNS_ARCHITECTURE,          |
        .      +----------|   DELEGATED_DNS_ADDR_INFO,             |
        .      | DNS_SRV  |   ORO(IA_PD) [DS]                      |
        .      +----------|          |     |                       |
        .      |     ^    |   <----------------------  DHCP Reply  |
        .      |     ^    |          DELEGATED_DNS_ARCHITECTURE,   |
        .      |      < < < DHCP_CLT DELEGATED_DOMAIN, IA_PD,      |
        .      |     v    |          FRONT_END_DELEGATING_INFO,    |
   +--------+  +----------+          DELEGATING_AUTH_RESOLVERS,    |
   | Host n +--| FIREWALL |          |     |                       |
   +--------+  +----------+--------- +     +-----------------------+

   Figure 2:  Front End Naming Delegation Architecture

4.4.  Difference between the Front End Delegating DNS Server and
      traditional DNS Recursive DNS Server

   From Figure 1, one may assimilate the Front End Delegating DNS Server
   to a Recursive DNS Resolver.  The main differences are:

   - 1.  The Front End Delegating DNS Server only proceeds to Resolution
         for the FQDNs that are hosted in one of the Back End Delegated
         DNS Servers.



Cloetens, et al.       Expires December 31, 2012                [Page 8]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


   - 2.  The  Back End Delegated DNS Servers are not Public DNS. More
         especially, the Delegated DNS Server may have a public IP
         address, but the DNS Service is not provided for any Resolver
         but the authorized Resolvers.

   As a result, the  Front End Delegating DNS Server is a mixed mode
   between Authoritative and Recursive DNS Server.  As an Authoritative
   Server, the Response [4] in figure 1 MUST have a Authoritative Answer
   (AA) bit set, which indicates the Response is from an Authoritative
   Server.  Then the Resolution [2] and [3] in figure 1 MUST be
   processed even if the Recursion Desired (RD) bit is not set in the
   DNS query [1].

   It is also recommended that the  Front End Delegating DNS Server
   provides the Authoritative and Additional Section of the Response in
   [4], without considering the sections of [3].  In other word, it is
   recommended not to forward these section from [3], and the CPE should
   be configured not to provide these sections in [3].

4.5.  How the Front End Configuration impacts the CPE

   Figure 2 shows that the ISP DHCP Server provides the IP addresses of
   the Front End Delegating  DNS Server as well as the Name of the Front
   End Delegating DNS Server.  These are the information the Back End
   Delegated DNS Server MUST put in its Zone file.  More especially in
   the NS fields.

   Figure 2 also shows that the ISP DHCP Server provides the CPE the IP
   addresses or subnet prefix of the  Authorized Delegating Resolvers.
   These are the IP addresses authorized to send DNS queries that
   should not be discarded on the WAN Interface.  Any other DNS query on
   the WAN should be discarded.  These rules are set by the Firewall as
   represented in Figure 2.

   The Firewall rules does not prevent the CPE to be a DNS forwarder or
   a DNS Resolver for the hosts of the Home Network.  In fact the CPE
   can still receive DNS queries from the LAN Interface.  The issue is
   that the CPE may provide Multiple DNS Services.  In this document, we
   consider the CPE provides at least a DNS Authoritative servers on its
   WAN Interface for the Authorized Delegating Resolvers.  For the LAN
   Interface, the CPE may be configured in various ways, depending on
   the ISP DNS Infrastructure.  A first configuration consists in
   configuring the CPE LAN DNS Service into a DNS forwarder.  In that
   case, the CPE DHCP server of the Home Network provides an IP address
   of the CPE for the DNS Resolver.  DNS queries for the Home Network
   are answered by the CPE, others are forwarded to the Resolver of the
   ISP. This resolver is provided via DHCP. Another alternative consists
   in configuring the CPE as a Recursive DNS Server.  Without any
   specific configurations, DNS queries for the Home Network are sent to
   the Front End Delegating DNS Server.  Optimization may be done to
   bypass the Front End Delegating DNS Server for the Home Network Zone
   and are CPE or software implementation specific.


Cloetens, et al.       Expires December 31, 2012                [Page 9]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


5.  Protocol Exchange

5.1.  CPE Request Creation and Transmission for the Front End Naming
      Delegation Architecture

   When the CPE wants to set a Front End Naming Delegation Architecture,
   it requests this set up to the ISP DHCP Server.  For that purpose, we
   consider two new naming-delegation-action:
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNS  when the delegation is only
   performed with DNS or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC if
   the CPE wants a DNSSEC delegation.  These naming-delegation-actions
   are proposed in the Delegated DNS Architecture DHCP Option
   (OPTION_DELEGATED_DNS_ARCHITECTURE). Then, the CPE proceeds as
   described in [I-D.mglt-homenet-naming-delegation].

5.2.  ISP DHCP Server Responding to the CPE Request for the Front End
      Naming Delegation Architecture

   When the DHCP Server receives a Delegated DNS Architecture DHCP
   Option (OPTION_DELEGATED_DNS_ARCHITECTURE), Delegated DNS Address
   Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO) or a
   Delegation of Signing DHCP Option (OPTION_DS), the DHCP Server
   proceeds as described in [I-D.mglt-homenet-naming-delegation].

   In addition, when the naming-delegation-action is set to
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNS or
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC, the DHCP Server MUST
   include in the Response the two additional DCHP Options.  The Front
   End Delegating Information DHCP Option
   (OPTION_FRONT_END_DELEGATING_INFO) which indicates the FQDNs of the
   Front End Delegating Servers and their associated IP addresses.
   Then, it also MUST include the Delegating Authorized Resolvers DHCP
   Option (OPTION_DELEGATING_AUTH_RESOLVERS) which indicates the IP
   addresses or subnet prefixes of the Authorized Delegating Resolvers.

   Note that Naming Delegation is set differently for the Front End
   Naming Delegation Architecture and for the Naming Delegation
   Architecture.  More specifically, in the Front End Naming Delegation,
















Cloetens, et al.       Expires December 31, 2012               [Page 10]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012

   the ISP DHCP Server MUST NOT make the IP address of the Delegated DNS
   Server public in its zone file.

5.3.  CPE Receiving the ISP DHCP Response for the Front End Naming
      Delegation Architecture

   Similarly to [I-D.mglt-homenet-naming-delegation], if the CPE has not
   received all expected DHCP Options, or cannot proceed to the
   configuration of the Naming Delegation Architecture, it MUST either
   clear the Naming Delegation settings or proceed to the appropriated
   settings.

   When the CPE receives the Delegating Authorized Resolvers DHCP Option
   (OPTION_DELEGATING_AUTH_RESOLVERS), the CPE may update its Firewall
   rules.  The Front End Delegating Information DHCP Option
   (OPTION_FRONT_END_DELEGATING_INFO) is used to configure the DNS zone
   of the Home Network.

   The CPE may receive the Delegating Authorized Resolvers or the Front
   End Delegating Information DHCP Option from the ISP DHCP Server that
   are not the response to a Delegated DNS Architecture DHCP Option.
   This may happen if the ISP DHCP Server is updating or modifying its
   Front End Delegating DNS Server or the associated Delegating
   Authorized Resolvers.  In that case, the CPE MUST make sure the
   message provides from the ISP DHCP Server and updates its Firewall
   rules as well as its DNS zone file.

6.  DHCP Options

   The options detailed in this section are

   - Delegated DNS Architecture: (OPTION_DELEGATED_DNS_ARCHITECTURE) is
         used by the DHCP Client on the CPE to inform how the Naming
         Delegation Architecture should be configured.  In return, it is
         used by the ISP DHCP Server to report the Status Code.

   - Front End Delegating Information DHCP Option: (OPTION_FRONT_END_DEL
         EGATING_INFO) is used by the ISP DHCP Server to provide the CPE
         the FQDN and IP addresses of the Authoritative DNS Server of
         the Home Network Zone file.  These Authoritative DNS Servers
         are the Front End DNS Server.

   - Delegating Authorized Resolvers DHCP Option: (OPTION_DELEGATING_AUT
         H_RESOLVERS) is used by the DHCP Server to provide the CPE the
         IP addresses or subnet prefixes of the Delegating Authorized
         Resolvers.  These are the resolvers authorized to send DNS(SEC)
         queries.

6.1.  Delegated DNS Architecture Option

   The Delegated DNS Architecture DHCP Option is defined in [I-D.mglt-
   homenet-naming-delegation].  This document adds two new naming-
   delegation-actions defined below:


Cloetens, et al.       Expires December 31, 2012               [Page 11]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


   - SET_FRONT_END_NAMING_DELEGATION_WITH_DNS - 2 - : Indicates that the
         DHCP Server MUST set the Front End Naming Delegation
         Architecture with only DNS, and MUST NOT consider DNSSEC
         Delegation.

   - SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC - 3 - : Indicates that
         the DHCP Server MUST set the Front End Naming Delegation
         Architecture with DNSSEC.

6.2.  Front End Delegating Information Option

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | OPT_FRONT_END_DELEGATING_INFO |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       front-end-length        |      front-end-fqdn-length    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /          front-end-delegating-fqdn                            /
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                   ipv6-address                                |
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                   ipv6-address                                |
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   - option-code: OPT_FRONT_END_DELEGATING_INFO (16 bits)

   - option-len: Length (16 bits) of the Front End Delegating
         Information Option in octets.

   - front-end-length: Length (16 bits) of the Front End Delegating
         Server.

   - front-end-fqdn-length: Length (16 bits) of the Front End Delegating
         Server FQDN.

   - ipv6-address: IPv6 Address (128 bits).

6.3.  Delegating Authorized Resolvers Option



Cloetens, et al.       Expires December 31, 2012               [Page 12]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |OPTION_DELEGATED_AUTH_RESOLVERS|          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | prefix-length |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   |                                                               |
   |                   ipv6-prefix                                 |
   |                                                               |
   |               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               | prefix-length |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   /                   ipv6-prefix                                 /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   - option-code: OPTION_DELEGATED_AUTH_RESOLVERS (16 bits)

   - option-len: Length (16 bits) of the Delegating Authorized Resolvers
         Option in octets.

   - prefix-length: Length (8 bits) for this prefix in bits.

   - ipv6-prefix: IPv6 address or IPv6 prefix used by the authoritative
         DNS server to send DNS queries to the delegated domain name.

7.  IANA Considerations

   This document adds two new DHCP Options:

   - OPTION_FRONT_END_DELEGATING_INFO: TBD

   - OPTION_DELEGATING_AUTH_RESOLVERS: TBD

8.  Security Considerations

   This document addresses the DoS security issue of [I-D.mglt-homenet-
   naming-delegation].  Other security considerations remains as
   described in [I-D.mglt-homenet-naming-delegation].

9.  Acknowledgment

   The authors wish to thank Ole Troan for pointing out issues with the
   IPv6 routed home concept and placing the scope of this document in a
   wider picture, Mark Townsley for encouragement and injecting a
   healthy debate on the merits of the idea, Ulrik de Bie for providing
   alternative solutions, Paul Mockapetris for pointing out issues of
   the trustworthiness of a reverse lookup, and Christian Jacquenet for
   seeing the value from a Service Provider point of view.

10.  References

Cloetens, et al.       Expires December 31, 2012               [Page 13]


Internet-DrafIPv6 Home Network Front End Naming Delegation     July 2012


10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

10.2.  Informational References

   [I-D.mglt-homenet-naming-delegation]
              Cloetens, W., Lemordant, P. and D. Migault, "IPv6 Home
              Network Naming Delegation Architecture", Internet-Draft
              draft-mglt-homenet-naming-delegation-00, July 2012.

Authors' Addresses

   Wouter Cloetens
   SoftAtHome
   vaartdijk 3 701
   3018 Wijgmaal
   Belgium

   Email: wouter.cloetens@softathome.com


   Philippe Lemordant
   Francetelecom - Orange
   2 avenue Pierre Marzin
   22300  Lannion
   France

   Phone: +33 2 96 05 35 11
   Email: philippe.lemordant@orange.com


   Daniel Migault
   Francetelecom - Orange
   38 rue du General Leclerc
   92794 Issy-les-Moulineaux Cedex 9
   France

   Phone: +33 1 45 29 60 52
   Email: mglt.ietf@gmail.com












Cloetens, et al.       Expires December 31, 2012               [Page 14]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/