draft-ietf-hip-rfc5205-bis-02.txt | draft-ietf-hip-rfc5205-bis-03.txt | |||
---|---|---|---|---|
Network Working Group J. Laganier | Network Working Group J. Laganier | |||
Internet-Draft Juniper Networks | Internet-Draft Luminate Wireless, Inc. | |||
Obsoletes: 5205 (if approved) September 22, 2012 | Obsoletes: 5205 (if approved) December 11, 2013 | |||
Intended status: Standards Track | Intended status: Standards Track | |||
Expires: March 26, 2013 | Expires: June 14, 2014 | |||
Host Identity Protocol (HIP) Domain Name System (DNS) Extension | Host Identity Protocol (HIP) Domain Name System (DNS) Extension | |||
draft-ietf-hip-rfc5205-bis-02 | draft-ietf-hip-rfc5205-bis-03 | |||
Abstract | Abstract | |||
This document specifies a new resource record (RR) for the Domain | This document specifies a new resource record (RR) for the Domain | |||
Name System (DNS), and how to use it with the Host Identity Protocol | Name System (DNS), and how to use it with the Host Identity Protocol | |||
(HIP). This RR allows a HIP node to store in the DNS its Host | (HIP). This RR allows a HIP node to store in the DNS its Host | |||
Identity (HI, the public component of the node public-private key | Identity (HI, the public component of the node public-private key | |||
pair), Host Identity Tag (HIT, a truncated hash of its public key), | pair), Host Identity Tag (HIT, a truncated hash of its public key), | |||
and the Domain Names of its rendezvous servers (RVSs). | and the Domain Names of its rendezvous servers (RVSs). This document | |||
obsoletes RFC5205. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on March 26, 2013. | This Internet-Draft will expire on June 14, 2014. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Conventions Used in This Document . . . . . . . . . . . . . . 3 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 | |||
3. Usage Scenarios . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Usage Scenarios . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3.1. Simple Static Singly Homed End-Host . . . . . . . . . . . 5 | 3.1. Simple Static Singly Homed End-Host . . . . . . . . . . . 5 | |||
3.2. Mobile end-host . . . . . . . . . . . . . . . . . . . . . 6 | 3.2. Mobile end-host . . . . . . . . . . . . . . . . . . . . . 6 | |||
4. Overview of Using the DNS with HIP . . . . . . . . . . . . . . 8 | 4. Overview of Using the DNS with HIP . . . . . . . . . . . . . 7 | |||
4.1. Storing HI, HIT, and RVS in the DNS . . . . . . . . . . . 8 | 4.1. Storing HI, HIT, and RVS in the DNS . . . . . . . . . . . 8 | |||
4.2. Initiating Connections Based on DNS Names . . . . . . . . 8 | 4.2. Initiating Connections Based on DNS Names . . . . . . . . 8 | |||
5. HIP RR Storage Format . . . . . . . . . . . . . . . . . . . . 9 | 5. HIP RR Storage Format . . . . . . . . . . . . . . . . . . . . 9 | |||
5.1. HIT Length Format . . . . . . . . . . . . . . . . . . . . 9 | 5.1. HIT Length Format . . . . . . . . . . . . . . . . . . . . 9 | |||
5.2. PK Algorithm Format . . . . . . . . . . . . . . . . . . . 9 | 5.2. PK Algorithm Format . . . . . . . . . . . . . . . . . . . 9 | |||
5.3. PK Length Format . . . . . . . . . . . . . . . . . . . . . 10 | 5.3. PK Length Format . . . . . . . . . . . . . . . . . . . . 10 | |||
5.4. HIT Format . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.4. HIT Format . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
5.5. Public Key Format . . . . . . . . . . . . . . . . . . . . 10 | 5.5. Public Key Format . . . . . . . . . . . . . . . . . . . . 10 | |||
5.6. Rendezvous Servers Format . . . . . . . . . . . . . . . . 10 | 5.6. Rendezvous Servers Format . . . . . . . . . . . . . . . . 10 | |||
6. HIP RR Presentation Format . . . . . . . . . . . . . . . . . . 10 | 6. HIP RR Presentation Format . . . . . . . . . . . . . . . . . 10 | |||
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
8.1. Attacker Tampering with an Insecure HIP RR . . . . . . . . 12 | 8.1. Attacker Tampering with an Insecure HIP RR . . . . . . . 12 | |||
8.2. Hash and HITs Collisions . . . . . . . . . . . . . . . . . 13 | 8.2. Hash and HITs Collisions . . . . . . . . . . . . . . . . 13 | |||
8.3. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 8.3. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
12.1. Normative references . . . . . . . . . . . . . . . . . . . 14 | 12.1. Normative references . . . . . . . . . . . . . . . . . . 14 | |||
12.2. Informative references . . . . . . . . . . . . . . . . . . 15 | 12.2. Informative references . . . . . . . . . . . . . . . . . 15 | |||
Appendix A. Changes from RFC 5205 . . . . . . . . . . . . . . . . 16 | Appendix A. Changes from RFC 5205 . . . . . . . . . . . . . . . 15 | |||
1. Introduction | 1. Introduction | |||
This document specifies a new resource record (RR) for the Domain | This document specifies a new resource record (RR) for the Domain | |||
Name System (DNS) [RFC1034], and how to use it with the Host Identity | Name System (DNS) [RFC1034], and how to use it with the Host Identity | |||
Protocol (HIP) [I-D.ietf-hip-rfc5201-bis]. This RR allows a HIP node | Protocol (HIP) [I-D.ietf-hip-rfc5201-bis]. This RR allows a HIP node | |||
to store in the DNS its Host Identity (HI, the public component of | to store in the DNS its Host Identity (HI, the public component of | |||
the node public-private key pair), Host Identity Tag (HIT, a | the node public-private key pair), Host Identity Tag (HIT, a | |||
truncated hash of its HI), and the Domain Names of its rendezvous | truncated hash of its HI), and the Domain Names of its rendezvous | |||
servers (RVSs) [I-D.ietf-hip-rfc5204-bis]. | servers (RVSs) [I-D.ietf-hip-rfc5204-bis]. | |||
skipping to change at page 4, line 27 | skipping to change at page 4, line 15 | |||
In these situations, for a node to be reachable by reference to its | In these situations, for a node to be reachable by reference to its | |||
Fully Qualified Domain Name (FQDN), the following information should | Fully Qualified Domain Name (FQDN), the following information should | |||
be stored in the DNS: | be stored in the DNS: | |||
o A set of IP address(es) via A [RFC1035] and AAAA [RFC3596] RR sets | o A set of IP address(es) via A [RFC1035] and AAAA [RFC3596] RR sets | |||
(RRSets [RFC2181]). | (RRSets [RFC2181]). | |||
o A Host Identity (HI), Host Identity Tag (HIT), and possibly a set | o A Host Identity (HI), Host Identity Tag (HIT), and possibly a set | |||
of rendezvous servers (RVS) through HIP RRs. | of rendezvous servers (RVS) through HIP RRs. | |||
The HIP RR is class independent. | ||||
When a HIP node wants to initiate communication with another HIP | When a HIP node wants to initiate communication with another HIP | |||
node, it first needs to perform a HIP base exchange to set up a HIP | node, it first needs to perform a HIP base exchange to set up a HIP | |||
association towards its peer. Although such an exchange can be | association towards its peer. Although such an exchange can be | |||
initiated opportunistically, i.e., without prior knowledge of the | initiated opportunistically, i.e., without prior knowledge of the | |||
Responder's HI, by doing so both nodes knowingly risk man-in-the- | Responder's HI, by doing so both nodes knowingly risk man-in-the- | |||
middle attacks on the HIP exchange. To prevent these attacks, it is | middle attacks on the HIP exchange. To prevent these attacks, it is | |||
recommended that the Initiator first obtain the HI of the Responder, | recommended that the Initiator first obtain the HI of the Responder, | |||
and then initiate the exchange. This can be done, for example, | and then initiate the exchange. This can be done, for example, | |||
through manual configuration or DNS lookups. Hence, a new HIP RR is | through manual configuration or DNS lookups. Hence, a new HIP RR is | |||
introduced. | introduced. | |||
skipping to change at page 5, line 4 | skipping to change at page 4, line 43 | |||
server as a rendezvous point to maintain reachability with possible | server as a rendezvous point to maintain reachability with possible | |||
HIP initiators while moving [RFC5206]. Such a HIP node would publish | HIP initiators while moving [RFC5206]. Such a HIP node would publish | |||
in the DNS its RVS domain name(s) in a HIP RR, while keeping its RVS | in the DNS its RVS domain name(s) in a HIP RR, while keeping its RVS | |||
up-to-date with its current set of IP addresses. | up-to-date with its current set of IP addresses. | |||
When a HIP node wants to initiate a HIP exchange with a Responder, it | When a HIP node wants to initiate a HIP exchange with a Responder, it | |||
will perform a number of DNS lookups. Depending on the type of | will perform a number of DNS lookups. Depending on the type of | |||
implementation, the order in which those lookups will be issued may | implementation, the order in which those lookups will be issued may | |||
vary. For instance, implementations using HIT in APIs may typically | vary. For instance, implementations using HIT in APIs may typically | |||
first query for HIP resource records at the Responder FQDN, while | first query for HIP resource records at the Responder FQDN, while | |||
those using an IP address in APIs may typically first query for A | those using an IP address in APIs may typically first query for A and | |||
and/or AAAA resource records. | /or AAAA resource records. | |||
In the following, we assume that the Initiator first queries for HIP | In the following, we assume that the Initiator first queries for HIP | |||
resource records at the Responder FQDN. | resource records at the Responder FQDN. | |||
If the query for the HIP type was responded to with a DNS answer with | If the query for the HIP type was responded to with a DNS answer with | |||
RCODE=3 (Name Error), then the Responder's information is not present | RCODE=3 (Name Error), then the Responder's information is not present | |||
in the DNS and further queries for the same owner name SHOULD NOT be | in the DNS and further queries for the same owner name SHOULD NOT be | |||
made. | made. | |||
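The lookup order described above (query the HIP RR at the Responder's FQDN first, stop on RCODE=3 and issue no further queries for that owner name, otherwise use the HI/HIT and the RVS names to find where to send the base exchange) as an added Python example; this is not code from the draft or any HIP implementation. The `StubResolver`, the constructed sample zone, the placeholder HIT/HI values, and the treatment of a name that exists without a HIP RRset (proceed only when the caller explicitly allows an opportunistic exchange, because of the man-in-the-middle risk the draft notes) are assumptions made here, not text from the draft.

```python
"""Added example: models an Initiator's DNS lookup order for a HIP Responder.
Uses constructed in-memory DNS answers; nothing here talks to the network."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# DNS RCODE values (RFC 1035); RCODE=3 is "Name Error", i.e. the owner name does not exist.
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


@dataclass
class HipRecord:
    """Constructed view of the HIP RR data the draft names: HIT, HI, and RVS domain names."""
    hit: bytes                                   # Host Identity Tag (truncated hash of the HI)
    hi: bytes                                    # Host Identity (public key)
    rvs: List[str] = field(default_factory=list)  # rendezvous server domain names, may be empty


@dataclass
class DnsAnswer:
    rcode: int
    hip: List[HipRecord] = field(default_factory=list)   # HIP RRset, if any
    addresses: List[str] = field(default_factory=list)   # A/AAAA RRset, if any


class StubResolver:
    """Offline stand-in for a resolver (assumption). zone maps (owner, qtype) -> answer."""

    def __init__(self, zone: Dict[Tuple[str, str], DnsAnswer]):
        self.zone = zone
        self.queries: List[Tuple[str, str]] = []   # every query issued, for inspection

    def query(self, owner: str, qtype: str) -> DnsAnswer:
        self.queries.append((owner, qtype))
        if (owner, qtype) in self.zone:
            return self.zone[(owner, qtype)]
        if any(o == owner for o, _ in self.zone):
            return DnsAnswer(rcode=RCODE_NOERROR)   # name exists, no RRset of this type
        return DnsAnswer(rcode=RCODE_NXDOMAIN)      # RCODE=3: name does not exist


@dataclass
class PeerInfo:
    hit: bytes
    hi: bytes
    addresses: List[str]   # where to send I1: the RVS addresses if an RVS is published, else the peer's own


def _lookup_addresses(resolver: StubResolver, name: str) -> List[str]:
    """Collect AAAA then A records for a name; a NODATA answer contributes nothing."""
    addrs: List[str] = []
    for qtype in ("AAAA", "A"):
        ans = resolver.query(name, qtype)
        if ans.rcode == RCODE_NOERROR:
            addrs.extend(ans.addresses)
    return addrs


def resolve_responder(resolver: StubResolver, fqdn: str,
                      allow_opportunistic: bool = False) -> Optional[PeerInfo]:
    """HIT-in-API style order: HIP RR first, then addresses.

    RCODE=3 on the HIP query means the Responder has nothing in the DNS, so no further
    query is made for that owner name. With a HIP RR, the HI/HIT are known before the base
    exchange, and the RVS names (if published) are resolved instead of the owner name.
    A name with no HIP RRset (assumption) is only used when opportunistic mode is allowed.
    """
    ans = resolver.query(fqdn, "HIP")
    if ans.rcode == RCODE_NXDOMAIN:
        return None
    if not ans.hip:
        if not allow_opportunistic:
            return None   # refusing: base exchange without the peer HI risks a MITM
        addrs = _lookup_addresses(resolver, fqdn)
        return PeerInfo(hit=b"", hi=b"", addresses=addrs) if addrs else None
    rr = ans.hip[0]
    targets = rr.rvs if rr.rvs else [fqdn]
    addrs: List[str] = []
    for name in targets:
        addrs.extend(_lookup_addresses(resolver, name))
    return PeerInfo(hit=rr.hit, hi=rr.hi, addresses=addrs)


# Constructed sample zone (placeholder values, not real keys or hosts).
SAMPLE_HIT = bytes.fromhex("20010010000000000000000000000001")   # placeholder HIT
SAMPLE_HI = b"placeholder-public-key"                             # placeholder HI
SAMPLE_ZONE: Dict[Tuple[str, str], DnsAnswer] = {
    # static, singly homed host: HIP RR plus its own AAAA
    ("static.example.com", "HIP"): DnsAnswer(RCODE_NOERROR, hip=[HipRecord(SAMPLE_HIT, SAMPLE_HI)]),
    ("static.example.com", "AAAA"): DnsAnswer(RCODE_NOERROR, addresses=["2001:db8::1"]),
    # mobile host: HIP RR names an RVS; the RVS, not the host, holds current addresses
    ("mobile.example.com", "HIP"): DnsAnswer(
        RCODE_NOERROR, hip=[HipRecord(SAMPLE_HIT, SAMPLE_HI, rvs=["rvs.example.com"])]),
    ("rvs.example.com", "AAAA"): DnsAnswer(RCODE_NOERROR, addresses=["2001:db8::10"]),
    ("rvs.example.com", "A"): DnsAnswer(RCODE_NOERROR, addresses=["192.0.2.10"]),
    # legacy host: addresses only, no HIP RRset
    ("legacy.example.com", "A"): DnsAnswer(RCODE_NOERROR, addresses=["192.0.2.20"]),
}
```

Run `resolve_responder(StubResolver(SAMPLE_ZONE), "mobile.example.com")` to see the RVS addresses returned with the peer's HI; `StubResolver.queries` shows that a Name Error on the HIP query leaves exactly one query issued.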
In case the query for the HIP records returned a DNS answer with | In case the query for the HIP records returned a DNS answer with | |||
skipping to change at page 14, line 34 | skipping to change at page 14, line 34 | |||
have helped improve this document: Jeff Ahrenholz, Rob Austein, Hannu | have helped improve this document: Jeff Ahrenholz, Rob Austein, Hannu | |||
Flinck, Olafur Gudmundsson, Tom Henderson, Peter Koch, Olaf Kolkman, | Flinck, Olafur Gudmundsson, Tom Henderson, Peter Koch, Olaf Kolkman, | |||
Miika Komu, Andrew McGregor, Erik Nordmark, and Gabriel Montenegro. | Miika Komu, Andrew McGregor, Erik Nordmark, and Gabriel Montenegro. | |||
Some parts of this document stem from the HIP specification | Some parts of this document stem from the HIP specification | |||
[I-D.ietf-hip-rfc5201-bis]. | [I-D.ietf-hip-rfc5201-bis]. | |||
12. References | 12. References | |||
12.1. Normative references | 12.1. Normative references | |||
[I-D.ietf-hip-rfc5201-bis] Moskowitz, R., Heer, T., Jokela, P., and | [I-D.ietf-hip-rfc5201-bis] | |||
T. Henderson, "Host Identity Protocol | Moskowitz, R., Heer, T., Jokela, P., and T. Henderson, | |||
Version 2 (HIPv2)", | "Host Identity Protocol Version 2 (HIPv2)", draft-ietf- | |||
draft-ietf-hip-rfc5201-bis-09 (work in | hip-rfc5201-bis-14 (work in progress), October 2013. | |||
progress), July 2012. | ||||
[I-D.ietf-hip-rfc5204-bis] Laganier, J. and L. Eggert, "Host | [I-D.ietf-hip-rfc5204-bis] | |||
Identity Protocol (HIP) Rendezvous | Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) | |||
Extension", draft-ietf-hip-rfc5204-bis-01 | Rendezvous Extension", draft-ietf-hip-rfc5204-bis-02 (work | |||
(work in progress), March 2011. | in progress), September 2012. | |||
[RFC1034] Mockapetris, P., "Domain names - concepts | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
and facilities", STD 13, RFC 1034, | STD 13, RFC 1034, November 1987. | |||
November 1987. | ||||
[RFC1035] Mockapetris, P., "Domain names - | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
implementation and specification", | specification", STD 13, RFC 1035, November 1987. | |||
STD 13, RFC 1035, November 1987. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
to Indicate Requirement Levels", BCP 14, | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
RFC 2119, March 1997. | ||||
[RFC2181] Elz, R. and R. Bush, "Clarifications to | [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | |||
the DNS Specification", RFC 2181, | Specification", RFC 2181, July 1997. | |||
July 1997. | ||||
[RFC3596] Thomson, S., Huitema, C., Ksinant, V., | [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, | |||
and M. Souissi, "DNS Extensions to | "DNS Extensions to Support IP Version 6", RFC 3596, | |||
Support IP Version 6", RFC 3596, | October 2003. | |||
October 2003. | ||||
[RFC4025] Richardson, M., "A Method for Storing | [RFC4025] Richardson, M., "A Method for Storing IPsec Keying | |||
IPsec Keying Material in DNS", RFC 4025, | Material in DNS", RFC 4025, March 2005. | |||
March 2005. | ||||
[RFC4033] Arends, R., Austein, R., Larson, M., | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
Massey, D., and S. Rose, "DNS Security | Rose, "DNS Security Introduction and Requirements", RFC | |||
Introduction and Requirements", RFC 4033, | 4033, March 2005. | |||
March 2005. | ||||
[RFC4034] Arends, R., Austein, R., Larson, M., | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
Massey, D., and S. Rose, "Resource | Rose, "Resource Records for the DNS Security Extensions", | |||
Records for the DNS Security Extensions", | RFC 4034, March 2005. | |||
RFC 4034, March 2005. | ||||
[RFC4035] Arends, R., Austein, R., Larson, M., | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
Massey, D., and S. Rose, "Protocol | Rose, "Protocol Modifications for the DNS Security | |||
Modifications for the DNS Security | Extensions", RFC 4035, March 2005. | |||
Extensions", RFC 4035, March 2005. | ||||
[RFC4648] Josefsson, S., "The Base16, Base32, and | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
Base64 Data Encodings", RFC 4648, | Encodings", RFC 4648, October 2006. | |||
October 2006. | ||||
12.2. Informative references | 12.2. Informative references | |||
[RFC2536] Eastlake, D., "DSA KEYs and SIGs in the | [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System | |||
Domain Name System (DNS)", RFC 2536, | (DNS)", RFC 2536, March 1999. | |||
March 1999. | ||||
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA | [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain | |||
KEYs in the Domain Name System (DNS)", | Name System (DNS)", RFC 3110, May 2001. | |||
RFC 3110, May 2001. | ||||
[RFC3833] Atkins, D. and R. Austein, "Threat | [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain | |||
Analysis of the Domain Name System | Name System (DNS)", RFC 3833, August 2004. | |||
(DNS)", RFC 3833, August 2004. | ||||
[RFC4423] Moskowitz, R. and P. Nikander, "Host | [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol | |||
Identity Protocol (HIP) Architecture", | (HIP) Architecture", RFC 4423, May 2006. | |||
RFC 4423, May 2006. | ||||
[RFC5205] Nikander, P. and J. Laganier, "Host | [RFC5205] Nikander, P. and J. Laganier, "Host Identity Protocol | |||
Identity Protocol (HIP) Domain Name | (HIP) Domain Name System (DNS) Extensions", RFC 5205, | |||
System (DNS) Extensions", RFC 5205, | April 2008. | |||
April 2008. | ||||
[RFC5206] Henderson, T., Ed., "End-Host Mobility | [RFC5206] Henderson, T., Ed., "End-Host Mobility and Multihoming | |||
and Multihoming with the Host Identity | with the Host Identity Protocol", RFC 5206, April 2008. | |||
Protocol", RFC 5206, April 2008. | ||||
Appendix A. Changes from RFC 5205 | Appendix A. Changes from RFC 5205 | |||
o Updated HIP references to revised HIP specifications. | o Updated HIP references to revised HIP specifications. | |||
Author's Address | Author's Address | |||
Julien Laganier | Julien Laganier | |||
Juniper Networks | Luminate Wireless, Inc. | |||
1094 North Mathilda Avenue | Cupertino, CA | |||
Sunnyvale, CA 94089 | ||||
USA | USA | |||
Phone: +1 408 936 0385 | ||||
EMail: julien.ietf@gmail.com | EMail: julien.ietf@gmail.com | |||