| rfc8598v2.txt | rfc8598.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) T. Pauly | Internet Engineering Task Force (IETF) T. Pauly | |||
| Request for Comments: 8598 Apple Inc. | Request for Comments: 8598 Apple Inc. | |||
| Category: Standards Track P. Wouters | Category: Standards Track P. Wouters | |||
| ISSN: 2070-1721 Red Hat | ISSN: 2070-1721 Red Hat | |||
| May 2019 | May 2019 | |||
| Split DNS Configuration for Internet Key Exchange Protocol Version 2 | Split DNS Configuration | |||
| (IKEv2) | for the Internet Key Exchange Protocol Version 2 (IKEv2) | |||
| Abstract | Abstract | |||
| This document defines two Configuration Payload Attribute Types | This document defines two Configuration Payload Attribute Types | |||
| (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key | (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key | |||
| Exchange Protocol version 2 (IKEv2). These payloads add support for | Exchange Protocol version 2 (IKEv2). These payloads add support for | |||
| private (internal-only) DNS domains. These domains are intended to | private (internal-only) DNS domains. These domains are intended to | |||
| be resolved using non-public DNS servers that are only reachable | be resolved using non-public DNS servers that are only reachable | |||
| through the IPsec connection. DNS resolution for other domains | through the IPsec connection. DNS resolution for other domains | |||
| remains unchanged. These Configuration Payloads only apply to split- | remains unchanged. These Configuration Payloads only apply to split- | |||
| skipping to change at page 2, line 9 | skipping to change at page 2, line 22 | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5 | 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 5 | 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 6 | 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 7 | |||
| 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 6 | 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 6 | 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.4.2. Requesting Domains and DNSSEC Trust Anchors . . . . . 7 | 3.4.2. Requesting Domains and DNSSEC Trust Anchors . . . . . 7 | |||
| 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request | |||
| and Reply . . . . . . . . . . . . . . . . . . . . . . . . 8 | and Reply . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 9 | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 9 | |||
| 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 10 | 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 11 | |||
| 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 11 | 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 12 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 15 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 15 | 9.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 1. Introduction | 1. Introduction | |||
| Split-tunnel Virtual Private Network (VPN) configurations only send | Split-tunnel Virtual Private Network (VPN) configurations only send | |||
| packets with a specific destination IP range, usually chosen from | packets with a specific destination IP range, usually chosen from | |||
| [RFC1918], via the VPN. All other traffic is not sent via the VPN. | [RFC1918], via the VPN. All other traffic is not sent via the VPN. | |||
| This allows an enterprise deployment to offer remote access VPN | This allows an enterprise deployment to offer remote access VPN | |||
| services without needing to accept and forward all the non- | services without needing to accept and forward all the non- | |||
| enterprise-related network traffic generated by their remote users. | enterprise-related network traffic generated by their remote users. | |||
| Resources within the enterprise can be accessed by the user via the | Resources within the enterprise can be accessed by the user via the | |||
| skipping to change at page 8, line 32 | skipping to change at page 9, line 13 | |||
| INTERNAL_DNS_DOMAIN(city.other.test) | INTERNAL_DNS_DOMAIN(city.other.test) | |||
| 4. Payload Formats | 4. Payload Formats | |||
| All multi-octet fields representing integers are laid out in big- | All multi-octet fields representing integers are laid out in big- | |||
| endian order (also known as "most significant byte first" or "network | endian order (also known as "most significant byte first" or "network | |||
| byte order"). | byte order"). | |||
| 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| |R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| | | | | | | |||
| ~ Domain Name in DNS presentation format ~ | ~ Domain Name in DNS presentation format ~ | |||
| | | | | | | |||
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
| o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
| skipping to change at page 9, line 16 | skipping to change at page 10, line 7 | |||
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | |||
| An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or | An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or | |||
| it can contain one trust anchor by containing a non-zero Length with | it can contain one trust anchor by containing a non-zero Length with | |||
| a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data | a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data | |||
| fields. | fields. | |||
| An empty INTERNAL_DNSSEC_TA CFG attribute: | An empty INTERNAL_DNSSEC_TA CFG attribute: | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| |R| Attribute Type | Length (set to 0) | | |R| Attribute Type | Length (set to 0) | | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
| o Attribute Type (15 bits) - set to value 26 for INTERNAL_DNSSEC_TA. | o Attribute Type (15 bits) - set to value 26 for INTERNAL_DNSSEC_TA. | |||
| o Length (2 octets) - Set to 0 for an empty attribute. | o Length (2 octets) - Set to 0 for an empty attribute. | |||
| A non-empty INTERNAL_DNSSEC_TA CFG attribute: | A non-empty INTERNAL_DNSSEC_TA CFG attribute: | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| |R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
| +-+-----------------------------+---------------+---------------+ | +-+-----------------------------+---------------+---------------+ | |||
| | DNSKEY Key Tag | DNSKEY Alg | Digest Type | | | DNSKEY Key Tag | DNSKEY Alg | Digest Type | | |||
| +-------------------------------+---------------+---------------+ | +-------------------------------+---------------+---------------+ | |||
| | | | | | | |||
| ~ Digest Data ~ | ~ Digest Data ~ | |||
| | | | | | | |||
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
| End of changes. 10 change blocks. | ||||
| 25 lines changed or deleted | 25 lines changed or added | |||
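The two attribute layouts in Section 4 are small enough to implement end to end. The following encoder/parser is an added example written for this page; it is not code from the RFC, from its authors, or from any IKEv2 implementation. It assumes the IANA value 25 for INTERNAL_DNS_DOMAIN (assigned by RFC 8598 but elided from this excerpt; 26 for INTERNAL_DNSSEC_TA is visible above), the Section 4.1 rule that the domain name is sent in presentation format without a terminating NUL, and RFC 7296's rule that the Reserved bit is sent as zero and ignored on receipt. The trust-anchor helper builds the Key Tag / Algorithm / Digest Type / Digest fields from a DNSKEY the way a DS record is derived (RFC 4034), which is where those four fields come from; the DNSKEY RDATA in the test is constructed, not a real key. The parser rejects a non-empty INTERNAL_DNSSEC_TA that is shorter than its fixed fields and a digest whose length does not match a known digest type, which is the check a responder-side implementation most often forgets.

```python
"""Encode and parse the IKEv2 CFG attributes defined in RFC 8598 (added example).

Wire layout (Section 4): a 2-octet word whose high bit is Reserved and whose
low 15 bits are the Attribute Type, a 2-octet Length, then Length octets.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

INTERNAL_DNS_DOMAIN = 25   # IANA value from RFC 8598 (not shown in the excerpt)
INTERNAL_DNSSEC_TA = 26    # shown in Section 4.2 above

# Digest Data lengths and hash functions for the DS digest types we understand
# (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}
DIGEST_FUNC = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass
class DnsDomain:
    name: str                        # presentation format, e.g. "example.test"


@dataclass
class DnssecTa:
    key_tag: Optional[int] = None    # None means the empty (request) form
    algorithm: int = 0
    digest_type: int = 0
    digest: bytes = b""

    @property
    def empty(self) -> bool:
        return self.key_tag is None


def _header(attr_type: int, length: int) -> bytes:
    # Reserved bit is the top bit of the first word and is sent as zero.
    return struct.pack("!HH", attr_type & 0x7FFF, length)


def encode_dns_domain(name: str) -> bytes:
    """INTERNAL_DNS_DOMAIN: FQDN in presentation format, no trailing dot, no NUL."""
    name = name.rstrip(".")
    if not name or "\x00" in name:
        raise ValueError("domain must be non-empty and must not be NUL-terminated")
    # The stdlib 'idna' codec (IDNA2003) converts any U-labels to A-labels.
    wire = name.encode("idna")
    return _header(INTERNAL_DNS_DOMAIN, len(wire)) + wire


def encode_dnssec_ta(ta: DnssecTa) -> bytes:
    """INTERNAL_DNSSEC_TA: Length 0, or Key Tag | Alg | Digest Type | Digest Data."""
    if ta.empty:
        return _header(INTERNAL_DNSSEC_TA, 0)
    if ta.digest_type in DIGEST_LEN and len(ta.digest) != DIGEST_LEN[ta.digest_type]:
        raise ValueError("digest length does not match digest type")
    body = struct.pack("!HBB", ta.key_tag, ta.algorithm, ta.digest_type) + ta.digest
    return _header(INTERNAL_DNSSEC_TA, len(body)) + body


def dnskey_key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|protocol|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dns_wire_name(name: str) -> bytes:
    """Owner name in DNS wire format (length-prefixed labels, root terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ta_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> DnssecTa:
    """Derive the attribute fields from a DNSKEY exactly as a DS record would be."""
    digest = DIGEST_FUNC[digest_type](dns_wire_name(owner) + rdata).digest()
    return DnssecTa(dnskey_key_tag(rdata), rdata[3], digest_type, digest)


def parse_attributes(buf: bytes) -> List[Union[DnsDomain, DnssecTa, Tuple[int, bytes]]]:
    """Walk a run of CFG attributes; unknown types come back as (type, data)."""
    out: List[Union[DnsDomain, DnssecTa, Tuple[int, bytes]]] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        word, length = struct.unpack_from("!HH", buf, off)
        attr_type = word & 0x7FFF          # Reserved bit ignored on receipt
        data = buf[off + 4: off + 4 + length]
        if len(data) != length:
            raise ValueError("attribute Length exceeds buffer")
        off += 4 + length
        if attr_type == INTERNAL_DNS_DOMAIN:
            if b"\x00" in data:
                raise ValueError("domain name must not be NUL-terminated")
            out.append(DnsDomain(data.decode("ascii")))
        elif attr_type == INTERNAL_DNSSEC_TA:
            if length == 0:
                out.append(DnssecTa())
                continue
            if length < 4:
                raise ValueError("non-empty INTERNAL_DNSSEC_TA shorter than its fixed fields")
            key_tag, alg, dtype = struct.unpack("!HBB", data[:4])
            digest = data[4:]
            if dtype in DIGEST_LEN and len(digest) != DIGEST_LEN[dtype]:
                raise ValueError("digest length does not match digest type")
            out.append(DnssecTa(key_tag, alg, dtype, digest))
        else:
            out.append((attr_type, data))
    return out
```

A responder that advertises a trust anchor would call `ta_from_dnskey()` on the zone's KSK and emit the result after the `INTERNAL_DNS_DOMAIN` it applies to; an initiator requesting anchors sends the empty form. Unknown attribute types are passed through as `(type, data)` rather than rejected, matching the IKEv2 rule that unrecognized configuration attributes are ignored.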