summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2230.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc2230.txt')
-rw-r--r--doc/rfc/rfc2230.txt619
1 files changed, 619 insertions, 0 deletions
diff --git a/doc/rfc/rfc2230.txt b/doc/rfc/rfc2230.txt
new file mode 100644
index 00000000..03995fe2
--- /dev/null
+++ b/doc/rfc/rfc2230.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group R. Atkinson
+Request for Comments: 2230 NRL
+Category: Informational November 1997
+
+
+ Key Exchange Delegation Record for the DNS
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1997). All Rights Reserved.
+
+ABSTRACT
+
+ This note describes a mechanism whereby authorisation for one node to
+ act as key exchanger for a second node is delegated and made
+ available via the Secure DNS. This mechanism is intended to be used
+ only with the Secure DNS. It can be used with several security
+ services. For example, a system seeking to use IP Security [RFC-
+ 1825, RFC-1826, RFC-1827] to protect IP packets for a given
+ destination can use this mechanism to determine the set of authorised
+ remote key exchanger systems for that destination.
+
+1. INTRODUCTION
+
+
+ The Domain Name System (DNS) is the standard way that Internet nodes
+ locate information about addresses, mail exchangers, and other data
+ relating to remote Internet nodes. [RFC-1035, RFC-1034] More
+ recently, Eastlake and Kaufman have defined standards-track security
+ extensions to the DNS. [RFC-2065] These security extensions can be
+ used to authenticate signed DNS data records and can also be used to
+ store signed public keys in the DNS.
+
+ The KX record is useful in providing an authenticatible method of
+ delegating authorisation for one node to provide key exchange
+ services on behalf of one or more, possibly different, nodes. This
+ note specifies the syntax and semantics of the KX record, which is
+ currently in limited deployment in certain IP-based networks. The
+
+
+
+
+
+
+
+Atkinson Informational [Page 1]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ reader is assumed to be familiar with the basics of DNS, including
+ familiarity with [RFC-1035, RFC-1034]. This document is not on the
+ IETF standards-track and does not specify any level of standard.
+ This document merely provides information for the Internet community.
+
+1.1 Identity Terminology
+
+ This document relies upon the concept of "identity domination". This
+ concept might be new to the reader and so is explained in this
+ section. The subject of endpoint naming for security associations
+ has historically been somewhat contentious. This document takes no
+ position on what forms of identity should be used. In a network,
+ there are several forms of identity that are possible.
+
+ For example, IP Security has defined notions of identity that
+ include: IP Address, IP Address Range, Connection ID, Fully-Qualified
+ Domain Name (FQDN), and User with Fully Qualified Domain Name (USER
+ FQDN).
+
+ A USER FQDN identity dominates a FQDN identity. A FQDN identity in
+ turn dominates an IP Address identity. Similarly, a Connection ID
+ dominates an IP Address identity. An IP Address Range dominates each
+ IP Address identity for each IP address within that IP address range.
+ Also, for completeness, an IP Address identity is considered to
+ dominate itself.
+
+2. APPROACH
+
+ This document specifies a new kind of DNS Resource Record (RR), known
+ as the Key Exchanger (KX) record. A Key Exchanger Record has the
+ mnemonic "KX" and the type code of 36. Each KX record is associated
+ with a fully-qualified domain name. The KX record is modeled on the
+ MX record described in [Part86]. Any given domain, subdomain, or host
+ entry in the DNS might have a KX record.
+
+2.1 IPsec Examples
+
+ In these two examples, let S be the originating node and let D be the
+ destination node. S2 is another node on the same subnet as S. D2 is
+ another node on the same subnet as D. R1 and R2 are IPsec-capable
+ routers. The path from S to D goes via first R1 and later R2. The
+ return path from D to S goes via first R2 and later R1.
+
+ IETF-standard IP Security uses unidirectional Security Associations
+ [RFC-1825]. Therefore, a typical IP session will use a pair of
+ related Security Associations, one in each direction. The examples
+ below talk about how to setup an example Security Association, but in
+ practice a pair of matched Security Associations will normally be
+
+
+
+Atkinson Informational [Page 2]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ used.
+
+2.1.1 Subnet-to-Subnet Example
+
+ If neither S nor D implements IPsec, security can still be provided
+ between R1 and R2 by building a secure tunnel. This can use either
+ AH or ESP.
+
+ S ---+ +----D
+ | |
+ +- R1 -----[zero or more routers]-------R2-+
+ | |
+ S2---+ +----D2
+
+ Figure 1: Network Diagram for Subnet-to-Subnet Example
+
+ In this example, R1 makes the policy decision to provide the IPsec
+ service for traffic from R1 destined for R2. Once R1 has decided
+ that the packet from S to D should be protected, it performs a secure
+ DNS lookup for the records associated with domain D. If R1 only
+ knows the IP address for D, then a secure reverse DNS lookup will be
+ necessary to determine the domain D, before that forward secure DNS
+ lookup for records associated with domain D. If these DNS records of
+ domain D include a KX record for the IPsec service, then R1 knows
+ which set of nodes are authorised key exchanger nodes for the
+ destination D.
+
+ In this example, let there be at least one KX record for D and let
+ the most preferred KX record for D point at R2. R1 then selects a
+ key exchanger (in this example, R2) for D from the list obtained from
+ the secure DNS. Then R1 initiates a key management session with that
+ key exchanger (in this example, R2) to setup an IPsec Security
+ Association between R1 and D. In this example, R1 knows (either by
+ seeing an outbound packet arriving from S destined to D or via other
+ methods) that S will be sending traffic to D. In this example R1's
+ policy requires that traffic from S to D should be segregated at
+ least on a host-to-host basis, so R1 desires an IPsec Security
+ Association with source identity that dominates S, proxy identity
+ that dominates R1, and destination identity that dominates R2.
+
+ In turn, R2 is able to authenticate the delegation of Key Exchanger
+ authorisation for target S to R1 by making an authenticated forward
+ DNS lookup for KX records associated with S and verifying that at
+ least one such record points to R1. The identity S is typically
+ given to R2 as part of the key management process between R1 and R2.
+
+
+
+
+
+
+Atkinson Informational [Page 3]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ If D initially only knows the IP address of S, then it will need to
+ perform a secure reverse DNS lookup to obtain the fully-qualified
+ domain name for S prior to that secure forward DNS lookup.
+
+ If R2 does not receive an authenticated DNS response indicating that
+ R1 is an authorised key exchanger for S, then D will not accept the
+ SA negotiation from R1 on behalf of identity S.
+
+ If the proposed IPsec Security Association is acceptable to both R1
+ and R2, each of which might have separate policies, then they create
+ that IPsec Security Association via Key Management.
+
+ Note that for unicast traffic, Key Management will typically also
+ setup a separate (but related) IPsec Security Association for the
+ return traffic. That return IPsec Security Association will have
+ equivalent identities. In this example, that return IPsec Security
+ Association will have a source identity that dominates D, a proxy
+ identity that dominates R2, and a destination identity that dominates
+ R1.
+
+ Once the IPsec Security Association has been created, then R1 uses it
+ to protect traffic from S destined for D via a secure tunnel that
+ originates at R1 and terminates at R2. For the case of unicast, R2
+ will use the return IPsec Security Association to protect traffic
+ from D destined for S via a secure tunnel that originates at R2 and
+ terminates at R1.
+
+2.1.2 Subnet-to-Host Example
+
+ Consider the case where D and R1 implement IPsec, but S does not
+ implement IPsec, which is an interesting variation on the previous
+ example. This example is shown in Figure 2 below.
+
+ S ---+
+ |
+ +- R1 -----[zero or more routers]-------D
+ |
+ S2---+
+
+ Figure 2: Network Diagram for Subnet-to-Host Example
+
+ In this example, R1 makes the policy decision that IP Security is
+ needed for the packet travelling from S to D. Then, R1 performs the
+ secure DNS lookup for D and determines that D is its own key
+ exchanger, either from the existence of a KX record for D pointing to
+ D or from an authenticated DNS response indicating that no KX record
+ exists for D. If R1 does not initially know the domain name of D,
+ then prior to the above forward secure DNS lookup, R1 performs a
+
+
+
+Atkinson Informational [Page 4]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ secure reverse DNS lookup on the IP address of D to determine the
+ fully-qualified domain name for that IP address. R1 then initiates
+ key management with D to create an IPsec Security Association on
+ behalf of S.
+
+ In turn, D can verify that R1 is authorised to create an IPsec
+ Security Association on behalf of S by performing a DNS KX record
+ lookup for target S. R1 usually provides identity S to D via key
+ management. If D only has the IP address of S, then D will need to
+ perform a secure reverse lookup on the IP address of S to determine
+ domain name S prior to the secure forward DNS lookup on S to locate
+ the KX records for S.
+
+ If D does not receive an authenticated DNS response indicating that
+ R1 is an authorised key exchanger for S, then D will not accept the
+ SA negotiation from R1 on behalf of identity S.
+
+ If the IPsec Security Association is successfully established between
+ R1 and D, that IPsec Security Association has a source identity that
+ dominates S's IP address, a proxy identity that dominates R1's IP
+ address, and a destination identity that dominates D's IP address.
+
+ Finally, R1 begins providing the security service for packets from S
+ that transit R1 destined for D. When D receives such packets, D
+ examines the SA information during IPsec input processing and sees
+ that R1's address is listed as valid proxy address for that SA and
+ that S is the source address for that SA. Hence, D knows at input
+ processing time that R1 is authorised to provide security on behalf
+ of S. Therefore packets coming from R1 with valid IP security that
+ claim to be from S are trusted by D to have really come from S.
+
+2.1.3 Host to Subnet Example
+
+ Now consider the above case from D's perspective (i.e. where D is
+ sending IP packets to S). This variant is sometimes known as the
+ Mobile Host or "roadwarrier" case. The same basic concepts apply, but
+ the details are covered here in hope of improved clarity.
+
+ S ---+
+ |
+ +- R1 -----[zero or more routers]-------D
+ |
+ S2---+
+
+ Figure 3: Network Diagram for Host-to-Subnet Example
+
+
+
+
+
+
+Atkinson Informational [Page 5]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ In this example, D makes the policy decision that IP Security is
+ needed for the packets from D to S. Then D performs the secure DNS
+ lookup for S and discovers that a KX record for S exists and points
+ at R1. If D only has the IP address of S, then it performs a secure
+ reverse DNS lookup on the IP address of S prior to the forward secure
+ DNS lookup for S.
+
+ D then initiates key management with R1, where R1 is acting on behalf
+ of S, to create an appropriate Security Association. Because D is
+ acting as its own key exchanger, R1 does not need to perform a secure
+ DNS lookup for KX records associated with D.
+
+ D and R1 then create an appropriate IPsec Security Security
+ Association. This IPsec Security Association is setup as a secure
+ tunnel with a source identity that dominates D's IP Address and a
+ destination identity that dominates R1's IP Address. Because D
+ performs IPsec for itself, no proxy identity is needed in this IPsec
+ Security Association. If the proxy identity is non-null in this
+ situation, then the proxy identity must dominate D's IP Address.
+
+ Finally, D sends secured IP packets to R1. R1 receives those
+ packets, provides IPsec input processing (including appropriate
+ inner/outer IP address validation), and forwards valid packets along
+ to S.
+
+2.2 Other Examples
+
+ This mechanism can be extended for use with other services as well.
+ To give some insight into other possible uses, this section discusses
+ use of KX records in environments using a Key Distribution Center
+ (KDC), such as Kerberos [KN93], and a possible use of KX records in
+ conjunction with mobile nodes accessing the network via a dialup
+ service.
+
+2.2.1 KDC Examples
+
+ This example considers the situation of a destination node
+ implementing IPsec that can only obtain its Security Association
+ information from a Key Distribution Center (KDC). Let the KDC
+ implement both the KDC protocol and also a non-KDC key management
+ protocol (e.g. ISAKMP). In such a case, each client node of the KDC
+ might have its own KX record pointing at the KDC so that nodes not
+ implementing the KDC protocol can still create Security Associations
+ with each of the client nodes of the KDC.
+
+ In the event the session initiator were not using the KDC but the
+ session target was an IPsec node that only used the KDC, the
+ initiator would find the KX record for the target pointing at the
+
+
+
+Atkinson Informational [Page 6]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ KDC. Then, the external key management exchange (e.g. ISAKMP) would
+ be between the initiator and the KDC. Then the KDC would distribute
+ the IPsec SA to the KDC-only IPsec node using the KDC. The IPsec
+ traffic itself could travel directly between the initiator and the
+ destination node.
+
+ In the event the initiator node could only use the KDC and the target
+ were not using the KDC, the initiator would send its request for a
+ key to the KDC. The KDC would then initiate an external key
+ management exchange (e.g. ISAKMP) with a node that the target's KX
+ record(s) pointed to, on behalf of the initiator node.
+
+ The target node could verify that the KDC were allowed to proxy for
+ the initiator node by looking up the KX records for the initiator
+ node and finding a KX record for the initiator that listed the KDC.
+
+ Then the external key exchange would be performed between the KDC and
+ the target node. Then the KDC would distribute the resulting IPsec
+ Security Association to the initiator. Again, IPsec traffic itself
+ could travel directly between the initiator and the destination.
+
+2.2.2 Dial-Up Host Example
+
+ This example outlines a possible use of KX records with mobile hosts
+ that dial into the network via PPP and are dynamically assigned an IP
+ address and domain-name at dial-in time.
+
+ Consider the situation where each mobile node is dynamically assigned
+ both a domain name and an IP address at the time that node dials into
+ the network. Let the policy require that each mobile node act as its
+ own Key Exchanger. In this case, it is important that dial-in nodes
+ use addresses from one or more well known IP subnets or address pools
+ dedicated to dial-in access. If that is true, then no KX record or
+ other action is needed to ensure that each node will act as its own
+ Key Exchanger because lack of a KX record indicates that the node is
+ its own Key Exchanger.
+
+ Consider the situation where the mobile node's domain name remains
+ constant but its IP address changes. Let the policy require that
+ each mobile node act as its own Key Exchanger. In this case, there
+ might be operational problems when another node attempts to perform a
+ secure reverse DNS lookup on the IP address to determine the
+ corresponding domain name. The authenticated DNS binding (in the
+ form of a PTR record) between the mobile node's currently assigned IP
+ address and its permanent domain name will need to be securely
+ updated each time the node is assigned a new IP address. There are
+ no mechanisms for accomplishing this that are both IETF-standard and
+ widely deployed as of the time this note was written. Use of Dynamic
+
+
+
+Atkinson Informational [Page 7]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ DNS Update without authentication is a significant security risk and
+ hence is not recommended for this situation.
+
+3. SYNTAX OF KX RECORD
+
+ A KX record has the DNS TYPE of "KX" and a numeric value of 36. A KX
+ record is a member of the Internet ("IN") CLASS in the DNS. Each KX
+ record is associated with a <domain-name> entry in the DNS. A KX
+ record has the following textual syntax:
+
+ <domain-name> IN KX <preference> <domain-name>
+
+ For this description, let the <domain-name> item to the left of the
+ "KX" string be called <domain-name 1> and the <domain-name> item to
+ the right of the "KX" string be called <domain-name 2>. <preference>
+ is a non-negative integer.
+
+ Internet nodes about to initiate a key exchange with <domain-name 1>
+ should instead contact <domain-name 2> to initiate the key exchange
+ for a security service between the initiator and <domain-name 2>. If
+ more than one KX record exists for <domain-name 1>, then the
+ <preference> field is used to indicate preference among the systems
+ delegated to. Lower values are preferred over higher values. The
+ <domain-name 2> is authorised to provide key exchange services on
+ behalf of <domain-name 1>. The <domain-name 2> MUST have a CNAME
+ record, an A record, or an AAAA record associated with it.
+
+3.1 KX RDATA format
+
+ The KX DNS record has the following RDATA format:
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | PREFERENCE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / EXCHANGER /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ where:
+
+ PREFERENCE A 16 bit non-negative integer which specifies the
+ preference given to this RR among other KX records
+ at the same owner. Lower values are preferred.
+
+ EXCHANGER A <domain-name> which specifies a host willing to
+ act as a mail exchange for the owner name.
+
+
+
+
+
+Atkinson Informational [Page 8]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ KX records MUST cause type A additional section processing for the
+ host specified by EXCHANGER. In the event that the host processing
+ the DNS transaction supports IPv6, KX records MUST also cause type
+ AAAA additional section processing.
+
+ The KX RDATA field MUST NOT be compressed.
+
+4. SECURITY CONSIDERATIONS
+
+ KX records MUST always be signed using the method(s) defined by the
+ DNS Security extensions specified in [RFC-2065]. All unsigned KX
+ records MUST be ignored because of the security vulnerability caused
+ by assuming that unsigned records are valid. All signed KX records
+ whose signatures do not correctly validate MUST be ignored because of
+ the potential security vulnerability in trusting an invalid KX
+ record.
+
+ KX records MUST be ignored by systems not implementing Secure DNS
+ because such systems have no mechanism to authenticate the KX record.
+
+ If a node does not have a permanent DNS entry and some form of
+ Dynamic DNS Update is in use, then those dynamic DNS updates MUST be
+ fully authenticated to prevent an adversary from injecting false DNS
+ records (especially the KX, A, and PTR records) into the Domain Name
+ System. If false records were inserted into the DNS without being
+ signed by the Secure DNS mechanisms, then a denial-of-service attack
+ results. If false records were inserted into the DNS and were
+ (erroneously) signed by the signing authority, then an active attack
+ results.
+
+ Myriad serious security vulnerabilities can arise if the restrictions
+ throuhout this document are not strictly adhered to. Implementers
+ should carefully consider the openly published issues relating to DNS
+ security [Bell95,Vixie95] as they build their implementations.
+ Readers should also consider the security considerations discussed in
+ the DNS Security Extensions document [RFC-2065].
+
+5. REFERENCES
+
+
+ [RFC-1825] Atkinson, R., "IP Authentication Header", RFC 1826,
+ August 1995.
+
+ [RFC-1827] Atkinson, R., "IP Encapsulating Security Payload",
+ RFC 1827, August 1995.
+
+
+
+
+
+
+Atkinson Informational [Page 9]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ [Bell95] Bellovin, S., "Using the Domain Name System for System
+ Break-ins", Proceedings of 5th USENIX UNIX Security
+ Symposium, USENIX Association, Berkeley, CA, June 1995.
+ ftp://ftp.research.att.com/dist/smb/dnshack.ps
+
+ [RFC-2065] Eastlake, D., and C. Kaufman, "Domain Name System
+ Security Extensions", RFC 2065, January 1997.
+
+ [RFC-1510] Kohl J., and C. Neuman, "The Kerberos Network
+ Authentication Service", RFC 1510, September 1993.
+
+ [RFC-1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC-1034] Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034, November 1987.
+
+ [Vixie95] P. Vixie, "DNS and BIND Security Issues", Proceedings of
+ the 5th USENIX UNIX Security Symposium, USENIX
+ Association, Berkeley, CA, June 1995.
+ ftp://ftp.vix.com/pri/vixie/bindsec.psf
+
+ACKNOWLEDGEMENTS
+
+ Development of this DNS record was primarily performed during 1993
+ through 1995. The author's work on this was sponsored jointly by the
+ Computing Systems Technology Office (CSTO) of the Advanced Research
+ Projects Agency (ARPA) and by the Information Security Program Office
+ (PD71E), Space & Naval Warface Systems Command (SPAWAR). In that
+ era, Dave Mihelcic and others provided detailed review and
+ constructive feedback. More recently, Bob Moscowitz and Todd Welch
+ provided detailed review and constructive feedback of a work in
+ progress version of this document.
+
+AUTHOR'S ADDRESS
+
+ Randall Atkinson
+ Code 5544
+ Naval Research Laboratory
+ 4555 Overlook Avenue, SW
+ Washington, DC 20375-5337
+
+ Phone: (DSN) 354-8590
+ EMail: atkinson@itd.nrl.navy.mil
+
+
+
+
+
+
+
+Atkinson Informational [Page 10]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1997). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implmentation may be prepared, copied, published
+ andand distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Atkinson Informational [Page 11]
+