Internet Engineering Task Force (IETF)                          T. Pauly
Request for Comments: 8598                                    Apple Inc.
Category: Standards Track                                     P. Wouters
ISSN: 2070-1721                                                  Red Hat
                                                                May 2019
        
Internet Engineering Task Force (IETF)                          T. Pauly
Request for Comments: 8598                                    Apple Inc.
Category: Standards Track                                     P. Wouters
ISSN: 2070-1721                                                  Red Hat
                                                                May 2019
        

Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2)

Internet密钥交换协议版本2(IKEv2)的拆分DNS配置

Abstract

摘要

This document defines two Configuration Payload Attribute Types (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA) for the Internet Key Exchange Protocol version 2 (IKEv2). These payloads add support for private (internal-only) DNS domains. These domains are intended to be resolved using non-public DNS servers that are only reachable through the IPsec connection. DNS resolution for other domains remains unchanged. These Configuration Payloads only apply to split-tunnel configurations.

本文档为Internet密钥交换协议版本2(IKEv2)定义了两种配置有效负载属性类型(INTERNAL_DNS_DOMAIN和INTERNAL_DNSSEC_TA)。这些有效负载增加了对私有(仅限内部)DNS域的支持。这些域打算使用只能通过IPsec连接访问的非公共DNS服务器来解析。其他域的DNS解析保持不变。这些配置有效载荷仅适用于拆分隧道配置。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8598.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8598.

Copyright Notice

版权公告

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

版权(c)2019 IETF信托基金和被确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  Applicability . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Protocol Exchange . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Configuration Request . . . . . . . . . . . . . . . . . .   5
     3.2.  Configuration Reply . . . . . . . . . . . . . . . . . . .   6
     3.3.  Mapping DNS Servers to Domains  . . . . . . . . . . . . .   7
     3.4.  Example Exchanges . . . . . . . . . . . . . . . . . . . .   7
       3.4.1.  Simple Case . . . . . . . . . . . . . . . . . . . . .   7
       3.4.2.  Requesting Domains and DNSSEC Trust Anchors . . . . .   7
   4.  Payload Formats . . . . . . . . . . . . . . . . . . . . . . .   9
     4.1.  INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
           and Reply . . . . . . . . . . . . . . . . . . . . . . . .   9
     4.2.  INTERNAL_DNSSEC_TA Configuration Attribute  . . . . . . .   9
   5.  INTERNAL_DNS_DOMAIN Usage Guidelines  . . . . . . . . . . . .  11
   6.  INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . .  12
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  14
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  15
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  15
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  16
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  Applicability . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Protocol Exchange . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Configuration Request . . . . . . . . . . . . . . . . . .   5
     3.2.  Configuration Reply . . . . . . . . . . . . . . . . . . .   6
     3.3.  Mapping DNS Servers to Domains  . . . . . . . . . . . . .   7
     3.4.  Example Exchanges . . . . . . . . . . . . . . . . . . . .   7
       3.4.1.  Simple Case . . . . . . . . . . . . . . . . . . . . .   7
       3.4.2.  Requesting Domains and DNSSEC Trust Anchors . . . . .   7
   4.  Payload Formats . . . . . . . . . . . . . . . . . . . . . . .   9
     4.1.  INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
           and Reply . . . . . . . . . . . . . . . . . . . . . . . .   9
     4.2.  INTERNAL_DNSSEC_TA Configuration Attribute  . . . . . . .   9
   5.  INTERNAL_DNS_DOMAIN Usage Guidelines  . . . . . . . . . . . .  11
   6.  INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . .  12
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  14
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  15
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  15
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  16
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16
        
1. Introduction
1. 介绍

Split-tunnel Virtual Private Network (VPN) configurations only send packets with a specific destination IP range, usually chosen from [RFC1918], via the VPN. All other traffic is not sent via the VPN. This allows an enterprise deployment to offer remote access VPN services without needing to accept and forward all the non-enterprise-related network traffic generated by their remote users. Resources within the enterprise can be accessed by the user via the VPN, while all other traffic generated by the user is not sent over the VPN.

拆分隧道虚拟专用网络(VPN)配置仅通过VPN发送具有特定目标IP范围的数据包,通常从[RFC1918]中选择。所有其他流量都不会通过VPN发送。这允许企业部署提供远程访问VPN服务,而无需接受和转发其远程用户生成的所有与企业无关的网络流量。用户可以通过VPN访问企业内的资源,而用户生成的所有其他流量都不会通过VPN发送。

These internal resources tend to only have internal-only DNS names and require the use of special internal-only DNS servers to get resolved. Split DNS [RFC2775] is commonly configured as part of split-tunnel VPN configurations to allow remote access users to use special internal-only domain names.

这些内部资源往往只有内部专有DNS名称,需要使用特殊的内部专有DNS服务器才能解析。拆分DNS[RFC2775]通常被配置为拆分隧道VPN配置的一部分,以允许远程访问用户使用特殊的仅限内部的域名。

The IKEv2 protocol [RFC7296] negotiates configuration parameters using Configuration Payload Attribute Types. This document defines two Configuration Payload Attribute Types that add support for trusted Split DNS domains.

IKEv2协议[RFC7296]使用配置有效负载属性类型协商配置参数。本文档定义了两种配置有效负载属性类型,它们添加了对受信任的拆分DNS域的支持。

The INTERNAL_DNS_DOMAIN attribute type is used to convey that the specified DNS domain MUST be resolved using the provided DNS nameserver IP addresses as specified in the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS Configuration Payloads, causing these requests to use the IPsec connection.

INTERNAL_DNS_DOMAIN属性类型用于表示必须使用在INTERNAL_IP4_DNS和INTERNAL_IP6_DNS配置有效负载中指定的提供的DNS名称服务器IP地址解析指定的DNS域,从而导致这些请求使用IPsec连接。

The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC trust anchor for such a domain. This is required if the external view uses DNSSEC, which would prove the internal view does not exist or would expect a different DNSSEC key on the different versions (internal and external) of the enterprise domain.

内部_DNSSEC_TA属性类型用于为此类域传递DNSSEC信任锚。如果外部视图使用DNSSEC,这将证明内部视图不存在,或者希望在企业域的不同版本(内部和外部)上使用不同的DNSSEC密钥,则需要执行此操作。

If an INTERNAL_DNS_DOMAIN is sent by the responder, the responder MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS attributes that contain the IPv4 or IPv6 address of the internal DNS server.

如果响应程序发送内部_DNS_域,则响应程序还必须包括一个或多个包含内部DNS服务器IPv4或IPv6地址的内部_IP4_DNS或内部_IP6_DNS属性。

For the purposes of this document, DNS resolution servers accessible through an IPsec connection will be referred to as "internal DNS servers", and other DNS servers will be referred to as "external DNS servers".

在本文档中,可通过IPsec连接访问的DNS解析服务器称为“内部DNS服务器”,其他DNS服务器称为“外部DNS服务器”。

Other tunnel-establishment protocols already support the assignment of Split DNS domains. For example, there are proprietary extensions to IKEv1 that allow a server to assign Split DNS domains to a client.

其他隧道建立协议已经支持分割DNS域的分配。例如,IKEv1有一些专有扩展,允许服务器将拆分的DNS域分配给客户端。

However, the IKEv2 standard does not include a method to configure this option. This document defines a standard way to negotiate this option for IKEv2.

但是,IKEv2标准不包括配置此选项的方法。本文件定义了协商IKEv2此选项的标准方法。

1.1. Requirements Language
1.1. 需求语言

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。

2. Applicability
2. 适用性

If the negotiated IPsec connection is not a split-tunnel configuration, the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA Configuration Payloads MUST be ignored. This prevents generic (non-enterprise) VPN services from overriding the public DNS hierarchy, which could lead to malicious overrides of DNS and DNSSEC.

如果协商的IPsec连接不是拆分隧道配置,则必须忽略内部DNS域和内部DNSSEC TA配置有效负载。这可防止通用(非企业)VPN服务覆盖公共DNS层次结构,从而导致恶意覆盖DNS和DNSSEC。

Such configurations SHOULD instead use only the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS Configuration Payloads to ensure all of the user's DNS traffic is sent through the IPsec connection and does not leak unencrypted information onto the local network, as the local network is often explicitly exempted from IPsec encryption.

此类配置应仅使用内部_IP4_DNS和内部_IP6_DNS配置有效负载,以确保通过IPsec连接发送用户的所有DNS流量,并且不会将未加密的信息泄漏到本地网络,因为本地网络通常明确免除IPsec加密。

For split-tunnel configurations, an enterprise can require one or more DNS domains to be resolved via internal DNS servers. This can be a special domain, such as "corp.example.com" for an enterprise that is publicly known to use "example.com". In this case, the remote user needs to be informed what the internal-only domain names are and what the IP addresses of the internal DNS servers are. An enterprise can also run a different version of its public domain on its internal network. In that case, the VPN client is instructed to send DNS queries for the enterprise public domain (e.g., "example.com") to the internal DNS servers. A configuration for this deployment scenario is referred to as a Split DNS configuration.

对于拆分隧道配置,企业可以要求通过内部DNS服务器解析一个或多个DNS域。这可以是一个特殊的域,例如“corp.example.com”,供公开使用“example.com”的企业使用。在这种情况下,需要通知远程用户仅内部域名是什么以及内部DNS服务器的IP地址是什么。企业还可以在其内部网络上运行其公共域的不同版本。在这种情况下,VPN客户端被指示向内部DNS服务器发送企业公共域(例如,“example.com”)的DNS查询。此部署方案的配置称为拆分DNS配置。

Split DNS configurations are often preferable to sending all DNS queries to the enterprise. This allows the remote user to only send DNS queries for the enterprise to the internal DNS servers. The enterprise remains unaware of all non-enterprise (DNS) activity of the user. It also allows the enterprise DNS servers to only be configured for the enterprise DNS domains, which removes the legal and technical responsibility of the enterprise to resolve every DNS domain potentially asked for by the remote user.

拆分DNS配置通常比向企业发送所有DNS查询更可取。这允许远程用户仅向内部DNS服务器发送企业的DNS查询。企业仍然不知道用户的所有非企业(DNS)活动。它还允许仅为企业DNS域配置企业DNS服务器,从而免除了企业解析远程用户可能要求的每个DNS域的法律和技术责任。

A client using these Configuration Payloads will be able to request and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA configuration attributes. These attributes MUST be accompanied by one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS configuration attributes. The client device can then use the internal DNS server(s) for any DNS queries within the assigned domains. DNS queries for other domains SHOULD be sent to the regular DNS service of the client unless it prefers to use the IPsec tunnel for all its DNS queries. For example, the client could trust the IPsec-provided DNS servers more than the locally provided DNS servers, especially in the case of connecting to unknown or untrusted networks (e.g., coffee shops or hotel networks). Or the client could prefer the IPsec-based DNS servers because they provide additional features compared to the local DNS servers.

使用这些配置有效负载的客户端将能够使用内部\u DNS\u域和内部\u DNSSEC\u TA配置属性请求和接收拆分DNS配置。这些属性必须附带一个或多个内部_IP4_DNS或内部_IP6_DNS配置属性。然后,客户端设备可以使用内部DNS服务器进行分配域内的任何DNS查询。其他域的DNS查询应发送到客户端的常规DNS服务,除非它更愿意使用IPsec隧道进行所有DNS查询。例如,客户端可以比本地提供的DNS服务器更信任IPsec提供的DNS服务器,尤其是在连接到未知或不受信任的网络(例如咖啡店或酒店网络)的情况下。或者,客户机可能更喜欢基于IPsec的DNS服务器,因为与本地DNS服务器相比,它们提供了额外的功能。

3. Protocol Exchange
3. 协议交换

In order to negotiate which domains are considered internal to an IKEv2 tunnel, initiators indicate support for Split DNS in their CFG_REQUEST payloads, and responders assign internal domains (and DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS has been negotiated, the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS DNS server configuration attributes will be interpreted as internal DNS servers that can resolve hostnames within the internal domains.

为了协商哪些域被视为IKEv2隧道的内部域,发起方在其CFG_请求有效载荷中表示支持拆分DNS,响应方在其CFG_回复有效载荷中分配内部域(和DNSSEC信任锚)。协商拆分DNS后,内部_IP4_DNS和内部_IP6_DNS DNS服务器配置属性将被解释为可以解析内部域内主机名的内部DNS服务器。

3.1. Configuration Request
3.1. 配置请求

To indicate support for Split DNS, an initiator includes one or more INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included in the CFG_REQUEST, the initiator MUST also include one or more INTERNAL_IP4_DNS or INTERNAL_IP6_DNS attributes in the CFG_REQUEST.

为了表示对拆分DNS的支持,启动器包括一个或多个内部\u DNS\u域属性,如第4节中定义的,作为CFG\u请求有效负载的一部分。如果CFG_请求中包含内部_DNS_域属性,则发起方还必须在CFG_请求中包含一个或多个内部_IP4_DNS或内部_IP6_DNS属性。

The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually empty but MAY contain a suggested domain name.

发起方发送的内部\u DNS\u域属性通常为空,但可能包含建议的域名。

The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST payload indicates that the initiator does not support or is unwilling to accept a Split DNS configuration.

CFG_请求有效负载中缺少内部_DNS_域属性表示发起程序不支持或不愿意接受拆分DNS配置。

To indicate support for receiving DNSSEC trust anchors for Split DNS domains, an initiator includes one or more INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attribute is included in the CFG_REQUEST, the initiator MUST also include one or more INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator

为了表示支持接收分割DNS域的DNSSEC信任锚,启动器包括一个或多个内部DNSSEC TA属性,如第4节所定义,作为CFG_请求有效负载的一部分。如果CFG_请求中包含内部_DNSSEC_TA属性,则发起方还必须在CFG_请求中包含一个或多个内部_DNS_域属性。如果发起者

includes an INTERNAL_DNSSEC_TA attribute but does not include an INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes.

包括内部\u DNSSEC_TA属性但不包括内部\u DNS_域属性,响应者仍可使用内部\u DNSSEC_TA和内部\u DNS_域属性进行响应。

An initiator MAY convey its current DNSSEC trust anchors for the domain specified in the INTERNAL_DNS_DOMAIN attribute. A responder can use this information to determine that it does not need to send a different trust anchor. If the initiator does not wish to convey this information, it MUST use a length of 0.

发起者可以为内部DNS域属性中指定的域传递其当前DNSSEC信任锚。响应者可以使用此信息来确定不需要发送其他信任锚。如果发起者不希望传递此信息,则必须使用长度0。

The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST payload indicates that the initiator does not support or is unwilling to accept the DNSSEC trust anchor configuration.

CFG_请求有效负载中缺少内部_DNSSEC_TA属性表示启动器不支持或不愿意接受DNSSEC信任锚配置。

3.2. Configuration Reply
3.2. 配置回复

Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is included in the CFG_REPLY, the responder MUST also include one or both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REPLY. These DNS server configurations are necessary to define which servers can receive queries for hostnames in internal domains. If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute but the CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the initiator MUST behave as if Split DNS configurations are not supported by the server, unless the initiator has been configured with local policy to define a set of Split DNS domains to use by default.

响应者可以在其CFG_应答有效负载中发送一个或多个内部_DNS_域属性。如果CFG_回复中包含内部_DNS_域属性,则响应者还必须在CFG_回复中包含一个或两个内部_IP4_DNS和内部_IP6_DNS属性。这些DNS服务器配置对于定义哪些服务器可以接收内部域中主机名的查询是必需的。如果CFG_请求包含内部_DNS_域属性,但CFG_回复不包含内部_DNS_域属性,则发起程序必须表现为服务器不支持拆分DNS配置,除非已使用本地策略配置发起程序以定义一组默认使用的拆分DNS域。

Each INTERNAL_DNS_DOMAIN represents a domain that the DNS server addresses listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve.

每个INTERNAL_DNS_域表示INTERNAL_IP4_DNS和INTERNAL_IP6_DNS中列出的DNS服务器地址可以解析的域。

If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non-zero lengths, the content MAY be ignored or be interpreted as a suggestion by the responder.

如果CFG_请求包含长度非零的内部_DNS_域属性,则响应者可能会忽略该内容或将其解释为建议。

For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, one or more INTERNAL_DNSSEC_TA attributes MAY be included by the responder. This attribute lists the corresponding internal DNSSEC trust anchor information of a DS record (see [RFC4034]). The INTERNAL_DNSSEC_TA attribute MUST immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies to.

对于在内部DNS域属性中指定的每个DNS域,响应者可以包括一个或多个内部DNS域属性。此属性列出DS记录的相应内部DNSSEC信任锚信息(请参见[RFC4034])。内部_DNSSEC_TA属性必须紧跟在其应用的内部_DNS_域属性之后。

3.3. Mapping DNS Servers to Domains
3.3. 将DNS服务器映射到域

All DNS servers provided in the CFG_REPLY MUST support resolving hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a single list of Split DNS domains that applies to the entire list of INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes.

CFG_回复中提供的所有DNS服务器必须支持解析所有内部_DNS_域中的主机名。换句话说,CFG_应答有效负载中的内部_DNS_域属性形成一个单独的分割DNS域列表,该列表应用于内部_IP4_DNS和内部_IP6_DNS属性的整个列表。

3.4. Example Exchanges
3.4. 范例交流
3.4.1. Simple Case
3.4.1. 简单案例

In this example exchange, the initiator requests INTERNAL_IP4_DNS, INTERNAL_IP6_DNS, and INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST but does not specify any value for either. This indicates that it supports Split DNS but has no preference for which DNS requests will be routed through the tunnel.

在此示例交换中,发起方请求CFG_请求中的内部_IP4_DNS、内部_IP6_DNS和内部_DNS_域属性,但未指定任何值。这表示它支持拆分DNS,但不首选通过隧道路由哪些DNS请求。

The responder replies with two DNS server addresses and two internal domains, "example.com" and "city.other.test".

响应者使用两个DNS服务器地址和两个内部域“example.com”和“city.other.test”进行回复。

Any subsequent DNS queries from the initiator for domains such as "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve.

发起方对“www.example.com”等域的任何后续DNS查询应使用198.51.100.2或198.51.100.4进行解析。

CP(CFG_REQUEST) = INTERNAL_IP4_ADDRESS() INTERNAL_IP4_DNS() INTERNAL_IP6_ADDRESS() INTERNAL_IP6_DNS() INTERNAL_DNS_DOMAIN()

CP(CFG_请求)=内部_IP4_地址()内部_IP4_DNS()内部_IP6_地址()内部_IP6_DNS()内部_DNS_域()

   CP(CFG_REPLY) =
     INTERNAL_IP4_ADDRESS(198.51.100.234)
     INTERNAL_IP4_DNS(198.51.100.2)
     INTERNAL_IP4_DNS(198.51.100.4)
     INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
     INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
     INTERNAL_DNS_DOMAIN(example.com)
     INTERNAL_DNS_DOMAIN(city.other.test)
        
   CP(CFG_REPLY) =
     INTERNAL_IP4_ADDRESS(198.51.100.234)
     INTERNAL_IP4_DNS(198.51.100.2)
     INTERNAL_IP4_DNS(198.51.100.4)
     INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
     INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
     INTERNAL_DNS_DOMAIN(example.com)
     INTERNAL_DNS_DOMAIN(city.other.test)
        
3.4.2. Requesting Domains and DNSSEC Trust Anchors
3.4.2. 请求域和DNSSEC信任锚

In this example exchange, the initiator requests INTERNAL_IP4_DNS, INTERNAL_IP6_DNS, INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST.

在此示例交换中,启动器请求CFG_请求中的内部_IP4_DNS、内部_IP6_DNS、内部_DNS_域和内部_DNSSEC_TA属性。

Any subsequent DNS queries from the initiator for domains such as "www.example.com" or "city.other.test" would be DNSSEC validated using the DNSSEC trust anchor received in the CFG_REPLY.

发起人对“www.example.com”或“city.other.test”等域的任何后续DNS查询都将使用在CFG_回复中收到的DNSSEC信任锚进行DNSSEC验证。

In this example, the initiator has no existing DNSSEC trust anchors for the requested domain. The "example.com" domain has DNSSEC trust anchors that are returned, while the "other.test" domain has no DNSSEC trust anchors.

在本例中,发起程序没有请求域的现有DNSSEC信任锚。“example.com”域具有返回的DNSSEC信任锚,而“other.test”域没有DNSSEC信任锚。

CP(CFG_REQUEST) = INTERNAL_IP4_ADDRESS() INTERNAL_IP4_DNS() INTERNAL_IP6_ADDRESS() INTERNAL_IP6_DNS() INTERNAL_DNS_DOMAIN() INTERNAL_DNSSEC_TA()

CP(CFG_请求)=内部_IP4_地址()内部_IP4_DNS()内部_IP6_地址()内部_IP6_DNS()内部_DNS_域()内部_DNSSEC_TA()

   CP(CFG_REPLY) =
     INTERNAL_IP4_ADDRESS(198.51.100.234)
     INTERNAL_IP4_DNS(198.51.100.2)
     INTERNAL_IP4_DNS(198.51.100.4)
     INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
     INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
     INTERNAL_DNS_DOMAIN(example.com)
     INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...)
     INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...)
     INTERNAL_DNS_DOMAIN(city.other.test)
        
   CP(CFG_REPLY) =
     INTERNAL_IP4_ADDRESS(198.51.100.234)
     INTERNAL_IP4_DNS(198.51.100.2)
     INTERNAL_IP4_DNS(198.51.100.4)
     INTERNAL_IP6_ADDRESS(2001:DB8:0:1:2:3:4:5/64)
     INTERNAL_IP6_DNS(2001:DB8:99:88:77:66:55:44)
     INTERNAL_DNS_DOMAIN(example.com)
     INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...)
     INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...)
     INTERNAL_DNS_DOMAIN(city.other.test)
        
4. Payload Formats
4. 有效载荷格式

All multi-octet fields representing integers are laid out in big-endian order (also known as "most significant byte first" or "network byte order").

所有表示整数的多个八位字节字段均按大端顺序排列(也称为“最高有效字节优先”或“网络字节顺序”)。

4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply
4.1. 内部\u DNS\u域配置属性类型请求和回复
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|         Attribute Type      |            Length             |
   +-+-----------------------------+-------------------------------+
   |                                                               |
   ~             Domain Name in DNS presentation format            ~
   |                                                               |
   +---------------------------------------------------------------+
        
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|         Attribute Type      |            Length             |
   +-+-----------------------------+-------------------------------+
   |                                                               |
   ~             Domain Name in DNS presentation format            ~
   |                                                               |
   +---------------------------------------------------------------+
        

o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

o 保留(1位)-在IKEv2 RFC[RFC7296]中定义。

o Attribute Type (15 bits) - set to value 25 for INTERNAL_DNS_DOMAIN.

o 属性类型(15位)-对于内部\u DNS\u域,设置为值25。

o Length (2 octets) - Length of domain name.

o 长度(2个八位字节)-域名的长度。

o Domain Name (0 or more octets) - A Fully Qualified Domain Name used for Split DNS rules, such as "example.com", in DNS presentation format and using an Internationalized Domain Names for Applications (IDNA) A-label [RFC5890]. Implementors need to be careful that this value is not null terminated.

o 域名(0个或多个八位字节)-用于拆分DNS规则的完全限定域名,如“example.com”,采用DNS表示格式,并使用应用程序国际化域名(IDNA)A标签[RFC5890]。实现者需要注意,这个值不是以null结尾的。

4.2. INTERNAL_DNSSEC_TA Configuration Attribute
4.2. 内部配置属性

An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or it can contain one trust anchor by containing a non-zero Length with a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data fields.

内部_DNSSEC_TA配置属性可以为空,也可以通过包含长度为非零的DNSKEY密钥标记、DNSKEY算法、摘要类型和摘要数据字段来包含一个信任锚。

An empty INTERNAL_DNSSEC_TA CFG attribute:

空的内部\u DNSSEC \u TA CFG属性:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|       Attribute Type        |       Length (set to 0)       |
   +-+-----------------------------+-------------------------------+
        
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|       Attribute Type        |       Length (set to 0)       |
   +-+-----------------------------+-------------------------------+
        

o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

o 保留(1位)-在IKEv2 RFC[RFC7296]中定义。

o Attribute Type (15 bits) - set to value 26 for INTERNAL_DNSSEC_TA.

o 属性类型(15位)-为内部数据设置为26。

o Length (2 octets) - Set to 0 for an empty attribute.

o 长度(2个八位字节)-为空属性设置为0。

A non-empty INTERNAL_DNSSEC_TA CFG attribute:

非空的内部\u DNSSEC\u TA CFG属性:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|       Attribute Type        |            Length             |
   +-+-----------------------------+---------------+---------------+
   |        DNSKEY Key Tag         |  DNSKEY Alg   |  Digest Type  |
   +-------------------------------+---------------+---------------+
   |                                                               |
   ~                         Digest Data                           ~
   |                                                               |
   +---------------------------------------------------------------+
        
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|       Attribute Type        |            Length             |
   +-+-----------------------------+---------------+---------------+
   |        DNSKEY Key Tag         |  DNSKEY Alg   |  Digest Type  |
   +-------------------------------+---------------+---------------+
   |                                                               |
   ~                         Digest Data                           ~
   |                                                               |
   +---------------------------------------------------------------+
        

o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

o 保留(1位)-在IKEv2 RFC[RFC7296]中定义。

o Attribute Type (15 bits) - set to value 26 for INTERNAL_DNSSEC_TA.

o 属性类型(15位)-为内部数据设置为26。

o Length (2 octets) - Length of DNSSEC trust anchor data (4 octets plus the length of the Digest Data).

o 长度(2个八位字节)-DNSSEC信任锚数据的长度(4个八位字节加上摘要数据的长度)。

o DNSKEY Key Tag (2 octets) - Delegation Signer (DS) Key Tag as specified in Section 5.1 of [RFC4034].

o DNSKEY密钥标签(2个八位字节)-[RFC4034]第5.1节规定的委托签名人(DS)密钥标签。

o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA DNS Security Algorithm Numbers Registry.

o DNSKEY算法(1个八位组)-IANA DNS安全算法编号注册表中的DNSKEY算法值。

o Digest Type (1 octet) - DS algorithm value from the IANA Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Registry.

o 摘要类型(1个八位字节)-IANA委派签名者(DS)资源记录(RR)类型摘要算法注册表中的DS算法值。

o Digest Data (1 or more octets) - The DNSKEY digest as specified in Section 5.1 of [RFC4034] in presentation format.

o 摘要数据(1个或多个八位字节)-[RFC4034]第5.1节中规定的DNSKEY摘要,采用表示格式。

Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As the INTERNAL_DNSSEC_TA format itself does not contain the domain name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the trust anchor. Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying to the same domain name MUST be ignored.

CFG_应答有效负载中的每个内部_DNSSEC_TA属性必须紧跟在相应的内部_DNS_域属性之后。由于内部_DNSSEC_TA格式本身不包含域名,因此它依赖于前面的内部_DNS_域来提供它指定信任锚的域。必须忽略任何未紧跟内部域名或应用于同一域名的另一个内部域名属性之前的内部域名属性。

5. INTERNAL_DNS_DOMAIN Usage Guidelines
5. 内部\u DNS\u域使用指南

If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS servers as the default DNS server(s) for all queries.

如果CFG_应答有效负载不包含内部_DNS_域属性,则客户端可以使用提供的内部_IP4_DNS或内部_IP6_DNS服务器作为所有查询的默认DNS服务器。

If a client is configured by local policy to only accept a limited set of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other INTERNAL_DNS_DOMAIN values.

如果客户端由本地策略配置为仅接受一组有限的内部\u DNS \u域值,则客户端必须忽略任何其他内部\u DNS \u域值。

For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not prohibited by local policy, the client MUST use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only resolvers for the listed domains and its subdomains, and it MUST NOT attempt to resolve the provided DNS domains using its external DNS servers. Other domain names SHOULD be resolved using some other external DNS resolver(s) that are configured independently from IKE. Queries for these other domains MAY be sent to the internal DNS resolver(s) listed in that CFG_REPLY message, but they have no guarantee of being answered. For example, if the INTERNAL_DNS_DOMAIN attribute specifies "example.test", then "example.test", "www.example.test", and "mail.eng.example.test" MUST be resolved using the internal DNS resolver(s), but "otherexample.test" and "ple.test" MUST NOT be resolved using the internal resolver and MUST use the system's external DNS resolver(s).

对于本地策略未禁止的CFG_回复有效负载中的每个内部_DNS_域条目,客户端必须使用提供的内部_IP4_DNS或内部_IP6_DNS服务器作为列出的域及其子域的唯一解析程序,并且不得尝试使用其外部DNS服务器解析提供的DNS域。其他域名应使用一些独立于IKE配置的其他外部DNS解析程序进行解析。对这些其他域的查询可能会发送到该CFG_回复消息中列出的内部DNS解析程序,但它们不能保证得到答复。例如,如果INTERNAL_DNS_DOMAIN属性指定了“example.test”,则必须使用内部DNS解析程序解析“example.test”、“www.example.test”和“mail.eng.example.test”,但“otherexample.test”和“ple.test”不能使用内部解析程序解析,必须使用系统的外部DNS解析程序。

The initiator SHOULD allow the DNS domains listed in the INTERNAL_DNS_DOMAIN attributes to resolve to special IP address ranges, such as those of [RFC1918], even if the initiator host is otherwise configured to block a DNS answer containing these special IP address ranges.

启动器应允许内部\u DNS\u域属性中列出的DNS域解析为特殊IP地址范围,例如[RFC1918]的IP地址范围,即使启动器主机以其他方式配置为阻止包含这些特殊IP地址范围的DNS应答。

When an IKE Security Association (SA) is terminated, the DNS forwarding MUST be unconfigured. This includes deleting the DNS forwarding rules; flushing all cached data for DNS domains provided by the INTERNAL_DNS_DOMAIN attribute, including negative cache entries; removing any obtained DNSSEC trust anchors from the list of trust anchors; and clearing the outstanding DNS request queue.

当IKE安全关联(SA)终止时,必须取消DNS转发的配置。这包括删除DNS转发规则;刷新内部_DNS_DOMAIN属性提供的DNS域的所有缓存数据,包括负缓存项;从信任锚列表中删除任何获得的DNSSEC信任锚;以及清除未完成的DNS请求队列。

INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split-tunnel configurations where only a subset of traffic is routed into a private remote network using the IPsec connection. If all traffic is routed over the IPsec connection, the existing global INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating specific DNS or DNSSEC exemptions.

内部\u DNS \u域属性仅应在拆分隧道配置上使用,其中只有一部分流量使用IPsec连接路由到专用远程网络。如果所有流量都通过IPsec连接路由,则可以使用现有的全局内部_IP4_DNS和内部_IP6_DNS,而无需创建特定的DNS或DNSSEC豁免。

6. INTERNAL_DNSSEC_TA Usage Guidelines
6. 内部DNSSEC TA使用指南

DNS records can be used to publish specific records containing trust anchors for applications. The most common record type is the TLSA record specified in [RFC6698]. This DNS record type publishes which Certification Authority (CA) certificate or End Entity (EE) certificate to expect for a certain host name. These records are protected by DNSSEC and thus are trustable by the application. Whether to trust TLSA records instead of the traditional Web PKI depends on the local policy of the client. By accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote IKE server, the IPsec client might be allowing the remote IKE server to override the trusted certificates for TLS. Similar override concerns apply to other public key or fingerprint-based DNS records, such as OPENPGPKEY, SMIMEA, or IPSECKEY records.

DNS记录可用于发布包含应用程序信任锚的特定记录。最常见的记录类型是[RFC6698]中指定的TLSA记录。此DNS记录类型发布特定主机名所需的证书颁发机构(CA)证书或最终实体(EE)证书。这些记录受DNSSEC保护,因此应用程序可信任。是否信任TLSA记录而不是传统的Web PKI取决于客户端的本地策略。通过从远程IKE服务器通过IKE接受内部信任锚,IPsec客户端可能允许远程IKE服务器覆盖TLS的受信任证书。类似的覆盖问题也适用于其他公钥或基于指纹的DNS记录,如OPENPGPKEY、SMIMEA或IPSECKEY记录。

Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as the equivalent of installing an Enterprise CA certificate. It allows the remote IKE/IPsec server to modify DNS answers, including DNSSEC cryptographic signatures, by overriding existing DNS information with a trust anchor conveyed via IKE and (temporarily) installed on the IKE client. Of specific concern is the overriding of TLSA records based on [RFC6698], which represents a confirmation or override of an existing Web PKI TLS certificate. Other DNS record types that convey cryptographic materials (public keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP, and IPSECKEY records.

因此,安装内部信任锚可以看作是安装企业CA证书的等价物。它允许远程IKE/IPsec服务器修改DNS应答,包括DNSSEC加密签名,方法是使用通过IKE传输的信任锚覆盖现有DNS信息,并(临时)安装在IKE客户端上。特别值得关注的是基于[RFC6698]的TLSA记录覆盖,这表示对现有Web PKI TLS证书的确认或覆盖。传递加密材料(公钥或指纹)的其他DNS记录类型有OPENPGPKEY、SMIMEA、SSHP和IPSECKEY记录。

IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use a whitelist of one or more domains that can be updated out of band. IKE clients with an empty whitelist MUST NOT use any INTERNAL_DNSSEC_TA attributes received over IKE. Such clients MAY interpret receiving an INTERNAL_DNSSEC_TA attribute for a non-whitelisted domain as an indication that their local configuration may need to be updated out of band.

愿意接受内部DNSSEC TA属性的IKE客户端必须使用一个或多个可在带外更新的域的白名单。白名单为空的IKE客户端不得使用通过IKE接收的任何内部属性。此类客户端可能会将接收非白名单域的内部\u DNSSEC_TA属性解释为其本地配置可能需要在带外更新的指示。

IKE clients should take care to only whitelist domains that apply to internal or managed domains rather than to generic Internet traffic. The DNS root zone (".") MUST be ignored if it appears in a whitelist. Other generic or public domains, such as Top-Level Domains (TLDs), similarly MUST be ignored if they appear in a whitelist unless the entity actually is the operator of the TLD. To determine this, an

IKE客户端应该只注意应用于内部或托管域的白名单域,而不是一般的Internet流量。如果DNS根区域(“.”)出现在白名单中,则必须忽略它。如果其他通用域或公共域(如顶级域(TLD))出现在白名单中,则它们同样必须被忽略,除非实体实际上是TLD的操作员。要确定这一点,需要一个

implementation MAY interactively ask the user when a VPN profile is installed or activated to confirm this. Alternatively, it MAY provide a special override keyword in its provisioning configuration to ensure non-interactive agreement can be achieved only by the party provisioning the VPN client, who presumably is a trusted entity by the end user. Similarly, an entity might be using a special domain name, such as ".internal", for its internal-only view and might wish to force its provisioning system to accept such a domain in a Split DNS configuration.

当安装或激活VPN配置文件时,实现可能会以交互方式询问用户以确认这一点。或者,它可以在其设置配置中提供一个特殊的覆盖关键字,以确保只有设置VPN客户端的一方才能实现非交互式协议,该方可能是最终用户信任的实体。类似地,实体可能使用特殊域名(如“.internal”)作为其仅内部视图,并且可能希望强制其配置系统在拆分DNS配置中接受此类域。

Any updates to this whitelist of domain names MUST happen via explicit human interaction or by a trusted automated provision system to prevent malicious invisible installation of trust anchors in case of an IKE server compromise.

此域名白名单的任何更新必须通过显式人工交互或受信任的自动供应系统进行,以防止在IKE服务器受损的情况下恶意安装不可见的信任锚。

IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for subdomain names of the whitelisted domain names. For example, if "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for "antartica.example.net" SHOULD be accepted.

IKE客户端应接受白名单域名的子域名的任何内部更新。例如,如果“example.net”被列入白名单,则应接受为“antartica.example.net”收到的内部数据。

IKE clients MUST ignore any received INTERNAL_DNSSEC_TA attributes for a Fully Qualified Domain Name (FQDN) for which it did not receive and accept an INTERNAL_DNS_DOMAIN Configuration Payload.

IKE客户端必须忽略接收到的完全限定域名(FQDN)的任何内部\u DNSSEC_TA属性,该完全限定域名(FQDN)没有接收到该属性,并且必须接受内部\u DNS_域配置负载。

In most deployment scenarios, the IKE client has an expectation that it is connecting to a specific organization or enterprise using a split-network setup. A recommended policy would be to only accept INTERNAL_DNSSEC_TA directives from that organization's DNS names. However, this might not be possible in all deployment scenarios, such as one where the IKE server is handing out a number of domains that are not within one parent domain.

在大多数部署场景中,IKE客户机期望使用拆分网络设置连接到特定的组织或企业。建议的策略是只接受来自该组织DNS名称的内部DNSSEC TA指令。但是,这在所有部署场景中都是不可能的,例如IKE服务器分发的多个域不在一个父域内。

7. IANA Considerations
7. IANA考虑

This document defines two new IKEv2 Configuration Payload Attribute Types, which are allocated from the "IKEv2 Configuration Payload Attribute Types" namespace.

本文档定义了两种新的IKEv2配置有效负载属性类型,它们是从“IKEv2配置有效负载属性类型”命名空间分配的。

                                 Multi-
   Value    Attribute Type       Valued  Length      Reference
   ------   -------------------  ------  ----------  ---------------
   25       INTERNAL_DNS_DOMAIN   YES     0 or more  RFC 8598
   26       INTERNAL_DNSSEC_TA    YES     0 or more  RFC 8598
        
                                 Multi-
   Value    Attribute Type       Valued  Length      Reference
   ------   -------------------  ------  ----------  ---------------
   25       INTERNAL_DNS_DOMAIN   YES     0 or more  RFC 8598
   26       INTERNAL_DNSSEC_TA    YES     0 or more  RFC 8598
        

Figure 1

图1

8. Security Considerations
8. 安全考虑

As stated in Section 2, if the negotiated IPsec connection is not a split-tunnel configuration, the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA Configuration Payloads MUST be ignored. Otherwise, generic VPN service providers could maliciously override DNSSEC-based trust anchors of public DNS domains.

如第2节所述,如果协商的IPsec连接不是拆分隧道配置,则必须忽略内部_DNS_域和内部_DNSSEC_TA配置有效负载。否则,通用VPN服务提供商可能恶意覆盖公共DNS域的基于DNSSEC的信任锚。

An initiator MUST only accept INTERNAL_DNSSEC_TAs for which it has a whitelist, since this mechanism allows the credential used to authenticate an IKEv2 association to be leveraged into authenticating credentials for other connections. Initiators should ensure that they have sufficient trust in the responder when using this mechanism. An initiator MAY treat a received INTERNAL_DNSSEC_TA for a non-whitelisted domain as a signal to update the whitelist via a non-IKE provisioning mechanism. See Section 6 for additional security considerations for DNSSEC trust anchors.

启动器必须只接受其具有白名单的内部\u DNSSEC \u TA,因为此机制允许用于验证IKEv2关联的凭据用于验证其他连接的凭据。启动器应确保在使用此机制时对响应者有足够的信任。发起者可以将接收到的非白名单域的内部数据作为通过非IKE供应机制更新白名单的信号。有关DNSSEC信任锚的其他安全注意事项,请参见第6节。

The use of Split DNS configurations assigned by an IKEv2 responder is predicated on the trust established during IKE SA authentication. However, if IKEv2 is being negotiated with an anonymous or unknown endpoint (such as for Opportunistic Security [RFC7435]), the initiator MUST ignore Split DNS configurations assigned by the responder.

IKEv2响应程序分配的拆分DNS配置的使用基于IKE SA身份验证期间建立的信任。但是,如果IKEv2正在与匿名或未知端点协商(例如为了机会主义安全[RFC7435]),则发起方必须忽略响应方分配的拆分DNS配置。

If a host connected to an authenticated IKE peer is connecting to another IKE peer that attempts to claim the same domain via the INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process the DNS information if the two connections are part of the same logical entity. Otherwise, the client SHOULD refuse the DNS information and potentially warn the end user. For example, if a VPN profile for "Example Corporation" is installed that provides two IPsec connections, one covering 192.168.100.0/24 and one covering 10.13.14.0/24, it could be that both connections negotiate the same INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA values. Since these are part of the same remote organization (or provisioning profile), the Configuration Payloads can be used. However, if a user installs two VPN profiles from two different unrelated independent entities, both could be configured to use the same domain -- for example, ".internal". These two connections MUST NOT be allowed to be active at the same time.

如果连接到经过身份验证的IKE对等方的主机正在连接到另一个试图通过内部_DNS_domain属性声明同一域的IKE对等方,则IKE连接仅应在两个连接是同一逻辑实体的一部分时处理DNS信息。否则,客户端应拒绝DNS信息,并可能警告最终用户。例如,如果安装了“example Corporation”的VPN配置文件,该配置文件提供两个IPsec连接,一个覆盖192.168.100.0/24,另一个覆盖10.13.14.0/24,则可能是两个连接协商相同的内部_DNS_域和内部_DNSSEC_TA值。由于它们是同一远程组织(或配置配置文件)的一部分,因此可以使用配置有效负载。但是,如果用户从两个不同的不相关的独立实体安装两个VPN配置文件,则可以将这两个配置文件配置为使用同一个域,例如,“.internal”。不得允许这两个连接同时处于活动状态。

If the initiator is using DNSSEC validation for a domain in its public DNS view and it requests and receives an INTERNAL_DNS_DOMAIN attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure its DNS resolver to allow for an insecure delegation. It SHOULD NOT accept insecure delegations for domains that are DNSSEC signed in the

如果启动器在其公共DNS视图中对域使用DNSSEC验证,并且它请求并接收一个没有内部\u DNSSEC \u TA的内部\u DNS \u域属性,则它需要重新配置其DNS解析程序以允许不安全的委派。它不应接受在中签名为DNSSEC的域的不安全委托

public DNS view for which it has not explicitly requested such delegation, i.e., for which it has not used an INTERNAL_DNS_DOMAIN request to specify the domain.

未明确请求此类委托的公共DNS视图,即未使用内部_DNS_DOMAIN请求指定域。

Deployments that configure INTERNAL_DNS_DOMAIN domains should pay close attention to their use of indirect reference RRtypes in their internal-only domain names. Examples of such RRtypes are NS, CNAME, DNAME, MX, or SRV records. For example, if the MX record for "internal.example.com" points to "mx.internal.example.net", then both "internal.example.com" and "internal.example.net" should be sent using an INTERNAL_DNS_DOMAIN Configuration Payload.

配置内部\u DNS\u域名的部署应密切注意在其仅内部域名中使用间接引用RRTYPE。此类RRV类型的示例包括NS、CNAME、DNAME、MX或SRV记录。例如,如果“internal.example.com”的MX记录指向“MX.internal.example.net”,则“internal.example.com”和“internal.example.net”都应使用内部DNS\u域配置负载发送。

IKE clients MAY want to require whitelisted domains for Top-Level Domains (TLDs) and Second-Level Domains (SLDs) to further prevent malicious DNS redirections for well-known domains. This prevents users from unknowingly giving DNS queries to third parties. This is even more important if those well-known domains are not deploying DNSSEC, as the VPN service provider could then even modify the DNS answers without detection.

IKE客户端可能需要顶级域(TLD)和二级域(SLD)的白名单域,以进一步防止恶意DNS重定向到已知域。这可以防止用户在不知情的情况下向第三方提供DNS查询。如果那些知名域没有部署DNSSEC,这一点就更为重要,因为VPN服务提供商甚至可以在没有检测的情况下修改DNS应答。

The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be passed to another (DNS) program for processing. As with any network input, the content SHOULD be considered untrusted and handled accordingly.

内部域名和内部域名的内容可以传递给另一个(DNS)程序进行处理。与任何网络输入一样,内容应被视为不可信,并进行相应处理。

9. References
9. 工具书类
9.1. Normative References
9.1. 规范性引用文件

[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, <https://www.rfc-editor.org/info/rfc1918>.

[RFC1918]Rekhter,Y.,Moskowitz,B.,Karrenberg,D.,de Groot,G.,和E.Lear,“私人互联网地址分配”,BCP 5,RFC 1918,DOI 10.17487/RFC1918,1996年2月<https://www.rfc-editor.org/info/rfc1918>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.

[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, <https://www.rfc-editor.org/info/rfc4034>.

[RFC4034]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的资源记录”,RFC 4034,DOI 10.17487/RFC4034,2005年3月<https://www.rfc-editor.org/info/rfc4034>.

[RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010, <https://www.rfc-editor.org/info/rfc5890>.

[RFC5890]Klensin,J.,“应用程序的国际化域名(IDNA):定义和文档框架”,RFC 5890,DOI 10.17487/RFC5890,2010年8月<https://www.rfc-editor.org/info/rfc5890>.

[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012, <https://www.rfc-editor.org/info/rfc6698>.

[RFC6698]Hoffman,P.和J.Schlyter,“基于DNS的命名实体认证(DANE)传输层安全(TLS)协议:TLSA”,RFC 6698,DOI 10.17487/RFC6698,2012年8月<https://www.rfc-editor.org/info/rfc6698>.

[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, <https://www.rfc-editor.org/info/rfc7296>.

[RFC7296]Kaufman,C.,Hoffman,P.,Nir,Y.,Eronen,P.,和T.Kivinen,“互联网密钥交换协议版本2(IKEv2)”,STD 79,RFC 7296,DOI 10.17487/RFC72962014年10月<https://www.rfc-editor.org/info/rfc7296>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.

9.2. Informative References
9.2. 资料性引用

[RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, DOI 10.17487/RFC2775, February 2000, <https://www.rfc-editor.org/info/rfc2775>.

[RFC2775]Carpenter,B.,“互联网透明度”,RFC 2775,DOI 10.17487/RFC2775,2000年2月<https://www.rfc-editor.org/info/rfc2775>.

[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014, <https://www.rfc-editor.org/info/rfc7435>.

[RFC7435]Dukhovni,V.,“机会主义安全:大部分时间的一些保护”,RFC 7435,DOI 10.17487/RFC7435,2014年12月<https://www.rfc-editor.org/info/rfc7435>.

Authors' Addresses

作者地址

Tommy Pauly Apple Inc. One Apple Park Way Cupertino, California 95014 United States of America

Tommy Pauly Apple Inc.美国加利福尼亚州库比蒂诺苹果公园大道一号,邮编95014

   Email: tpauly@apple.com
        
   Email: tpauly@apple.com
        

Paul Wouters Red Hat

保罗·沃特斯红帽

   Email: pwouters@redhat.com
        
   Email: pwouters@redhat.com