HOMENET | W. Cloetens |
Internet-Draft | SoftAtHome |
Intended status: Standards Track | P. Lemordant |
Expires: December 31, 2012 | D. Migault (Ed) |
Francetelecom - Orange | |
July 2012 |
IPv6 Home Network Front End Naming Delegation
draft-mglt-homenet-front-end-naming-delegation-00.txt
This document proposes a Naming Delegation Architecture that makes possible End Users to reach the hosts or services of their Home Network using Names instead of IP addresses.
This document shows how the Naming Delegation between the CPE and the ISP can be set so the CPE is not exposed on the Internet. This document describes an Naming Architecture where ISPs provide Front End Delegating DNS Servers whereas the CPEs constitute a Back End Network of Delegated DNS Servers. All DNS queries for any Home Network are addressed to the Delegating Front End Server. The response is expected to be stored on a CPE, and the Front End Delegating DNS Server sends a DNS Query to that CPE before answering to the initial DNS query.
The negotiation between the CPE and the ISP is using DHCP Options. This document provides options so Front End Delegating and the Delegated DNS Servers configure their respective Zone files and so that CPEs restrict access and protect themselves from unauthorized DNS Queries.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 31, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
[I-D.mglt-homenet-naming-delegation] describes the Naming Delegation Architecture that makes possible Services and Objects of a Home Network to be globally reachable with Names on the Internet. For that purpose, the Costumer Premise Equipment (CPE) hosts the authoritative DNS Server of the Home Network. The zone associated to the Home Network ("my-homenet") is a subzone of a zone managed by the ISP ("example."). This zone is attached to the global DNS Architecture. Because the ISP delegates the Naming service to the CPE, we call the DNS server responsible for "example." the Delegating DNS Server, and the DNS server responsible for "my-homenet.example." the Delegated DNS Server. The Delegated DNS Server runs on the CPE, and [I-D.mglt-homenet-naming-delegation] describes how the CPE can automatically set the Naming Delegation between the Delegated and the Delegating DNS Server. Necessary pieces of information to configure the respective DNS Zones are exchanged between the DHCP client of the CPE and the ISP DHCP Server through DHCP Options.
The resulting Naming Delegation Architecture [I-D.mglt-homenet-naming-delegation] results in a CPE hosting a Service on the Internet. CPEs have not been designed for heavy load, and, as a result, the Delegating exposes the Home Network to potential Deny of Service attacks. The Front End Naming Delegation Architecture proposed in this document is an alternative to the Naming Delegation Architecture [I-D.mglt-homenet-naming-delegation] where the ISP provides Front End Delegating Servers that handles the whole DNS traffic. The CPE remains responsible for the zone "my-homenet.example.", but only responds to DNS queries sent by the Front End Delegating Servers. For this reason we call the CPE Delegated DNS Server the Back End Delegated DNS Server.
The Front End Naming Delegation Architecture can be seen as providing a Authoritative DNS Server for all the Home Networks: the Front End Delegating DNS Server. However this Authoritative Server distributes the Zone between multiple nodes (the CPE). The CPE constitutes the Back End Network. The Front End Delegating DNS Server receives DNS query from the Internet, and to respond requires to retrieve this information on the CPE hosting this information. In this document, the Front End Delegating DNS Server uses the DNS protocol to retrieve this information from the CPE. Other protocols may have been chosen.
The Front End Naming Delegation Architecture is based on the Naming Delegation Architecture [I-D.mglt-homenet-naming-delegation] and addresses the same requirements. It addresses the Deny of Service Security issue. On the other hand, it requires the ISP to provide an adapted infrastructure, and that all DNS traffic is (partly) handled by the ISP. The document shows how the CPE can be configured automatically and be part of the Front End Naming Delegation Architecture.
In this document we only considered IPv6 and DHCP. As such DHCP MUST be understood as DHCPv6. We also assume the reader has read [I-D.mglt-homenet-naming-delegation]
This document uses the terminology defined in [I-D.mglt-homenet-naming-delegation], and introduces the following terminology:
The Home Network Naming Requirements for the Naming Delegation listed in [I-D.mglt-homenet-naming-delegation] are:
The Naming Delegation Architecture fulfills these requirements, and we consider this architecture as the base architecture. However, this architecture major drawback is that the CPE hosts the Delegated DNS Server. CPE are usually not designed to handle heavy traffic, and thus are sensitive to DoS attacks. The Front End Naming Delegation Architecture adds one requirement to the currently designed Naming Delegation Architecture [I-D.mglt-homenet-naming-delegation]:
In order to match Requirement 6, the Front End Naming delegation Architecture introduces Front End DNS Delegating Server that handles with all DNS traffic. This means that all DNS queries that concern the Home Network are addressed to the Front End DNS Delegating Server of the ISP and are not addressed to the CPE. CPEs belong to the Back End DNS Network.
The Front End DNS Naming Delegation Architecture fulfills all the above Requirements. However, Requirement 4 needs to be balanced against Requirement 6. Requirement 6 requires the ISP to handle all DNS queries that concern the Home Network. This makes the ISP aware of all queried Services, Objects and hosts in the Home Network. This may, in that sense, reduces the Privacy of the Home Network compared to the Naming Delegation Architecture. In fact with the Naming Delegation Architecture, the DNS query is directly sent to the CPE when the DNS client has the IP address of the CPE in its cache. In that case, the ISP is not aware of the existence of the queried FQDN. However, if the DNS client does not have the IP address of the CPE, then the DNS query is sent first to the ISP Delegating Server. In this latter case, the Front End DNS Naming Delegation Architecture does not provide less privacy.
Figure 1 shows how the Resolution is performed. In [1], the Resolver sends a DNS query to the Front End Delegated Server for the host "hots1.my-homenet.example.". The Front End Delegated Server does not have the response in its cache or in its zone file. The Front End Delegating DNS Server MUST send a query to the Back End Delegated DNS Sever. The IP address of the Back End Delegated DNS Sever MUST NOT be revealed to the Resolver, for example by setting the NS field in the DNS Zone File. In Figure 1, we mentioned the Delegated Server Information Database where this IP address is stored. The Front End Delegating Server sends the DNS(SEC) query to the Back End Delegated Server hosting the zone "my-homenet.example.". The source IP address used is one the Delegating Authorized Resolvers IP addresses. This query is represented in [2]. The Back End Delegated Server responds in [3] with the DNS(SEC) Response. Note that the "AUTHORITY" and "ADDITIONAL SECTION" of the DNS response MUST indicate the FQDN and the IP addresses of the Front End Delegated DNS Server. These pieces of information have been provided by the ISP DHCP Server with the Front End Delegating Information DHCP Option. The CPE can also be configured to respond without these fields. Finally in [4], the Front End Delegating Server forwards the DNS(SEC) response to the Resolver. "AUTHORITY" and "ADDITIONAL SECTION" fields MUST be filled in appropriately.
+--------------------------+ [1] DNS Query +---+ | ZONE "example.": | hots1.my-homenet.example. AAAA | R | | Front End Delegating | <------------------------------- | E | | Servers | [4] DNS Response: | S | +----------------------+ | my-homenet.example. AAAA IP6 | O | | Delegated Server | | [my-homenet.example. RRSIG [...] ] | L | | Info Database | | -------------------------------> | V | +----------------------+---+ | E | | [2] DNS Query ^ | R | | hots1.my-homenet.example. AAAA +---+ | | [3] DNS Response: | | my-homenet.example. AAAA IP6 v | [my-homenet.example. RRSIG [...] ] +-----------------------------+ | CPE | | Back End Delegated Server | | ZONE "my-homenet.example." | | IP6 DELEGATED_DNS_ADDR_INFO | +-----------------------------+ | | +------------+ +------------+ | Host 1 | | Host n | +------------+ +------------+ Figure 1: DNS Resolution with the Home Network Front End Naming Delegation Architecture
Figure 2 describes the Interactions between the CPE and the ISP DHCP Server.
Similarly to [I-D.mglt-homenet-naming-delegation], the CPE hosts a DHCP Server (DHCP_SRV) that is used to assign IP addresses and FQDNs to the Hosts of the Home Network. In this document we considered DHCP, but other protocols can also be used in combination with DHCP or instead of DHCP. The CPE also has a DHCP Client (DHCP_CLT) that is used to exchange information with the ISP DHCP Server. This document describes how these exchanges properly configure the Front End Naming Delegation Architecture. The CPE also hosts a Authoritative DNS Server (DNS_SRV) that is responsible of the subzone associated to the Home Network. This Authoritative DNS Server is called the Back End Delegated Server. At last the CPE also has a Firewall (FIREWALL), that can be configured with security Policies. In this document, the CPE is not expected to received DNS queries from any other peer but the Front End Delegation DNS Servers, that are in the ISP Network.
In Figure 2. the CPE sends a DHCP Request for a Front End Naming Delegation Architecture (DELEGATED_DNS_ARCHITECTURE). Similarly to the Naming Delegation Architecture, the CPE provides the necessary information so the ISP can derive the IP address of the Back End Delegated DNS Server (DELEGATED_DNS_ADDR_INFO). If the CPE wants a DNSSEC Delegation to be set it also provides the Delegation of Signing Information (DS). In our case, the CPE also sends a request for a Prefix Delegation (IA_PD).
To the difference with [I-D.mglt-homenet-naming-delegation], the IP address of the Back End Delegated DNS Server is not mentioned in the Zone file of the Front End Delegating DNS Server. In this document, the Back End Delegated DNS Server is not expected to receive any DNS query from anyone but the Front End Delegating DNS Server. For DNS Resolvers, the only Authoritative DNS Server they are aware of is the Front End Delegating DNS Server.
Similarly to [I-D.mglt-homenet-naming-delegation], the ISP DHCP Server provides the CPE the IP Prefix so the CPE can configure its Prefix Delegation. To set the DNS(SEC) Naming Delegation the ISP DHCP Server indicates the type of Naming Delegation Architecture agreed between the CPE and the ISP DHCP Server (DELEGATED_DNS_ARCHITECTURE). In addition, the ISP DHCP Server, provides the Delegated Domain (DELEGATED_DOMAIN) as well as the IP addresses and FQDNs of the Front End Delegating DNS Servers (FRONT_END_DELEGATING_INFO). These pieces of information are necessary to configure the zone file of the Home Network. In fact the zone file MUST be configured with the Front End Delegating Server as the authoritative servers. In addition, the ISP DHCP Server may also provide the IP addresses or subnet prefix of the Delegating Authorized Resolvers (DELEGATING_AUTH_RESOLVERS). These Resolvers are the only hosts supposed to send DNS queries to the CPE. DNS queries from any other IP address MUST be discarded.
Upon receiving these pieces of information, the Front End Delegating Server and the Back End Delegated Server configure their Zones. In addition the CPE also configures its Firewall, so to discard any DNS queries but those emitted from the Delegating Authorized Resolvers.
<--------- Home Network ----------> <--------- ISP ---------> +--------+ +---------------------+ +-----------------------+ | Host 1 +--+ CPE | | ISP DHCP | +--------+ +----------+----------+ +-----------------------+ . | DHCP_SRV | DHCP_CLT | | | . | v | | | | . | v | DHCP Request ----------------------> | . | v | DELEGATED_DNS_ARCHITECTURE, | . +----------| DELEGATED_DNS_ADDR_INFO, | . | DNS_SRV | ORO(IA_PD) [DS] | . +----------| | | | . | ^ | <---------------------- DHCP Reply | . | ^ | DELEGATED_DNS_ARCHITECTURE, | . | < < < DHCP_CLT DELEGATED_DOMAIN, IA_PD, | . | v | FRONT_END_DELEGATING_INFO, | +--------+ +----------+ DELEGATING_AUTH_RESOLVERS, | | Host n +--| FIREWALL | | | | +--------+ +----------+--------- + +-----------------------+ Figure 2: Front End Naming Delegation Architecture
From Figure 1, one may assimilate the Front End Delegating DNS Server to a Recursive DNS Resolver. The main differences are:
As a result, the Front End Delegating DNS Server is a mixed mode between Authoritative and Recursive DNS Server. As an Authoritative Server, the Response [4] in figure 1 MUST have a Authoritative Answer (AA) bit set, which indicates the Response is from an Authoritative Server. Then the Resolution [2] and [3] in figure 1 MUST be processed even if the Recursion Desired (RD) bit is not set in the DNS query [1].
It is also recommended that the Front End Delegating DNS Server provides the Authoritative and Additional Section of the Response in [4], without considering the sections of [3]. In other word, it is recommended not to forward these section from [3], and the CPE should be configured not to provide these sections in [3].
Figure 2 shows that the ISP DHCP Server provides the IP addresses of the Front End Delegating DNS Server as well as the Name of the Front End Delegating DNS Server. These are the information the Back End Delegated DNS Server MUST put in its Zone file. More especially in the NS fields.
Figure 2 also shows that the ISP DHCP Server provides the CPE the IP addresses or subnet prefix of the Authorized Delegating Resolvers. These are the IP addresses authorized to send DNS queries that should not be discarded on the WAN Interface. Any other DNS query on the WAN should be discarded. These rules are set by the Firewall as represented in Figure 2.
The Firewall rules does not prevent the CPE to be a DNS forwarder or a DNS Resolver for the hosts of the Home Network. In fact the CPE can still receive DNS queries from the LAN Interface. The issue is that the CPE may provide Multiple DNS Services. In this document, we consider the CPE provides at least a DNS Authoritative servers on its WAN Interface for the Authorized Delegating Resolvers. For the LAN Interface, the CPE may be configured in various ways, depending on the ISP DNS Infrastructure. A first configuration consists in configuring the CPE LAN DNS Service into a DNS forwarder. In that case, the CPE DHCP server of the Home Network provides an IP address of the CPE for the DNS Resolver. DNS queries for the Home Network are answered by the CPE, others are forwarded to the Resolver of the ISP. This resolver is provided via DHCP. Another alternative consists in configuring the CPE as a Recursive DNS Server. Without any specific configurations, DNS queries for the Home Network are sent to the Front End Delegating DNS Server. Optimization may be done to bypass the Front End Delegating DNS Server for the Home Network Zone and are CPE or software implementation specific.
When the CPE wants to set a Front End Naming Delegation Architecture, it requests this set up to the ISP DHCP Server. For that purpose, we consider two new naming-delegation-action: SET_FRONT_END_NAMING_DELEGATION_WITH_DNS when the delegation is only performed with DNS or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC if the CPE wants a DNSSEC delegation. These naming-delegation-actions are proposed in the Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE). Then, the CPE proceeds as described in [I-D.mglt-homenet-naming-delegation].
When the DHCP Server receives a Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE), Delegated DNS Address Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO) or a Delegation of Signing DHCP Option (OPTION_DS), the DHCP Server proceeds as described in [I-D.mglt-homenet-naming-delegation].
In addition, when the naming-delegation-action is set to SET_FRONT_END_NAMING_DELEGATION_WITH_DNS or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC, the DHCP Server MUST include in the Response the two additional DCHP Options. The Front End Delegating Information DHCP Option (OPTION_FRONT_END_DELEGATING_INFO) which indicates the FQDNs of the Front End Delegating Servers and their associated IP addresses. Then, it also MUST include the Delegating Authorized Resolvers DHCP Option (OPTION_DELEGATING_AUTH_RESOLVERS) which indicates the IP addresses or subnet prefixes of the Authorized Delegating Resolvers.
Note that Naming Delegation is set differently for the Front End Naming Delegation Architecture and for the Naming Delegation Architecture. More specifically, in the Front End Naming Delegation, the ISP DHCP Server MUST NOT make the IP address of the Delegated DNS Server public in its zone file.
Similarly to [I-D.mglt-homenet-naming-delegation], if the CPE has not received all expected DHCP Options, or cannot proceed to the configuration of the Naming Delegation Architecture, it MUST either clear the Naming Delegation settings or proceed to the appropriated settings.
When the CPE receives the Delegating Authorized Resolvers DHCP Option (OPTION_DELEGATING_AUTH_RESOLVERS), the CPE may update its Firewall rules. The Front End Delegating Information DHCP Option (OPTION_FRONT_END_DELEGATING_INFO) is used to configure the DNS zone of the Home Network.
The CPE may receive the Delegating Authorized Resolvers or the Front End Delegating Information DHCP Option from the ISP DHCP Server that are not the response to a Delegated DNS Architecture DHCP Option. This may happen if the ISP DHCP Server is updating or modifying its Front End Delegating DNS Server or the associated Delegating Authorized Resolvers. In that case, the CPE MUST make sure the message provides from the ISP DHCP Server and updates its Firewall rules as well as its DNS zone file.
The options detailed in this section are
The Delegated DNS Architecture DHCP Option is defined in [I-D.mglt-homenet-naming-delegation]. This document adds two new naming-delegation-actions defined below:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPT_FRONT_END_DELEGATING_INFO | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | front-end-length | front-end-fqdn-length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / front-end-delegating-fqdn / | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | ipv6-address | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | ipv6-address | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |OPTION_DELEGATED_AUTH_RESOLVERS| option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | prefix-length | | +-+-+-+-+-+-+-+-+ | | | | ipv6-prefix | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | prefix-length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | / ipv6-prefix / | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This document adds two new DHCP Options:
This document addresses the DoS security issue of [I-D.mglt-homenet-naming-delegation]. Other security considerations remains as described in [I-D.mglt-homenet-naming-delegation].
The authors wish to thank Ole Troan for pointing out issues with the IPv6 routed home concept and placing the scope of this document in a wider picture, Mark Townsley for encouragement and injecting a healthy debate on the merits of the idea, Ulrik de Bie for providing alternative solutions, Paul Mockapetris for pointing out issues of the trustworthiness of a reverse lookup, and Christian Jacquenet for seeing the value from a Service Provider point of view.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[I-D.mglt-homenet-naming-delegation] | Cloetens, W, Lemordant, P and D Migault, "IPv6 Home Network Naming Delegation Architecture", Internet-Draft draft-mglt-homenet-naming-delegation-00, July 2012. |