Internet DRAFT - draft-mglt-homenet-naming-delegation
draft-mglt-homenet-naming-delegation
HOMENET W. Cloetens
Internet-Draft SoftAtHome
Intended status: Standards Track P. Lemordant
Expires: January 31, 2013 D. Migault (Ed)
Francetelecom - Orange
July 30, 2012
IPv6 Home Network Naming Delegation Architecture
draft-mglt-homenet-naming-delegation-00.txt
Abstract
This document describes the Naming Delegation Architecture that makes
IPv6 Home Network globally reachable with Names or Fully Qualified
Domain Names (FQDN). In this architecture, the Customer Premise
Equipment (CPE) acts as the DNS Authoritative Server of the Home
Network also called the Delegated DNS Server. The Naming Delegation
is configured between the Delegated DNS Server and the Delegating DNS
Server managed by the ISP.
The use case considered in this document is an End User that
subscribes its ISP a specific Delegated Domain for its Home Network.
This document describes how the CPE automatically sets the Naming
Delegation between the Delegating and Delegated DNS Server.
The Naming Delegation is requested by the CPE. The CPE DHCP Client
and the ISP DHCP Server exchange DHCP Options to properly set the
Naming Delegation. More specifically, the CPE DHCP Client (resp. the
ISP DHCP Server) configures the DNS(SEC) Zones of the Delegated DNS
Server (resp. Delegating DNS Server). For the Delegating DNS Server,
the necessary pieces of information required to set the Naming
Delegation are the IP address of the Delegated DNS Server, and if
DNSSEC is used, the Delegation of Signing Information. For the
Delegated DNS Server, the necessary information is the Delegated
Domain associated to the Home Network.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
Cloetens, et al. Expires January 31, 2013 [Page 1]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 31, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Cloetens, et al. Expires January 31, 2013 [Page 2]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Home Network Naming Architecture Requirements . . . . . . . . 7
5. Home Network Delegating Architecture Overview . . . . . . . . 8
5.1. Fulfilling Home Network Naming Architecture
Requirements . . . . . . . . . . . . . . . . . . . . . . . 8
5.2. Naming Delegation Architecture Description . . . . . . . . 9
5.3. Naming Delegation Configuration Environment Description . 11
5.4. Naming Delegation DHCP Configuration Description . . . . . 13
6. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 15
6.1. CPE Request Creation and Transmission for Naming
Delegation Architecture . . . . . . . . . . . . . . . . . 15
6.2. ISP DHCP Server Responding to the CPE Request for
Naming Delegation Architecture . . . . . . . . . . . . . . 16
6.2.1. Case 1: No Delegated DNS Architecture DHCP Option
in conjunction with Delegated Address Information
or Delegated Domain DHCP Option . . . . . . . . . . . 16
6.2.2. Case 2: No Delegated DNS Architecture DHCP Option
in conjunction with Option Request DHCP Option
for a Delegated Domain DHCP Option . . . . . . . . . . 16
6.2.3. Case 3: Delegated DNS Architecture DHCP Option . . . . 16
6.2.4. Processing the Delegated DNS Address Information
DHCP Option . . . . . . . . . . . . . . . . . . . . . 19
6.2.5. Processing the Delegation of Signing DHCP Option . . . 19
6.3. CPE Receiving the ISP DHCP Response for the Naming
Delegation Architecture . . . . . . . . . . . . . . . . . 19
7. DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.1. Delegated DNS Architecture Option . . . . . . . . . . . . 20
7.2. Delegated Domain Option . . . . . . . . . . . . . . . . . 22
7.3. Delegated DNS Address Information Option . . . . . . . . . 23
7.4. Delegated Delegation of Signing Option . . . . . . . . . . 23
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
9. Security Considerations . . . . . . . . . . . . . . . . . . . 24
9.1. Names are less secured than IP addresses . . . . . . . . . 24
9.2. Names are less volatile than IP address . . . . . . . . . 25
9.3. DNSSEC is recommended to authenticate DNS hosted data . . 25
9.4. Channel between the CPE and ISP DHCP Server MUST be
secured . . . . . . . . . . . . . . . . . . . . . . . . . 26
9.5. CPEs are sensitive to DoS . . . . . . . . . . . . . . . . 26
10. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 26
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
11.1. Normative References . . . . . . . . . . . . . . . . . . . 27
11.2. Informational References . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
Cloetens, et al. Expires January 31, 2013 [Page 3]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Introduction
Home Networks used to be composed of a single or a set of PCs
connected to a CPE to access the Internet. Now they have evolved to
a large set of applications and objects or devices managed by the
CPE. Among these applications are Media applications like Video,
Music and Photos Stations, Backup applications, File sharing
applications with FTP and Web Stations, Access applications with VPN
Stations, and others like Surveillance Station, Printing Stations.
With the Internet of Things (IoT) the number of objects attached to
the CPE is expected to increase in the coming years.
Then, services and objects in the Home Networks should be made
reachable from anywhere on the Internet. IPv6 removes the need for
NAT and makes this possible with a global reachability. But IPv6
addresses remain inconvenient. In fact, most End Users prefer using
Names to access these services. Furthermore Names make
communications independent from IP renumbering, or changes of IP
addresses. Then, if IP addresses plan remains opaque for End Users,
on the other hand, they easily understand the Naming hierarchical
model. More specifically, if "my-homenet" is the Delegated Domain
associated to my Home Network, it makes sense that "my-service.my-
homenet" is the "my-service" in "my-homenet".
To assign Names to objects and services of the Home Network, the Home
Network should be provided a Naming Architecture. For most End
Users, the CPE manages the Home Network, that is to say, it provides
access to the Internet, discovers the devices, and interconnects them
between each other. As a result, the CPE is the natural device to
centralize the Naming service of the Home Network.
Home Networks should be operational with the least configuration.
End Users, expect to subscribe to an ISP, plug with minimum
configuration the CPE and access to the Internet and to their
services from anywhere on the Internet. The CPE interconnects the
Home Network to the ISP's Network, and the CPE gets from the ISP all
the necessary pieces of information to set up the connectivity. In
some cases, the CPE is even provided by the ISP. In order to make
services and objects of the Home Network reachable with Names, the
ISP is likely to provide the CPE the Delegated Domain associated to
the Home Network, and set up the necessary delegation to make the
Cloetens, et al. Expires January 31, 2013 [Page 4]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
Home Network DNS Zone reachable from the Internet. More
specifically, the End User subscribes its ISP an Internet
connectivity, and registered its Home Network Delegated Domain "my-
homenet". When the CPE is plugged, as it requests an IP prefix, it
also requests the Delegated Domain - like "my-homenet.example.".
From then, all devices requesting IP addresses via DHCP or using
alternative protocols are registered by the CPE in the zone "my-
homenet.example.". When a communication is initiated with
"a-device.my-homenet.example.", a DNS query is sent to the ISP
authoritative DNS server of the zone "example.". This server is
called the Delegating DNS Server and delegates the query to the CPE
which acts as the authoritative server of "my-homenet.example." and
sends back the response.
This architecture is called the "Home Network Naming Delegation
Architecture" because, the ISP is not hosting the DNS zone of the
Home Network but is delegating the Home Network zone to the CPE.
There are multiple motivations for this delegation architecture.
First delegation preserves the Home Network privacy, by avoiding ISPs
to know the Home Network hosts. Furthermore, ISP are unlikely to be
able to scale their Naming infrastructure for all services and
devices of the Home Networks. As a result, ISPs are looking to
distribute the Naming service between the CPEs, and delegate to each
CPE their associated Home Network zone.
The purpose of this document is to describe an architecture that
automatically configures the Naming architecture of the Home Network.
More specifically, when the End User plugs its CPE, the CPE is being
assigned by the ISP a Delegated Domain that has been pre-registered
by the End User to the ISP. This Delegated Domain designates the
Home Network, and the CPE is expected to act as an authoritative DNS
server of this Zone. When a node of the Home Network is requesting
using DHCP an IP address, the CPE can provide the node the IP address
and updates the zone file of the Home Network.
This document assumes that the communication between the CPE and the
ISP DHCP Server is protected. This document does not specify which
mechanism should be used. [RFC3315] proposes a DHCP authentication
and message exchange protection, [RFC4301], [RFC5996] proposes to
secure the channel at the IP layer.
This document does not provide any mechanism that protects the CPE
from being exposed on the Internet. In fact, CPE are low power
devices, and the Naming Delegation described in this document exposes
the CPE on the Internet by publishing its IP address and making the
DNS Service hosted on the CPE. This issue is addressed in
[I-D.mglt-homenet-front-end-naming-delegation] which describes the
Front End Naming Delegation Architecture. In this architecture, the
Cloetens, et al. Expires January 31, 2013 [Page 5]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
ISP's infrastructure protects the CPE from heavy load.
This document only deals with IPv6 IP addresses and DHCPv6 [RFC3315].
When we mention DHCP, it MUST be understood as DHCPv6.
3. Terminology
This sections defines terminology specific to IPv6 and DHCP used in
this document.
- Home Network: Designates the objects and Services that are
hosted in the Home Network of the End User.
- Home Network Naming Architecture: Designates the Architecture
that makes possible to reach a device, an object or a service
in the Home Network by using Names like Fully Qualified Domain
Names.
- Home Network Naming Delegation Architecture or Naming Delegation
Architecture: Designates the Naming Architecture Described in this
document. The ISP delegates the Naming management of the Home
Network to the Delegated DNS Servers. Consistency with the
Global Naming Architecture is provided by the ISP. The
Delegation occurs between Delegating DNS Servers hosted by the
ISP and Delegated DNS Servers hosted in the Home Network.
- Internet Service Provider (ISP): The End User has subscribed to
the ISP. The ISP is aware of End User credential and the
Delegated Domain of the Home Network. The ISP is expected to
provide the CPE the required information to properly configure
the DNS Zone.
- Delegating DNS Server: Designates the Authoritative DNS Server
of the ISP. The Home Network is a subzone of the Delegating
DNS Server. This subzone is handled by the Delegated DNS
Server.
- Customer Premise Equipment (CPE): Designates the device that
hosts the DNS and DHCP Service in the Home Network. This
device sets the IP and Naming interconnection between the ISP
Network and Home Network.
- Delegated DNS Server: Designates the DNS Authoritative Server
that handles the Hosts of the Home Network.
Cloetens, et al. Expires January 31, 2013 [Page 6]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
- Delegated Delegation of Signing Option: Designates the DHCP
Option that makes possible the DNSSEC Delegation between the
Delegated DNS Server and the Delegating DNS Server.
- Delegated DNS Addressing Information Option: Designates the DHCP
Option that makes possible the Delegation between the Delegated
DNS Server and the Delegating DNS Server for both DNS and
DNSSEC. With this option, the Delegating DNS Server is
informed of the IP addressing information - the interface and
the subnet identifier - used by the Delegated DNS Server.
- Delegated Domain: Designates the domain Name associated to the
Home Network. In this document, the Delegated Domain is
reserved by the End User to the ISP at the subscription of the
Internet Access. It is then communicated to the CPE by the
ISP, so the CPE configures properly its Delegated DNS Server.
- Fully Qualified Domain Name (FQDN): Name that fits the general
DNS requirements.
4. Home Network Naming Architecture Requirements
The Home Network Naming Architecture is defined by two parties the
End User and the ISP. Both of them have specific requirements.
The End User requirements we are considering are the following:
- 1: Centralized Naming Configuration: Configuring a Network, is
most of the time more convenient when done in a centralized
way. Home Networks now may have only a few nodes, which makes
a per-node configuration possible, for example using DynDNS
like service, to assign a FQDN to each node. However, the
number of nodes is expected to grow in the next future, and we
recommend now to specify a centralized way for configuring the
Home Network Naming Architecture.
- 2: Automatic Configuration: Most End User do not want to
configure, their Home Network, and configuration MUST be
minimal. The procedure should consider those 90% of End Users
- 3: Advanced Configuration enable: Some End Users have various
specific requirements, and they SHOULD be able to match these
requirements. This means that the Automatic Configuration may
be disable.
Cloetens, et al. Expires January 31, 2013 [Page 7]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
- 4: Privacy Protection By Design: Most End User does not want to
provide anyone, including their ISP, the content of their zone,
like network topology, or the devices and services hosted in
the Home Network. On the other hand the content of the zone
should be publicly published. DNS makes this possible for two
reasons. First, DNS makes the content of the zone public,
without publishing the whole zone - at least AXFR queries must
be disabled. Then, DNS is a distributed databases with
delegation mechanisms, that preserves the privacy of subzones
toward upper zones. Note that as explained in Section 9 the
Naming Delegation Architecture described in this document
protects the End User's privacy by not providing the complete
DNS zone. However, one MUST be aware that using Names exposes
their Home Networks to the Internet since names are expected to
provide less randomness than the standard IPv6 numbering. Then
Names are more associated to an identity than IP addresses are.
Thus, allowing PTR DNS queries may also affect the End User's
privacy.
The ISP requirements, other than fulfilling the End Users'
requirements are the following:
- 1: Make the Home Network Naming Architecture Scalable: ISPs can
hardly foresee the evolution of Home Networks, that is to say
the number of devices that will belong to them, or the number
of requests, updates associated to each FQDN. Architectures
that would make the ISP deal with all FQDNs is definitively out
of scope. Delegation management of the Zone to CPE makes local
management handled locally, and Delegating the zone makes CPE
dealing with their zone traffic.
5. Home Network Delegating Architecture Overview
5.1. Fulfilling Home Network Naming Architecture Requirements
The CPE is designed to provide connectivity to the Home Network, to
discover and connect all Hosts of the Home Network. As such, it is a
good candidate to bind FQDNs and IP addresses. In this document, we
consider the CPE as the device that centralizes the configuration of
the Delegation Home Network Naming Architecture. This fulfills the
End User Requirement 1.
The CPE should not be configured, and should get the necessary
information to properly configure the Delegation Home Network Naming
Architecture. These pieces of information, like the Delegated Domain
assigned to the Home Network are provided by the ISP. On the other
hand, the CPE may also be able to provide information to the ISP.
Cloetens, et al. Expires January 31, 2013 [Page 8]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
For example, the CPE may provide the ISP the Delegated DNS IP Address
Information, that is to say the Interface and Subnet Identifier of
the Home Network Authoritative DNS, or the Delegated Delegation of
Signing which is the hash of public key of the Home Network
Authoritative DNS server. In this document, we call the Home Network
Authoritative DNS server the Delegated DNS Server. These pieces of
information are device related and local information. They are not
related to the configuration of the Delegation Home Network Naming
Architecture. This fulfills the End User Requirement 2.
The CPE should set the Naming Delegation Architecture by requesting
for it. The CPE can be configured to not request these pieces of
information so the Home Network can have a specific Naming
configuration. A specific Naming configuration could be for example,
that the FQDN assigned to the Home Network is different from the one
attributed by the ISP. This fulfills the End User Requirement 3.
The CPE acts as an authoritative DNS server for the Home Network.
This prevents communication of the DNS zone to any third party. As a
result, this makes the DNS zone publicly available, while protecting
the privacy of the Home Network. This fulfills the End User
Requirement 4.
The CPE provides the Home Network Authoritative DNS server or
Delegated DNS Server. This function is an added function to the
service/device discovery, routing service, DHCP service, Naming
resolution service, provided by the CPE. The CPE seems to be the
most adapted device, for most End Users cases, to host the Delegated
DNS Server. This service includes handling with the DNS queries
concerning the Home Network and updating the zone for the various
devices. The load generated by the Delegated DNS Server is expected
to be handled by the CPE, and CPE may be designed to handle such
traffic. On the other hand, it is hardly possible ISPs can handle
with this traffic for all Home Networks. The Delegation Home Network
Naming Architecture is adopted for its scalability. This fulfills
the ISP Requirement 1.
5.2. Naming Delegation Architecture Description
Figure 1 describes a DNS resolution with the Naming Delegation
Architecture. The resolution can be done using DNS or DNSSEC. In
the Architecture described in figure 1, the IPv6 address MUST be
global.
In the example below, the Zone of the ISP is called "example.". The
End User of the CPE has registered to the ISP the Delegated Domain
"my-homenet", and the Home Network can be globally reachable under
the name "my-homenet.example.". A host in the Home Network "host1"
Cloetens, et al. Expires January 31, 2013 [Page 9]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
has been assigned an IPv6, and has been registered in the Home
Network with the name "host1.my-homenet.example.". Note that the
architecture makes host1 globally reachable under the name "host1.my-
homenet.example.".
The End User is likely to use alternate names which will require the
use of DNAME [RFC6672] and CNAME [RFC2118] . In other words, the
Naming Delegation Architecture described in this document does not
prevent the End User to register a service or a host under an
alternative name such as "host1-alternative-name.example.net". For
that purpose, the End User may redirect manually "host1-alternative-
name.example.net" to "host1.my-homenet.example." using CNAME
[RFC2118]. Similarly, the Home Network can also be registered under
an alternate domain name such as "my-alternate-homenet.net".
Redirecting the zone requires to use DNAME. In both case, the
configuration is performed by the End User, and is independent to the
configuration between the ISP and the End User.
In figure 1, the Resolver is getting the IP address of "host1.my-
homenet.example.". A DNS(SEC) Query is sent to the Delegating DNS
Server responsible of "example.". Then "example." responds with the
delegating information, so the resolver can send the DNS Query to the
Delegated DNS Server responsible of "my-homenet.example.". The
delegating pieces of information are, the Name and IP address of the
Delegated DNS Server, and if DNSSEC is available and requested the
Delegation of Signing. These pieces of information may have been
provided by the Delegated DNS Address Information and Delegated
Delegation of Signing DHCP Options.
Then, the Resolver sends the DNS(SEC) Query to the Home Network
Delegated DNS Server which responds with the requested DNS(SEC)
information.
Cloetens, et al. Expires January 31, 2013 [Page 10]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
+----------------------------+ DNS Query +---+
| ISP DNS Server | hots1.my-homenet.example. AAAA | |
| Delegating Servers | <---------------------------------- | |
| ZONE "example." | DNS Response: | |
| | my-homenet.example. NS IP6 | R |
| | [my-homenet.example. DS [...]] | E |
+----------------------------+ ----------------------------------> | S |
+----------------------------+ DNS Query | O |
| CPE DNS Server | host1.my-homenet.example. AAAA | L |
| Delegating Server | <---------------------------------- | V |
| ZONE "my-homenet.example." | DNS Response: | E |
| | my-homenet.example. NS IP6 | R |
| | [my-homenet.example. RRSIG [...]] | |
+----------------------------+ ----------------------------------> | |
| | | |
+------------+ +------------+ +---+
| Host 1 | | Host n |
+------------+ +------------+
Figure 1: DNS Resolution with the Home Network Delegating Architecture
5.3. Naming Delegation Configuration Environment Description
Figure 2 shows the DHCP exchange between the CPE and the ISP DHCP
Server. This exchange sets the Home Network Naming Delegation
Architecture.
As mentioned in figure 2, the CPE is in the Home Network and
implements three functions: the DHCP Client (DHCP_CLT), the DHCP
Server (DHCP_SRV) and the Delegated DNS Server (DNS_SRV).
- CPE DHCP Client (DHCP_CLT): is responsible for getting parameters
from the ISP. In figure 2, the CPE DHCP Client requests the
ISP an IPv6 Prefix Delegation (IA_PD) [RFC3633]. The CPE DHCP
Client also requests to set a Naming Delegation Architecture
(DELEGATED_DNS_ARCHITECTURE), and provides the necessary pieces
of information to set up the Naming Delegation Architecture
(DELEGATED_DNS_ADDR_INFO, DELEGATED_DNSSEC_DS). In return, the
CPE DHCP Client (DHCP_CLT) is expected to receive from the ISP
DHCP Server, the Delegated Domain Name (DELEGATED_DOMAIN) and
the IPv6 Prefix Delegation (IA_PD). These pieces of
information are useful to configure the Home Network DNS Zone
file, of the CPE Delegated DNS Server (DNS_SRV).
- CPE DHCP Server (DHCP_SRV): The CPE DHCP server hosted by the CPE
is not mandatory for the Naming Delegation Architecture. We
mentioned it in Figure 2 as most of the CPEs are responsible
for assigning IPv6 Addresses to the Hosts of the Home Network.
Cloetens, et al. Expires January 31, 2013 [Page 11]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
Figure 2 considers that the IPv6 Address of the Hosts are
assigned via DHCP, and that while assigning the IPv6 prefixes,
the DHCP Server populates the Home Network DNS Zone file of the
CPE Delegated DNS Server (DNS_SRV).
- CPE Delegated DNS Server (DNS_SRV): The CPE Delegated DNS Server
hosts the Naming Service of the Home Network. The DNS Server
can implement DNS or DNSSEC. This function interacts with the
CPE DHCP Client (DHCP_CLT) so the Naming Delegation is properly
set with the ISP, and the CPE DHCP Server (DHCP_SRV) which
manages names for the hosts of the Home Network.
The ISP DHCP Server is in the ISP Network and is the counter part of
the CPE DHCP Client (DHCP_CLT). As the CPE DHCP Client (DHCP_CLT)
interacts with the Delegated DNS Server, the ISP DHCP Server also
interact with the ISP Delegating DNS Server. In fact the ISP DHCP
Server is in charge of setting the Naming Delegation upon request of
the CPE DHCP Client (DHCP_CLT). Furthermore, when the Home Network
Prefix Delegation is not any more active, the ISP DHCP Server MUST
remove the Naming Delegation settings.
Hosts are the devices of the Home Network. Figure 2, illustrates the
case, where these hosts have been assigned an IPv6 prefix from the
DHCP Server of the CPE. We use the "stateful address
autoconfiguration protocol", as defined in [RFC3315] but other
protocols like "IPv6 Stateless Address Autoconfiguration" [RFC4862]
may also be used. This will not affect the Naming Delegation
Architecture.
Cloetens, et al. Expires January 31, 2013 [Page 12]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
<--------- Home Network ----------> <--------- ISP --------->
+--------+ +---------------------+ +-----------------------+
| Host 1 +--+ CPE | | ISP DHCP |
+--------+ +----------+----------+ +-----------------------+
. | DHCP_SRV | DHCP_CLT | | |
. | v | | | |
. | v | DHCP Request ----------------------> |
. | v | DELEGATED_DNS_ARCHITECTURE, |
. +----------| DELEGATED_DNS_ADDR_INFO, |
. | DNS_SRV | ORO(IA_PD) |
. +----------| [DS, ORO(DELEGATED_DOMAIN)] |
. | ^ | | | |
. | ^ | <---------------------- DHCP Reply |
. | ^ | DELEGATED_DNS_ARCHITECTURE, |
| ^ | DELEGATED_DOMAIN, |
+--------+ | ^ | IA_PD |
| Host n +--| < < < DHCP_CLT | | |
+--------+ +----------+--------- + +-----------------------+
Figure 2: Naming Delegation Architecture
5.4. Naming Delegation DHCP Configuration Description
Figure 2 illustrates how the CPE provides and get the necessary
information to set the Naming Delegation. In this document, all
parameters are provided and received using DHCP Options.
First of all, in order to set the Home Network Naming Delegation, the
CPE MUST have a Delegated Prefix. In our case, the CPE is requesting
the Delegated Prefix to the ISP DHCP Server with the Identity
Association Prefix Delegation DHCP Option (IA_PD), as defined in
[RFC3633], [RFC3769]. To Request the Option from the ISP DHCP
Server, the CPE uses the Option Request DHCP Option (ORO) [RFC3315].
The CPE uses the Delegated DNS Architecture DHCP Option
(OPTION_DELEGATED_DNS_ARCHITECTURE) to specify the naming-delegation-
action to perform. The CPE provides a ordered list of alternative
naming-delegation-actions. One of these actions will be chosen by
the ISP DHCP Server. The naming-delegation-actions considered in
this document are Clear the Naming Delegation Settings, Set it with
DNS or Set is with DNSSEC. Figure 2 illustrates the case where the
CPE Sets the Naming Delegation Architecture with DNS or with DNSSEC.
In order to set the Naming Delegation Architecture between the
Delegating DNS Server and the Delegated DNS Server, the CPE MUST
provide some pieces of information. First the Delegating DNS Server
MUST be aware of the IP address used for the Delegated DNS Server.
Cloetens, et al. Expires January 31, 2013 [Page 13]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
Since the CPE is requesting a Prefix Delegation, it is not aware of
the IP address. That is why, the CPE MUST provide pieces of
information that enables the ISP DHCP Server to derive the IP
address. In fact the CPE provides the Subnet Identifier and the
Interface Identifier using the Delegated Address Information DHCP
Option (OPTION_DELEGATED_DNS_ADDR_INFO). The ISP DHCP Server is
aware of the assigned prefix, and thus can derive the IP address of
the Delegated DNS Server.
The calculation of the CPE IPv6 address used for the delegated DNS
server is done as follows:
0 63|64 127
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 prefix | subnet-ID | interface-ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
subnet-ID length = 64 - IPv6 prefix length
Figure 3: CPE IP address Format
If DNSSEC is used, the CPE MUST also provide the Delegation of
Signing (DS) Information [RFC4034]. This is done using the
Delegation of Signing DHCP Option (OPTION_DS)
In figure 2, we mentioned the Delegated Domain DHCP Option that can
optionally be requested. In fact, with Delegated DNS Architecture
DHCP Option requesting the ISP to Set the Naming Delegation
Architecture, the ISP is expected to send back the Delegated Domain.
However, in some cases, for example if the CPE wants to checks the
ISP has provisioned a Delegated Domain, the CPE may request the
Delegated Domain without setting the Naming Delegation Architecture.
In that case, the CPE, MUST request the Delegated Domain DHCP Option
(OPTION_DELEGATED_DOMAIN).
The ISP DHCP Server processes the various DHCP Options, and provides
the Prefix Delegation, the Delegated DNS Architecture, and the
Delegated Domain DHCP Options. The Prefix Delegation Option provides
the IPv6 Prefix assigned to the Home Network. The Delegated DNS
Architecture DHCP Option indicates the Naming Delegation set by the
ISP, as well as Status Code. The Delegated Domain DHCP Option
provides the Domain the owner of the CPE has registered.
The ISP DHCP Server MUST keep the Naming Delegation Architecture
coherent with the Prefix Delegation. If the Prefix Delegation is
using DHCP, then, the ISP DHCP Server MUST unset the Naming
Delegation Architecture when the Prefix Delegation expires. How the
DHCP Server should proceed is out of scope of this document.
Cloetens, et al. Expires January 31, 2013 [Page 14]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
6. Protocol Exchange
In this document, we do not consider the CPE and the ISP have pre-
agreed on some parameters. In other words, all necessary information
for configuring the Home Network Naming Delegation Architecture are
sent via DHCP Options. The ISP is in charge of identifying the CPE
owner - that is to say the End User - and is aware of the Delegated
Domain the End User has subscribed for.
For clarity, we designated the CPE DHCP Client by the CPE.
6.1. CPE Request Creation and Transmission for Naming Delegation
Architecture
The CPE provides the ISP DHCP Server an ordered list of naming-
delegation-actions which starts with the most most preferred action.
The ISP DHCP Server can chose one of these actions and process it.
Theses naming-delegation-actions are carried by the Delegated DNS
Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE). If the
CPE wants to remove the Naming Delegation Architecture, it sets the
action to CLEAR. Otherwise, it sets the action to
SET_NAMING_DELEGATION_WITH_DNS or SET_NAMING_DELEGATION_WITH_DNSSEC.
The Naming Delegation cannot be set if the CPE has not been provided
a Prefix Delegation. So, if the CPE has not been assigned a Prefix,
it MUST either get first a prefix before setting the Naming
Delegation Architecture. If the Prefix Delegation is provided via
the ISP DHCP Server, then the CPE can simultaneously send a DHCP
Request for a Prefix Delegation with the Identity Association Prefix
Delegation DHCP Option and for setting the Naming Delegation
Architecture.
If SET_NAMING_DELEGATION_WITH_DNS or
SET_NAMING_DELEGATION_WITH_DNSSEC is one of the naming-delegation-
action carried by the Delegated DNS Architecture DHCP Option, then
the CPE MUST provide the Delegated Address Information DHCP Option
(OPTION_DELEGATED_DNS_ADDR_INFO).
If SET_NAMING_DELEGATION_WITH_DNSSEC is one of the naming-delegation-
action carried by the Delegated DNS Architecture DHCP Option, then
the CPE MUST provide the Delegation of Signing DHCP Option
(OPTION_DS).
If the CPE does not want to set the Naming Delegation Architecture,
but wants to known the Delegated Domain, then, the CPE MUST send a
Delegated Domain DHCP Option (OPTION_DELEGATED_DOMAIN) with no
Delegated DNS Architecture DHCP Option
(OPTION_DELEGATED_DNS_ARCHITECTURE).
Cloetens, et al. Expires January 31, 2013 [Page 15]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
6.2. ISP DHCP Server Responding to the CPE Request for Naming
Delegation Architecture
6.2.1. Case 1: No Delegated DNS Architecture DHCP Option in conjunction
with Delegated Address Information or Delegated Domain DHCP
Option
When the DHCP Server receives a Delegated Address Information DHCP
Option or a Delegated Domain DHCP Option it MUST check if there is a
Delegated DNS Architecture DHCP Option. If not, these DHCP Options
MUST be discarded.
6.2.2. Case 2: No Delegated DNS Architecture DHCP Option in conjunction
with Option Request DHCP Option for a Delegated Domain DHCP
Option
If the DHCP Server receives an Option Request DHCP Option for a
Delegated Domain DHCP Option, but no Delegated DNS Architecture DHCP
Option. The DHCP Server MUST NOT proceed to any configuration
settings. The ISP DHCP Server returns the Delegated Domain DHCP
Option. Otherwise, it MUST return a Delegated DNS Architecture DHCP
Option with a single action set to NONE and the Status Code
indicating the reason of failure.
Possible failure reasons are: If the DHCP Server understands the
Delegated Domain DHCP Option but does not provide the Naming
Delegation Service, the DHCP Server MUST return a Status Code set to
NamingDelegationUnavailable. Then, if the Naming Delegation Service
is Available, the DHCP MUST check if the CPE has been identified or
authenticated according to local policies. If that is not the case,
the DHCP Server MUST return a Status Code set to
UnauthorizedRequester. If the CPE is authorized to request a
Delegated Domain DHCP Option, the DHCP Server MUST check the
Delegated Domain has been provisioned, and if that is not the case,
if MUST send a Status Code set to UnprovisionedDelegatedDomain. For
any other failure, the DHCP Server MUST send a Status Code
UnspecFail.
In case of success the DHCP Server does not return Delegated DNS
Architecture DHCP Option or Status Code.
6.2.3. Case 3: Delegated DNS Architecture DHCP Option
When a Delegated DNS Architecture DHCP Option is received, the DHCP
Server MUST check an Option Request for Identity Association Prefix
Delegation (IA_PD) has not been provided. If that is the case, the
DHCP Server MUST proceed first to this Option. Then, the Delegated
DNS Architecture DHCP Option should only be processed, if the
Cloetens, et al. Expires January 31, 2013 [Page 16]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
Identity Association Prefix Delegation has been processed
successfully. If no Identity Association Prefix Delegation has been
requested the DHCP Server may consider the CPE has no Prefix and send
a Delegated DNS Architecture DHCP Option with the status code
MissingPrefixDelegationRequest. On the other hand, the DHCP Server
may also assume the CPE got a Prefix from another way and proceeds to
the Delegated DNS Architecture DHCP Option.
When a Delegated DNS Architecture DHCP Option is received and the
Naming Delegation is already set. If the naming-delegation-action is
set to NONE, the packet do not proceed to any change. For all other
naming-delegation-action, the ISP DHCP Server MUST process the DHCP
Option. In case of success, the Naming Delegation MUST be updated.
In any other case, the ISP DHCP Server MUST clear the Naming
Delegation settings.
From now, the DHCP processes the Delegated DNS Architecture DHCP
Option. Preliminary checks are performed in case of failure, the
DHCP Server sends a Delegated DNS Architecture DHCP Option with a
single naming-delegation-action set to NONE and the Status Code
indicating the reason of failure. If the DHCP Server understands
this Option, but does not provide the Naming Delegation Service, the
DHCP Server MUST return a Status Code set to
NamingDelegationUnavailable. Then the DHCP MUST check the CPE is
authorized for this Option. If not, the DHCP Server sends a Status
Code set to UnauthorizedRequester. At last, it MUST check if
Delegated Domain has been provisioned otherwise the DHCP Server MUST
send a Status Code set to UnprovisionedDelegatedDomain. For any
other reasons, a Status Code set to UnspecFail MUST be sent.
The DHCP Server then looks at the naming-delegation-actions mentioned
by the CPE. The CPE has ordered these actions according to their
preference, and the most preferred naming-delegation-action is put
first. Naming-delegation-actions are proposed by the CPE, thus the
DHCP Server MUST skip any naming-delegation-action it does not
understand or its local policies prevent to apply for the CPE. Note
that the ordered list is only used to chose a naming-delegation-
action to be applied. If the chosen naming-delegation-action fails,
the DHCP Server does not have to try other naming-delegation-action
with lower preference.
To prevent long proposition lists of naming-delegation-actions, the
DHCP Server may send a Status Code TooManyNamingDelegationActions.
If the naming-delegation-actions list is void, the DHCP MUST send a
Status Code set to VoidNamindDelegationActionList. If none of the
naming-delegation-action is acceptable, the DHCP Server MUST send a
Status Code of NoApplicableNamingDelegationAction. These Status Code
are reported in a Delegated DNS Architecture DHCP Option with naming-
Cloetens, et al. Expires January 31, 2013 [Page 17]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
delegation-action set to NONE.
In this document, the naming-delegation-action considered can be
CLEAR, SET_NAMING_DELEGATION_WITH_DNS,
SET_NAMING_DELEGATION_WITH_DNSSEC. Any other proposition is skipped
by the DHCP Server.
If CLEAR is the chosen naming-delegation-action, there not reason the
DHCP Server cannot remove the configurations settings. In response,
the DHCP Server MUST send a Delegated DNS Architecture with a single
naming-delegation-action set CLEAR. In case of success, the Status
Code MUST be set to Success, otherwise, it MUST be set to UnspecFail.
For both SET_NAMING_DELEGATION_WITH_DNS and
SET_NAMING_DELEGATION_WITH_DNSSEC naming-delegation-actions, the DHCP
MUST have an IP address for the Delegated DNS Server. This IP
address can be pre-agreed. In this document we consider that this IP
address can be derived from the parameters provided by the Delegated
DNS Address Information DHCP Option. It is up to the DHCP Server to
define how to proceed between the pre-agreed IP address and the one
derived from the Delegated DNS Address Information DHCP Option.
There may be multiple Delegated DNS Address Information DHCP Options,
and the DHCP Server may chose to consider all of these IP Addresses.
On the other hand, the DHCP Server may also chose to send a Status
Code set to DelegatedIPAddressConflict. This Status Code is sent in
a Delegated DNS Architecture DHCP Option with naming-delegation-
action set to the corresponding naming-delegation-action.
The DHCP Server accepts the Delegated DNS Address Information DHCP
Options it should first proceed to it. If there are multiple
Delegated DNS Address Information DHCP Options, the DHCP Server may
process to all of them. It may proceed to the Naming Delegation
Architecture Configuration if at least one IP address is valid or if
all IP addresses are valid.
For the SET_NAMING_DELEGATION_WITH_DNSSEC naming-delegation-action,
the DHCP Server MUST check a Delegation of Signing DHCP Option has
been provided. If not a Status Code set to
MissingDNSSECDelegationOfSigning.
If the Delegated DNS Address Information and the Delegation of
Signing DHCP Options have been processed successfully, the DHCP
Server MUST configure the Delegating Server, with the IP address(es)
and DS record in its zone. Values for the TTL are defined according
to the DHCP Timer. The TTL value MUST NOT be greater than the valid-
lifetime of the Prefix [RFC3633]. Then, the DHCP Server sends back
the Delegated DNS Architecture DHCP Option with a Status Code set to
Success.
Cloetens, et al. Expires January 31, 2013 [Page 18]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
6.2.4. Processing the Delegated DNS Address Information DHCP Option
Global Unicast IPv6 Addresses are composed of the ISP assigned
prefix, that is usually composed of 56 bits, followed by the
subnet-ID, typically composed of 8 bits and the interface-ID composed
of 64 bits.
In order to set properly the Naming delegation, one MUST make sure
the DHCP Server and the CPE agree on the IP address of the Delegated
DNS Server. The CPE may not be aware of its ISP assigned prefix and
has requested an Identity Association Prefix Delegation DHCP Option
for it. The CPE may also have pre-agreed a ISP assigned prefix. In
both cases, the CPE and the DHCP Server MUST make sure they agree on
the same subnet-ID, that is to say with the same length. The
subnet-ID is defined by setting all unknown bits of the ISP assigned
prefix to zero. If the number of zeros does not match the size of
the ISP assigned prefix, the DHCP Server MUST send a Delegated DNS
Architecture DHCP Option with a Status Code set to
SubnetIDNonMatchingISPDelegatedPrefixLength Status Code.
For clarification on the agreed IP address of the Delegated DNS
Server, the DHCP Server may send in the DHCP Reply the Delegated DNS
Address Information DHCP Option with the complete information. In
that case, the DHCP Server MUST add a Status Code set to Success.
6.2.5. Processing the Delegation of Signing DHCP Option
The Format of the DS RDATA is defined in [RFC4034].
6.3. CPE Receiving the ISP DHCP Response for the Naming Delegation
Architecture
The Delegated DNS Architecture DHCP Option
(OPTION_DELEGATED_DNS_ARCHITECTURE) informs the CPE whether the
Naming Delegation Architecture has been set as well as the
configuration used by the ISP.
7. DHCP Options
The options detailed in this section are
- Delegated DNS Architecture (OPTION_DELEGATED_DNS_ARCHITECTURE): is
used by the DHCP Client on the CPE to inform how the Naming
Delegation Architecture should be configured. In return, it is
used by the ISP DHCP Server to report the Status Code.
Cloetens, et al. Expires January 31, 2013 [Page 19]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
- Delegated Domain (OPTION_DELEGATED_DOMAIN): is used by the DHCP
Server to advertise the CPE the Delegated Domain of the Home
Network. This Delegated Domain has been reserved and assigned
by the End User during the subscription. This option is used
to configure properly the DNS zone file of the CPE.
- Delegated DNS Address Information
(OPTION_DELEGATED_DNS_ADDR_INFO): is used by the CPE to advertise
the DHCP Server which interface and subnet identifier is used
by the CPE to build the IPv6 address using the delegated IPv6
prefix to host the DNS Server. This option is used so the
DELEGATING_SERVERS can properly fix the delegation.
- Delegated Delegation of Signing (OPTION_DELEGATED_DNSSEC_DS): is
used by the CPE so the DELEGATING_SERVERS can properly fix the
DNSSEC Naming Delegation.
7.1. Delegated DNS Architecture Option
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_DELEGATED_DNS_ARCH. | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
/ naming-delegation-action-list /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| status-code |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- option-code: OPTION_DELEGATED_DNS_ARCHITECTURE.
- option-len: Length of the delegated-naming-action-list field, the
status-code and the status-message in octets.
- naming-delegation-action-list: The list of the actions the CPE is
ready to accept.
- status-code: The Status Code of the operation as specified in
[RFC3315]. This option may be absent if operation is
successful.
The naming-delegation-action-list is encoded as follows:
Cloetens, et al. Expires January 31, 2013 [Page 20]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| list length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| naming-delegation-action-list |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- list length: Length of the 'naming-delegation-action-list' field
in octets
- naming-delegation-action-list: List of proposed actions by the CPE
to the ISP DHCP Server.
The naming-delegation-actions are 1 octet length, and the following
values are considered in this document:
- NONE - 0 - : Indicates that the DHCP Server MUST remove the Naming
Delegation Architecture Configuration settings on the
Delegating DNS Server.
- CLEAR - 1 - : Indicates that the DHCP Server MUST remove the
Naming Delegation Architecture Configuration settings on the
Delegating DNS Server.
- SET_NAMING_DELEGATION_WITH_DNS - 2 - : Indicates that the DHCP
Server MUST set the Naming Delegation Architecture with only
DNS, and MUST NOT consider DNSSEC Delegation.
- SET_NAMING_DELEGATION_WITH_DNSSEC - 3 - : Indicates that the DHCP
Server MUST set the Naming Delegation Architecture with DNSSEC.
The Status code 1 octet length and this section considers the
following values:
- Success - 0 - :
- UnspecFail - 1 - :
- MissingPrefixDelegationRequest - TBD - :
- NamingDelegationUnavailable - TBD - :
Cloetens, et al. Expires January 31, 2013 [Page 21]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
- UnauthorizedRequester - TBD - :
- UnprovisionedDelegatedDomain - TBD - :
- TooManyNamingDelegationActions - TBD - :
- VoidNamindDelegationActionList - TBD - :
- NoApplicableNamingDelegationAction - TBD - :
- SubnetIDNonMatchingISPDelegatedPrefixLength - TBD - :
- DelegatedIPAddressConflict - TBD - :
- MissingDNSSECDelegationOfSigning - TBD - :
7.2. Delegated Domain Option
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_DELEGATED_DOMAIN | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| delegated-domain |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- option-code: OPTION_DELEGATED_DOMAIN
- option-len: Length of the 'Delegated Domain' field in octets.
- delegated-domain: The Delegated Domain encoded as specified in
[RFC1035]
Cloetens, et al. Expires January 31, 2013 [Page 22]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
7.3. Delegated DNS Address Information Option
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_DELEGATED_DNS_ADDR_INFO | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| subnet-ID (8 octets) |
| |
|+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| interface-ID (8 octets) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- option-code: OPTION_DELEGATED_DNS_ADDR_INFO
- option-len: Length (16) of the Delegated DNS addressing
information.
- subnet-ID: The identifier of a subnet used by the authoritative
DNS server for the delegated domain name. Only the last 'm'
bits are significant. The 'm' value is equal to (64 - 'n')
where 'n' is the delegated prefix length. The subnet-ID may be
dynamically truncated by the DHCP server and client to match
the 'm' size (depending on the delegated prefix length).
- interface-ID: The interface-ID of the IPv6 address used by the
authoritative DNS server for the delegated domain name.
7.4. Delegated Delegation of Signing Option
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_DELEGATED_DNSSEC_DS | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Delegation of Signing Resource Record |
| ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- option-code: OPTION_DELEGATED_DNSSEC_DS
Cloetens, et al. Expires January 31, 2013 [Page 23]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
- option-len: Length of the 'Delegated Domain' field in octets.
- DS Resource Record: The DS Resource Record as defined in
[RFC4034], Section 5.
8. IANA Considerations
This document introduces Status Code that are carried in the DHCP
Options defined in this document. The Status Code detailed in this
document are:
- NamingDelegationServiceNotProvided TBD
- UnauthorizedForNamingDelegationService TBD
- NoDelegatedDomainProvisionned TBD
- NoDelegatedDnsAddrInfo TBD
- DelegationSetWithDns TBD
- DelegationSetWithDnssec TBD
- AcceptingOnlyDnssecNamingDelegation TBD
- UnableToSetNamingDelegation TBD
- SubnetIDNonMatchingISPDelegatedPrefixLength TBD
The DHCP options detailed in this document are:
- OPTION_DELEGATED_DNS_ARCHITECTURE: TBD
- OPTION_DELEGATED_DOMAIN: TBD
- OPTION_DELEGATED_DNS_ADDR_INFO: TBD
- OPTION_DELEGATED_DNSSEC_DS: TBD
9. Security Considerations
9.1. Names are less secured than IP addresses
This document describes how an End User can make its services and
devices from its Home Network reachable on the Internet with Names
rather than IP addresses. This exposes the Home Network to attacker
Cloetens, et al. Expires January 31, 2013 [Page 24]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
since names are expected to provide less randomness than IP
addresses. The naming delegation protects the End User's privacy by
not providing the complete zone of the Home Network to the ISP.
However, using the DNS with names for the Home Network exposes the
Home Network and its components to dictionary attacks. In fact, with
IP addresses, the Interface Identifier is 64 bit length leading to
2^64 possibilities for a given subnetwork. This is not to mention
that the subnet prefix is also of 64 bit length, thus providing
another 2^64 possibilities. On the other hand, names use either for
the Home Network domain or for the devices presents less randomness
(livebox, router, printer, nicolas, jennifer, ...) and thus exposes
the devices to dictionary attacks.
9.2. Names are less volatile than IP address
IP addresses may be used to locate a device, a host or a Service.
However, Home Network are not expected to be assigned the same Prefix
over time. As a result observing IP addresses provides some
ephemeral information about who is accessing the service. On the
other hand, Names are not expected to be has volatile as IP
addresses. As a result, logging Names, over time, may be more
valuable that logging IP addresses, especially to profile End User's
characteristics.
PTR provides a way to bind an IP address to a Name. In that sense
responding to PTR DNS Queries may affect the End User's Privacy. For
that reason we recommend that End Users may choose to respond or not
to PTR DNS queries
9.3. DNSSEC is recommended to authenticate DNS hosted data
The document describes how the Secure Delegation can be set between
the Delegating DNS Server and the Delegated DNS Server.
Deploying DNSSEC is recommended since in some cases the information
stored in the DNS is used by the ISP or an IT department to grant
access. For example some Servers may performed a PTR DNS query to
grant access based on host names. With the described Delegating
Naming Architecture, the ISP or the IT department MUST take into
consideration that the CPE is outside its area of control. As such,
with DNS, DNS responses may be forged, resulting in isolating a
Service, or not enabling a host to access a service. ISPs or IT
department may not base their access policies on PTR or any DNS
information. DNSSEC fulfills the DNS lack of trust, and we recommend
to deploy DNSSEC on CPEs.
Cloetens, et al. Expires January 31, 2013 [Page 25]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
9.4. Channel between the CPE and ISP DHCP Server MUST be secured
In the document we consider that the channel between the CPE and the
ISP DHCP Server is trusted. More specifically, we suppose the CPE is
authenticated and the exchanged messages are protected. The current
document does not specify how to secure the channel. [RFC3315]
proposes a DHCP authentication and message exchange protection,
[RFC4301], [RFC5996] propose to secure the channel at the IP layer.
In fact, the channel MUST be secured because the CPE provides
necessary information for the configuration of the Naming Delegation.
Unsecure channel may result in setting the Naming Delegation with an
non legitimate CPE. The non legitimate CPE would then be redirected
the DNS traffic that is intended for the legitimate CPE. This makes
the CPE sensitive to three types of attacks. The first one is the
Deny Of Service Attack, if for example DNS traffic for a lot of CPEs
are redirected to a single CPE. CPE are even more sensitive to this
attack since they have been designed for low traffic. The other type
of traffic is the DNS traffic hijacking. A malicious CPE may
redirect the DNS traffic of the legitimate CPE to one of its server.
In return, the DNS Servers would be able to provide DNS Responses and
redirect the End Users on malicious Servers. This is particularly
used in Pharming Attacks. A third attack may consists in isolating a
Home Network by misconfiguring the Naming Delegation for example to a
non-existing DNS Server, or with a bad DS value.
9.5. CPEs are sensitive to DoS
The Naming Delegation Architecture involves the CPE that hosts a DNS
Server for the Home Network. CPE have not been designed for handling
heavy load. The CPE are exposed on the Internet, and their IP
address is publicly published on the Internet via the DNS. This
makes the Home Network sensitive to Deny of Service Attacks. The
Naming Delegation Architecture described in this document does not
address this issue. The issue is addressed in the Front End Naming
Delegation Architecture described in
[I-D.mglt-homenet-front-end-naming-delegation].
10. Acknowledgment
The authors wish to thank Ole Troan for pointing out issues with the
IPv6 routed home concept and placing the scope of this document in a
wider picture, Mark Townsley for encouragement and injecting a
healthy debate on the merits of the idea, Ulrik de Bie for providing
alternative solutions, Paul Mockapetris for pointing out issues of
the trustworthiness of a reverse lookup, and Christian Jacquenet for
seeing the value from a Service Provider point of view.
Cloetens, et al. Expires January 31, 2013 [Page 26]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
11. References
11.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633,
December 2003.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
[RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
DNS", RFC 6672, June 2012.
11.2. Informational References
[I-D.mglt-homenet-front-end-naming-delegation]
Cloetens, C., Lemordant, P., and D. Migault (Ed), "IPv6
Home Network Front End Naming Delegation",
draft-mglt-homenet-front-end-naming-delegation-00 (work in
progress), July 2012.
[RFC2118] Pall, G., "Microsoft Point-To-Point Compression (MPPC)
Protocol", RFC 2118, March 1997.
[RFC3769] Miyakawa, S. and R. Droms, "Requirements for IPv6 Prefix
Delegation", RFC 3769, June 2004.
Cloetens, et al. Expires January 31, 2013 [Page 27]
�
Internet-Draft IPv6 Home Network Naming Delegation July 2012
Authors' Addresses
Wouter Cloetens
SoftAtHome
vaartdijk 3 701
3018 Wijgmaal
Belgium
Phone:
Email: wouter.cloetens@softathome.com
Philippe Lemordant
Francetelecom - Orange
2, avenue Pierre Marzin
22300 Lannion
France
Phone: +33 2 96 05 35 11
Email: philippe.lemordant@orange.com
Daniel Migault
Francetelecom - Orange
38, rue du General Leclerc
92794 Issy-les-Moulineaux Cedex 9
France
Phone: +33 1 45 29 60 52
Email: mglt.ietf@gmail.com
Cloetens, et al. Expires January 31, 2013 [Page 28]
�
