Opportunistic Encryption with DANE Semantics and IPsec: IPSECA
draft-osterweil-dane-ipsec-02

Datatracker note: the information below is for an old version of the document.

Document type:  Active Internet-Draft (individual)
Last updated:   2015-03-24
Stream:         none
IESG state:     I-D Exists
DANE                                                        E. Osterweil
Internet-Draft                                                  G. Wiley
Intended status: Standards Track                                T. Okubo
Expires: September 25, 2015                                      R. Lavu
                                                             A. Mohaisen
                                                          VeriSign, Inc.
                                                          March 24, 2015

     Opportunistic Encryption with DANE Semantics and IPsec: IPSECA
                     draft-osterweil-dane-ipsec-02

Abstract

   The query/response transactions of the Domain Name System (DNS) can
   disclose valuable meta-data about the online activities of DNS
   users.  The DNS Security Extensions (DNSSEC) provide object-level
   security, but do not attempt to secure the DNS transaction itself.
   For example, DNSSEC does not protect against information leakage, and
   only protects DNS data until the last validating recursive resolver.
   Stub resolvers are vulnerable to adversaries in the network between
   themselves and their validating resolver ("the last mile").  This
   document details a new DANE-like DNS Resource Record (RR) type called
   IPSECA, and explains how to use it to protect DNS transactions: the
   record informs entries in IPsec Security Policy Databases (SPDs) and
   is subsequently used to verify the Security Associations (SAs) of
   Opportunistic Encryption (OE) IPsec tunnels.
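   The following Python is an added illustration written for this page,
   not code from the draft or from any IPsec implementation.  It sketches
   the verification half of the mechanism above: matching the certificate
   a peer presents during IKE against a DANE-style record (usage,
   selector, matching type, certificate association data) before the SA
   is accepted.  It ASSUMES that IPSECA's four fields reuse the TLSA value
   meanings of RFC 6698 (selector 0 = full certificate, 1 =
   SubjectPublicKeyInfo; matching 0 = exact, 1 = SHA-256, 2 = SHA-512);
   the draft sections that define the IPSECA fields are not reproduced on
   this page, so that mapping is an assumption.  The certificate is a
   constructed DER skeleton, not a real one, and the record values,
   function names and usage value 3 are illustrative.

```python
"""Added example: DANE-style certificate association matching, as an IPsec
peer could apply it to the certificate presented by the far end of an OE
tunnel.  Not code from the draft or any IPsec stack.  ASSUMPTION: IPSECA's
Usage/Selector/Matching/Cert-Assoc-Data fields carry RFC 6698 TLSA values."""
import hashlib
import hmac
from dataclasses import dataclass

SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1           # RFC 6698 selectors (assumed)
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # RFC 6698 matching types (assumed)

@dataclass(frozen=True)
class IpsecaRecord:
    usage: int
    selector: int
    matching: int
    cert_assoc_data: bytes

    @classmethod
    def from_rdata(cls, rdata: bytes) -> "IpsecaRecord":
        """Parse TLSA-shaped RDATA: three one-octet fields, then the data."""
        if len(rdata) < 3:
            raise ValueError("IPSECA RDATA too short")
        return cls(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def _der_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate:
    Certificate ::= SEQUENCE { TBSCertificate ::= SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ..}, ..}"""
    tag, cert, _ = _der_tlv(cert_der, 0)
    tag2, tbs, _ = _der_tlv(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate SEQUENCE")
    tag, _, end = _der_tlv(tbs, 0)
    pos = end if tag == 0xA0 else 0        # explicit [0] version is present only in v2/v3
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(tbs, pos)
    tag, _, end = _der_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[pos:end]                    # whole TLV, tag and length included

def association_matches(record: IpsecaRecord, peer_cert_der: bytes) -> bool:
    """True if the peer certificate satisfies one IPSECA record."""
    if record.selector == SELECTOR_FULL_CERT:
        selected = peer_cert_der
    elif record.selector == SELECTOR_SPKI:
        selected = extract_spki(peer_cert_der)
    else:
        return False                       # unknown selector: record unusable, fail closed
    if record.matching == MATCH_EXACT:
        digest = selected
    elif record.matching == MATCH_SHA256:
        digest = hashlib.sha256(selected).digest()
    elif record.matching == MATCH_SHA512:
        digest = hashlib.sha512(selected).digest()
    else:
        return False                       # unknown matching type: fail closed
    return hmac.compare_digest(digest, record.cert_assoc_data)

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Constructed stand-in certificate: correct DER skeleton, placeholder contents.
# It is NOT a real or verifiable certificate; it only exercises extract_spki().
_EC_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201")))
_SIG_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
SAMPLE_SPKI = _tlv(0x30, _EC_ALG + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _SIG_ALG
            + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"150324000000Z") + _tlv(0x17, b"150925000000Z"))
            + _tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _TBS + _SIG_ALG + _tlv(0x03, b"\x00" + b"\x22" * 70))

def check_all() -> dict:
    """Run a set of records against SAMPLE_CERT; returns name -> matched?"""
    spki_sha256 = hashlib.sha256(SAMPLE_SPKI).digest()
    records = {
        "spki_sha256": IpsecaRecord.from_rdata(bytes([3, SELECTOR_SPKI, MATCH_SHA256]) + spki_sha256),
        "full_cert_sha512": IpsecaRecord(3, SELECTOR_FULL_CERT, MATCH_SHA512, hashlib.sha512(SAMPLE_CERT).digest()),
        "spki_exact": IpsecaRecord(3, SELECTOR_SPKI, MATCH_EXACT, SAMPLE_SPKI),
        "wrong_digest": IpsecaRecord(3, SELECTOR_SPKI, MATCH_SHA256, bytes(32)),
        "unknown_matching": IpsecaRecord(3, SELECTOR_SPKI, 7, spki_sha256),
    }
    return {name: association_matches(rec, SAMPLE_CERT) for name, rec in records.items()}
```

   Two design points carry over to any real deployment: the comparison is
   constant-time, and a record whose selector or matching type the
   verifier does not understand is treated as "no match" rather than
   skipped, so an unknown value can never widen what the policy accepts.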

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 25, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Osterweil, et al.      Expires September 25, 2015               [Page 1]
Internet-Draft       OE with DANE and IPsec: IPSECA           March 2015

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  What IPSECA Adds to DNSSEC Transactions  . . . . . . . . .  4
     1.2.  IP-Centric IPsec Tunnel Discovery Using IPSECKEY . . . . .  4
     1.3.  Service-Centric IPsec Tunnel Discovery Using IPSECA
           and DANE . . . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  The IPSECA Resource Record . . . . . . . . . . . . . . . . . .  6
     2.1.  IPSECA RDATA Wire Format . . . . . . . . . . . . . . . . .  7
       2.1.1.  The Usage Field  . . . . . . . . . . . . . . . . . . .  7
       2.1.2.  The Selector Field . . . . . . . . . . . . . . . . . .  7
       2.1.3.  The Matching Field . . . . . . . . . . . . . . . . . .  8
        2.1.4.  The Certificate Association Data Field . . . . . . . .  8
     2.2.  IPSECA RR Presentation Format  . . . . . . . . . . . . . .  9
     2.3.  Domain Names used for IPSEC Records  . . . . . . . . . . .  9
     2.4.  IPSECA RR Examples . . . . . . . . . . . . . . . . . . . .  9
       2.4.1.  OE to a DNS Name Server Example  . . . . . . . . . . .  9
   3.  Operational Considerations . . . . . . . . . . . . . . . . . . 11
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
     5.1.  Interactions . . . . . . . . . . . . . . . . . . . . . . . 12
     5.2.  Last Mile Security Analysis  . . . . . . . . . . . . . . . 12
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 13
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 14
   Appendix A.  Name Server OE Configuration Example  . . . . . . . . 15
   Appendix B.  Recursive Resolver OE Configuration Example . . . . . 16
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16