[Search] [txt|pdf|bibtex] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03                                                   
     ROAMOPS Working Group                                    Bernard Aboba
     INTERNET-DRAFT                                   Microsoft Corporation
     <draft-ietf-roamops-dnsrr-00.txt >
     25 February 1997
     
     
                The Roaming Relationship (RR) Record in the DNS
     
     
     1.  Status of this Memo
     
     This document is an Internet-Draft.  Internet-Drafts are working docu-
     ments of the Internet Engineering Task Force (IETF),  its  areas,  and
     its  working groups.  Note that other groups may also distribute work-
     ing documents as Internet-Drafts.
     
     Internet-Drafts are draft documents valid for a maximum of six  months
     and  may  be updated, replaced, or obsoleted by other documents at any
     time.  It is inappropriate to use Internet-Drafts as  reference  mate-
     rial or to cite them other than as ``work in progress.''
     
     To  learn  the  current status of any Internet-Draft, please check the
     ``1id-abstracts.txt'' listing contained in the Internet-Drafts  Shadow
     Directories   on   ds.internic.net   (US  East  Coast),  nic.nordu.net
     (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
     
     The  distribution  of  this memo is unlimited.  It is filed as <draft-
     ietf-roamops-dnsrr-00.txt>, and  expires September  1,  1997.   Please
     send comments to the authors.
     
     
     2.  Abstract
     
     This  document  describes  the  use  of  the Roaming Relationship (RR)
     record in the DNS for the description of inter-domain  business  rela-
     tionships,  as required for enabling of roaming. In the absence of DNS
     security, RR records may be used for determining the  existence  of  a
     business  relationship  between  the  local  ISP  and  the user's home
     domain, as well as the location of an  appropriate  settlement  agent.
     However,  since the RR records are not secured, other methods (such as
     hierarchical authentication routing) must be used in order to validate
     the  business relationship path. When DNS security is implemented, the
     business relationship path is authenticated  via  digital  signatures,
     and  as  a  result,  additional services may be provided, such as non-
     repudiation  of  proxied  authentications  and  signed  receipts   for
     accounting record transfers.
     
     
     3.  Introduction
     
     Considerable  interest  has  arisen recently in a set of features that
     fit within the general category of  "roaming  capability"  for  dialup
     Internet users.  Interested parties have included:
     
     
     
     
     Aboba                                                         [Page 1]


     INTERNET-DRAFT                                        25 February 1997
     
     
          Regional  Internet  Service  Providers  (ISPs) operating within a
          particular state or province, looking to  combine  their  efforts
          with  those  of  other regional providers to offer dialup service
          over a wider area.
     
          National ISPs wishing to combine their operations with  those  of
          one  or  more  ISPs in another nation to offer more comprehensive
          dialup service in a group of countries or on a continent.
     
          Businesses desiring to  offer  their  employees  a  comprehensive
          package of dialup services on a global basis.  Those services may
          include Internet access as well as  secure  access  to  corporate
          intranets via a Virtual Private Network (VPN), enabled by tunnel-
          ing protocols such as PPTP, L2F, or L2TP.
     
     This document describes the  use  of  the  Roaming  Relationship  (RR)
     record  in  the DNS for the description of inter-domain business rela-
     tionships, as required  for  enabling  of  roaming  and  other  inter-
     provider  services.  In the absence of DNS security, RR records may be
     used for determining the existence of a business relationship  between
     the  local  ISP and the user's home domain, as well as the location of
     an appropriate settlement agent. However, since the RR records are not
     secured,  other  methods (such as hierarchical authentication routing)
     must be used in order to validate the business relationship path. When
     DNS  security  is implemented as described in [13], the business rela-
     tionship path is  authenticated  via  digital  signatures,  and  as  a
     result,  additional  services may be provided, such as non-repudiation
     of proxied authentications and signed receipts for  accounting  record
     transfers.  The  latter  capability  is  described in references [5] -
     [11].
     
     
     3.1.  Terminology
     
     This document frequently uses the following terms:
     
     phone book
               This is a database or document containing data pertaining to
               dialup  access,  including  phone numbers and any associated
               attributes.
     
     phone book server
               This is a server that maintains the latest  version  of  the
               phone  book.  Clients communicate with phone book servers in
               order to keep their phone books up to date.
     
     Network Access Server
               The Network Access Server (NAS) is the device  that  clients
               dial in order to get access to the network.
     
     RADIUS server
               This  is  a  server which provides for authentication/autho-
               rization via the protocol described in [3], and for account-
               ing as described in [4].
     
     
     
     Aboba                                                         [Page 2]


     INTERNET-DRAFT                                        25 February 1997
     
     
     RADIUS proxy
               In order to provide for the routing of RADIUS authentication
               and accounting requests, a RADIUS proxy may employed. To the
               NAS, the RADIUS proxy appears to act as a RADIUS server, and
               to the RADIUS server, the proxy appears to act as  a  RADIUS
               client.
     
     RADIUS domain
               In order to provide for the routing of RADIUS authentication
               and accounting requests, the userID field used in PPP and in
               the   subsequent   RADIUS   authentication   and  accounting
               requests, may contain structure. This structure  provides  a
               means  by  which  the  RADIUS  proxy  will locate the RADIUS
               server that is to receive the request.
     
     
     3.2.  Requirements language
     
     This specification uses the same words as [14] for defining  the  sig-
     nificance of each particular requirement.  These words are:
     
     
     MUST      This  word,  or  the adjectives "REQUIRED" or "SHALL", means
               that the definition is an absolute requirement of the speci-
               fication.
     
     MUST NOT  This phrase, or the phrase "SHALL NOT", means that the defi-
               nition is an absolute prohibition of the specification.
     
     SHOULD    This word, or the adjective "RECOMMENDED", means that  there
               may  exist  valid  reasons  in  particular  circumstances to
               ignore a particular item, but the full implications must  be
               understood and carefully weighed before choosing a different
               course.
     
     SHOULD NOT
               This phrase means that there may exist valid reasons in par-
               ticular   circumstances  when  the  particular  behavior  is
               acceptable or even useful, but the full implications  should
               be  understood  and the case carefully weighed before imple-
               menting any behavior described with this label.
     
     MAY       This word, or the adjective "OPTIONAL", means that  an  item
               is  truly  optional.   One  vendor may choose to include the
               item because a particular marketplace requires it or because
               the  vendor feels that it enhances the product while another
               vendor may omit the same item.  An implementation which does
               not include a particular option MUST be prepared to interop-
               erate with another implementation  which  does  include  the
               option,  though  perhaps  with reduced functionality. In the
               same vein an implementation which does include a  particular
               option  MUST be prepared to interoperate with another imple-
               mentation which does  not  include  the  option.(except,  of
               course, for the feature the option provides)
     
     
     
     Aboba                                                         [Page 3]


     INTERNET-DRAFT                                        25 February 1997
     
     
     An  implementation is not compliant if it fails to satisfy one or more
     of the must or must not requirements for the protocols it  implements.
     An  implementation  that  satisfies all the must, must not, should and
     should not requirements for its protocols is said to be  "uncondition-
     ally compliant"; one that satisfies all the must and must not require-
     ments but not all the should or should not requirements for its proto-
     cols is said to be "conditionally compliant."
     
     
     4.  The Roaming Relationship (RR) Record
     
     In order to enable roaming, it is necessary for a local provider to be
     able to determine  whether  a  business  relationship  exists  between
     itself  and the user's home domain, so as to enable the local provider
     to be paid for the use of its resources. These business  relationships
     are  typically  of  two  types:  the relationship between a firm and a
     provider, in  which  the  firm  delegates  roaming  authority  to  the
     provider; or the relationship between a provider and a roaming associ-
     ation, in which the provider agrees to allow members of the consortium
     to  access  its  network resources, in exchange for compensation. How-
     ever, it is also possible for a company or even an individual to  form
     a  direct  relationship  with a roaming consortia, or for consortia to
     form a relationship with another consortia.
     
     Inter-domain business relationships may extend to several levels.  For
     example, BIGCO may delegate roaming authority to ISPA, who may in turn
     join roaming association ISPGROUP.  When  Fred  dials  into  ISPB  and
     attempts  to  authenticate as fred@bigco.com, it is necessary for ISPB
     to determine whether it has a means for being paid for  the  resources
     consumed  by Fred. This is accomplished by tracing the web of business
     relationships backwards from the bigco.com domain, in order to  deter-
     mine  whether a path of business relationships exists between ISPB and
     BIGCO.
     
     Please note that the task of determining the path  of  business  rela-
     tionships  is orthogonal to the issue of authentication routing. Where
     authentication proxy  chaining  is  used,  authentication  routing  is
     required  in  order  to  improve scalability. However, when public key
     authentication is available, it  is  possible  for  an  authentication
     proxy  to  directly  contact  a  home authentication server.  However,
     regardless of how the authentication is routed, it is still  necessary
     for  the  local ISP to determine the path of business relationships so
     that it can determine whether it can be paid for the transaction.
     
     The purpose of the Roaming Relationship (RR)  record  is  to  document
     inter-domain business relationships. Where DNS Security is enabled, it
     is possible for these relationships to be authenticated via use of the
     KEY  and  SIG RRs. In order to authenticate the existence of an inter-
     domain roaming relationship, the domain to which roaming authority has
     been delegated signs the KEY RR of the domain which has done the dele-
     gation. The signature includes an expiration date, as well as the  KEY
     RR  itself, and it is expected that the expiration dates SHOULD NOT be
     far in the future. As a  result,  it  is  expected  that  the  roaming
     authority  will  update the SIG RR periodically in order to enable the
     
     
     
     Aboba                                                         [Page 4]


     INTERNET-DRAFT                                        25 February 1997
     
     
     relationship to continue.
     
     Please note that Roaming Relationship (RR) records may be retrieved in
     a  variety  of ways. When hierarchical authentication routing is being
     used, RR records are typically retrieved by the local ISP's  authenti-
     cation  proxy, and used both for the determination of a business rela-
     tionship, and for use in  authentication  routing.   When  public  key
     authentication,  IPSEC and DNS security are available, then it is pos-
     sible for the local ISP's authentication proxy  to  contact  the  home
     domain's  authentication  server  directly. In this case, hierarchical
     authentication routing is not necessary, and it is  possible  for  the
     home domain's authentication server to return signed RR records to the
     local ISP's authentication proxy as attributes within the  authentica-
     tion reply. If this is done, then the local ISP's authentication proxy
     may not need to look up any RR records itself, and as  a  result,  the
     total  time  required  for  the authentication will be decreased. This
     will lessen the probability of a timeout.
     
     
     4.1.  Roaming Relationship Record RDATA format
     
     The RDATA for a Roaming Relationship resource record is as follows:
     
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |              Preference       |              Flags            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     /                                                               /
     /                            Domain                             /
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     
     
     4.1.1.  Preference
     
     The Preference field, which is two octets,  specifies  the  preference
     given  to this record versus other records of the same type and owner.
     Lower values are preferred.
     
     
     4.1.2.  Flags
     
     The flags field, which is two octets, is as follows:
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |U P C S I F H R R R R R R R R R|
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     
     U = User. If U=1, then the Roaming Relationship record  represents  an
     individual  user or account. The user name is represented the same way
     as in the SOA or RP resource records. As a result, fred@bigco.com will
     be  represented  as fred.bigco.com. Since the DNS was not intended for
     
     
     
     Aboba                                                         [Page 5]


     INTERNET-DRAFT                                        25 February 1997
     
     
     use as a user database, it is expected that this flag will only be set
     on rare occasions.
     
     P  = Provider. If P=1, then the Roaming Relationship record represents
     delegation of roaming authority from a non-ISP to an ISP or a  roaming
     consortia.
     
     C = Consortia. If C=1, then the Roaming Relationship record represents
     delegation of roaming authority from an ISP to a roaming consortia.
     
     S = Settlement agent. If S=1, then a settlement  agent  exists  within
     the domain.
     
     I  = Internet access. If I=1, then the Roaming Relationship record may
     be used for provisioning of Internet access. In  roaming  applications
     this bit MUST be set.
     
     F  = Fax. If F=1, then the Roaming Relationship record may be used for
     provisioning of Internet fax.
     
     H = H.323. If H=1, then the Roaming Relationship may be used for  pro-
     visioning of H.323 conferencing.
     
     R = Reserved.
     
     
     4.1.3.  Domain
     
     The domain field represents the domain name to which roaming authority
     has been delegated by the owner name.
     
     
     4.2.  Use of the Roaming Relationship (RR) Record
     
     The Roaming Relationship (RR) record uses semantics similar to that of
     the  Mail Exchange (MX) record, in that it includes a priority as well
     as the domain to which roaming authority has been  delegated.  The  RR
     record is of the form:
     
     bigco.com.  IN RR
                    10          ;priority
                    P I         ;flags. P = Provider, I = Internet Access
                    ispa.com.   ;domain with roaming authority
     
     Here  10  refers to the priority of the RR record, and ispa.com is the
     domain to which BIGCO has delegated roaming responsibilities. The  use
     of  a  priority field allows multiple relationships to be represented,
     with authenticating ISPs checking the relationships in ascending order
     of priority. Thus, an RR record of priority 10 would be checked before
     a record of priority 20. As described in the previous section, letters
     are used to denote flag bits.
     
     Routes  for a given domain SHOULD be given different priorities, so as
     to allow for predictable behavior. Since routes at the  same  priority
     
     
     
     Aboba                                                         [Page 6]


     INTERNET-DRAFT                                        25 February 1997
     
     
     will  be  round-robined,  this  will  result in alternation of routes.
     Unless there is a good reason for balancing the load  this  way,  this
     approach SHOULD NOT be used.
     
     
     5.  Examples
     
     
     5.1.  Example One
     
     Let  us  assume that Fred is an employee of BIGCO, who has established
     roaming relationships with ISPA and ISPC, both of which are members of
     roaming consortia ISPGROUP1. BIGCO also has a relationship with clear-
     ing houses ISPGROUP2 and ISPGROUP3. ISPB is a member of the  ISPGROUP1
     roaming consortia.
     
     The Roaming Relationship records for BIGCO appear as follows:
     
     bigco.com. IN RR 10 P I ispa.com.
     bigco.com. IN RR 20 P I ispc.com.
     bigco.com. IN RR 30 P I ispgroup3.com.
     bigco.com. IN RR 40 P I ispgroup2.com.
     
     The  RR  records  for  ISPA, ISPB, ISPC, ISPGROUP1, ISPGROUP2 and ISP-
     GROUP3 appear as follows:
     
     ispa.com. IN RR 10 C I ispgroup1.com.
     
     ispb.com. IN RR 10 C I ispgroup1.com.
     
     ispc.com. IN RR 10 C I ispgroup1.com.
     
     ispgroup1.com. IN RR 10 C I S ispgroup1.com.
     
     ispgroup2.com. IN RR 10 C I S ispgroup2.com.
     
     ispgroup3.com. IN RR 10 C I S ispgroup3.com.
     
     
     5.1.1.  Sequence of events
     
     Fred logs into ISPB as fred@bigco.com; as a result the ISPB  authenti-
     cation  proxy  receives  this  NAI.  ISPB's authentication proxy first
     checks for the presence of a user record for  fred.bigco.com.  If  so,
     then  it retrieves the RR resource records for the domain to whom Fred
     has delegated roaming authority. If there is no user record,  then  it
     checks  its configuration files to see whether bigco.com is one of the
     domains with whom it has a direct business  relationship.  This  check
     will  fail  since BIGCO has no direct business relationship with ISPB.
     As a  result,  ISPB's  authentication  proxy  will  need  to  retrieve
     resource records either from its own cache or from the bigco.com zone.
     
     Assuming that ISPB's authentication proxy does not support public  key
     authentication  and  IPSEC,  then  hierarchical authentication routing
     
     
     
     Aboba                                                         [Page 7]


     INTERNET-DRAFT                                        25 February 1997
     
     
     will be used. In this case, ISPB's authentication proxy will  need  to
     retrieve  RR  resource  records  from  the  bigco.com zone.  If ISPB's
     authentication proxy supports public  key  authentication  and  ISPEC,
     then  rather  than immediately retrieving RR resource records, it will
     retrieve the SRV, KEY and SIG resource records for the bigco.com zone.
     Using  the SRV resource record, ISPB's authentication proxy can locate
     the authentication proxy for the bigco.com domain.  The  SIG  resource
     records  for  the  bigco.com  zone  can  then be retrieved in order to
     determine whether the bigco.com authentication server supports  IPSEC.
     If  so,  then  ISPB's  authentication  proxy may contact the bigco.com
     authentication server directly. In this case, only the IPSEC AH header
     need  be used, since only authentication services are required. In its
     authentication reply, the bigco.com authentication server  may  return
     the  RR records for its zone as well as those of the zones to which it
     has delegated roaming authority, in the form of attributes within  the
     Access-Reply.  If  so,  then ISPB's authentication proxy will be saved
     the work of having to retrieve these resource records itself prior  to
     forwarding the authentication reply on to the NAS.
     
     Once  the  RR resource records have been retrieved by one mechanism or
     another, a depth first search is performed  in  order  to  select  the
     business  relationship  path. In this case, ISPB determines whether it
     has a direct business relationship with ISPA (priority 10 record  from
     the  bigco.com  zone). If not, then it looks at the RR records for the
     ispa.com domain, and determines whether it has a direct business rela-
     tionship  with  any  of the domains to whom ISPA has delegated roaming
     responsibility. In this case, ISPB determines that  it  has  a  direct
     business  relationship  with  ISPGROUP1  (priority  10 record from the
     ispa.com  zone).  As  a  result,  the   business   relationship   path
     bigco.com/ispa.com/ispgroup1.com/ispb.com is selected. Since ISPGROUP1
     operates a settlement agent within its domain, accounting records  for
     the transaction will be sent to ISPGROUP1's settlement agent.
     
     If ISPA had not been a member of the ISPGROUP1 roaming consortia, then
     the depth-first search would have terminated, and ISPB  would  proceed
     to  check for a business relationship on the branch represented by the
     priority 20 record in the bigco.com zone (ispc.com). In this case  the
     business  relationship  path bigco.com/ispc.com/ispgroup1.com/ispb.com
     would have been selected.
     
     If ISPB were a member of the ISPGROUP3 roaming consortia,  and  not  a
     member of the ISPGROUP1 or ISPGROUP2 consortia, then the breadth-first
     search would fail on both the priority  10  and  20  branches  of  the
     bigco.com   tree.   In  this  case,  the  business  relationship  path
     bigco.com/ispgroup3.com/ispb.com would have been selected.
     
     
     5.2.  Example Two
     
     Let us assume that BIGCO has branch offices in multiple locations. The
     BIGCO  branch  office in Illinois has a contract with ISPA, which is a
     member of ISPGROUP1 while the branch office in Israel has  a  contract
     with  ISPC, which is a member of ISPGROUP2. As a result, it is desired
     that Fred be able to login either from Illinois or from  Israel,  with
     
     
     
     Aboba                                                         [Page 8]


     INTERNET-DRAFT                                        25 February 1997
     
     
     the  authentication being done by the appropriate ISP. When logging in
     from Illinois, Fred uses the POPs of ISPB, while in  Israel,  he  uses
     the POPs of ISPD.
     
     In this case, the RR records for BIGCO will appear as follows:
     
     bigco.com. IN RR 10 P I ispa.com.
     bigco.com. IN RR 20 P I ispc.com.
     
     The records for ISPA, ISPB, ISPC, ISPD, ISPGROUP1 and ISPGROUP2 appear
     as follows:
     
     ispa.com.  IN RR 10 C I ispgroup1.com.
     
     ispb.com.  IN RR 10 C I ispgroup1.com.
     
     ispc.com.  IN RR 10 C I ispgroup2.com.
     
     ispd.com.  IN RR 10 C I ispgroup2.com.
     
     ispgroup1.com.  IN RR 10 C I S ispgroup1.com.
     
     ispgroup2.com.  IN RR 10 C I S ispgroup2.com.
     
     
     5.2.1.  Sequence of events
     
     While in the United States, Fred logs into ISPB as fred@bigco.com;  as
     a  result  the  ISPB  authentication  proxy  receives this NAI. ISPB's
     authentication proxy first checks for the presence of  a  user  record
     for  fred.bigco.com.  If so, then it retrieves the RR resource records
     for the domain to whom Fred has delegated roaming authority. If  there
     is  no  user  record,  then  it  checks its configuration files to see
     whether bigco.com is one of the domains with  whom  it  has  a  direct
     business  relationship. This check will fail since BIGCO has no direct
     business relationship with ISPB. As a  result,  ISPB's  authentication
     proxy will need to retrieve resource records either from its own cache
     or from the bigco.com zone.
     
     Once the RR resource records have been retrieved by one  mechanism  or
     another,  a  depth  first  search  is performed in order to select the
     business relationship path. In this case, ISPB determines  whether  it
     has  a direct business relationship with ISPA (priority 10 record from
     the bigco.com zone). If not, then it looks at the RR records  for  the
     ispa.com domain, and determines whether it has a direct business rela-
     tionship with any of the domains to whom ISPA  has  delegated  roaming
     responsibility.  In  this  case,  ISPB determines that it has a direct
     business relationship with ISPGROUP1  (priority  10  record  from  the
     ispa.com   zone).   As   a  result,  the  business  relationship  path
     bigco.com/ispa.com/ispgroup1.com/ispb.com is selected. Since ISPGROUP1
     operates  a settlement agent within its domain, accounting records for
     the transaction will be sent to ISPGROUP1's settlement agent.
     
     
     
     
     
     Aboba                                                         [Page 9]


     INTERNET-DRAFT                                        25 February 1997
     
     
     While in Israel, Fred logs into ISPD as fred@bigco.com; as  a  result,
     the ISPD authentication proxy receives this NAI. ISPD's authentication
     proxy then checks its configuration files to see whether bigco.com  is
     one  of  the  domains with whom it has a direct business relationship.
     This check will fail since BIGCO has no direct  business  relationship
     with  ISPD.  As  a  result,  ISPD's  authentication proxy will need to
     retrieve resource records either  from  its  own  cache  or  from  the
     bigco.com zone.
     
     Once  the  RR resource records have been retrieved by one mechanism or
     another, a depth first search is performed  in  order  to  select  the
     business  relationship  path. In this case, ISPD determines whether it
     has a direct business relationship with ISPA (priority 10 record  from
     the  bigco.com  zone). If not, then it looks at the RR records for the
     ispa.com domain, and etermines whether it has a direct business  rela-
     tionship  with  any  of the domains to whom ISPA has delegated roaming
     responsibility. In this case, ISPD determines that no  business  rela-
     tionship path exists going through ISPA.
     
     As  a  result,  ISPD  checks  for  a business relationship on the ISPC
     branch (priority 20 record from the bigco.com zone). First, it  deter-
     mines whether there is a direct business relationship between ISPD and
     ISPC (there is not). Then it looks at the RR records for the  ispc.com
     domain,  and  determines whether it has a direct business relationship
     with any of the domains to whom ISPC has delegated  roaming  responsi-
     bility.  In  this  case, ISPD determines that it has a direct business
     relationship with ISPGROUP2 (priority  10  record  from  the  ispc.com
     zone).    As    a    result,    the    business    relationship   path
     bigco.com/ispc.com/ispgroup2.com/ispd.com is selected. Since ISPGROUP2
     operates  a settlement agent within its domain, accounting records for
     the transaction will be sent to ISPGROUP2's settlement agent.
     
     
     
     5.3.  Example Three
     
     Let us assume that Fred wishes to travel to a  country  which  is  not
     served by the roaming consortia that BIGCO's provider ISPA has joined.
     In this case, Fred will wish to make use of the user roaming relation-
     ship resource record.
     
     In this case, the RR records for BIGCO will appear as follows:
     
     bigco.com.      IN RR 10 P I   ispa.com.
     fred.bigco.com. IN RR 10 U I   ispe.com.
     
     The  records  for  ISPA, ISPB, ISPD, ISPGROUP1 and ISPGROUP2 appear as
     follows:
     
     ispa.com.  IN RR 10 C I ispgroup1.com.
     
     ispb.com.  IN RR 10 C I ispgroup1.com.
     ispb.com.  IN RR 10 C I ispgroup2.com.
     
     
     
     
     Aboba                                                        [Page 10]


     INTERNET-DRAFT                                        25 February 1997
     
     
     ispe.com.  IN RR 10 C I ispgroup2.com.
     
     ispgroup1.com.  IN RR 10 C I S ispgroup1.com.
     
     ispgroup2.com.  IN RR 10 C I S ispgroup2.com.
     
     
     5.3.1.  Sequence of events
     
     While traveling, Fred logs into ISPB as fred@bigco.com;  as  a  result
     the ISPB authentication proxy receives this NAI. ISPB's authentication
     proxy  first  checks  for  the  presence  of   a   user   record   for
     fred.bigco.com.  If  so, then it retrieves the RR resource records for
     the domain to whom Fred has delegated roaming authority. In this case,
     a  user  record  exists for fred@bigco.com, so that the authentication
     proxy determines whether it has a direct  business  relationship  with
     ISPE  (priority  10 record from the fred.bigco.com zone). If not, then
     it looks at the RR records for the  ispe.com  domain,  and  determines
     whether  it has a direct business relationship with any of the domains
     to whom ISPE has delegated roaming responsibility. In this case,  ISPB
     determines  that  it has a direct business relationship with ISPGROUP2
     (priority 10 record from the ispe.com zone). As a result, the business
     relationship  path  fred.bigco.com/ispe.com/ispgroup2.com/ispb.com  is
     selected. Since ISPGROUP2  operates  a  settlement  agent  within  its
     domain,  accounting  records  for the transaction will be sent to ISP-
     GROUP2's settlement agent.
     
     Please note that even though Fred  has  a  user  Roaming  Relationship
     record,  the  authentication  conversation  will  still  be  conducted
     between ISPB's authentication proxy and BIGCO's authentication server.
     
     
     6.  Prevention of looping topologies
     
     Since  it is possible to create looping topologies using Roaming Rela-
     tionship records, a mechanism must  be  provided  to  prevent  endless
     loops.  As  a result, it is recommended that authentication proxies be
     configured with a default maximum of four hops. This would support the
     scenario  of an authentication passing from a NAS to an authentication
     proxy, from the proxy to ISPGROUP, from ISPGROUP  to  ISPA,  and  from
     ISPA to BIGCO.
     
     
     7.  Use of the RR Record Without DNS Security
     
     When  Roaming  Relationship  resource records are utilized without DNS
     security, no assurance can be provided as to the authenticity  of  the
     business  relationships  represented by these records. As a result, it
     is necessary to verify the validity of the business relationship  path
     by  another means. This can be accomplished by causing the authentica-
     tion to be routed along the business relationship path.
     
     As an example, let us  assume  that  the  business  relationship  path
     bigco.com/ispc.com/ispgroup2.com/ispd.com  is  selected.  If this path
     
     
     
     Aboba                                                        [Page 11]


     INTERNET-DRAFT                                        25 February 1997
     
     
     has not been authenticated via DNS Security, then  ISPD's  authentica-
     tion  proxy  will  forward  it's  authentication request to ISPGROUP2,
     including the business relationship path as a source route.  ISPGROUP2
     will then in turn forward the authentication to ISPC, who will forward
     it to BIGCO. At each step of the way, a pre-existing relationship will
     need to exist between hops in order for this authentication forwarding
     to proceed. As a result, the act of authenticating Fred via the  busi-
     ness  relationship  path acts to validate the business relationship as
     determined from the RR resource records.
     
     Note that such hop by hop forwarding is required  even  if  IPSEC  and
     public key authentication is available for use between the local ISP's
     authentication proxy and the home authentication server,  as  long  as
     the  business  relationship  path  has  not been authenticated via DNS
     Security. This is because while the authentication end-points might be
     able to communicate securely without need for hierarchical authentica-
     tion routing, the local ISP still needs to validate the business rela-
     tionship path.
     
     Please  also  note  that  DNS  Security will also typically be used in
     order to enable signed receipts to be returned by the settlement agent
     in  response to receipt of digitally signed accounting record bundles.
     Settlement agent support for MIME Security Multiparts is indicated via
     use  of  the  Email bit within the KEY resource record flag field. DNS
     Security may also be used  to  indicate  that  a  home  authentication
     server  supports  IPSEC.  This  is  indicated via use of the IPSEC bit
     within the KEY resource record flag field.
     
     
     8.  Use of the RR Record With DNS Security
     
     When used in concert with DNS Security, RR  resource  records  may  be
     authenticated.  When used along with IPSEC, this permits direct commu-
     nication between the local ISP's authentication  proxy  and  the  home
     authentication  server.  In  addition, support for DNS Security allows
     for provision of  additional  services,  such  as  non-repudiation  of
     authentication  replies,  as well as for return of signed receipts for
     accounting record transfers. This is accomplished via use of the  KEY,
     and SIG resource records.
     
     
     8.1.  Use of KEY Resource Record
     
     The  KEY  resource record is used in order to allow a public key to be
     associated with a zone.
     
     
     8.1.1.  Flag Field
     
     No additional flags need to be defined for use in roaming.  When  used
     to  secure  Roaming  Relationship  resource  records, bit 0 of the Key
     resource record flag field MUST be cleared, indicating that use of the
     key  is  allowed  for  authentication.  Bit 1 may or may not be set to
     indicate use for confidentiality. If the Roaming  Relationship  record
     
     
     
     Aboba                                                        [Page 12]


     INTERNET-DRAFT                                        25 February 1997
     
     
     is  for  a user, then bit 5 will be set, indicating the use of the KEY
     for a user or account. Bits 6 and 7 (none-zone entity and  zone  bits)
     may  or may not be set. If the KEY resource record is for an authenti-
     cation server supporting IPSEC, then bit 8 will be  set.  If  the  KEY
     resource  record  is  for a settlement server supporting MIME Security
     Multiparts, then bit 9 will be set. Bits 12-15,  the  signatory  bits,
     may or may not be set.
     
     
     8.1.2.  Protocol field
     
     When  used  to secure Roaming Relationship resource records, the value
     192 will be used in the protocol octet, in order to denote  experimen-
     tal  use. Should roaming technology be deployed on a widespread basis,
     then a value between 1 and 191 will be assigned by IANA.
     
     
     8.2.  Use of the SIG Resource Record
     
     Since the Roaming Relationship record is signed by the  zone  to  whom
     roaming  authority  has been delegated, rather than the parent zone, a
     zone that has delegated roaming responsibility will typically have  at
     least  two  SIG records, one signed by the superzone, and at least one
     additional SIG record,  signed  by  the  provider(s)  to  who  roaming
     authority has been delegated.
     
     The  SIG  resource record used for roaming will have a type covered of
     RR. It will also contain a signature expiration date and the time when
     the  record was signed. Since the roaming relationship will be assumed
     to be in force until the signature expiration, ISPs or roaming consor-
     tia  will  typically  only  sign  records  for  short periods of time.
     Finally, the SIG resource record will contain the domain to whom roam-
     ing  responsibility  has  been  delegated,  and will be signed by that
     domain.
     
     
     8.2.1.  Example
     
     BIGCO delegates roaming authority to ISPA. As a result, ISPA  provides
     the following SIG resource record in the bigco.com zone:
     
     bigco.com.      SIG RR 1 2 (; type-cov=RR, alg=1, labels=2
                     1997040102030405    ; signature expiration
                     1997030112130408    ; time signed
                     31273               ; key footprint
                     ispa.com.           ; signer
     Z2fWBj8L=wevdKjOwJbakr2s4Ns=/Mox32X1rQntZPud1Fws/yIpbj7WBtIBug2w5ZrN
     2sWgTDnrOZd9=/U94gor9k8XCsV5gOr1+2SuGnU/ ;signature (640 bits)
     
     In  order  to  secure the bigco.com zone, there will also be other SIG
     resource records. Given the size of these records, it is possible that
     the  resource records will exceed the maximum DNS UDP packet size, and
     a TCP transfer will be required to return all of the  associated  zone
     records.
     
     
     
     Aboba                                                        [Page 13]


     INTERNET-DRAFT                                        25 February 1997
     
     
     9.  Acknowledgements
     
     Thanks  to  Glen  Zorn  of  Microsoft, Pat Calhoun of USR, and Michael
     Robinson of Asiainfo for  many  useful  discussions  of  this  problem
     space.
     
     
     10.  References
     
     [1]  B. Aboba, J. Lu, J. Alsop, J. Ding.  "Review of Roaming Implemen-
     tations." draft-ietf-roamops-imprev-01.txt, Microsoft, Aimnet,  i-Pass
     Alliance, Asiainfo, January, 1997.
     
     [2]   B.  Aboba, G. Zorn.  "Dialing Roaming Requirements." draft-ietf-
     roamops-roamreq-02.txt, Microsoft, January, 1997.
     
     [3]  C. Rigney, A. Rubens, W. Simpson, S. Willens.  "Remote  Authenti-
     cation  Dial  In  User Service (RADIUS)." RFC 2058, Livingston, Merit,
     Daydreamer, January, 1997.
     
     [4]  C. Rigney.  "RADIUS Accounting." RFC 2059,  Livingston,  January,
     1997.
     
     [5]   R. Fajman. "An Extensible Message Format for Message Disposition
     Notifications."  draft-ietf-receipt-mdn-02.txt, National Institute  of
     Health, November, 1996.
     
     [6]  M.  Elkins.  "MIME  Security with Pretty Good Privacy (PGP)." RFC
     2015, The Aerospace Corporation, October, 1996.
     
     [7] G. Vaudreuil. "The Multipart/Report Content Type for the Reporting
     of  Mail System Administrative Messages." RFC 1892, Octel Network Ser-
     vices, January, 1996.
     
     [8] J. Galvin., et al. "Security Multiparts for MIME: Multipart/Signed
     and Multipart/Encrypted." RFC 1847, Trusted Information Systems, Octo-
     ber, 1995.
     
     [9] D. Crocker. "MIME Encapsulation of EDI Objects." RFC  1767,  Bran-
     denburg Consulting, March, 1995.
     
     [10]  M.  Jansson,  C. Shih, N. Turaj, R. Drummond. "MIME-based Secure
     EDI." draft-ietf-ediint-as1-02.txt, LiNK, Actra, Mitre Corp,  Drummond
     Group, November, 1996.
     
     [11] C. Shih, M. Jansson, R. Drummond, L. Yarbrough. "Requirements for
     Inter-operable  Internet  EDI."  draft-ietf-ediint-req-01.txt,  Actra,
     LiNK, Drummond Group, May, 1995.
     
     [12]  A. Gulbrandsen, P. Vixie.  "A DNS RR for specifying the location
     of services (DNS SRV)." RFC 2052,  Troll  Technologies,  Vixie  Enter-
     prises, October 1996.
     
     [13]  D.  Eastlake,  3rd, C. W. Kaufman.  "Domain Name System Security
     
     
     
     Aboba                                                        [Page 14]


     INTERNET-DRAFT                                        25 February 1997
     
     
     Extensions." Draft-ietf-dnnsec-secext-10.txt, CyberCash, Iris, August,
     1996.
     
     [14]  S.  Bradner.  "Key words for use in RFCs to Indicate Requirement
     Levels." draft-bradner-key-words-02.txt, Harvard  University,  August,
     1996.
     
     [15]  C.  Malmud,  M.  Rose.  "Principles of Operation for the TPC.INT
     Subdomain: General Principles and Policy."  RFC 1530, Internet  Multi-
     casting Service, Dover Beach Consulting, Inc., October, 1993.
     
     
     
     
     11.  Authors' Addresses
     
     Bernard Aboba
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052
     
     Phone: 206-936-6605
     EMail: bernarda@microsoft.com
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     Aboba                                                        [Page 15]