IETF Logo Mail Archive

Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B applications

Mark Andrews <marka@isc.org> Tue, 12 April 2022 00:44 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A22853A0541 for <dnsop@ietfa.amsl.com>; Mon, 11 Apr 2022 17:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=DdpPcGL6; dkim=pass (1024-bit key) header.d=isc.org header.b=N4wsErJC
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J80tfr8w6abb for <dnsop@ietfa.amsl.com>; Mon, 11 Apr 2022 17:43:59 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B74743A0490 for <dnsop@ietf.org>; Mon, 11 Apr 2022 17:43:59 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id E8A103AB008; Tue, 12 Apr 2022 00:43:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org E8A103AB008
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1649724237; bh=vW/m5YTREWUCuvqY/579rU99z69lVDARbT8EJC3G1A8=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=DdpPcGL6760dVqxw3Aw0mL4u0a594NT3KFx1/gQ6NjDcTr5mTrkw4t5XFM0XG+oNI 0Rtno8tF+TraTNEWXmJZ/Y+HO/7BTWpjWJdEHGmD9GCyib6ze0ILriN8fSfZPvZhcf UobJEiU7PMUI6e0JwlBQYsibKXIHNM9mLpVIEFZw=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id D28A7A2133D; Tue, 12 Apr 2022 00:43:57 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id A2302A2133E; Tue, 12 Apr 2022 00:43:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org A2302A2133E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1649724237; bh=qDXRcCxDxxTIVVLQ+vfSrQU9tXP8GP2SniEX0F5b1K8=; h=Mime-Version:From:Date:Message-Id:To; b=N4wsErJC/y/7uYrqLhrrbbebMqxWVExDXqvhBcXZ9u/R/P4HYNIg3rnUt0YW/Hunh oIRtScqbFbkqKb1wkFrObNwB4j/R5LByzE0ubZXC+sZ+KS11ZI+3AIn4aIp+St8ICF Ospx93K/6RPKTy54WnCgOd3MZwoAbfEnowqNeFSM=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 4vL7dlbmNB82; Tue, 12 Apr 2022 00:43:57 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id C75C4A2133D; Tue, 12 Apr 2022 00:43:56 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <BC09F131-E098-45DF-8213-10732593A508@isc.org>
Date: Tue, 12 Apr 2022 10:43:54 +1000
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <355263CA-10A6-4AED-8622-8336A94F069A@isc.org>
References: <CALY=zUfDcE-wQ3kwvSCTy+aWVAFs-ymdiFLF5xgYp2tOmhOt-Q@mail.gmail.com> <BC09F131-E098-45DF-8213-10732593A508@isc.org>
To: Eugène Adell <eugene.adell@gmail.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wztG4QImHvC14QBpQj7Hm4nXWtg>
Subject: Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B applications
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2022 00:44:06 -0000


> On 11 Apr 2022, at 17:57, Mark Andrews <marka@isc.org> wrote:
> 
> I don’t see why APL (RFC 3123) can’t be used for CRC give you need to construct an
> owner name anyway and have well known label to seperate the components of the name.
> I see no reason to re-invent the wheel here.
> 
> ftp.foo.com_21_bar.com,195.13.35.0/24,91.220.43.0/24
> 
> would be
> 
> ftp.foo.com._21._crc.bar.com APL 1:195.13.35.0/24 1:91.220.43.0/24


Additionally text is a really bad way to transmit IP address and prefixes
in the DNS.  DNS RRsets are resource constrained (maximum < 64k).  DNS caches
are resource constrained.  10-16 octets of text for an IPv4/24 vs 7 octets for APL.
An IPv4/8 is 9-11 vs 5 octets.  The :: improves this a little bit for IPv6 but in
general you will be dealing with /48’s or longer xxxx:xxxx:xxxx::/48 (19 octets)
vs 10 for APL.

>> On 5 Apr 2022, at 20:52, Eugène Adell <eugene.adell@gmail.com> wrote:
>> 
>> Hello,
>> 
>> I've been working on two new RRTypes described by a Draft, and as
>> suggested by our magnificent, incredibly brilliant and handsome AD
>> Warren "ACE" Kumari, I am posting here this idea and the material I
>> have written so far (the draft itself, and RFC 6895 components).
>> 
>> Briefly, one RRType (CRC : Client Roaming Control) contains a
>> whitelist of networks allowing a company employees to connect to a
>> specific application. The second RRType (CRS : Client Roaming Support)
>> is on the application side and informs what kind of restrictions are
>> applied (by saying if CRC is mandatory, optional or ignored).
>> This is not expected to be deployed broadly and everywhere as it is
>> designed to secure Business-To-Business applications.
>> 
>> The material (text XML2RFC draft + RFC 6895 components) written is
>> both incorporated below to this email and attached, for practical
>> reasons.
>> 
>> 
>> Regards
>> E.A.
>> 
>> 
>> 
>> 
>> 
>> Internet Engineering Task Force                                 E. Adell
>> Internet-Draft                                              5 April 2022
>> Intended status: Informational
>> Expires: 7 October 2022
>> 
>> 
>>                        Client Roaming Control
>>                    draft-adell-client-roaming-00
>> 
>> Abstract
>> 
>>  This document specifies the Client Roaming Control (CRC) DNS Resource
>>  Record allowing an organization to better control the access to
>>  third-party applications over Internet.  The applications
>>  implementing an authorization mechanism to honor the CRC, publish on
>>  their side the Client Roaming Support (CRS) Resource Record to inform
>>  of this support.
>> 
>> Status of This Memo
>> 
>>  This Internet-Draft is submitted in full conformance with the
>>  provisions of BCP 78 and BCP 79.
>> 
>>  Internet-Drafts are working documents of the Internet Engineering
>>  Task Force (IETF).  Note that other groups may also distribute
>>  working documents as Internet-Drafts.  The list of current Internet-
>>  Drafts is at https://datatracker.ietf.org/drafts/current/.
>> 
>>  Internet-Drafts are draft documents valid for a maximum of six months
>>  and may be updated, replaced, or obsoleted by other documents at any
>>  time.  It is inappropriate to use Internet-Drafts as reference
>>  material or to cite them other than as "work in progress."
>> 
>>  This Internet-Draft will expire on 7 October 2022.
>> 
>> Copyright Notice
>> 
>>  Copyright (c) 2022 IETF Trust and the persons identified as the
>>  document authors.  All rights reserved.
>> 
>>  This document is subject to BCP 78 and the IETF Trust's Legal
>>  Provisions Relating to IETF Documents (https://trustee.ietf.org/
>>  license-info) in effect on the date of publication of this document.
>>  Please review these documents carefully, as they describe your rights
>>  and restrictions with respect to this document.  Code Components
>>  extracted from this document must include Revised BSD License text as
>>  described in Section 4.e of the Trust Legal Provisions and are
>>  provided without warranty as described in the Revised BSD License.
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 1]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>> Table of Contents
>> 
>>  1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
>>  2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
>>  3.  The CRC Resource Record . . . . . . . . . . . . . . . . . . .   4
>>    3.1.  RR name field . . . . . . . . . . . . . . . . . . . . . .   4
>>    3.2.  CRC RDATA Wire Format . . . . . . . . . . . . . . . . . .   4
>>    3.3.  CRC Presentation Format . . . . . . . . . . . . . . . . .   4
>>  4.  The CRS Resource Record . . . . . . . . . . . . . . . . . . .   5
>>    4.1.  CRS RDATA Wire Format . . . . . . . . . . . . . . . . . .   5
>>    4.2.  CRS Presentation Format . . . . . . . . . . . . . . . . .   5
>>  5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
>>    5.1.  Restricted Application  . . . . . . . . . . . . . . . . .   6
>>    5.2.  Controlled Application  . . . . . . . . . . . . . . . . .   7
>>    5.3.  Opened Application  . . . . . . . . . . . . . . . . . . .   8
>>  6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
>>  7.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
>>    7.1.  DNS misconfiguration  . . . . . . . . . . . . . . . . . .   9
>>    7.2.  DNS Security  . . . . . . . . . . . . . . . . . . . . . .  10
>>    7.3.  Application Security  . . . . . . . . . . . . . . . . . .  10
>>  8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
>>    8.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
>>    8.2.  Informative References  . . . . . . . . . . . . . . . . .  11
>>  Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  11
>> 
>> 1.  Introduction
>> 
>>  Illegitimate access to professional restricted applications over
>>  Internet is a permanent threat for organizations and their staff.
>>  Different methods can be used to impersonate a user access, and in
>>  some cases an organization also wants to better prevent its own staff
>>  to access a third-party application from a network which is not under
>>  its control.  On the contrary, an organization maybe wants to allow
>>  roaming then its users can access from different known places.
>> 
>>  The Client Roaming Control (CRC) DNS Resource Record (RR) acts as a
>>  White-List and informs a compatible application from which networks
>>  its users are allowed to connect, be it a limited list of networks or
>>  broadly without any restriction.
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 2]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>>  At the application level, the identification of the user's
>>  organization domain can be based on an information carried during the
>>  authentication process, or a lookup on an information already known
>>  by the application.  In both cases this information lets the
>>  application relate the user to its organization unequivocally.
>>  Finally, the corresponding user's domain DNS will be requested with
>>  the application's FQDN and port, and the application will know
>>  whether an authorization is expected or not.  Some examples will be
>>  given in this document.
>> 
>>  The applications implementing this authorization control let the
>>  client organizations know this feature is available by using the
>>  Client Roaming Support (CRS) RR.  The data associated with this
>>  record indicates if the client's organization expected support of the
>>  CRC is mandatory, optional, or ignored.  This information stored in
>>  the CRS can be confirmed at the application level by a redundant
>>  data.  The way the application handles the authorization mechanism,
>>  by consulting the associated CRS record or not, is left to the
>>  implementor.
>> 
>>  Although this mechanism is designed for improving the security
>>  between different organizations, there is no objection to use it for
>>  a same organization playing both roles of client and application , as
>>  an alternative or additional layer to a solution already in place,
>>  such as a firewall for example.
>> 
>> 2.  Conventions Used in This Document
>> 
>>  This specification uses definitions from Domain Name System
>>  [RFC1035], and readers unfamiliar with it can also check DNS
>>  Terminology [RFC8499].  The syntax specification uses the Augmented
>>  Backus-Naur Form (ABNF) notation as specified in [RFC5234], with some
>>  expressions being defined in "Uniform Resource Identifier (URI):
>>  Generic Syntax" [RFC3986] and "IP Version 6 Addressing Architecture"
>>  [RFC4291].
>> 
>>  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
>>  "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
>>  "OPTIONAL" in this document are to be interpreted as described in BCP
>>  14 [RFC2119] [RFC8174] when, and only when, they appear in all
>>  capitals, as shown here.
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 3]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>> 3.  The CRC Resource Record
>> 
>>  The CRC RR purpose is to provide a list of IP ranges authorized to
>>  use a particular application.  Each RR contains a list of either IPv4
>>  or IPv6 network address ranges.  These ranges MUST follow the CIDR
>>  notation.  A single CRC RR MAY contain ranges for different IP
>>  versions, but in the case of many ranges this can be difficult to
>>  read or maintain, so dedicating a record to each IP version or not is
>>  left to the administrator.  Multiple RRs MAY be defined for a given
>>  IP version.
>> 
>> 3.1.  RR name field
>> 
>>  The CRC RR name field is composed of the third-party application
>>  domain, its port, followed by the fully qualified name inherent in
>>  this zone.  These three components are separated by the underscore
>>  character.
>> 
>> 3.2.  CRC RDATA Wire Format
>> 
>>  The CRC RDATA wire format is encoded as follows:
>> 
>>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
>>      /                     CRC                       /
>>      /                                               /
>>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
>> 
>>  The CRC field contains a list of either IPv4 or IPv6 ranges separated
>>  by the comma character.
>> 
>> 3.3.  CRC Presentation Format
>> 
>>  The presentation format of the CRC record is:
>> 
>>  CRC (ip4netlist [,ip6netlist]) / ([ip4netlist,] ip6netlist)
>> 
>>  ip4netlist = ip4net *(,ip4net)
>> 
>>  ip4net = IPv4address "/" ip4range
>> 
>>  ip4range = DIGIT / "1" DIGIT / "2" DIGIT / "3" DIGIT %x30-32
>> 
>>  ip6netlist = ip6net *(,ip6net)
>> 
>>  ip6net = (ipv6-address "/" prefix-length)
>> 
>> 
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 4]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>> 4.  The CRS Resource Record
>> 
>>  The CRS RR indicates which control is done on the client
>>  organizations, and thus which ones are authorized.  A requirement
>>  field is used for this purpose, it has one of the following values
>>  meaning when the checking is performed :
>> 
>>  *  "N" : Never, all organizations are authorized
>> 
>>  *  "A" : Always, only organizations with a CRC are authorized
>> 
>>  *  "O" : Optional, any organization CRC is honored, other
>>     organizations are authorized
>> 
>>  In addition to this value, an optional list of ports can be given.
>>  Indeed, multiple applications can be hosted on different ports under
>>  the same domain name, and an equivalent support was described for the
>>  CRC RR.  In case of different requirement values, it is RECOMMENDED
>>  to have one dedicated RR for each although one single RR with all the
>>  information is supported.  One particular port MUST NOT appear in
>>  more than one RR.  When no port is mentioned, only one RR MAY be
>>  declared and its requirement value covers all applications for this
>>  domain name.
>> 
>>  In the absence of such record, no roaming control is to be expected
>>  by the client, any of its CRC RRs will be ignored.  It is equivalent
>>  to a CRS requirement value indicating no control is performed.
>> 
>> 4.1.  CRS RDATA Wire Format
>> 
>>  The CRS RDATA wire format is encoded as follows:
>> 
>>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
>>      /                     CRS                       /
>>      /                                               /
>>      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
>> 
>>  The CRS field contains a list of requirements followed by their
>>  respective optional ports.
>> 
>> 4.2.  CRS Presentation Format
>> 
>>  The presentation format of the CRS record is:
>> 
>>  CRS (single-rule / multiple-rules)
>> 
>>  single-rule = "R=" ("N" / "A" / "O") *(,port)
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 5]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>>  multiple-rules = unit-rule 1*2(;unit-rule)
>> 
>>  unit-rule = "R=" ("N" / "A" / "O") 1*(,port)
>> 
>>  port = [1-9] *([DIGIT])
>> 
>> 5.  Examples
>> 
>>  The following examples show some typical uses expected from this
>>  documentation.  Particularly, the intended behaviors for different
>>  CRC and CRS values are explained, while the user identification is
>>  done directly through carried data or a deduction process.
>> 
>> 5.1.  Restricted Application
>> 
>>  In this example, an application is only opened to organizations
>>  publishing their respective allowed networks.  The requirement value
>>  of the CRS record equals "A", and any organization with an empty or
>>  missing CRC for this application will be denied access.
>> 
>>  The ftp.foo.com domain is dedicated to hosting an FTP application,
>>  which extracts the client's domain from the username used during the
>>  authentication process.  This information is then used for requesting
>>  the client CRC record and finally comparing its content with the
>>  client's IP.  The client organization bar.com allows its users from
>>  its own network 195.13.35.0/24 and from a cloud service located at
>>  91.220.43.0/24.  A second organization baz.com has no CRC record and
>>  its users are rejected.
>> 
>>  Application FQDN : ftp.foo.com
>>  Application CRS record : CRS R=A,21
>> 
>>  Client FQDN : bar.com
>>  Client organization CRC record : CRC
>>  ftp.foo.com_21_bar.com,195.13.35.0/24,91.220.43.0/24
>> 
>>  Client FQDN : baz.com
>>  No client organization CRC record
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 6]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>>  Client DNS  Client FTP                Server FTP
>> 
>>                    FTP USER me@bar.com
>>              ----------------------------->
>>                           ...
>>                    FTP PASS ********
>>              ----------------------------->
>>         Query : CRC ftp.foo.com_21_bar.com
>>       <------------------------------------
>>         Answer : CRC ftp.foo.com_21_bar.com,195.13.35.0/24,91.220.43.0/24
>>       ------------------------------------>
>>                    FTP 230
>>             <------------------------------
>> 
>> 
>>                    FTP USER me@baz.com
>>              ----------------------------->
>>                           ...
>>                    FTP PASS ********
>>              ----------------------------->
>>         Query : CRC ftp.foo.com_21_baz.com
>>       <------------------------------------
>>         Answer : No such name (3)
>>       ------------------------------------>
>>                    FTP 430
>>             <------------------------------
>> 
>> 5.2.  Controlled Application
>> 
>>  The foo.com domain hosts a Web application on port 443 using client
>>  certificates for authenticating its users.  The application extracts
>>  the client domains from the certificates, which are used to retrieve
>>  their CRC records.  Users from the bar.com organization are allowed
>>  only if they connect from an authorized network listed in the CRC
>>  record, while users from baz.com are always granted access since this
>>  one has no CRC declared.
>> 
>>  Application FQDN : foo.com
>>  Application CRS record : CRS R=A,443
>> 
>>  Client FQDN : bar.com
>>  Client organization CRC record : CRC
>>  ftp.foo.com_443_bar.com,195.13.35.0/24,91.220.43.0/24
>> 
>>  Client FQDN : baz.com
>>  No client organization CRC record
>> 
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 7]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>>  Client DNS  Client browser                Web application
>> 
>> 
>>                            .....
>>                Client certificate me@bar.com
>>              ----------------------------------->
>>         Query : CRC foo.com_443_bar.com
>>       <------------------------------------------
>>         Answer : CRC foo.com_443_bar.com,195.13.35.0/24,91.220.43.0/24
>>       ------------------------------------------>
>>                            .....
>>                    200 OK
>>              <-----------------------------------
>> 
>> 
>>                            .....
>>                Client certificate me@baz.com
>>              ----------------------------------->
>>         Query : CRC foo.com_443_baz.com
>>       <------------------------------------------
>>         Answer : No such name (3)
>>       ------------------------------------------>
>>                            .....
>>                    200 OK
>>              <-----------------------------------
>> 
>> 5.3.  Opened Application
>> 
>>  A company is testing the CRC and CRS behaviors before opening a new
>>  service to its customers.  Its first test described below consists in
>>  configuring both sides to be completely opened, likely before
>>  hardening the CRS, then the CRC, and testing again.
>> 
>>  The application.foo.com domain hosts a Web application on port 443
>>  where users are logged in by sending a numerical identifier and a
>>  password.  The application uses a dictionary data type to identify
>>  the user's domain.  The client.foo.com domain is temporarily using 2
>>  CRC records indicating a free access from anywhere.
>> 
>>  Application FQDN : application.foo.com
>>  Application CRS record : CRS R=N,443
>> 
>>  Client FQDN : client.foo.com
>>  Client organization CRC records : CRC
>>  application.foo.com_443_foo.com,0.0.0.0/24; CRC
>>  application.foo.com_443_foo.com,fe80::/10
>> 
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 8]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>>  Client DNS  Client browser                Web application
>> 
>> 
>>                            .....
>>                HTTP POST 123456/******
>>              ----------------------------------->
>>                    200 OK
>>              <-----------------------------------
>> 
>> 6.  IANA Considerations
>> 
>>  According to Guidelines for Writing an IANA Considerations Section in
>>  RFCs [RFC8126] it is asked to IANA to add into the Resource Record
>>  (RR) TYPEs registry located at https://www.iana.org/assignments/dns-
>>  parameters/dns-parameters.xhtml#dns-parameters-4 the two entries CRC
>>  and CRS.
>> 
>>          +------+-------+------------------------+-----------+
>>          | TYPE | Value | Description            | Reference |
>>          +------+-------+------------------------+-----------+
>>          | CRC  | TBD1  | Client Roaming Control | this RFC  |
>>          +------+-------+------------------------+-----------+
>>          | CRS  | TBD2  | Client Roaming Support | this RFC  |
>>          +------+-------+------------------------+-----------+
>> 
>>                                 Table 1
>> 
>> 7.  Security Considerations
>> 
>>  This section is meant to inform developers and users of the security
>>  implications of the CRC/CRS mechanism described by this document.
>>  While the CRS RR mostly plays an informative role, the CRC RR
>>  delivers important data which requires attention from the developers
>>  and administrators.  Some particular points are discussed here.
>> 
>> 7.1.  DNS misconfiguration
>> 
>>  Any DNS CRS misconfiguration such as multiple records with different
>>  requirement values but with the same port value can get a client
>>  confused.  In this case the client does not know without testing the
>>  actual configuration, if its organization is protected against
>>  roaming, and contacting the application administrator to fix the
>>  situation is a possibility.
>> 
>>  While CRC misconfigurations are more or less leading to serious
>>  security problems, administrators need to pay attention when dealing
>>  with multiple networks or records.  Particularly, multiple records
>>  for the same network range or overlapping networks should be avoided.
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                 [Page 9]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>> 7.2.  DNS Security
>> 
>>  Client and application administrators need to pay as much attention
>>  as they usually do when dealing with DNS management.  As the CRC
>>  records are supposed to be requested during an application
>>  authentication process, reflection attacks could be built to target a
>>  client organization, even one not hosting any CRC record at all.
>>  In a general manner, administrators may consider an adequate TTL
>>  setting to not overload client organizations, enable TCP as the
>>  preferred transport, or rely on DNSSEC to warrant data authenticity
>>  and integrity.
>> 
>> 7.3.  Application Security
>> 
>>  The following points are of concern to developers:
>> 
>>  Encryption:
>>  Whenever possible, the application protocol should be encrypted to
>>  prevent eavesdropping and man-in-the-middle attacks.  It is a
>>  critical point for applications maintaining a user session with
>>  anything like a token or cookie, as it can lead to session hijacking
>>  as discussed below.
>> 
>>  Timing attack:
>>  All authentication systems need to be careful to not deliver any
>>  information derived from the computing time to a denied user, even
>>  the ones involving multiple factors or steps like the one described
>>  in this document.  In particular, the order in which these steps are
>>  executed and their respective implementations, need to defeat
>>  statistical hypotheses.
>> 
>>  Intermediate systems:
>>  Some applications are not directly Internet facing and cannot access
>>  to the real client's IP address without involving a mechanism to
>>  forward this IP at the application layer.  For example with HTTP, the
>>  common practice based on the non-standard X-Forwarded-For header, or
>>  its alternative standard Forwarded [RFC7239], are playing this role.
>>  Such practice requires a correct sanitizing of user data to avoid
>>  false injected IPs.
>> 
>>  Session hijacking:
>>  A well-known attack called Session Hijacking is not meant to be
>>  defeated by this document alone.  Application developers must ensure
>>  that any receveid session token, such as an HTTP Cookie, belongs to
>>  the same IP address than the one which started this session.
>> 
>> 8.  References
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                [Page 10]
>> 
>> Internet-Draft           Client Roaming Control               April 2022
>> 
>> 
>> 8.1.  Normative References
>> 
>>  [RFC1035]  Mockapetris, P., "Domain names - implementation and
>>             specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
>>             November 1987, <https://www.rfc-editor.org/info/rfc1035>.
>> 
>>  [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
>>             Requirement Levels", BCP 14, RFC 2119,
>>             DOI 10.17487/RFC2119, March 1997,
>>             <https://www.rfc-editor.org/info/rfc2119>.
>> 
>>  [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
>>             Resource Identifier (URI): Generic Syntax", STD 66,
>>             RFC 3986, DOI 10.17487/RFC3986, January 2005,
>>             <https://www.rfc-editor.org/info/rfc3986>.
>> 
>>  [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
>>             Architecture", RFC 4291, DOI 10.17487/RFC4291, February
>>             2006, <https://www.rfc-editor.org/info/rfc4291>.
>> 
>>  [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
>>             Specifications: ABNF", STD 68, RFC 5234,
>>             DOI 10.17487/RFC5234, January 2008,
>>             <https://www.rfc-editor.org/info/rfc5234>.
>> 
>>  [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
>>             2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
>>             May 2017, <https://www.rfc-editor.org/info/rfc8174>.
>> 
>> 8.2.  Informative References
>> 
>>  [RFC7239]  Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
>>             RFC 7239, DOI 10.17487/RFC7239, June 2014,
>>             <https://www.rfc-editor.org/info/rfc7239>.
>> 
>>  [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
>>             Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
>>             January 2019, <https://www.rfc-editor.org/info/rfc8499>.
>> 
>> Author's Address
>> 
>>  Eugene Adell
>>  Email: eugene.adell@gmail.com
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> Adell                    Expires 7 October 2022                [Page 11]
>> 
>> 
>> RFC 6895 :
>> A. Submission Date:2002/04/05
>> B.1 Submission Type:  [X] New RRTYPE  [ ] Modification to RRTYPE
>> B.2 Kind of RR:  [X] Data RR  [ ] Meta-RR
>> C. Contact Information for submitter :
>>  Name: Eugene Adell               Email Address: eugene.adell@gmail.com
>>  International telephone number: +33699056914
>>  Other contact handles:
>> D. Motivation for the new RRTYPE application.
>>  Introduce a couple of RR types working together in order to better
>> secure remote access to partner applications
>> E. Description of the proposed RR type.
>>  CRC contains a limited list of authorized networks for a particular
>> application
>> F. What existing RRTYPE or RRTYPEs come closest to filling that need
>> and why are they unsatisfactory?
>>  TXT RRTYPE allows the storage of any text data but in practice is
>> usually associated with more or less fixed name or data which is not
>> what is needed here. A dedicated RRTYPE is easier to identify and
>> manage by a security team other than the usual DNS operator team.
>> G. What mnemonic is requested for the new RRTYPE (optional)?
>>  CRC
>> H. Does the requested RRTYPE make use of any existing IANA registry or
>> require the creation of a new IANA subregistry in DNS Parameters?
>>  It uses the existing Resource Record (RR) TYPEs registry
>> I. Does the proposal require/expect any changes in DNS
>> servers/resolvers that prevent the new type from being processed as an
>> unknown RRTYPE (see [RFC3597])?
>>  No
>> J. Comments:
>>  None
>> 
>> 
>> A. Submission Date:2002/04/05
>> B.1 Submission Type:  [X] New RRTYPE  [ ] Modification to RRTYPE
>> B.2 Kind of RR:  [X] Data RR  [ ] Meta-RR
>> C. Contact Information for submitter :
>>  Name: Eugene Adell               Email Address: eugene.adell@gmail.com
>>  International telephone number: +33699056914
>>  Other contact handles:
>> D. Motivation for the new RRTYPE application.
>>  Introduce a couple of RR types working together in order to better
>> secure remote access to partner applications
>> E. Description of the proposed RR type.
>>  CRS contains a requirement value and a list of ports indicating
>> what kind of authorization check is done during the application
>> authentication process
>> F. What existing RRTYPE or RRTYPEs come closest to filling that need
>> and why are they unsatisfactory?
>>  TXT RRTYPE allows the storage of any text data but in practice is
>> usually associated with more or less fixed name or data which is not
>> what is needed here. A dedicated RRTYPE is easier to identify and
>> manage by a security team other than the usual DNS operator team.
>> G. What mnemonic is requested for the new RRTYPE (optional)?
>>  CRS
>> H. Does the requested RRTYPE make use of any existing IANA registry or
>> require the creation of a new IANA subregistry in DNS Parameters?
>>  It uses the existing Resource Record (RR) TYPEs registry
>> I. Does the proposal require/expect any changes in DNS
>> servers/resolvers that prevent the new type from being processed as an
>> unknown RRTYPE (see [RFC3597])?
>>  No
>> J. Comments:
>>  None
>> <draft-adell-client-roaming-00.txt><RFC 6895 material.txt>_______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email