[Hipsec] DNS considerations in draft-ietf-hip-native-nat-traversal

Miika Komu <miika.komu@ericsson.com> Sun, 05 April 2020 13:20 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/0ag-jqBq53dNC-kRTx5XFFFbN-I>

Hi,

during IESG review Magnus Westerlund asked about DNS support in draft-
ietf-hip-native-nat-traversal, so I added the text below to draft-
ietf-hip-native-nat-traversal. Does it seem ok for the WG?

Appendix E.  DNS Considerations

[RFC5770] did not specify how an end-host can look up another end-
host via DNS and initiate a UDP-based HIP base exchange with it, so
this section makes an attempt to fill this gap.

[RFC8005] specifies how a HIP end-host and its Rendezvous Server are
registered in DNS.  Essentially, the public key of the end-host is
stored as an HI record and its Rendezvous Server as an A or AAAA
record.  This way, the Rendezvous Server can act as an intermediary
for the end-host and forward packets to it based on the DNS
configuration.  A Control Relay Server offers functionality similar
to a Rendezvous Server, with the difference that the Control Relay
Server forwards all control messages, not just the first I1 message.

Prior to this document, the A and AAAA records in the DNS referred
either to the HIP end-host itself or to a Rendezvous Server
[RFC8005], and control and data plane communication with the
associated host has been assumed to occur directly over IPv4 or
IPv6.  However, this specification extends the records to be used
for UDP-based communications as well.

Let us consider the case of a HIP Initiator with the default policy
to employ UDP encapsulation and the extensions defined in this
document.  The Initiator looks up the FQDN of a Responder and
retrieves its HI, A and AAAA records.  Since the default policy is to
use UDP encapsulation, the Initiator MUST send the I1 message over
UDP to destination port 10500 (over IPv4 in the case of an A record,
or over IPv6 in the case of a AAAA record).  It MAY send an I1
message both with and without UDP encapsulation in parallel.  If the
Initiator receives R1 messages both with and without UDP
encapsulation from the Responder, the Initiator SHOULD ignore the R1
messages without UDP encapsulation.

The UDP-encapsulated I1 packet could be received by four different
types of hosts:

1.  HIP Control Relay Server: in this case the A/AAAA records refer
    to a Control Relay Server, and it will forward the packet to the
    corresponding Control Relay Client based on the destination HIT
    in the I1 packet.

2.  HIP Responder supporting UDP encapsulation: in this case, the
    A/AAAA records refer to the end-host.  Assuming the destination
    HIT belongs to the Responder, it receives and processes the I1
    according to the negotiated NAT traversal mechanism.  The support
    for the protocol defined in this document vs. [RFC5770] is
    dynamically negotiated during the base exchange.  The details are
    specified in Section 4.3.

3.  HIP Rendezvous Server: this entity is not listening on UDP port
    10500, so it will drop the I1 message.

4.  HIP Responder not supporting UDP encapsulation: the targeted end-
    host is not listening on UDP port 10500, so it will drop the I1
    message.

The A/AAAA record MUST NOT be configured to refer to a Data Relay
Server unless the host in question also supports Control Relay Server
functionality.

It is also worth noting that SRV records are not employed in this
specification.  While they could be used for more flexible UDP port
selection, they are not suitable for end-host discovery but rather
would be more suitable for the discovery of HIP-specific
infrastructure.  Further extensions to this document may define SRV
records for Control and Data Relay Server discovery within a DNS
domain.
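The following is an added example, not part of the proposed appendix text and not code from any HIP implementation. It models offline, in Python, the Initiator behaviour of the paragraph on the default UDP-encapsulation policy (one I1 to UDP/10500 per A and AAAA record, the optional parallel plain-IP I1, and the preference for UDP-encapsulated R1s) together with the four receiver cases of the numbered list. The zone contents, HITs, addresses, relay client table and host names are constructed for illustration; the only value taken from the draft is UDP port 10500. Nothing here touches DNS or the network.

```python
"""Offline model of the Appendix E DNS-driven I1 dispatch (added example).

Assumptions: the zone, HITs, addresses and relay client table are constructed;
the HI record is represented by the responder's HIT rather than a public key.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HIP_UDP_PORT = 10500  # destination port for UDP-encapsulated HIP control (draft)

# Constructed DNS zone: FQDN -> resource records.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "bob.example.net.": {
        "HI": ["2001:20::b0b"],       # stands in for the HI record (HIT shown)
        "A": ["192.0.2.10"],
        "AAAA": ["2001:db8::10"],
    },
}


@dataclass
class I1:
    src_hit: str
    dst_hit: str
    dst_addr: str
    udp_port: Optional[int]  # None means plain IP, i.e. no UDP encapsulation


@dataclass
class Host:
    kind: str                                     # one of the four receiver types
    udp_ports: Set[int] = field(default_factory=set)   # UDP ports listened on
    hit: Optional[str] = None                     # own HIT (responders only)
    relay_clients: Dict[str, str] = field(default_factory=dict)  # HIT -> client addr


def build_i1s(fqdn: str, src_hit: str, parallel_plain: bool = False) -> List[I1]:
    """Initiator with the default policy: an I1 to UDP/10500 for every A and
    AAAA record (MUST), optionally a plain-IP I1 in parallel (MAY)."""
    rr = ZONE[fqdn]
    dst_hit = rr["HI"][0]
    out: List[I1] = []
    for addr in rr.get("A", []) + rr.get("AAAA", []):
        out.append(I1(src_hit, dst_hit, addr, HIP_UDP_PORT))
        if parallel_plain:
            out.append(I1(src_hit, dst_hit, addr, None))
    return out


def receive_udp_i1(host: Host, pkt: I1) -> str:
    """What each receiver type does with a UDP-encapsulated I1."""
    if pkt.udp_port is None:
        return "plain I1: not covered by this model"
    if pkt.udp_port not in host.udp_ports:
        # Cases 3 and 4: Rendezvous Server or a non-UDP Responder is not
        # listening on 10500, so the datagram is simply dropped.
        return "drop: not listening on UDP/%d" % pkt.udp_port
    if host.kind == "control-relay-server":
        # Case 1: forward to the registered Control Relay Client for the HIT.
        client = host.relay_clients.get(pkt.dst_hit)
        return "forward to %s" % client if client else "drop: unknown HIT"
    if host.kind == "responder-udp":
        # Case 2: process only if the destination HIT is ours.
        return "process" if pkt.dst_hit == host.hit else "drop: HIT mismatch"
    return "drop: unexpected host type"


def select_r1(r1s: List[dict]) -> List[dict]:
    """If R1s arrived both with and without UDP encapsulation, ignore the
    plain ones (SHOULD); otherwise keep whatever arrived."""
    udp = [r for r in r1s if r["udp"]]
    return udp if udp else r1s


if __name__ == "__main__":
    pkts = build_i1s("bob.example.net.", "2001:20::a11ce", parallel_plain=True)
    relay = Host("control-relay-server", {HIP_UDP_PORT},
                 relay_clients={"2001:20::b0b": "198.51.100.7:4321"})
    for p in pkts:
        print(p.dst_addr, p.udp_port, "->", receive_udp_i1(relay, p))
    print(select_r1([{"udp": True, "src": "bob"}, {"udp": False, "src": "bob"}]))
```

The receiver cases are driven first by the listening-port check and only then by host type, which mirrors the text: a Rendezvous Server and a legacy Responder never get as far as parsing the HIP header, because the datagram to UDP/10500 has no listener.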