Re: [Hipsec] DNS considerations in draft-ietf-hip-native-nat-traversal

Miika Komu <miika.komu@ericsson.com> Tue, 07 April 2020 06:32 UTC

From: Miika Komu <miika.komu@ericsson.com>
To: "miika.komu=40ericsson.com@dmarc.ietf.org" <miika.komu=40ericsson.com@dmarc.ietf.org>, "j.ahrenholz@Tempered.io" <j.ahrenholz@Tempered.io>, "hipsec@ietf.org" <hipsec@ietf.org>
Date: Tue, 7 Apr 2020 06:32:42 +0000
Message-ID: <6f2da742222f0f75a91e2fd2d82b992e55a89a8f.camel@ericsson.com>
References: <BE5944AA-CC27-4D07-99CD-5A5B16B19369@tempered.io>
In-Reply-To: <BE5944AA-CC27-4D07-99CD-5A5B16B19369@tempered.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/Qt7oGb7gh6RPwccTxsPfV5rTTJw>

Thanks Jeff,

your nits will be included in the next version.

On Mon, 2020-04-06 at 13:44 +0000, Jeff Ahrenholz wrote:
> Miika,
> Looks good to me. I like how the distinction between RVS and Control
> Relay Server is spelled out.
> 
> Just a couple of nits:
> s/an HIP/ a HIP/
> s/the the A/the A/
> 
> -Jeff
> 
> On 4/5/20, 6:20 AM, "Hipsec on behalf of Miika Komu" <
> hipsec-bounces@ietf.org on behalf of 
> miika.komu=40ericsson.com@dmarc.ietf.org> wrote:
> 
>     Hi,
>     
>     during IESG review Magnus Westerlund asked about DNS support in
>     draft-ietf-hip-native-nat-traversal, so I added the text below to
>     draft-ietf-hip-native-nat-traversal. Does it seem ok for the WG?
>     
>     Appendix E.  DNS Considerations
>     
>     [RFC5770] did not specify how an end-host can look up another
>     end-host via DNS and initiate an UDP-based HIP base exchange with it,
>     so this section makes an attempt to fill this gap.
>     
>     [RFC8005] specifies how an HIP end-host and its Rendezvous server is
>     registered to DNS.  Essentially, the public key of the end-host is
>     stored as HI record and its Rendezvous Server as A or AAAA record.
>     This way, the Rendezvous Server can act as an intermediary for the
>     end-host and forward packets to it based on the DNS configuration.
>     Control Relay Server offers similar functionality as Rendezvous
>     Server, with the difference that the Control Relay Server forwards
>     all control messages, not just the first I1 message.
>     
>     Prior to this document, the A and AAAA records in the DNS refer
>     either to the HIP end-host itself or a Rendezvous Server [RFC8005],
>     and control and data plane communication with the associated host has
>     been assumed to occur directly over IPv4 or IPv6.  However, this
>     specification extends the records to be used for UDP-based
>     communications.
>     
>     Let us consider the case of a HIP Initiator with the default policy
>     to employ UDP encapsulation and the extensions defined in this
>     document.  The Initiator looks up the FQDN of a Responder, and
>     retrieves its HI, A and AAAA records.  Since the default policy is to
>     use UDP encapsulation, the Initiator MUST send the I1 message over
>     UDP to destination port 10500 (either over IPv4 in the case of a A
>     record or over IPv6 in the case of a AAAA record).  It MAY send an I1
>     message both with and without UDP encapsulation in parallel.  In the
>     case the Initiator receives R1 messages both with and without UDP
>     encapsulation from the Responder, the Initiator SHOULD ignore the R1
>     messages without UDP encapsulation.
>     
>     The UDP encapsulated I1 packet could be received by three different
>     types of hosts:
>     
>     1.  HIP Control Relay Server: in this case the A/AAAA records refers
>         to a Control Relay Server, and it will forward the packet to the
>         corresponding Control Relay Client based on the destination HIT
>         in the I1 packet.
>     
>     2.  HIP Responder supporting UDP encapsulation: in this case, the the
>         A/AAAA records refers to the end-host.  Assuming the destination
>         HIT belongs to the Responder, it receives and processes it
>         according to the negotiated NAT traversal mechanism.  The support
>         for the protocol defined in this document vs [RFC5770] is
>         dynamically negotiated during the base exchange.  The details are
>         specified in Section 4.3.
>     
>     3.  HIP Rendezvous Server: this entity is not listening to UDP port
>         10500, so it will drop the I1 message.
>     
>     4.  HIP Responder not supporting UDP encapsulation: the targeted
>         end-host is not listening to UDP port 10500, so it will drop
>         the I1 message.
>     
>     The A/AAAA-record MUST NOT be configured to refer to a Data Relay
>     Server unless the host in question supports also Control Relay Server
>     functionality.
>     
>     It is also worth noting that SRV records are not employed in this
>     specification.  While they could be used for more flexible UDP port
>     selection, they are not suitable for end-host discovery but rather
>     would be more suitable for the discovery of HIP-specific
>     infrastructure.  Further extensions to this document may define SRV
>     records for Control and Data Relay Server discovery within a DNS
>     domain.
>     _______________________________________________
>     Hipsec mailing list
>     Hipsec@ietf.org
>     https://www.ietf.org/mailman/listinfo/hipsec
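Added example, not part of the thread or the draft: a Python model of the Initiator and receiver rules from Appendix E quoted above (I1 over UDP/10500 per A/AAAA record, optional parallel plain I1, the R1 preference rule, and the four receiving host types). The record values and HIT are constructed placeholders, and the names `Kind`, `Msg`, `build_i1s`, `select_r1s` and `receive_udp_i1` are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

HIP_UDP_PORT = 10500  # destination port for UDP-encapsulated HIP in the appendix

class Kind(Enum):  # the four kinds of host an A/AAAA record may point to
    CONTROL_RELAY = 1
    UDP_RESPONDER = 2
    RVS = 3
    PLAIN_RESPONDER = 4

@dataclass(frozen=True)
class Msg:
    kind: str                 # "I1" or "R1"
    ip: str                   # address taken from the A or AAAA record
    hit: str                  # destination HIT, derived from the HI record
    udp_port: Optional[int]   # None means no UDP encapsulation

def build_i1s(records: dict, parallel_plain: bool = False) -> list:
    """Initiator with the default UDP policy: one I1 over UDP/10500 per A/AAAA
    address (MUST), optionally a plain I1 alongside each one (MAY)."""
    pkts = []
    for addr in records.get("A", []) + records.get("AAAA", []):
        pkts.append(Msg("I1", addr, records["HI"], HIP_UDP_PORT))
        if parallel_plain:
            pkts.append(Msg("I1", addr, records["HI"], None))
    return pkts

def select_r1s(r1s: list) -> list:
    """SHOULD ignore plain R1s once UDP-encapsulated R1s have arrived."""
    udp = [r for r in r1s if r.udp_port is not None]
    return udp if udp else list(r1s)

def receive_udp_i1(host: Kind, pkt: Msg, own_hit: str = "",
                   relay_clients: Optional[dict] = None) -> str:
    """Outcome at the host the A/AAAA record points to (cases 1-4 of the appendix)."""
    if pkt.udp_port != HIP_UDP_PORT:
        return "drop"
    if host is Kind.CONTROL_RELAY:              # case 1: forward by destination HIT
        client = (relay_clients or {}).get(pkt.hit)
        return f"forward:{client}" if client else "drop"
    if host is Kind.UDP_RESPONDER:              # case 2: process only if the HIT is ours
        return "process" if pkt.hit == own_hit else "drop"
    return "drop"                               # cases 3 and 4: nobody listens on 10500

# Constructed sample records (not real hosts); the HIT is a placeholder value.
RECORDS = {"HI": "2001:20::1", "A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]}
```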