Re: [Hipsec] DNS considerations in draft-ietf-hip-native-nat-traversal
Miika Komu <miika.komu@ericsson.com> Tue, 07 April 2020 06:32 UTC
From: Miika Komu <miika.komu@ericsson.com>
To: "miika.komu=40ericsson.com@dmarc.ietf.org"
<miika.komu=40ericsson.com@dmarc.ietf.org>, "j.ahrenholz@Tempered.io"
<j.ahrenholz@Tempered.io>, "hipsec@ietf.org" <hipsec@ietf.org>
Date: Tue, 7 Apr 2020 06:32:42 +0000
Message-ID: <6f2da742222f0f75a91e2fd2d82b992e55a89a8f.camel@ericsson.com>
References: <BE5944AA-CC27-4D07-99CD-5A5B16B19369@tempered.io>
In-Reply-To: <BE5944AA-CC27-4D07-99CD-5A5B16B19369@tempered.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/Qt7oGb7gh6RPwccTxsPfV5rTTJw>
Thanks Jeff, your nits will be included in the next version.

On Mon, 2020-04-06 at 13:44 +0000, Jeff Ahrenholz wrote:
> Miika,
> Looks good to me. I like how the distinction between RVS and Control
> Relay Server is spelled out.
>
> Just a couple of nits:
> s/an HIP/ a HIP/
> s/the the A/the A/
>
> -Jeff
>
> On 4/5/20, 6:20 AM, "Hipsec on behalf of Miika Komu" <
> hipsec-bounces@ietf.org on behalf of
> miika.komu=40ericsson.com@dmarc.ietf.org> wrote:
>
>     Hi,
>
>     during IESG review Magnus Westerlund asked about DNS support in
>     draft-ietf-hip-native-nat-traversal, so I added the text below to
>     draft-ietf-hip-native-nat-traversal. Does it seem ok for the WG?
>
>     Appendix E.  DNS Considerations
>
>        [RFC5770] did not specify how an end-host can look up another
>        end-host via DNS and initiate a UDP-based HIP base exchange with
>        it, so this section makes an attempt to fill this gap.
>
>        [RFC8005] specifies how an HIP end-host and its Rendezvous Server
>        are registered in DNS.  Essentially, the public key of the end-host
>        is stored as an HI record and its Rendezvous Server as an A or AAAA
>        record.  This way, the Rendezvous Server can act as an intermediary
>        for the end-host and forward packets to it based on the DNS
>        configuration.  A Control Relay Server offers similar functionality
>        to a Rendezvous Server, with the difference that the Control Relay
>        Server forwards all control messages, not just the first I1
>        message.
>
>        Prior to this document, the A and AAAA records in the DNS refer
>        either to the HIP end-host itself or to a Rendezvous Server
>        [RFC8005], and control and data plane communication with the
>        associated host has been assumed to occur directly over IPv4 or
>        IPv6.  However, this specification extends the records to be used
>        for UDP-based communications.
>
>        Let us consider the case of a HIP Initiator with the default policy
>        to employ UDP encapsulation and the extensions defined in this
>        document.  The Initiator looks up the FQDN of a Responder, and
>        retrieves its HI, A and AAAA records.  Since the default policy is
>        to use UDP encapsulation, the Initiator MUST send the I1 message
>        over UDP to destination port 10500 (either over IPv4 in the case of
>        an A record or over IPv6 in the case of an AAAA record).  It MAY
>        send an I1 message both with and without UDP encapsulation in
>        parallel.  In case the Initiator receives R1 messages both with and
>        without UDP encapsulation from the Responder, the Initiator SHOULD
>        ignore the R1 messages without UDP encapsulation.
>
>        The UDP encapsulated I1 packet could be received by three different
>        types of hosts:
>
>        1.  HIP Control Relay Server: in this case the A/AAAA records refer
>            to a Control Relay Server, and it will forward the packet to
>            the corresponding Control Relay Client based on the destination
>            HIT in the I1 packet.
>
>        2.  HIP Responder supporting UDP encapsulation: in this case, the
>            the A/AAAA records refer to the end-host.  Assuming the
>            destination HIT belongs to the Responder, it receives and
>            processes it according to the negotiated NAT traversal
>            mechanism.  The support for the protocol defined in this
>            document vs [RFC5770] is dynamically negotiated during the base
>            exchange.  The details are specified in Section 4.3.
>
>        3.  HIP Rendezvous Server: this entity is not listening to UDP port
>            10500, so it will drop the I1 message.
>
>        4.  HIP Responder not supporting UDP encapsulation: the targeted
>            end-host is not listening to UDP port 10500, so it will drop
>            the I1 message.
>
>        The A/AAAA record MUST NOT be configured to refer to a Data Relay
>        Server unless the host in question also supports Control Relay
>        Server functionality.
>
>        It is also worth noting that SRV records are not employed in this
>        specification.  While they could be used for more flexible UDP port
>        selection, they are not suitable for end-host discovery but rather
>        would be more suitable for the discovery of HIP-specific
>        infrastructure.  Further extensions to this document may define SRV
>        records for Control and Data Relay Server discovery within a DNS
>        domain.
>
>     _______________________________________________
>     Hipsec mailing list
>     Hipsec@ietf.org
>     https://www.ietf.org/mailman/listinfo/hipsec
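The Initiator-side procedure in the quoted Appendix E (send I1 over UDP/10500 to every A/AAAA address, optionally a native I1 in parallel, then prefer UDP-encapsulated R1s) and the four kinds of host an A/AAAA record can point at, modelled as an added Python example. This is not code from the draft or from any HIP implementation: the HIT, the addresses, the `Host` classes and their method names are constructed for the illustration; only port 10500 and the behaviour rules are taken from the appendix text, and protocol number 139 for native HIP from RFC 7401.

```python
# Toy model of the I1 dispatch in Appendix E of draft-ietf-hip-native-nat-
# traversal.  Added illustration, not code from the draft or any HIP stack;
# HITs, addresses and the Host classes are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIP_UDP_PORT = 10500  # UDP port the appendix mandates for encapsulated I1
IPPROTO_HIP = 139     # IP protocol number of native HIP (RFC 7401)


@dataclass(frozen=True)
class Message:
    kind: str      # "I1" or "R1"
    dst_hit: str   # HIT the packet is addressed to
    addr: str      # IP address taken from an A or AAAA record
    udp: bool      # True: UDP/10500 encapsulated; False: raw IP proto 139

    @property
    def transport(self) -> str:
        return f"udp/{HIP_UDP_PORT}" if self.udp else f"ip-proto/{IPPROTO_HIP}"


def build_i1s(hit: str, addrs: List[str], udp_default: bool = True,
              parallel: bool = True) -> List[Message]:
    """hit comes from the HI record, addrs from the A/AAAA records.  UDP-default
    policy: MUST send I1 over UDP/10500 to each, MAY add a native I1 too."""
    out: List[Message] = []
    for addr in addrs:
        if udp_default:
            out.append(Message("I1", hit, addr, udp=True))
        if not udp_default or parallel:
            out.append(Message("I1", hit, addr, udp=False))
    return out


def select_r1(r1s: List[Message]) -> List[Message]:
    """R1s both with and without UDP encapsulation: SHOULD ignore native."""
    return [m for m in r1s if m.udp] if any(m.udp for m in r1s) else list(r1s)


class Host:
    listens_udp = False  # only hosts implementing this draft open UDP 10500

    def __init__(self, hit: str = "", clients: Optional[Dict[str, str]] = None):
        self.hit = hit                # own HIT (end-hosts)
        self.clients = clients or {}  # registered client HIT -> address (relays)

    def receive(self, msg: Message) -> Tuple[str, Optional[Message]]:
        """Returns (what the host did, the R1 it sent if any)."""
        if msg.udp and not self.listens_udp:
            return f"dropped: not listening on UDP {HIP_UDP_PORT}", None
        return self.handle(msg)


class ControlRelayServer(Host):
    """Case 1: relays any control packet to the client owning the dst HIT."""
    listens_udp = True

    def handle(self, msg):
        client = self.clients.get(msg.dst_hit)
        if client is None:
            return "dropped: no Control Relay Client for this HIT", None
        return f"forwarded over {msg.transport} to {client}", None


class RendezvousServer(ControlRelayServer):
    """Case 3: RFC 8005 RVS; same forwarding but it never opens UDP 10500."""
    listens_udp = False


class UdpResponder(Host):
    """Case 2: end-host supporting the draft; answers R1 on the I1's transport
    (which NAT traversal mode is used is negotiated later in the exchange)."""
    listens_udp = True

    def handle(self, msg):
        if msg.dst_hit != self.hit:
            return "dropped: destination HIT is not mine", None
        return "processed", Message("R1", msg.dst_hit, msg.addr, msg.udp)


class LegacyResponder(UdpResponder):
    """Case 4: end-host without UDP support; only a native I1 gets an R1."""
    listens_udp = False


def run_exchange(hit: str, addrs: List[str], host: Host, parallel: bool = True):
    """Send the policy's I1s to one host, collect R1s, apply select_r1."""
    log, r1s = [], []
    for i1 in build_i1s(hit, addrs, udp_default=True, parallel=parallel):
        outcome, r1 = host.receive(i1)
        log.append((i1.transport, outcome))
        if r1 is not None:
            r1s.append(r1)
    return log, select_r1(r1s)


# Constructed sample: HI record gives the HIT, one A and one AAAA record.
RESPONDER_HIT, RESPONDER_ADDRS = "2001:20::1", ["192.0.2.10", "2001:db8::10"]
```

Running `run_exchange(RESPONDER_HIT, RESPONDER_ADDRS, host)` against each of the four host types reproduces the appendix: a `UdpResponder` answers both I1s but only the UDP R1s survive `select_r1`; a `LegacyResponder` and a `RendezvousServer` silently drop the UDP/10500 I1s and only the parallel native I1 gets through; a `ControlRelayServer` forwards on either transport, keyed on the destination HIT. Sending the native I1 in parallel is therefore what keeps the exchange working against cases 3 and 4.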