Independent submission                                     M. Richardson
Internet-Draft                                                       SSW
Expires: August 24, 2003                               February 23, 2003


           A method for storing IPsec keying material in DNS.
                     draft-richardson-ipsec-rr-02.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 24, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes a new resource record for DNS.  This record
   may be used to store public keys for use in IPsec systems.

   This record replaces the functionality of the sub-type #1 of the KEY
   Resource Record, which has been proposed to be obsoleted by [1].


Richardson               Expires August 24, 2003                [Page 1]
Internet-Draft                    ipsecrr                   February 2003


Table of Contents

   1.    Introduction
   1.1   Overview
   2.    Storage formats
   3.    IPSECKEY RDATA format
   3.1   RDATA format - algo type
   3.2   RDATA format - precedence
   3.3   RDATA format - RSA public key
   3.4   RDATA format - DSA public key
   3.5   RDATA format - gateway
   4.    Presentation formats
   4.1   Representation of IPSECKEY RRs
   5.    IANA Considerations
   6.    Acknowledgments
         Normative references
         Author's Address
         Full Copyright Statement

1.  Introduction

1.1 Overview

   Overview.

2.  Storage formats

   The IPSECKEY resource record (RR) is used to publish a public key
   that is to be associated with a Domain Name System (DNS) name.  It
   will be a public key, as only public keys are stored in the DNS.
   This can be the public key of a host, network, or application (in
   the case of per-port keying).

   An IPSECKEY RR is, like any other RR, authenticated by a SIG RR.

   It is expected that there will often be multiple resource records of
   the IPSECKEY type.  This will be due to the need to roll over keys,
   and due to the presence of multiple gateways.

   The type number for the IPSECKEY RR is 45 (IANA TBD).

3.  IPSECKEY RDATA format

   The RDATA for an IPSECKEY RR consists of a precedence value, a public
   key (and algorithm type), and an optional gateway address.

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | RESV  | algo  |  precedence   |       public key length       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               /
   /                          public key                           /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
   ~                            gateway                            ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.1 RDATA format - algo type

   The algorithm type ("algo") field indicates the type of key that is
   present in the public key field.  Valid values are:

   0  No key is present.

   1  An RSA key is present, in the format defined in

   2  A DSA key is present, in the format defined in

3.2 RDATA format - precedence

   This is an 8-bit precedence for this record.  This is interpreted in
   a similar way to the PREFERENCE field described in section 3.3.9 of
   [3].

3.3 RDATA format - RSA public key

   If the algorithm type has the value 1, then the public key portion
   contains an RSA public key, encoded as described in section 2 of
   [8], and repeated here:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | pub exp length|              public key exponent              /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               /
   +-                                                      modulus /
   |                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/

   RFC2065 limited the exponent and modulus to 2552 bits in length, and
   RFC3110 to 4096 bits.  No such limit is specified here for the
   purposes of encoding and decoding.  The length in octets of the
   public exponent is represented as one octet if it is in the range of
   1 to 255, and by a zero octet followed by a two-octet unsigned length
   if it is longer than 255 bytes.  The public key modulus field is a
   multiprecision unsigned integer.  The length of the modulus can be
   determined from the RDLENGTH and the preceding RDATA fields,
   including the exponent.

   Leading zero bytes are prohibited in the exponent and modulus.

3.4 RDATA format - DSA public key

   If the algorithm type has the value 2, then the public key portion
   contains a DSA public key, encoded as described in [7].

3.5 RDATA format - gateway

   The gateway field indicates a gateway to which an IPsec tunnel may be
   created in order to reach the entity holding this resource record.
   The length of this field is the size of the data portion minus the
   public key length and the 4 bytes of header.  The gateway field may
   be absent.

   The gateway field is a string.  It is most commonly a simple fully
   qualified domain name (FQDN).  IP version 4 and IP version 6
   addresses may be represented using names from in-addr.arpa. and
   ip6.arpa.

   The gateway field may also include an @-character, either in the
   form @FQDN or user@FQDN.  In this context, it does not reference a
   single destination, but just an identifier that will be used when
   doing key negotiations.  This may be used in the context where the
   gateway does not have a permanent IP address, but has permanent
   address space behind it, and will be initiating connections only.

4.  Presentation formats

4.1 Representation of IPSECKEY RRs

   IPSECKEY RRs may appear as lines in a zone data master file.  The
   precedence field is mandatory.  While both the gateway and public key
   fields are optional, it is illegal for neither to be present.

   As the IPv4, IPv6 and FQDN references to the gateway are mutually
   exclusive, they can share a position.  If no gateway is to be
   indicated, then the special tokens of either "-" or "none" may be
   used.

   IPv4 addresses are to be represented as a dotted decimal quad, with
   no leading zeroes.  IPv6 addresses are to be presented as specified
   in section 2.2 of [4].

   38.46.139.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 192.139.46.38
         RSA: AQOrXJxB56Q28iOO43Va36elIFFKc/QB2orIeL94BdC5X4idFQZjSpsZ
         Th48wKVXUE9xjwUkwR4R4/+1vjNN7KFp9fcqa2OxgjsoGqCn+3OPR8La
         9uyvZg0OBuSTj3qkbh/2HacAUJ7vqvjQ3W8Wj6sMXtTueR8NNcdSzJh1
         49ch3zqfiXrxxna8+8UEDQaRR9KOPiSvXb2KjnuDan6hDKOT4qTZRRRC
         MWwnNQ9zPIMNbLBp0rNcZ+ZGFg2ckWtWh5yhv1iXYLV2vmd9DB6d4Dv8
         cW7scc3rPmDXpYR6APqPBRHlcbenfHCt+oCkEWse8OQhMM56KODIVQq3
         fejrfi1H )
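   The record above, parsed by an added example that is not part of
   the draft: a Python parser for the presentation form of section 4.1
   that also decodes the RSA key layout of section 3.3 and enforces the
   rules stated in sections 3.2, 3.5 and 4.1 (8-bit precedence, the
   "-" / "none" gateway tokens, no leading zeroes in an IPv4 gateway,
   no leading zero bytes in exponent or modulus, gateway and key not
   both absent).  Treating "RSA:" as a separate token before the base64
   key follows the example line and is this example's assumption about
   the presentation form; DSA keys (algorithm type 2) are not decoded.

```python
"""Added example (not from the draft): parse an IPSECKEY record in the
presentation form of section 4.1 and decode the RFC 3110 RSA key layout
restated in section 3.3."""
from __future__ import annotations

import base64
import ipaddress
import re

# Constructed copy of the example record from section 4.1 of the draft.
EXAMPLE_RECORD = """38.46.139.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 192.139.46.38
    RSA: AQOrXJxB56Q28iOO43Va36elIFFKc/QB2orIeL94BdC5X4idFQZjSpsZ
    Th48wKVXUE9xjwUkwR4R4/+1vjNN7KFp9fcqa2OxgjsoGqCn+3OPR8La
    9uyvZg0OBuSTj3qkbh/2HacAUJ7vqvjQ3W8Wj6sMXtTueR8NNcdSzJh1
    49ch3zqfiXrxxna8+8UEDQaRR9KOPiSvXb2KjnuDan6hDKOT4qTZRRRC
    MWwnNQ9zPIMNbLBp0rNcZ+ZGFg2ckWtWh5yhv1iXYLV2vmd9DB6d4Dv8
    cW7scc3rPmDXpYR6APqPBRHlcbenfHCt+oCkEWse8OQhMM56KODIVQq3
    fejrfi1H )"""

_RECORD = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+IPSECKEY\s+\(\s*(?P<body>.*?)\s*\)$",
    re.DOTALL,
)
_DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def decode_rsa_public_key(blob: bytes) -> tuple[int, int]:
    """Section 3.3 layout: exponent length as one octet (1..255), or a zero
    octet followed by a two-octet length for longer exponents; then the
    exponent; then the modulus (all remaining octets).  Returns (e, n)."""
    if len(blob) < 2:
        raise ValueError("RSA key field too short")
    if blob[0] != 0:
        exp_len, offset = blob[0], 1
    else:
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
        if exp_len <= 255:
            # The three-octet form is for exponents longer than 255 octets;
            # rejecting it for short exponents keeps encodings canonical
            # (a strictness choice of this example, not stated by the draft).
            raise ValueError("three-octet exponent length used for a short exponent")
    exponent = blob[offset:offset + exp_len]
    modulus = blob[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("RSA key field truncated")
    for name, field in (("exponent", exponent), ("modulus", modulus)):
        if field[0] == 0:  # section 3.3: leading zero bytes are prohibited
            raise ValueError(f"leading zero byte in {name}")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def classify_gateway(token: str) -> tuple[str, str | None]:
    """Classify the gateway token according to sections 3.5 and 4.1."""
    if token in ("-", "none"):  # section 4.1: no gateway indicated
        return "none", None
    if "@" in token:  # section 3.5: @FQDN / user@FQDN is a negotiation identifier
        return "identifier", token
    if _DOTTED_QUAD.fullmatch(token):
        if any(len(p) > 1 and p[0] == "0" for p in token.split(".")):
            raise ValueError(f"IPv4 gateway {token!r} has leading zeroes")
        return "ipv4", str(ipaddress.IPv4Address(token))  # rejects octets > 255
    if ":" in token:
        return "ipv6", str(ipaddress.IPv6Address(token))  # RFC 1884 2.2 text form
    return "fqdn", token


def parse_ipseckey(text: str) -> dict:
    """Parse one IPSECKEY master-file record written as in section 4.1."""
    m = _RECORD.match(text.strip())
    if not m:
        raise ValueError("not an IPSECKEY record in the expected form")
    fields = m.group("body").split()
    if len(fields) < 2:
        raise ValueError("precedence and a gateway token are required")
    precedence = int(fields[0])
    if not 0 <= precedence <= 255:  # section 3.2: 8-bit precedence
        raise ValueError("precedence must fit in 8 bits")
    gw_kind, gateway = classify_gateway(fields[1])
    record = {
        "owner": m.group("owner"), "ttl": int(m.group("ttl")),
        "precedence": precedence, "gateway_kind": gw_kind, "gateway": gateway,
        "algorithm": 0, "exponent": None, "modulus": None,
    }
    if len(fields) > 2:
        if fields[2] != "RSA:":  # assumed tag; DSA (algo 2) not handled here
            raise ValueError("only the RSA: key form of section 4.1 is handled")
        blob = base64.b64decode("".join(fields[3:]), validate=True)
        record["exponent"], record["modulus"] = decode_rsa_public_key(blob)
        record["algorithm"] = 1  # section 3.1: value 1 = RSA key present
    elif gw_kind == "none":
        # section 4.1: gateway and key are each optional, but not both absent
        raise ValueError("record carries neither a gateway nor a public key")
    return record


if __name__ == "__main__":
    rec = parse_ipseckey(EXAMPLE_RECORD)
    print(rec["precedence"], rec["gateway"], rec["exponent"],
          rec["modulus"].bit_length())
```

   Run as a script it prints the precedence, gateway, public exponent
   and modulus size of the example record.  The modulus length is never
   carried explicitly: as section 3.3 says, it is whatever remains after
   the exponent, which is why the parser must check for truncation
   before trusting it.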
5.  IANA Considerations

   IANA is asked to assign resource record type number 45 to this
   resource record.

6.  Acknowledgments

   People who pushed me to write this.

Normative references

   [1]  Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
        Record (RR)", RFC 3445, December 2002.

   [2]  Mockapetris, P., "Domain names - concepts and facilities", STD
        13, RFC 1034, November 1987.

   [3]  Mockapetris, P., "Domain names - implementation and
        specification", STD 13, RFC 1035, November 1987.

   [4]  Hinden, R. and S. Deering, "IP Version 6 Addressing
        Architecture", RFC 1884, December 1995.

   [5]  Thomson, S. and C. Huitema, "DNS Extensions to support IP
        version 6", RFC 1886, December 1995.

   [6]  Eastlake, D., "Domain Name System Security Extensions", RFC
        2535, March 1999.

   [7]  Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
        (DNS)", RFC 2536, March 1999.

   [8]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
        System (DNS)", RFC 3110, May 2001.

Author's Address

   Michael C. Richardson
   Sandelman Software Works
   470 Dawson Avenue
   Ottawa, ON  K1Z 5V7
   CA

   EMail: mcr@sandelman.ottawa.on.ca
   URI:   http://www.sandelman.ottawa.on.ca/

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.