Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-04
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8598.
|
|
---|---|---|---|
Authors | Tommy Pauly , Paul Wouters | ||
Last updated | 2018-01-22 | ||
Replaces | draft-pauly-ipsecme-split-dns | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews | |||
Additional resources | Mailing list discussion | ||
Stream | WG state | In WG Last Call | |
Document shepherd | David Waltermire | ||
IESG | IESG state | Became RFC 8598 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | David Waltermire <david.waltermire@nist.gov> |
draft-ietf-ipsecme-split-dns-04
Network T. Pauly Internet-Draft Apple Inc. Intended status: Standards Track P. Wouters Expires: July 26, 2018 Red Hat January 22, 2018 Split DNS Configuration for IKEv2 draft-ietf-ipsecme-split-dns-04 Abstract This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that add support for private DNS domains. These domains should be resolved using DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. This approach of resolving a subset of domains using non-public DNS servers is referred to as "Split DNS". Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 26, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Pauly & Wouters Expires July 26, 2018 [Page 1] Internet-Draft Split DNS Configuration for IKEv2 January 2018 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction Split DNS is a common configuration for secure tunnels, such as Virtual Private Networks in which host machines private to an organization can only be resolved using internal DNS resolvers [RFC2775]. In such configurations, it is often desirable to only resolve hosts within a set of private domains using the tunnel, while letting resolutions for public hosts be handled by a device's default DNS configuration. The Internet Key Exchange protocol version 2 [RFC7296] negotiates configuration parameters using Configuration Payload Attribute Types. This document defines two Configuration Payload Attribute Types that add support for trusted Split DNS domains. The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more DNS domains that should be resolved only using the provided DNS nameserver IP addresses, causing these requests to use the IPsec connection. The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust anchors for those domains. Pauly & Wouters Expires July 26, 2018 [Page 2] Internet-Draft Split DNS Configuration for IKEv2 January 2018 When only a subset of traffic is routed into a private network using an IPsec SA, these Configuration Payload options can be used to define which private domains should be resolved through the IPsec connection without affecting the client's global DNS resolution. For the purposes of this document, DNS resolution servers accessible through an IPsec connection will be referred to as "internal DNS servers", and other DNS servers will be referred to as "external DNS servers". A client using these configuration payloads will be able to request and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA configuration attributes. The client device can use the internal DNS server(s) for any DNS queries within the assigned domains. DNS queries for other domains should be send to regular external DNS server. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Background Split DNS is a common configuration for enterprise VPN deployments, in which only one or a few private DNS domains are accessible and resolvable via an IPsec based VPN connection. Other tunnel-establishment protocols already support the assignment of Split DNS domains. For example, there are proprietary extensions to IKEv1 that allow a server to assign Split DNS domains to a client. However, the IKEv2 standard does not include a method to configure this option. This document defines a standard way to negotiate this option for IKEv2. 3. Protocol Exchange In order to negotiate which domains are considered internal to an IKEv2 tunnel, initiators indicate support for Split DNS in their CFG_REQUEST payloads, and responders assign internal domains (and DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS has been negotiated, the existing DNS server configuration attributes will be interpreted as internal DNS servers that can resolve hostnames within the internal domains. Pauly & Wouters Expires July 26, 2018 [Page 3] Internet-Draft Split DNS Configuration for IKEv2 January 2018 3.1. Configuration Request To indicate support for Split DNS, an initiator includes one more INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included in the CFG_REQUEST, the initiator SHOULD also include one or more INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REQUEST. The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually empty but MAY contain a suggested domain name. The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST payload indicates that the initiator does not support or is unwilling to accept Split DNS configuration. To indicate support for DNSSEC, an initiator includes one or more INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attriute is included in the CFG_REQUEST, the initiator SHOULD also include one or more INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. An initiator MAY convey its current DNSSEC trust anchors for the domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does not wish to convey this information, it MUST use a length of 0. The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST payload indicates that the initiator does not support or is unwilling to accept DNSSEC trust anchor configuration. 3.2. Configuration Reply Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is included in the CFG_REPLY, the responder MUST also include one or both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REPLY. These DNS server configurations are necessary to define which servers should receive queries for hostnames in internal domains. If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the initiator should behave as if Split DNS configurations are not supported by the server. Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- zero lengths, the content MAY be ignored or be interpreted as a suggestion by the responder. Pauly & Wouters Expires July 26, 2018 [Page 4] Internet-Draft Split DNS Configuration for IKEv2 January 2018 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, one or more INTERNAL_DNSSEC_TA attributes MAY be included by the responder. This attribute lists the corresponding internal DNSSEC trust anchor in the DNS presentation format of a DS record as specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies to. 3.3. Mapping DNS Servers to Domains All DNS servers provided in the CFG_REPLY MUST support resolving hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a single list of Split DNS domains that applies to the entire list of INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 3.4. Example Exchanges 3.4.1. Simple Case In this example exchange, the initiator requests INTERNAL_IP4_DNS and INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not specify any value for either. This indicates that it supports Split DNS, but has no preference for which DNS requests should be routed through the tunnel. The responder replies with two DNS server addresses, and two internal domains, "example.com" and "city.other.com". Any subsequent DNS queries from the initiator for domains such as "www.example.com" should use 198.51.100.2 or 198.51.100.4 to resolve. CP(CFG_REQUEST) = INTERNAL_IP4_ADDRESS() INTERNAL_IP4_DNS() INTERNAL_DNS_DOMAIN() CP(CFG_REPLY) = INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNS_DOMAIN(city.other.com) Pauly & Wouters Expires July 26, 2018 [Page 5] Internet-Draft Split DNS Configuration for IKEv2 January 2018 3.4.2. Requesting Domains and DNSSEC trust anchors In this example exchange, the initiator requests INTERNAL_IP4_DNS, INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributess in the CFG_REQUEST Any subsequent DNS queries from the initiator for domains such as "www.example.com" or "city.other.com" would be DNSSEC validated using the DNSSEC trust anchor received in the CFG_REPLY In this example, the initiator has no existing DNSSEC trust anchors would the requested domain. the "example.com" dommain has DNSSEC trust anchors that are returned, while the "other.com" domain has no DNSSEC trust anchors CP(CFG_REQUEST) = INTERNAL_IP4_ADDRESS() INTERNAL_IP4_DNS() INTERNAL_DNS_DOMAIN() INTERNAL_DNSSEC_TA() CP(CFG_REPLY) = INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) INTERNAL_DNS_DOMAIN(city.other.com) 4. Payload Formats 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+-------------------------------+ | | ~ Domain Name in DNS presentation format ~ | | +---------------------------------------------------------------+ o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. Pauly & Wouters Expires July 26, 2018 [Page 6] Internet-Draft Split DNS Configuration for IKEv2 January 2018 o Length (2 octets, unsigned integer) - Length of domain name. o Domain Name (0 or more octets) - A Fully Qualified Domain Name used for Split DNS rules, such as example.com, in DNS presentation format and optionally using IDNA [RFC5890] for Internationalized Domain Names. Implementors need to be careful that this value is not null-terminated. 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+---------------+---------------+ | Key Tag | Algorithm | Digest Type | +-------------------------------+---------------+---------------+ | | ~ Digest ~ | | +---------------------------------------------------------------+ o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. o Length (2 octets, unsigned integer) - Length of DNSSEC Trust Anchor data. o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as specified in [RFC4034] Section 5.1 o Algorithm (0 or 1 octet) - DNSKEY algorithm value from the IANA DNS Security Algorithm Numbers Registry o DS algorithm (0 or 1 octet) - DS algorithm value from the IANA Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Registry o Digest (0 or more octets) - The DNSKEY digest as specified in [RFC4034] Section 5.1 in presentation format. 5. Split DNS Usage Guidelines If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS servers as the default DNS server(s) for all queries. Pauly & Wouters Expires July 26, 2018 [Page 7] Internet-Draft Split DNS Configuration for IKEv2 January 2018 If a client is configured by local policy to only accept a limited number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other INTERNAL_DNS_DOMAIN values. For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not prohibited by local policy, the client MUST use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only resolvers for the listed domains and its sub-domains and it MUST NOT attempt to resolve the provided DNS domains using its external DNS servers. If the initiator host is configured to block DNS answers containing IP addresses from special IP address ranges such as those of [RFC1918], the initiator SHOULD allow the DNS domains listed in the INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses. If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes and its local policy does not forbid these values, the client MUST configure its DNS resolver to resolve those domains and all their subdomains using only the DNS resolver(s) listed in that CFG_REPLY message. If those resolvers fail, those names MUST NOT be resolved using any other DNS resolvers. Other domain names SHOULD be resolved using some other external DNS resolver(s), configured independently from IKE. Queries for these other domains MAY be sent to the internal DNS resolver(s) listed in that CFG_REPLY message, but have no guarantee of being answered. For example, if the INTERNAL_DNS_DOMAIN attribute specifies "example.com", then "example.com", "www.example.com" and "mail.eng.example.com" MUST be resolved using the internal DNS resolver(s), but "anotherexample.com" and "ample.com" SHOULD NOT be resolved using the internal resolver and SHOULD use the system's external DNS resolver(s). When an IKE SA is terminated, the DNS forwarding must be unconfigured. The DNS forwarding itself MUST be be deleted. All cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be flushed. This includes negative cache entries. Obtained DNSSEC trust anchors MUST be removed from the list of trust anchors. The outstanding DNS request queue MUST be cleared. INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be used on split tunnel configurations where only a subset of traffic is routed into a private remote network using the IPsec connection. If all traffic is routed over the IPsec connection, the existing global INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating specific DNS exemptions. Pauly & Wouters Expires July 26, 2018 [Page 8] Internet-Draft Split DNS Configuration for IKEv2 January 2018 6. Security Considerations The use of Split DNS configurations assigned by an IKEv2 responder is predicated on the trust established during IKE SA authentication. However, if IKEv2 is being negotiated with an anonymous or unknown endpoint (such as for Opportunistic Security [RFC7435]), the initiator MUST ignore Split DNS configurations assigned by the responder. If a host connected to an authenticated IKE peer is connecting to another IKE peer that attempts to claim the same domain via the INTERNAL_DNS_DOMAIN attribute, the IKE connection should only process the DNS information if the two connections are part of the same logical entity. Otherwise, the client should refuse the DNS information and potentially warn the enduser. INTERNAL_DNSSEC_TA payloads MUST immediately follow an INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself does not contain the domain name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the trust anchor. If the initiator is using DNSSEC validation for a domain in its public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure its DNS resolver to allow for an insecure delegation. It SHOULD NOT accept insecure delegations for domains that are DNSSEC signed in the public DNS view, for which it has not explicitely requested such deletation by specifying the domain specifically using a INTERNAL_DNS_DOMAIN(domain) request. A domain that is served via INTERNAL_DNS_DOMAIN should pay close attention to their use of indirect reference RRtypes such as CNAME, DNAME, MX or SRV records so that resolving works as intended when all, some or none of the IPsec connections are established. The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be passed to another (DNS) program for processing. As with any network input, the content should be considered untrusted and handled accordingly. 7. IANA Considerations This document defines two new IKEv2 Configuration Payload Attribute Types, which are allocated from the "IKEv2 Configuration Payload Attribute Types" namespace. Pauly & Wouters Expires July 26, 2018 [Page 9] Internet-Draft Split DNS Configuration for IKEv2 January 2018 Multi- Value Attribute Type Valued Length Reference ------ ------------------- ------ ---------- --------------- 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] [TBD] INTERNAL_DNSSEC_TA YES 0 or more [this document] Figure 1 8. References 8.1. Normative References [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, <https://www.rfc-editor.org/info/rfc1918>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc- editor.org/info/rfc2119>. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, <https://www.rfc-editor.org/info/rfc4034>. [RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010, <https://www.rfc-editor.org/info/rfc5890>. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, <https://www.rfc-editor.org/info/rfc7296>. 8.2. Informative References [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, DOI 10.17487/RFC2775, February 2000, <https://www.rfc- editor.org/info/rfc2775>. [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014, <https://www.rfc-editor.org/info/rfc7435>. quot;). o RFC Production Center. o RFC Publisher. The RFC Series production and process under this structure is schematically represented by the figure below. (The figure does not depict oversight and escalation relations.) ------ ----- ------ --------- Stream | | | | | | |Community| Pro- | IETF | | IAB | | IRTF | | at | ducers | | | | | | | Large | --^--- --^-- ---^-- ----^---- | | | | | | | | ------- | | | | | Indep.| --v--- ---v--- ---v-- ----v------ | Stream| Stream | | | | | | |Independent| | Edi- | Appro- | IESG | | IAB | | IRSG | |Submission |.....| torial| vers | | | | | | | Editor | | Board | ----^- ---^--- ----^--- ----^------ ------- | | | | | | | | ------- | | | | | RFC | ------ --v--------v----------v-----------v----- | Series| | | | | | Adv. | | IANA | <->| RFC Production Center <---. | Group | | | | | | ------- ------ -----------------^---------------------- | | | | | | ------v------- ------v--------- | | | | | RFC Series | | RFC Publisher |<------->| Editor | | | | | ---------------- -------------- Figure 1: Ordinary RFC Series production and process Kolkman & IAB Informational [Page 5] RFC 5620 RFC Editor Model (Version 1) August 2009 In this model, documents are produced and approved through multiple document streams. The four that now exist are described in [1]. Documents from these streams are edited and processed by the Production Center and published by the Publisher. The RFC Series Editor will exercise executive-level management over many of the activities of the RFC Publisher and the RFC Production Center (which can be seen as back-office functions) and will be the entity that: o Faces the community. o Works with the IAOC for contractual responsibilities. o In collaboration with the RFC Series Advisory Group (RSAG), identifies and leads community discussion of important issues and opportunities facing the RFC Series. while the IAB and IAOC maintain their chartered responsibility. More details about the collaboration with the RSAG and the IAB responsibilities can be found in Section 4.1. The RSE does not have the authority to hire or fire RFC Editor contractors or personnel (see Section 4.1.3). 3.1. RFC Series Editor The RFC Series Editor is an individual who may have assistants and who will regularly be provided support from an advisory group (see Section 4.1). The RSE is responsible for: 1. Identifying appropriate steps for RFC Series continuity; 2. Exercising executive-level management over the implementation of policies, processes, and procedures established to ensure the quality and consistency for the RFC Series. The RFC Series Editor will work with the RSAG, and, where appropriate, the IAB and IAOC to develop new policy and see that contractual agreements are met; 3. Taking proposed changes to the community, and working with the IAB so that the IAB can ensure that there is sufficient community review before significant policies or policy changes are adopted; 4. Coordinating with the IAB and/or IAOC and, together with the IAB and/or IAOC, participating in reviews of the RFC Publisher, RFC Production Center, and Independent Submission Editor functions to ensure the above-mentioned continuity; Kolkman & IAB Informational [Page 6] RFC 5620 RFC Editor Model (Version 1) August 2009 5. Developing, maintaining, and publishing the RFC Style Manual for use by authors, editors, the stream managers, the RFC Production Center, and the RFC Publisher; 6. Managing the RFC errata process; 7. Liaising with the IAB; 8. Overseeing consistency of RFCs with the RFC Series and RFC Style Manual. There are many potential issues with respect to RFC Series continuity. To name a few: look and feel of the series, indexing methodologies, accessibility of the publications, IPR and copyright issues, and formatting issues. After identifying the appropriate steps to address such issues, the implementation of those steps resides mostly with the RFC production and publishing functions. Since the IAOC maintains oversight of the implementation, the RFC Series Editor is expected to be invited and to participate in reviews of that implementation. The RFC Series Editor is a senior technology professional with the following qualifications: 1. Strong understanding of the IETF and RFC process. 2. Executive management experience suitable to managing the requirements outlined elsewhere in this document and the many aspects of this role, and to coordinating the overall RFC Editor process. 3. Good understanding of the English language and technical terminology related to the Internet. 4. Good communication skills. 5. Experience with editorial processes. 6. Independent worker. 7. Experience as an RFC author desired. There are alternative selection methods for selecting the individual to serve as the RFC Series Editor: The first alternative involves a Request for Proposal (RFP) process run by the IAOC. The IAOC would seek a person with the listed qualifications in a broadly distributed RFP. The winner would be Kolkman & IAB Informational [Page 7] RFC 5620 RFC Editor Model (Version 1) August 2009 selected by the IAOC in consultation with the IAB, and then, the IAOC would contract for the services. Contract terms, including length of contract, extensions, and renewals, shall be as provided in the RFP. The opportunity to bid shall be broadly available. Fees and expenses to support the administrative operation of the RFC Series Editor would be part of the awarded contract and be part of the IASA budget. The second alternative involves a nomination and confirmation process. Candidates are nominated, and then an individual with the listed qualifications is selected by the Internet community and confirmed by the IAB. An approach similar to the one used by the IAB to select an IAOC member every other year (as described in Appendix A) will be used. Once the selection is made, a contract will be negotiated between the person selected and the IAOC, following the general model above. Financial compensation and expenses to support the administrative operation of the RFC Series Editor selected in this manner would be part of the IASA budget. Based on an Request for Information (RFI) issued by the IAOC in December 2008, the IAOC recommended that the second alternative is chosen for the selection cycle to be completed in 2009. 3.2. Independent Submission Editor The Independent Submission Editor is an individual who may have assistants and who is responsible for: 1. Maintaining technical quality of the Independent Submission stream. 2. Reviewing, approving, and processing Independent Submissions. 3. Forwarding to the Production Center the Internet-Drafts that have been accepted for publication as RFCs in the Independent Submission Stream. 4. Reviewing and approving RFC errata in Independent Submissions. 5. Coordinating work and conforming to general RFC Series policies as specified by the IAB and RSE. 6. Providing statistics and documentation as requested by the RSE and/or IAOC. The Independent Submission Editor is a senior position for which the following qualifications are desired: Kolkman & IAB Informational [Page 8] RFC 5620 RFC Editor Model (Version 1) August 2009 1. Technical competence, i.e., broad technical experience and perspective across the whole range of Internet technologies and applications, and specifically, the ability to work effectively with portions of that spectrum in which no personal expertise exists. 2. Thorough familiarity with the RFC series. 3. An ability to define and constitute advisory and document review arrangements. If those arrangements include an Editorial Board similar to the current one or some equivalent arrangement, assess the technical competence of potential Editorial Board members. 4. Good standing in the technical community, in and beyond the IETF. 5. Demonstrated editorial skills, good command of the English language, and demonstrated history of being able to work effectively with technical documents and materials created by others. 6. The ability to work effectively in a multi-actor environment with divided authority and responsibility similar to that described in this document. The Independent Submission Editor may seek support from an advisory board (see Section 4.2) and may form a team to perform the activities needed to fulfill their responsibilities. The individual with the listed qualifications will be selected by the IAB after input is collected from the community. An approach similar to the one used by the IAB to select an IAOC member every other year (as described in Appendix A) should be used. While the ISE itself is considered a volunteer function, the IAB considers maintaining the Independent Submission stream within the RFC Series part of the IAB's supported activities, and will include the expenses made for the support of the ISE in its IASA-supported budget. 3.3. RFC Production Center RFC Production is performed by a paid contractor, and the contractor responsibilities include: 1. Editing inputs from all RFC streams to comply with the RFC Style Manual; 2. Creating records of edits performed on documents; Kolkman & IAB Informational [Page 9] RFC 5620 RFC Editor Model (Version 1) August 2009 3. Identifying where editorial changes might have technical impact and seeking necessary clarification; 4. Engaging in dialogue with authors, document shepherds, IANA, and/or stream-dependent contacts when clarification is needed; 5. Creating records of dialogue with document authors; 6. Requesting advice from the RFC Series Editor as needed; 7. Providing suggestions to the RFC Series Editor as needed; 8. Coordinating with IANA to perform protocol parameter registry actions; 9. Assigning RFC numbers; 10. Establishing publication readiness of each document through communication with the authors, document shepherds, IANA and/or stream-dependent contacts, and, if needed, with the RFC Series Editor; 11. Forwarding ready-to-publish documents to the RFC Publisher; 12. Forwarding records of edits and author dialogue to the RFC Publisher so these can be preserved; 13. Liaising with IESG and IAB. The RFC Production Center contractor is to be selected by the IAOC through an RFP process. The IAOC will seek a bidder who, among other things, is able to provide a professional, quality, timely, and cost- effective service against the established style and production guidelines. Contract terms, including length of contract, extensions and renewals, shall be as defined in an RFP. The opportunity to bid shall be broadly available. As described in Section 3.1, this model allows the IAOC to recommend the RSE position to be selected through an RFP process. In that case, the model also allows combining the RFC Production Center bid with the RSE bid. For 2009, the recommendation was made that the RSE is selected through an IAB-led selection process. Kolkman & IAB Informational [Page 10] RFC 5620 RFC Editor Model (Version 1) August 2009Pauly & Wouters Expires July 26, 2018 [Page 10] Internet-Draft Split DNS Configuration for IKEv2 January 2018 Authors' Addresses Tommy Pauly Apple Inc. 1 Infinite Loop Cupertino, California 95014 US Email: tpauly@apple.com Paul Wouters Red Hat Email: pwouters@redhat.com Pauly & Wouters Expires July 26, 2018 [Page 11]