Host Identity Protocol (HIP) Domain Name System (DNS) Extensions
RFC 5205

Document type: RFC - Experimental (April 2008; No errata)
Obsoleted by: RFC 8005
Was: draft-ietf-hip-dns (hip WG)
Authors: Pekka Nikander, Julien Laganier
Last updated: 2019-12-21
Stream: IETF
WG state: (None)
Document shepherd: No shepherd assigned
IESG state: RFC 5205 (Experimental)
Action Holders: (None)
Consensus Boilerplate: Unknown
Responsible AD: Mark Townsley
Send notices to: (None)
Network Working Group                                        P. Nikander
Request for Comments: 5205                   Ericsson Research NomadicLab
Category: Experimental                                       J. Laganier
                                                        DoCoMo Euro-Labs
                                                              April 2008

      Host Identity Protocol (HIP) Domain Name System (DNS) Extension

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   This document specifies a new resource record (RR) for the Domain
   Name System (DNS), and how to use it with the Host Identity Protocol
   (HIP).  This RR allows a HIP node to store in the DNS its Host
   Identity (HI, the public component of the node public-private key
   pair), Host Identity Tag (HIT, a truncated hash of its public key),
   and the Domain Names of its rendezvous servers (RVSs).

Nikander & Laganier           Experimental                      [Page 1]
RFC 5205                   HIP DNS Extension                  April 2008

Table of Contents

   1.  Introduction ................................................. 3
   2.  Conventions Used in This Document ............................ 3
   3.  Usage Scenarios .............................................. 4
     3.1.  Simple Static Singly Homed End-Host ...................... 5
     3.2.  Mobile end-host .......................................... 6
   4.  Overview of Using the DNS with HIP ........................... 8
     4.1.  Storing HI, HIT, and RVS in the DNS ...................... 8
     4.2.  Initiating Connections Based on DNS Names ................ 8
   5.  HIP RR Storage Format ........................................ 9
     5.1.  HIT Length Format ........................................ 9
     5.2.  PK Algorithm Format ...................................... 9
     5.3.  PK Length Format ........................................ 10
     5.4.  HIT Format .............................................. 10
     5.5.  Public Key Format ....................................... 10
     5.6.  Rendezvous Servers Format ............................... 10
   6.  HIP RR Presentation Format .................................. 10
   7.  Examples .................................................... 11
   8.  Security Considerations ..................................... 12
     8.1.  Attacker Tampering with an Insecure HIP RR .............. 12
     8.2.  Hash and HITs Collisions ................................ 13
     8.3.  DNSSEC .................................................. 13
   9.  IANA Considerations ......................................... 13
   10. Acknowledgments ............................................. 14
   11. References .................................................. 14
     11.1. Normative references .................................... 14
     11.2. Informative references .................................. 15

1.  Introduction

   This document specifies a new resource record (RR) for the Domain
   Name System (DNS) [RFC1034], and how to use it with the Host Identity
   Protocol (HIP) [RFC5201].  This RR allows a HIP node to store in the
   DNS its Host Identity (HI, the public component of the node
   public-private key pair), Host Identity Tag (HIT, a truncated hash of
   its HI), and the Domain Names of its rendezvous servers (RVSs)
   [RFC5204].

   Currently, most of the Internet applications that need to communicate
   with a remote host first translate a domain name (often obtained via
   user input) into one or more IP address(es).  This step occurs prior
   to communication with the remote host, and relies on a DNS lookup.

   With HIP, IP addresses are intended to be used mostly for on-the-wire
   communication between end hosts, while most Upper Layer Protocols
   (ULP) and applications use HIs or HITs instead (ICMP might be an
   example of an ULP not using them).  Consequently, we need a means to
   translate a domain name into an HI.  Using the DNS for this
   translation is pretty straightforward: We define a new HIP resource
   record.  Upon query by an application or ULP for a name to IP address
   lookup, the resolver would then additionally perform a name to HI
   lookup, and use it to construct the resulting HI to IP address
   mapping (which is internal to the HIP layer).  The HIP layer uses the
   HI to IP address mapping to translate HIs and HITs into IP addresses
   and vice versa.

   The HIP Rendezvous Extension [RFC5204] allows a HIP node to be
   reached via the IP address(es) of a third party, the node's
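The following is an added example, not code from the RFC: it serializes and parses the HIP RR RDATA whose fields the Table of Contents lists (HIT length, PK algorithm, PK length, HIT, public key, rendezvous server names) and renders the presentation form, rejecting truncated records and compressed RVS names. The HIT, key bytes and RVS names are constructed sample values, and the ORCHID prefix check on the HIT comes from RFC 4843/RFC 5201 rather than from this page.

```python
import base64
import struct
# Constructed sample values (not from the RFC): a HIT in the ORCHID range and a placeholder HI.
SAMPLE_HIT = bytes.fromhex("200100107b1a74df365639cc39f1d578")
SAMPLE_HI = bytes(range(1, 33))          # stands in for a DNSKEY-format RSA key
SAMPLE_RVS = ["rvs1.example.com.", "rvs2.example.net."]
PK_ALG_RSA = 2                            # RFC 5205 PK algorithm values: 1 = DSA, 2 = RSA

def encode_name(name):
    """Encode an FQDN as uncompressed DNS wire-format labels (RFC 1035)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def build_hip_rdata(hit, pk_alg, hi, rvs_names):
    """HIP RDATA: HIT length(1) | PK algorithm(1) | PK length(2) | HIT | HI | RVS names."""
    header = struct.pack("!BBH", len(hit), pk_alg, len(hi))
    return header + hit + hi + b"".join(encode_name(n) for n in rvs_names)

def parse_hip_rdata(rdata):
    """Parse and validate HIP RDATA; raises ValueError on malformed input."""
    if len(rdata) < 4 or 4 + rdata[0] + int.from_bytes(rdata[2:4], "big") > len(rdata):
        raise ValueError("RDATA too short for its header, HIT and PK lengths")
    hit_len, pk_alg, pk_len = struct.unpack("!BBH", rdata[:4])
    end = 4 + hit_len + pk_len
    hit, hi = rdata[4:4 + hit_len], rdata[4 + hit_len:end]
    # HITs are ORCHIDs (RFC 4843): 128 bits under the 2001:10::/28 prefix.
    if hit_len != 16 or int.from_bytes(hit[:4], "big") >> 4 != 0x2001001:
        raise ValueError("HIT is not a 16-octet ORCHID")
    pos, names = end, []
    while pos < len(rdata):               # RVS names: wire format, never compressed
        labels = []
        while True:
            if pos >= len(rdata):
                raise ValueError("truncated rendezvous server name")
            ll, pos = rdata[pos], pos + 1
            if ll == 0:
                break
            if ll & 0xC0 or pos + ll > len(rdata):
                raise ValueError("bad label (compression pointer or overrun)")
            labels.append(rdata[pos:pos + ll].decode("ascii"))
            pos += ll
        names.append(".".join(labels) + ".")
    return {"hit": hit, "pk_alg": pk_alg, "hi": hi, "rvs": names}

def to_presentation(rec):
    """RFC 5205 presentation: pk-algorithm, HIT in hex, HI in base64, then RVS names."""
    return " ".join([str(rec["pk_alg"]), rec["hit"].hex().upper(),
                     base64.b64encode(rec["hi"]).decode("ascii")] + rec["rvs"])
```

A resolver that accepts the parsed HI still has to verify that the HIT is the hash of that HI, since without DNSSEC (Section 8) both fields can be replaced together.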