Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

On Oct 26, 2011, at 7:00 AM, Stephen Hanna wrote:

> I'm concerned about using DNS as the introducer here. Doing this
> securely requires DNS records to be updated, signed, and distributed
> whenever a new "satellite" gateway or host arrives or departs.
> That's cumbersome, expensive, and complex since it requires
> interfacing the IPsec and DNSSEC infrastructure and lots of
> resigning.
>
> The core IPsec gateway already knows all the information necessary
> to establish a secure direct connection between satellites and
> there's already a secure connection between the core and the
> satellites. Why not use that connection to distribute the information
> directly from the core to the satellites?

+1. Putting in a dependency not only on DNS, but DNSSEC, seems odd here. If there is already a trusted introducer here, use it. The use case for RFC 4322, opportunistic encryption (and thus no trusted introducer), is quite different than the one being proposed here.

--Paul Hoffman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

• This message: [ Message body ]
• Next message: Galina Pildush: "Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement"
• Previous message: Stephen Hanna: "Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement"
• In reply to: Stephen Hanna: "Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement"
• Next in thread: Galina Pildush: "Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement"
• Reply: Galina Pildush: "Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]