ipsec October 2011 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs

Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem Statement

From: Paul Hoffman <paul.hoffman_at_nospam>
Date: Wed Oct 26 2011 - 14:40:35 GMT
To: IPsecme WG <ipsec@ietf.org>

On Oct 26, 2011, at 7:00 AM, Stephen Hanna wrote:

> I'm concerned about using DNS as the introducer here. Doing this
> securely requires DNS records to be updated, signed, and distributed
> whenever a new "satellite" gateway or host arrives or departs.
> That's cumbersome, expensive, and complex since it requires
> interfacing the IPsec and DNSSEC infrastructure and lots of
> resigning.
> The core IPsec gateway already knows all the information necessary
> to establish a secure direct connection between satellites and
> there's already a secure connection between the core and the
> satellites. Why not use that connection to distribute the information
> directly from the core to the satellites?

+1. Putting in a dependency not only on DNS, but DNSSEC, seems odd here. If there is already a trusted introducer here, use it. The use case for RFC 4322, opportunistic encryption (and thus no trusted introducer), is quite different than the one being proposed here.

--Paul Hoffman

IPsec mailing list