|Main Archive Page > Month Archives > ipsec archives|
On Oct 26, 2011, at 7:00 AM, Stephen Hanna wrote:
> I'm concerned about using DNS as the introducer here. Doing this
> securely requires DNS records to be updated, signed, and distributed
> whenever a new "satellite" gateway or host arrives or departs.
> That's cumbersome, expensive, and complex since it requires
> interfacing the IPsec and DNSSEC infrastructure and lots of
> The core IPsec gateway already knows all the information necessary
> to establish a secure direct connection between satellites and
> there's already a secure connection between the core and the
> satellites. Why not use that connection to distribute the information
> directly from the core to the satellites?
+1. Putting in a dependency not only on DNS, but DNSSEC, seems odd here. If there is already a trusted introducer here, use it. The use case for RFC 4322, opportunistic encryption (and thus no trusted introducer), is quite different than the one being proposed here.
IPsec mailing list