On 9/29/2013 3:23 PM, [email protected] wrote:
> There's not much to it... Basically, we have three independent groups who have
> certificate-based IPSec (on IPv6), and now they'd like occasionally to connect
> to each other. The obvious solution is to cross-sign certificates, but we have
> also recently implemented DNSSEC, so I was wondering if there was a
> better/another way. Or maybe: I have a shiny new hammer called DNSSEC, and a
> lot of things are starting to look like nails.
I think the same.
DNSSEC, especially combined with DANE, makes a lot of things begin to
look like nails.
A nice example, when combined with PGP-DNS and IPsec, would be trivial
VoIP encryption.
> In terms of getting IPSec based off DNSSEC, the two RFCs 4025 and 4322 actually
> do pretty much what I want (plus or minus that it'll look very different to the
> way I am configuring TLS DANE). I am going to see if I can get those to work.
> For the other things that were talked about:
> Mobile devices and NATs - It is true that reverse lookup is inappropriate for
> these scenarios, but ultimately this is just a rejig of the problem that the
> incoming IP address is not particularly useful in these scenarios. If a server
> wishes to verify such connecting clients, it'll have to choose something else
> as an identifier (and thus it falls back into the traditional CA/Kerberos setup).
> Reverse DNS being poorly supported by ISPs - To be honest, this is less of a problem for
> me as I only have an internal deployment, so I can do what I like (in-addr.arpa is
> ultimately just a convention; anyone could run a reverse DNS system that actually works
> properly). Most of my IP addresses are not routable from the public internet anyway. It
> did lead me to the somewhat more philosophical question of what it means to
> "own" an IP address if I can't associate my public keys with a secure central
> registry...
Where did you get a silly idea like that? Obviously ICANN and the
largest carriers own them.
If we based IP ownership on SHA-3-512 hashes of PGP certs, however...
but I doubt anyone would go along with that.
> So I think that the answer is that I can do this with existing technology, with some
> basic restrictions in that I'll need to be running my own reverse DNS lookup for my
> deployment - which seems entirely sensible as I want to have control over which IP
> addresses "exist" in my environment.
This sort of thinking makes me reconsider the concept of community
petnaming.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
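The thread talks about publishing IPsec keys in reverse DNS per RFC 4025 (the IPSECKEY record) and looking them up by the peer's IPv6 address. The following is an added example, not code from either correspondent: it builds the ip6.arpa owner name for an IPv6 address, and encodes and decodes IPSECKEY RDATA in the wire format RFC 4025 defines (precedence, gateway type, algorithm, gateway, public key), rejecting records whose fields disagree. The addresses, hostname and key bytes are constructed sample values, and the two-byte helper names are this example's own.

```python
import base64
import ipaddress
import struct

# Gateway type values from RFC 4025 section 2.3
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
# Algorithm values from RFC 4025 section 2.4
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2


def ip6_reverse_name(addr: str) -> str:
    """ip6.arpa owner name for an IPv6 address: one hex nibble per label,
    least significant nibble first. This is where a host's IPSECKEY would live."""
    nibbles = ipaddress.IPv6Address(addr).packed.hex()  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def _encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (RFC 4025 forbids compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def _decode_name(data: bytes, pos: int):
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated gateway name")
        length = data[pos]
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", pos
        if length > 63:
            raise ValueError("compression pointer not allowed in IPSECKEY gateway")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length


def build_ipseckey_rdata(precedence: int, gw_type: int, algorithm: int,
                         gateway, pubkey: bytes) -> bytes:
    """Encode IPSECKEY RDATA. gateway is None, an IPv4/IPv6 literal or a name."""
    if gw_type == GW_NONE:
        gw = b""
    elif gw_type == GW_IPV4:
        gw = ipaddress.IPv4Address(gateway).packed
    elif gw_type == GW_IPV6:
        gw = ipaddress.IPv6Address(gateway).packed
    elif gw_type == GW_NAME:
        gw = _encode_name(gateway)
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    if (algorithm == ALG_NONE) != (len(pubkey) == 0):
        raise ValueError("algorithm 0 must carry no key, other algorithms must")
    return struct.pack("!BBB", precedence, gw_type, algorithm) + gw + pubkey


def parse_ipseckey_rdata(rdata: bytes) -> dict:
    """Decode IPSECKEY RDATA, checking that field lengths match the gateway type."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short")
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    pos = 3
    if gw_type == GW_NONE:
        gateway = None
    elif gw_type == GW_IPV4:
        if len(rdata) < pos + 4:
            raise ValueError("truncated IPv4 gateway")
        gateway = str(ipaddress.IPv4Address(rdata[pos:pos + 4]))
        pos += 4
    elif gw_type == GW_IPV6:
        if len(rdata) < pos + 16:
            raise ValueError("truncated IPv6 gateway")
        gateway = str(ipaddress.IPv6Address(rdata[pos:pos + 16]))
        pos += 16
    elif gw_type == GW_NAME:
        gateway, pos = _decode_name(rdata, pos)
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    pubkey = rdata[pos:]
    if (algorithm == ALG_NONE) != (len(pubkey) == 0):
        raise ValueError("algorithm/public key mismatch")
    return {"precedence": precedence, "gateway_type": gw_type,
            "algorithm": algorithm, "gateway": gateway, "public_key": pubkey}


def to_presentation(rec: dict) -> str:
    """Zone-file text form: precedence gw-type algorithm gateway base64-key."""
    gw = "." if rec["gateway"] is None else rec["gateway"]
    key = base64.b64encode(rec["public_key"]).decode("ascii")
    return "%d %d %d %s %s" % (rec["precedence"], rec["gateway_type"],
                               rec["algorithm"], gw, key)


if __name__ == "__main__":
    # Constructed sample: a host whose IPsec gateway is itself, with a dummy key.
    rd = build_ipseckey_rdata(10, GW_IPV6, ALG_RSA, "2001:db8::1", b"\x01\x02\x03")
    print(ip6_reverse_name("2001:db8::1"), "IN IPSECKEY", to_presentation(parse_ipseckey_rdata(rd)))
```

The length checks matter because a resolver that trusts DNSSEC-signed data still has to parse it defensively; a record with a gateway type that does not match its gateway length, or an algorithm that promises a key it does not carry, is rejected rather than silently misread as a key.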