On Thu, Jul 02, 2015 at 05:13:01PM +0300, Yoav Nir wrote:

> The IPsec entity will resolve this FQDN with DNSSEC, yielding both an IP
> address and a DANE record. The DANE record can be used to identify the
> certificate or raw public key used in IKE.

What prevents IP address hijacking (mallory.example publishes
alice.example's IP address and now mallory's IPSEC keys are used
to encrypt traffic to alice)?

I thought that Paul Wouters is working on a more comprehensive
specification, IIRC in an IPSEC working group where it can get
better informed review.  This is much more of an IPSEC design
problem, than a DANE design problem.

Once the IPSEC parts are in good shape, perhaps the document can
be discussed here for any final DANE-specific issues (details of
just the DANE RRset used for the document).

-- 
        Viktor.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
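
The hijack Viktor asks about, modelled as an added example (not code from the draft, the IETF, or anyone in this thread): a DNSSEC-validated lookup of an FQDN yields an address and a DANE-style key record, so the owner of mallory.example can sign a zone that carries alice.example's address next to mallory's key. The zone data, the RRset type, and the reverse-zone confirmation check are all constructed for this illustration; the draft under discussion specifies no such check.

```python
# Added illustration, not the draft's or the IETF's code: a toy model of the
# forward-only name -> (address, key) binding in the quoted text, showing why
# the owner of one name can steer traffic for someone else's address.
# All zone data below is constructed.

from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class RRset:
    """What a DNSSEC-validated lookup of one FQDN returns in this model."""
    address: str   # the A/AAAA record the name owner published
    key: str       # the DANE-style record identifying the IKE key


# Constructed forward zones.  DNSSEC proves that each owner signed its own
# data; it says nothing about whether the owner is entitled to the address.
FORWARD: Dict[str, RRset] = {
    "alice.example":   RRset("192.0.2.10", "alice-ike-key"),
    # mallory.example is a valid, correctly signed zone that simply claims
    # alice's address and pairs it with mallory's key.
    "mallory.example": RRset("192.0.2.10", "mallory-ike-key"),
}

# Constructed reverse zone, controlled by the address holder rather than by
# arbitrary name owners.  Used only by the confirming lookup below.
REVERSE: Dict[str, str] = {
    "192.0.2.10": "alice.example",
}


def forward_only(fqdn: str) -> Optional[Tuple[str, str]]:
    """The binding as described: name -> (address, key), nothing else checked."""
    rr = FORWARD.get(fqdn)
    return None if rr is None else (rr.address, rr.key)


def peer_keys_by_address(names: Iterable[str]) -> Dict[str, str]:
    """An IPsec entity that learns peers by name but keys its SAs by
    destination address.  With forward-only bindings, whichever name is
    processed last decides which key protects traffic to that address."""
    table: Dict[str, str] = {}
    for name in names:
        result = forward_only(name)
        if result is not None:
            address, key = result
            table[address] = key
    return table


def forward_confirmed(fqdn: str) -> Optional[Tuple[str, str]]:
    """One possible check (an assumption of this example, not something the
    quoted draft specifies): accept the binding only if the address holder's
    reverse zone names the same FQDN."""
    result = forward_only(fqdn)
    if result is None:
        return None
    address, _key = result
    if REVERSE.get(address) != fqdn:
        return None
    return result


if __name__ == "__main__":
    # Hijack: alice's address ends up keyed with mallory's key.
    print(peer_keys_by_address(["alice.example", "mallory.example"]))
    # With reverse confirmation, mallory's claim is rejected, alice's accepted.
    print(forward_confirmed("mallory.example"), forward_confirmed("alice.example"))
```

The reverse confirmation only relocates the trust: it makes the holder of the reverse zone for the address, rather than any name owner, the party who decides which key belongs to that address, which is closer to the question an IPsec peer actually needs answered.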