On Thu, Jul 02, 2015 at 11:09:02AM -0400, Paul Wouters wrote: > On Thu, 2 Jul 2015, Viktor Dukhovni wrote: > > >>The IPsec entity will resolve this FQDN with DNSSEC, yielding both an IP > >>address and a DANE record. The DANE record can be used to identify the > >>certificate or raw public key used in IKE. > > > >What prevents IP address hijacking (mallory.example publishes > >alice.example's IP address and now mallory's IPSEC keys are used > >to encrypt traffic to alice)? > > This is the biggest problem yes. At best, you can detect you got > two different IPsec pubkeys for the same IP (say 8.8.8.8) and > then you have to disconnect both to prevent encrypting to the attacker.
I also thought that Nico had some ideas about extending the socket API so that one could associate a socket endpoint with a "domain", not an IP address, and some sort of "connection latching", but I am just repeating terms I don't fully understand. Anyway, my takeway was that this a difficult problem, and that the DNS keying records were not the difficult parts, so I think that perhaps this work is best done elsewhere. -- Viktor. _______________________________________________ dane mailing list dane@ietf.org https://www.ietf.org/mailman/listinfo/dane