On Thu, Jul 02, 2015 at 11:09:02AM -0400, Paul Wouters wrote:

> On Thu, 2 Jul 2015, Viktor Dukhovni wrote:
> 
> >>The IPsec entity will resolve this FQDN with DNSSEC, yielding both an IP
> >>address and a DANE record. The DANE record can be used to identify the
> >>certificate or raw public key used in IKE.
> >
> >What prevents IP address hijacking (mallory.example publishes
> >alice.example's IP address and now mallory's IPSEC keys are used
> >to encrypt traffic to alice)?
> 
> This is the biggest problem yes. At best, you can detect you got
> two different IPsec pubkeys for the same IP (say 8.8.8.8) and
> then you have to disconnect both to prevent encrypting to the attacker.

I also thought that Nico had some ideas about extending the socket
API so that one could associate a socket endpoint with a "domain",
not an IP address, and some sort of "connection latching", but I
am just repeating terms I don't fully understand.

Anyway, my takeaway was that this is a difficult problem, and that the
DNS keying records were not the difficult parts, so I think that
perhaps this work is best done elsewhere.

-- 
        Viktor.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
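
The detection described in the quoted reply above (two different IPsec public keys published for the same IP address, after which both are dropped), as an added sketch that is not part of the thread or of any IPsec implementation. `PeerTable`, `learn`, `conflicts`, the action strings and the sample names, addresses and keys are hypothetical, and keeping the address blocked once a conflict is seen is an assumption.

```python
import hashlib
from dataclasses import dataclass, field


def key_id(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint used to compare published keys."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class PeerTable:
    # ip -> {fqdn: key fingerprint} for every DNSSEC-validated claim seen
    claims: dict = field(default_factory=dict)
    # IPs with a tunnel up, and IPs quarantined after a conflict (assumed policy)
    active: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def learn(self, fqdn: str, ip: str, pubkey: bytes) -> str:
        """Record a validated (fqdn, ip, key) claim; return the action taken."""
        names = self.claims.setdefault(ip, {})
        names[fqdn] = key_id(pubkey)  # a re-published key for one name replaces the old one
        if ip in self.blocked:
            return "refuse"
        if len(set(names.values())) > 1:
            # Two keys for one IP: DNSSEC validates both names, so the
            # resolver cannot tell which one really owns the address.
            self.active.discard(ip)
            self.blocked.add(ip)
            return "teardown"
        self.active.add(ip)
        return "establish"

    def conflicts(self, ip: str) -> dict:
        """Names and key fingerprints competing for a blocked IP (for logging)."""
        return dict(self.claims.get(ip, {})) if ip in self.blocked else {}


if __name__ == "__main__":
    # Constructed sample data: documentation address range, dummy key bytes.
    table = PeerTable()
    for name, ip, key in [
        ("alice.example", "192.0.2.10", b"alice-key"),
        ("www.alice.example", "192.0.2.10", b"alice-key"),  # alias, same key
        ("mallory.example", "192.0.2.10", b"mallory-key"),  # hijack claim
        ("alice.example", "192.0.2.10", b"alice-key"),      # retry after conflict
    ]:
        print(name, ip, table.learn(name, ip, key))
    print(table.conflicts("192.0.2.10"))
```

The sketch shows the cost of this approach: a single conflicting record takes the legitimate peer's tunnel down too.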
