On Thu, Jul 02, 2015 at 10:09:46PM +0300, Yoav Nir wrote:

> > At the end of the day though, IPSEC needs to apply policy to
> > application traffic presented to the kernel (almost universally)
> > via the socket API. The socket API gives the kernel a transport
> > endpoint UDP/192.0.2.5/53, how is the kernel to decide whether to
> > use Mallory's keys for that same address or Alice's.
>
> Host to host IPsec is very rare. VPNs are far more common and the packets
> don't get there by a socket API.
The attack I had in mind is not an attack on VPNs. It is an attack on
IPSEC in transport mode. If you want to use DANE as a PKI for VPN tunnel
key management (where both the gateway IP and the key material are
provided via DNSSEC), that should work. The hard part is the
transport-mode use-case.

So we were talking past each other. You were thinking tunnels, and I was
thinking transport. DANE for VPN tunnels should be simple enough as you
suggest, and can simplify key management.

-- 
	Viktor.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane