On Thu, Jul 02, 2015 at 10:09:46PM +0300, Yoav Nir wrote:

> > At the end of the day though, IPSEC needs to apply policy to
> > application traffic presented to the kernel (almost universally)
> > via the socket API.  The socket API gives the kernel a transport
> > endpoint UDP/192.0.2.5/53, how is the kernel to decide whether to
> > use Mallory's keys for that same address or Alice's.
> 
> Host to host IPsec is very rare. VPNs are far more common and the packets
> don't get there by a socket API.

The attack I had in mind is not an attack on VPNs.  It is an attack
on IPSEC in transport mode.  If you want to use DANE as a PKI for
VPN tunnel key management (where both the gateway IP and the key
material are provided via DNSSEC), that should work.

The hard part is the transport-mode use-case.

So we were talking past each other.  You were thinking tunnels,
and I was thinking transport.

DANE for VPN tunnels should be simple enough as you suggest,
and can simplify key management.

-- 
        Viktor.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane