I'm concerned about using DNS as the introducer here. Doing this
securely requires DNS records to be updated, signed, and distributed
whenever a new "satellite" gateway or host arrives or departs.
That's cumbersome, expensive, and complex since it requires
interfacing the IPsec and DNSSEC infrastructure and lots of
resigning.

The core IPsec gateway already knows all the information necessary
to establish a secure direct connection between satellites and
there's already a secure connection between the core and the
satellites. Why not use that connection to distribute the information
directly from the core to the satellites?

Whatever technology is decided upon, my employer (Juniper Networks)
sees a need for dynamically established "peer-to-peer" VPNs and
supports efforts to create standards in this area and to get
widespread adoption of those standards.

Thanks,

Steve Hanna
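As an added illustration of the "core as introducer" idea in the message above (this is example code written for this page, not code from the thread, from Juniper, or from any IETF draft): a toy Python model in which the core gateway pushes a versioned, authenticated peer table to each satellite over the channel it already has, so no DNS record has to be updated or re-signed when a satellite arrives or departs. The per-satellite `channel_key` standing in for the existing core-to-satellite IPsec SA, the HMAC framing, the sequence-number freshness check, and all names, addresses and key strings are constructed assumptions.

```python
import hmac
import hashlib
import json

# Toy model: the core gateway, which already has an authenticated channel to
# every satellite, distributes the peer table itself instead of publishing it
# through DNS/DNSSEC. `channel_key` is a constructed stand-in for the existing
# core<->satellite security association; a real deployment would send this
# over the IPsec tunnel (or inside IKE) rather than MAC it by hand.

def _mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class CoreGateway:
    def __init__(self):
        self.satellites = {}    # name -> {"endpoint": ..., "pubkey": ...}
        self.channel_keys = {}  # name -> key of the core<->satellite channel
        self.seq = 0            # monotonically increasing table version

    def register(self, name, endpoint, pubkey, channel_key):
        # A new satellite shows up: only the core's table changes, no DNS.
        self.satellites[name] = {"endpoint": endpoint, "pubkey": pubkey}
        self.channel_keys[name] = channel_key

    def deregister(self, name):
        self.satellites.pop(name, None)
        self.channel_keys.pop(name, None)

    def introduce(self, target):
        """Build the current peer table for `target`, versioned and MACed
        with the key of the core<->target channel."""
        self.seq += 1
        peers = {n: info for n, info in self.satellites.items() if n != target}
        body = {"to": target, "seq": self.seq, "peers": peers}
        payload = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "mac": _mac(self.channel_keys[target], payload)}


class SatelliteAgent:
    def __init__(self, name, channel_key):
        self.name = name
        self.channel_key = channel_key
        self.peers = {}
        self.last_seq = 0

    def receive(self, msg):
        """Accept a peer table only if it came from the core over our channel,
        is addressed to us, and is newer than what we already hold."""
        body = msg["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        if not hmac.compare_digest(_mac(self.channel_key, payload), msg["mac"]):
            return False  # not from the core, or tampered with
        if body["to"] != self.name or body["seq"] <= self.last_seq:
            return False  # misdirected, or a stale/replayed table
        self.last_seq = body["seq"]
        self.peers = body["peers"]
        return True


if __name__ == "__main__":
    core = CoreGateway()
    # Constructed sample satellites (RFC 5737 documentation addresses).
    core.register("alpha", "192.0.2.1", "PK-alpha", b"k-alpha")
    core.register("beta", "192.0.2.2", "PK-beta", b"k-beta")
    alpha = SatelliteAgent("alpha", b"k-alpha")
    print(alpha.receive(core.introduce("alpha")), sorted(alpha.peers))
```

The two checks in `receive` are the ones that matter for a hub-based introducer: the MAC ties the table to the existing core-to-satellite association, and the sequence number ensures a departed satellite cannot be re-introduced by replaying an older table.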

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
> Of Yoav Nir
> Sent: Tuesday, October 25, 2011 4:40 AM
> To: 'Michael Richardson'; ipsec@ietf.org
> Cc: Ulliott, Chris
> Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs
> Problem Statement
> 
> Chris' case is a little different, because he is willing to do some
> work to establish trust between the two administrative domains, so it's
> not really opportunistic (although doing it with OE might be a
> solution)
> 
> So there could be some "hub gateway" that could do the introducing,
> perhaps over IPsec or IKE.
> 
> On the one hand, if DNS works and everybody already has a DNS resolver,
> it may be better to use that than to invent a new mechanism. OTOH if I
> didn't like inventing new mechanisms, I wouldn't be participating in
> the IETF.
> 
> 
> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
> Of Michael Richardson
> Sent: 24 October 2011 16:01
> To: ipsec@ietf.org
> Cc: Ulliott, Chris
> Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs
> Problem Statement
> 
> 
> I was not intending to be, (I have no ticket as yet), but plans might
> change.
> It seems like Chris has all of the requirements of OE, and there are all
> of the challenges.  IPv6 and homenet might well provide FQDNs for
> hosts, and a trusted path to update the reverse.
> 
> If DNS does not work for you, then you need another trusted introducer,
> and there have been many proposals out there for doing this kind of
> thing.  None have taken off and hit the elbow of exponential growth.
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec