On 11/7/11 9:44 PM, "Michael Richardson" <m...@sandelman.ca> wrote:
> >>>>> "Praveen" == Praveen Sathyanarayan <pravee...@juniper.net> writes:
>     Praveen> In this solution, HUB is the trust entity that all spokes
>     Praveen> establish a static IPsec tunnel with (either using a site-to-site
>     Praveen> tunnel, or the spoke establishes a dynamic remote access tunnel with
>     Praveen> the hub). When the tunnel is established, the spoke will exchange
>
> So... you have a trusted third party: DNS server on HUB.
> If you talk to it over IPsec, you are as secure as DNSSEC, but you have
> perhaps less resiliency.

I don't see how DNS figures into this. We have three gateways:

- hub-gw, which knows the protected domains of everyone
- spoke32, which protects 192.168.32.0/24, knows about hub-gw, and sends all 192.168.0.0/16 to hub-gw.
- spoke79, which protects 192.168.79.0/24, knows about hub-gw, and sends all 192.168.0.0/16 to hub-gw.

Host 192.168.79.5 sends a packet to 192.168.32.8. Spoke79 tries to create a child SA with hub-gw. Hub-gw tells spoke79 that that address can be reached through a gateway that will present a certificate with CN=spoke32 and protect 192.168.32.0/24. A similar message is sent to spoke32 about spoke79. Or maybe it generates a shared secret for them.

Either way, spoke32 and spoke79 can then communicate directly. And no DNS.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
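As an added illustration (not code from this thread or from any vendor's implementation), here is a constructed Python model of the referral Yoav describes: hub-gw's lookup of which gateway protects a destination, plus the check a spoke should make before trusting the shortcut peer, namely that the certificate CN presented matches the one the hub named and that the peer's traffic selector stays within the prefix the hub authorized. The names HUB_TABLE, hub_referral and accept_shortcut are assumptions.

```python
import ipaddress

# Constructed model of the hub-and-spoke shortcut from the mail.
# The hub knows every spoke's protected domain; spokes only know the hub.
HUB_TABLE = {  # gateway identity (certificate CN) -> prefix it protects
    "spoke32": ipaddress.ip_network("192.168.32.0/24"),
    "spoke79": ipaddress.ip_network("192.168.79.0/24"),
}


def hub_referral(table, dst):
    """Hub-gw's answer to a spoke that wants a child SA towards dst:
    the peer gateway's certificate CN and the prefix that peer protects,
    or None if no spoke protects that address (hub handles it itself or
    rejects the request)."""
    dst = ipaddress.ip_address(dst)
    for cn, prefix in table.items():
        if dst in prefix:
            return cn, prefix
    return None


def accept_shortcut(referral, peer_cn, peer_ts):
    """Spoke-side check before using a direct tunnel: the peer must present
    the identity the hub named, and may only claim the hub-authorized
    prefix (or a subnet of it) as its traffic selector.  Without this
    check a spoke would trust whatever prefix the other spoke asserts."""
    if referral is None:
        return False
    cn, prefix = referral
    peer_ts = ipaddress.ip_network(peer_ts)
    return peer_cn == cn and peer_ts.subnet_of(prefix)


if __name__ == "__main__":
    # 192.168.79.5 -> 192.168.32.8: spoke79 asks hub-gw, which refers it
    # to the gateway presenting CN=spoke32 for 192.168.32.0/24.
    ref = hub_referral(HUB_TABLE, "192.168.32.8")
    print("referral:", ref)
    print("peer ok :", accept_shortcut(ref, "spoke32", "192.168.32.0/24"))
    # A peer claiming the whole 192.168.0.0/16 is refused.
    print("overclaim:", accept_shortcut(ref, "spoke32", "192.168.0.0/16"))
```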