There isn't now, but adding stuff to the DNS is all the rage now that DNSSEC, ummm, exists. Just take a look at DANE.
On 11/8/11 5:18 PM, "Geoffrey Huang" <ghu...@juniper.net> wrote:

>Is there a mechanism in DNS to communicate this kind of policy? As I
>understand the example below, the communication from hub-gw to spoke32
>would be something like: "to get to 192.168.79.0/24, go to spoke79."
>
>-geoff
>
>-----Original Message-----
>From: m...@sandelman.ca [mailto:m...@sandelman.ca]
>Sent: Monday, November 07, 2011 10:46 PM
>To: Yoav Nir
>Cc: ipsec@ietf.org; Geoffrey Huang; bill manning; Praveen Sathyanarayan
>Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
>
>
>>>>>> "Yoav" == Yoav Nir <y...@checkpoint.com> writes:
>    Yoav> I don't see how DNS figures into this. We have three
>    Yoav> gateways: - hub-gw, which knows the protected domains of
>    Yoav> everyone - spoke32, which protects 192.168.32.0/24, knows
>    Yoav> about hub-gw, and sends all 192.168.0.0/16 to hub-gw. -
>    Yoav> spoke79, which protects 192.168.79.0/24, knows about hub-gw,
>    Yoav> and sends all 192.168.0.0/16 to hub-gw
>
>> Yes. And, how is this policy communicated?
>
>    Yoav> Over IKE?
>
>    Yoav> Using a new protocol that we'll invent?
>
>    Yoav> SOAP?
>
>    Yoav> As an attribute in a certificate, kind of like SIDR?
>
>So, okay, so you want to do new work to replace work that's already been
>well defined, that uses DNS as the transport.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec