On Tue, 8 Nov 2011, Geoffrey Huang wrote:

> Yes - so if something has to be added to DNS, then how would this be better or
> more preferable than adding an extension to IKE?

DNS would act as a bootstrap to find the IKE daemon for a particular target(s).
Everything else should indeed remain within the IKE daemon.

That is exactly what RFC 4025 does.

Paul

> -geoff

-----Original Message-----
From: Yoav Nir [mailto:y...@checkpoint.com]
Sent: Tuesday, November 08, 2011 4:23 PM
To: Geoffrey Huang; m...@sandelman.ca
Cc: ipsec@ietf.org; bill manning; Praveen Sathyanarayan
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem

There isn't now, but adding stuff to the DNS is all the rage now that DNSSEC, 
ummm, exists.  Just take a look at DANE.

On 11/8/11 5:18 PM, "Geoffrey Huang" <ghu...@juniper.net> wrote:

Is there a mechanism in DNS to communicate this kind of policy?  As I
understand the example below, the communication from hub-gw to spoke32
would be something like: "to get to 192.168.79.0/24, go to spoke79."

-geoff

-----Original Message-----
From: m...@sandelman.ca [mailto:m...@sandelman.ca]
Sent: Monday, November 07, 2011 10:46 PM
To: Yoav Nir
Cc: ipsec@ietf.org; Geoffrey Huang; bill manning; Praveen Sathyanarayan
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs
Problem


"Yoav" == Yoav Nir <y...@checkpoint.com> writes:
   Yoav> I don't see how DNS figures into this.  We have three
   Yoav> gateways: - hub-gw, which knows the protected domains of
   Yoav> everyone - spoke32, which protects 192.168.32.0/24, knows
   Yoav> about hub-gw, and sends all 192.168.0.0/16 to hub-gw.  -
   Yoav> spoke79, which protects 192.168.79.0/24, knows about hub-gw,
   Yoav> and sends all 192.168.0.0/16 to hub-gw
  >> Yes. And, how is this policy communicated?

   Yoav> Over IKE?

   Yoav> Using a new protocol that we'll invent?

   Yoav> SOAP?

   Yoav> As an attribute in a certificate, kind of like SIDR?

So, okay, so you want to do new work to replace work that's already
been well defined, that uses DNS as the transport.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

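Added example for the RFC 4025 bootstrap that Paul describes (DNS tells a spoke which gateway speaks IKE for a target, everything after that stays in IKE). This is not code from the thread, from RFC 4025 or from any IKE implementation; the zone dictionary, the gateway names and addresses, the placeholder key bytes and the "validated" flag standing in for a resolver's AD bit are all assumptions made up for the example. The record layout it encodes and decodes is the one RFC 4025 defines: precedence, gateway type (0 none, 1 IPv4, 2 IPv6, 3 domain name), algorithm (0 none, 1 DSA, 2 RSA), gateway, public key, with lower precedence attempted first.

```python
"""IPSECKEY (RFC 4025) encode/decode plus a gateway bootstrap over a constructed zone."""
import base64
import ipaddress
import struct
from dataclasses import dataclass

# Gateway type and algorithm values from RFC 4025 sections 2.3 and 2.4.
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2


@dataclass(frozen=True)
class IPSECKEY:
    precedence: int     # lower is tried first (RFC 4025 section 2.2)
    gateway_type: int
    algorithm: int
    gateway: str        # ".", dotted IPv4, IPv6 text, or an FQDN ending in "."
    public_key: bytes   # raw key material; base64 in presentation format


def _name_to_wire(name: str) -> bytes:
    """Uncompressed wire-format domain name (RFC 1035 section 3.1)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _name_from_wire(buf: bytes, off: int):
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated gateway name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def encode(rr: IPSECKEY) -> bytes:
    """RDATA: precedence | gateway type | algorithm | gateway | public key."""
    head = struct.pack("BBB", rr.precedence, rr.gateway_type, rr.algorithm)
    if rr.gateway_type == GW_NONE:
        gw = b""
    elif rr.gateway_type == GW_IPV4:
        gw = ipaddress.IPv4Address(rr.gateway).packed
    elif rr.gateway_type == GW_IPV6:
        gw = ipaddress.IPv6Address(rr.gateway).packed
    elif rr.gateway_type == GW_NAME:
        gw = _name_to_wire(rr.gateway)
    else:
        raise ValueError(f"unknown gateway type {rr.gateway_type}")
    return head + gw + rr.public_key


def decode(rdata: bytes) -> IPSECKEY:
    if len(rdata) < 3:
        raise ValueError("truncated IPSECKEY RDATA")
    prec, gwt, alg = struct.unpack("BBB", rdata[:3])
    off = 3
    if gwt == GW_NONE:
        gw = "."
    elif gwt in (GW_IPV4, GW_IPV6):
        size = 4 if gwt == GW_IPV4 else 16
        if len(rdata) < off + size:
            raise ValueError("truncated gateway address")
        gw = str(ipaddress.ip_address(rdata[off:off + size]))
        off += size
    elif gwt == GW_NAME:
        gw, off = _name_from_wire(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gwt}")
    return IPSECKEY(prec, gwt, alg, gw, bytes(rdata[off:]))


def to_presentation(rr: IPSECKEY) -> str:
    key = base64.b64encode(rr.public_key).decode("ascii")
    return f"{rr.precedence} {rr.gateway_type} {rr.algorithm} {rr.gateway} {key}".rstrip()


def from_presentation(text: str) -> IPSECKEY:
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("IPSECKEY needs precedence, gateway type, algorithm, gateway")
    key = base64.b64decode("".join(parts[4:])) if len(parts) > 4 else b""
    return IPSECKEY(int(parts[0]), int(parts[1]), int(parts[2]), parts[3], key)


# Constructed stand-in for a validating resolver: reverse name -> (validated?, records).
# The flag models the AD bit: RFC 4025 section 4 relies on DNSSEC here, since a spoofed
# answer would simply point the tunnel at an attacker's gateway.
_KEY = b"\x01\x02\x03"  # placeholder key bytes, not a real RSA key
ZONE = {
    "10.79.168.192.in-addr.arpa.": (True, [
        IPSECKEY(20, GW_NAME, ALG_RSA, "hub-gw.example.net.", _KEY),
        IPSECKEY(10, GW_IPV4, ALG_RSA, "198.51.100.79", _KEY),
    ]),
    "5.32.168.192.in-addr.arpa.": (False, [
        IPSECKEY(10, GW_IPV4, ALG_RSA, "203.0.113.9", _KEY),
    ]),
}


def find_gateways(zone, target_ip: str) -> list:
    """Gateways to try, in precedence order, for one host; refuses unvalidated data."""
    name = ipaddress.ip_address(target_ip).reverse_pointer + "."
    validated, records = zone.get(name, (True, []))
    if not validated:
        raise ValueError(f"IPSECKEY for {name} not DNSSEC-validated; refusing to use it")
    return [rr.gateway for rr in sorted(records, key=lambda rr: rr.precedence)
            if rr.gateway_type != GW_NONE]


if __name__ == "__main__":
    print(to_presentation(ZONE["10.79.168.192.in-addr.arpa."][1][1]))
    print(find_gateways(ZONE, "192.168.79.10"))
```

Note that the lookup is per target host (the reverse name of 192.168.79.10), not per prefix: the "to get to 192.168.79.0/24, go to spoke79" policy from the discussion comes out of DNS only one address at a time, and the spoke still has to run IKE against whichever gateway it picked and check that the gateway's identity matches the record.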