On Tue, 8 Nov 2011, Geoffrey Huang wrote:
Yes - so if something has to be added to DNS, then how would this be better or
more preferable than adding an extension to IKE?
DNS would act as a bootstrap to find the IKE daemon for a particular target(s).
Everything else should indeed remain within the IKE daemon.
That is exactly what RFC 4025 does.
Paul
-geoff
-----Original Message-----
From: Yoav Nir [mailto:y...@checkpoint.com]
Sent: Tuesday, November 08, 2011 4:23 PM
To: Geoffrey Huang; m...@sandelman.ca
Cc: ipsec@ietf.org; bill manning; Praveen Sathyanarayan
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
There isn't now, but adding stuff to the DNS is all the rage now that DNSSEC,
ummm, exists. Just take a look at DANE.
On 11/8/11 5:18 PM, "Geoffrey Huang" <ghu...@juniper.net> wrote:
Is there a mechanism in DNS to communicate this kind of policy? As I
understand the example below, the communication from hub-gw to spoke32
would be something like: "to get to 192.168.79.0/24, go to spoke79."
-geoff
-----Original Message-----
From: m...@sandelman.ca [mailto:m...@sandelman.ca]
Sent: Monday, November 07, 2011 10:46 PM
To: Yoav Nir
Cc: ipsec@ietf.org; Geoffrey Huang; bill manning; Praveen Sathyanarayan
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs Problem
"Yoav" == Yoav Nir <y...@checkpoint.com> writes:
Yoav> I don't see how DNS figures into this. We have three gateways:
Yoav> - hub-gw, which knows the protected domains of everyone
Yoav> - spoke32, which protects 192.168.32.0/24, knows about hub-gw, and sends all 192.168.0.0/16 to hub-gw.
Yoav> - spoke79, which protects 192.168.79.0/24, knows about hub-gw, and sends all 192.168.0.0/16 to hub-gw
>> Yes. And, how is this policy communicated?
Yoav> Over IKE?
Yoav> Using a new protocol that we'll invent?
Yoav> SOAP?
Yoav> As an attribute in a certificate, kind of like SIDR?
So, okay, so you want to do new work to replace work that's already
been well defined, that uses DNS as the transport.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
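Paul's point that DNS only bootstraps the IKE daemon is what the RFC 4025 IPSECKEY record carries: a precedence, a gateway (address or name) and the gateway's public key. As an added example that is not part of this thread, the following Python decodes IPSECKEY wire-format RDATA and orders the candidate gateways the way an IKE daemon would try them; the sample records, the name spoke-gw.example.com and the key bytes are constructed placeholders.

```python
import base64
import ipaddress
import struct


def _read_name(data, off):
    # Uncompressed wire-format name; RFC 4025 forbids compression pointers here.
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in IPSECKEY gateway")
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def decode_ipseckey(rdata):
    """Parse IPSECKEY RDATA: precedence, gateway type, algorithm, gateway, key."""
    precedence, gw_type, alg = struct.unpack("!BBB", rdata[:3])
    off = 3
    if gw_type == 0:      # no gateway: the key belongs to the owner name itself
        gateway = None
    elif gw_type == 1:    # IPv4 address, 4 octets
        gateway, off = str(ipaddress.IPv4Address(rdata[off:off + 4])), off + 4
    elif gw_type == 2:    # IPv6 address, 16 octets
        gateway, off = str(ipaddress.IPv6Address(rdata[off:off + 16])), off + 16
    elif gw_type == 3:    # domain name in wire format
        gateway, off = _read_name(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    key = rdata[off:]
    if alg == 0 and key:  # algorithm 0 means "no key", so trailing bytes are bogus
        raise ValueError("algorithm 0 must not carry a public key")
    return {"precedence": precedence, "gateway_type": ("none", "ipv4", "ipv6", "name")[gw_type],
            "algorithm": {0: "none", 1: "DSA", 2: "RSA"}.get(alg, "unknown"),
            "gateway": gateway, "public_key": base64.b64encode(key).decode()}


def bootstrap_order(rdatas):
    # Lower precedence is tried first (RFC 4025), so sort ascending.
    return sorted((decode_ipseckey(r) for r in rdatas), key=lambda r: r["precedence"])


# Constructed sample RRset (placeholder key bytes, not a real RSA key).
SAMPLE = [
    bytes([20, 1, 2]) + ipaddress.IPv4Address("192.0.2.38").packed + b"\x01\x02\x03",
    bytes([10, 3, 2]) + b"\x08spoke-gw\x07example\x03com\x00" + b"\x01\x02\x03",
]
```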