Hi David

I believe this would require a separate document. But I'm not sure that tying 
it to an IP address is appropriate. IKE implementations work from behind NAT 
devices and sometimes move around (see MOBIKE), so I think it would be more 
appropriate to tie the record to any type of ID payload that we have in IKE: IP 
address and FQDN at least, maybe also KEYID and RFC822 address. 

You might need to profile the IKE IDs used for this.

Yoav

On Sep 21, 2013, at 2:31 PM, david.ll...@fsmail.net wrote:

> Hi,
> 
> I am interested in using a variant of DANE to bootstrap my IPSec IKE 
> root certificate trust.  Is anyone aware of any work being done in this area?
> 
> From my understanding, it looks as though there is no technical issue with 
> using reverse DNS lookup for the IPSec target machine with DNSSec (although 
> this may be a little unreliable on the "real-world" internet), so returning 
> standard DANE entries for the IPSec certificate.  Then I would simply use 
> these as part of the standard IPSec certificate validation algorithm.
> 
> Looking at similar proposed applications of DANE, such as the 
> draft-ietf-dane-srv, mostly this involves defining an appropriate protocol 
> query name (for example _ipsec.123.123.123.123.in-addr.arpa).
> 
> Is this something that would fit into an existing document either from the 
> IKE side or the DANE side?  Or would it be worth me creating a more 
> extensive proposal?
> 
> Regards,
> 
> David L
> 
> P.S.  Sorry for cross-signing two lists!
> _______________________________________________
> dane mailing list
> d...@ietf.org
> https://www.ietf.org/mailman/listinfo/dane

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
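As an added illustration of the mapping discussed in this thread (not code from either mail, nor from any IETF draft): it builds the owner name to query from an IKEv2 ID payload, using the `_ipsec` reverse-zone form from David's mail for IP IDs (the `_ipsec.<fqdn>` form for FQDN IDs is an assumption made here), and then matches a presented certificate against a TLSA record with RFC 6698 field semantics, usage 2 (DANE-TA) being the one that pins a trust anchor. The DER blobs are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import ipaddress

# IKEv2 ID payload types (RFC 7296, section 3.5)
ID_IPV4_ADDR, ID_FQDN, ID_IPV6_ADDR = 1, 2, 5


def dane_query_name(id_type: int, id_data: str, service: str = "_ipsec") -> str:
    """Owner name to look up for an IKE peer identified by an ID payload.
    IP IDs use the reverse zone as proposed in the thread
    (_ipsec.123.123.123.123.in-addr.arpa, ip6.arpa nibbles for IPv6);
    the _ipsec.<fqdn> form for FQDN IDs is an assumption of this example."""
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return f"{service}.{ipaddress.ip_address(id_data).reverse_pointer}"
    if id_type == ID_FQDN:
        return f"{service}.{id_data.rstrip('.')}"
    raise ValueError(f"no DANE mapping defined here for ID type {id_type}")


def _assoc_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Certificate association data per RFC 6698: selector 0 = full cert,
    1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    return hashlib.sha512(data).digest()


def tlsa_rdata(cert_der: bytes, spki_der: bytes, usage=2, selector=0, mtype=1):
    """Build TLSA RDATA (usage, selector, mtype, assoc); default is DANE-TA/SHA-256."""
    return (usage, selector, mtype, _assoc_data(selector, mtype, cert_der, spki_der))


def tlsa_matches(rdata, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one presented certificate against one TLSA record."""
    usage, selector, mtype, assoc = rdata
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return False  # unknown field values: record is unusable, never a match
    candidate = _assoc_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(candidate, assoc)


# Constructed stand-ins for DER encodings (not real certificates)
ROOT_CERT_DER = b"constructed root certificate DER"
ROOT_SPKI_DER = b"constructed root SubjectPublicKeyInfo DER"


def demo():
    name = dane_query_name(ID_IPV4_ADDR, "123.123.123.123")
    record = tlsa_rdata(ROOT_CERT_DER, ROOT_SPKI_DER)  # DANE-TA, SHA-256 of full cert
    ok = tlsa_matches(record, ROOT_CERT_DER, ROOT_SPKI_DER)
    bad = tlsa_matches(record, b"some other certificate", ROOT_SPKI_DER)
    return name, ok, bad
```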
