Keys are distributed via DNS records. https://tools.ietf.org/html/rfc4322
Carl

On Apr 21, 2014 5:35 PM, "Kevin Benton" <blak...@gmail.com> wrote:

> This is interesting. How is key distribution handled when I want to use OE
> with someone like Google.com for example?
>
>
> On Thu, Apr 17, 2014 at 12:07 PM, Martinx - ジェームズ <
> thiagocmarti...@gmail.com> wrote:
>
>> Guys,
>>
>> I'm here thinking about IPSec with IPv6 and, one of the first
>> ideas/wishes of IPv6 scientists, was to always deploy it with IPSec
>> enabled, always (I've heard). But, this isn't well diffused by now. Who is
>> actually using IPv6 Opportunistic Encryption?!
>>
>> For example: With O.E., we'll be able to make an IPv6 IPSec VPN with
>> Google, so we can "ping6 google.com" safely... Or with Twitter,
>> Facebook! Or whatever! That is the purpose of Opportunistic Encryption, am
>> I right?!
>>
>> Then, with OpenStack, we might have a multi-Region or even a multi-AZ
>> cloud, based on the topology "Per-Tenant Routers with Private Networks",
>> for example, so, how hard will it be to deploy the Namespace routers with
>> "IPv6+IPSec O.E." just enabled by default?
>>
>> I'm thinking about this:
>>
>>
>> * "IPv6 Tenant 1 subnet A" <-> "IPv6 Router + IPSec O.E." <-> *"Internet
>> IPv6"* <-> "IPv6 Router + IPSec O.E." <-> "IPv6 Tenant 1 subnet B"
>>
>>
>> So, with O.E., it will be simpler (from the tenant's point of view) to
>> safely interconnect multiple tenant's subnets, don't you guys think?!
>>
>> Amazon, on the other hand, for example, provides things like "VPC
>> Peering", or "VPN Instances", or "NAT instances", as a "solution" to
>> interconnect creepy IPv4 networks... We don't need any of this kind of
>> solutions with IPv6... Right?!
>>
>> Basically, the OpenStack VPNaaS (O.E.) will come enabled at the Namespace
>> Router by default, without the tenant even knowing it is there, but of
>> course, we can still show that IPv6-IPSec-VPN at the Horizon Dashboard,
>> when established, just for fun... But tenants will never need to think
>> about it... =)
>>
>> And to share the IPSec keys, the stuff required for Opportunistic
>> Encryption to gracefully work, each OpenStack in the wild can become a
>> *"pod"*, which will form a network of *"pods"*, I mean, independently
>> owned *pods* which interoperate to form the "*Opportunistic Encrypt
>> Network of OpenStack Clouds*".
>>
>> I'll try to make a comparison here, as an analogy, have you guys ever
>> heard about the DIASPORA* Project? No, take a look:
>> http://en.wikipedia.org/wiki/Diaspora_(social_network)
>>
>> I think that OpenStack might be for Opportunistic Encryption what the
>> DIASPORA* Project is for Social Networks!
>>
>> If OpenStack can share its keys (O.E. stuff) in some way, with each other,
>> we can easily build a huge network of OpenStacks, and then, each one will
>> "naturally" talk with each other, using a secure connection.
>>
>> I would love to hear some insights from you guys!
>>
>> Please, keep in mind that I never deployed an IPSec O.E. before, this is
>> just an idea I had... If I'm wrong, ignore this e-mail.
>>
>>
>> References:
>>
>> https://tools.ietf.org/html/rfc4322
>>
>> https://groups.google.com/d/msg/ipv6hackers/3LCTBJtr-eE/Om01uHUcf9UJ
>>
>> http://www.inrialpes.fr/planete/people/chneuman/OE.html
>>
>>
>> Best!
>> Thiago
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> --
> Kevin Benton