Hi, Paul

> On 19 Sep 2017, at 1:31, Paul Wouters <[email protected]> wrote:
>
> On Mon, 18 Sep 2017, Linda Dunbar wrote:
>
>> If we need to use IPsec tunnels to connect a group of CPE devices, (as shown
>> in the figure I sent earlier), do you still need DNS? Or the Key
>> management will be managed by the "Zero Touch Deployment Service" in the
>> figure below?
>
> You can use any protocol you want to validate the public key
> needed. It can come from DNSSEC, a supplied X.509 CA cert, or you can
> specify/implement another secure method. IKE allows for the pubkey to
> be transmitted and received. External processes can then determine the
> authenticity of the pubkey (along with the ID presented).
>
> The idea remains the same: you connect to a remote hostname or IP,
> are given an ID and you use that ID to somehow/somewhere look up what
> pubkey belongs to that ID. Possibly also match that ID to the IP as
> additional assurance. Then once the pubkey is trusted out-of-band,
> you use it in-band to authenticate.
>
> It could be querying a blockchain, confirming a bitcoin payment, a
> centralised DNS zone, the LetsEncrypt CA, a hardcoded list of pubkeys,
> etc.
>
> If you have the ID of entities you connect to (e.g. a hostname) then
> things are easier to look up than if you only know an IP address, and are
> then given an ID. Because then you need to somehow verify the ID-IP set.
> Otherwise, one node in a network can take over another node's IP
> address, and present its own (valid!) credentials.
This is what you do if all you have is a DNS. However, if you have this SDN controller/SDWAN controller/Zero-Touch deployment thingie, why do you need public keys at all? You can just have the controller provision the CPEs with identities and pair-wise shared secrets plus addresses and domains of peers. Then you don't need any PKI, lookups, DNSSEC and the like.

Yoav
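The following is an added example, not code from either poster or from any I2NSF draft. It models the controller-provisioned scheme Yoav describes (identities, pair-wise shared secrets, peer addresses pushed by a zero-touch controller) and adds the ID-to-address binding check Paul raises, so that a node that has taken over another node's address but presents its own valid credentials is still rejected. The `Controller`, `Cpe`, `Peer` and `verify_peer` names are hypothetical, the 192.0.2.0/24 addresses are constructed documentation values, and the MAC construction only loosely follows the RFC 7296 shared-secret AUTH payload (the "Key Pad for IKEv2" string is RFC 7296's; the signed octets are simplified to nonces plus the claimed ID).

```python
"""Controller-provisioned pair-wise secrets between CPEs, with an
ID-to-address binding check before the shared-secret proof is verified.
Added example; hypothetical names, constructed addresses."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# RFC 7296 section 2.15 pad string; the surrounding construction is simplified.
KEY_PAD = b"Key Pad for IKEv2"


@dataclass
class Peer:
    """What the controller hands a CPE about one of its peers."""
    peer_id: str
    address: str
    secret: bytes


@dataclass
class Cpe:
    cpe_id: str
    address: str
    peers: dict = field(default_factory=dict)  # peer_id -> Peer


class Controller:
    """Zero-touch controller (hypothetical): assigns identity and address,
    derives a distinct secret per pair and pushes it to both ends."""

    def __init__(self):
        self.cpes = {}

    def enroll(self, cpe_id, address):
        cpe = Cpe(cpe_id, address)
        self.cpes[cpe_id] = cpe
        return cpe

    def pair(self, a_id, b_id):
        secret = secrets.token_bytes(32)
        a, b = self.cpes[a_id], self.cpes[b_id]
        a.peers[b_id] = Peer(b_id, b.address, secret)
        b.peers[a_id] = Peer(a_id, a.address, secret)


def compute_auth(secret, nonce_i, nonce_r, claimed_id):
    """Simplified PSK AUTH: prf(prf(secret, KEY_PAD), nonces || ID)."""
    pad_key = hmac.new(secret, KEY_PAD, hashlib.sha256).digest()
    signed = nonce_i + nonce_r + claimed_id.encode()
    return hmac.new(pad_key, signed, hashlib.sha256).digest()


def verify_peer(responder, claimed_id, source_address, nonce_i, nonce_r, auth):
    """Return (accepted, reason). The provisioned address for the claimed ID
    is checked before the credential, so valid credentials presented from
    another node's address are refused."""
    peer = responder.peers.get(claimed_id)
    if peer is None:
        return False, "unknown peer id"
    if peer.address != source_address:
        return False, "id/address mismatch"
    expected = compute_auth(peer.secret, nonce_i, nonce_r, claimed_id)
    if not hmac.compare_digest(expected, auth):
        return False, "bad auth"
    return True, "ok"


def run_scenarios():
    """Provision three CPEs and exercise the checks; returns a dict of results."""
    ctl = Controller()
    a = ctl.enroll("cpe-a", "192.0.2.10")  # constructed addresses
    b = ctl.enroll("cpe-b", "192.0.2.20")
    c = ctl.enroll("cpe-c", "192.0.2.30")
    ctl.pair("cpe-a", "cpe-b")
    ctl.pair("cpe-a", "cpe-c")
    n_i, n_r = os.urandom(16), os.urandom(16)
    results = {}
    # B authenticates to A from its provisioned address.
    auth = compute_auth(b.peers["cpe-a"].secret, n_i, n_r, "cpe-b")
    results["legit"] = verify_peer(a, "cpe-b", "192.0.2.20", n_i, n_r, auth)
    # C has taken over B's address and presents its own valid A-C credential.
    auth = compute_auth(c.peers["cpe-a"].secret, n_i, n_r, "cpe-c")
    results["address_takeover"] = verify_peer(a, "cpe-c", "192.0.2.20", n_i, n_r, auth)
    # C claims B's ID from B's address but does not hold the A-B secret.
    auth = compute_auth(c.peers["cpe-a"].secret, n_i, n_r, "cpe-b")
    results["id_spoof"] = verify_peer(a, "cpe-b", "192.0.2.20", n_i, n_r, auth)
    # No pairing was provisioned between B and C.
    auth = compute_auth(b.peers["cpe-a"].secret, n_i, n_r, "cpe-b")
    results["unpaired"] = verify_peer(c, "cpe-b", "192.0.2.20", n_i, n_r, auth)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The order of checks matters: looking up the provisioned address for the claimed ID first is exactly the "match that ID to the IP as additional assurance" step, and it is what closes the gap Paul points out, since a credential that is valid for some other identity proves nothing about who should be at that address.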
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
