Yoav Nir <[email protected]> wrote:
>> If you have the ID of entities you connect to (e.g. a hostname) then
>> things are easier to look up than if you only know an IP address, and are
>> then given an ID. Because then you need to somehow verify the ID-IP set.
>> Otherwise, one node in a network can take over another node's IP
>> address, and present its own (valid!) credentials.
> This is what you do if all you have is a DNS.
DNS is a really well established distributed database with well established
and secure implementations which caches really well. It has decades of
proven interoperation.
> However, if you have this SDN controller/SDWAN controller/Zero-Touch
> deployment thingie, why do you need public keys at all. You can just
> have the controller provision the CPEs with identities and pair-wise
> shared secrets plus addresses and domains of peers. Then you don’t need
> any PKI, lookups, DNSSEC and the like.
yes, the highly available SDN controller can configure all the information,
remembering to update all the nodes regularly with new information. Or the
SDN controller could simply do exactly the same thing using DNS zone
transfers using private DNS zones. (whether forward or reverse, etc.)
No PKI. DNSSEC if you like, TSIG authenticated zone transfers otherwise, and
numerous competing services that can provide DDoS resistance so that the SDN
controller doesn't have to be so available.
I don't really see the difference except new people can get paid to
re-discover the last 30 years of mistakes in DNS implementations.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
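Michael's alternative above, a controller that publishes its node and address data as private DNS zones which the CPEs pull by TSIG-authenticated zone transfer, as an added example that is not from the thread or from any I2NSF document. It implements TSIG (RFC 8945, hmac-sha256) signing and verification from scratch and walks both sides of an AXFR: the CPE signs the request with the shared key the controller provisioned, the controller verifies it and signs its reply with the request MAC chained in, and the CPE verifies the reply. The key bytes, the key name cpe7.keys.example.internal., the zone branch.example.internal. and the reduction of the transfer to a single SOA answer are all constructed for the example.

```python
"""TSIG (RFC 8945, hmac-sha256) signing and verification in pure Python, shown as a
TSIG-authenticated AXFR exchange: the CPE signs its request with a shared key the
controller provisioned, the controller verifies it and signs its reply (chaining the
request MAC), and the CPE verifies the reply. Constructed example; key and names are made up."""
import hashlib
import hmac
import struct

TYPE_AXFR, TYPE_TSIG, TYPE_SOA, CLASS_IN, CLASS_ANY = 252, 250, 6, 1, 255
ALG = "hmac-sha256."

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_request(zone, msg_id):
    """Unsigned AXFR query: 12-byte header with QDCOUNT=1, then one question."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone)
            + struct.pack("!HH", TYPE_AXFR, CLASS_IN))

def _mac(key, msg, keyname, time_signed, fudge, request_mac=b"", error=0, other=b""):
    """HMAC over [len+request MAC] + unsigned message + TSIG variables (RFC 8945 4.3.3)."""
    data = (struct.pack("!H", len(request_mac)) + request_mac) if request_mac else b""
    data += msg + wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
    data += time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other
    return hmac.new(key, data, hashlib.sha256).digest()

def tsig_sign(key, keyname, msg, time_signed, fudge=300, request_mac=b""):
    """Append a TSIG RR to an unsigned message; returns (signed_wire, mac)."""
    mac = _mac(key, msg, keyname, time_signed, fudge, request_mac)
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    rr = wire_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1  # the TSIG RR counts in ARCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr, mac

def _skip_name(wire, pos):
    """Offset just past the name at pos; a compression pointer ends a name."""
    while True:
        length = wire[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def tsig_verify(key, keyname, wire, now, request_mac=b""):
    """Check the trailing TSIG RR; returns (unsigned_wire, mac) or raises ValueError."""
    qd, an, ns, ar = struct.unpack("!HHHH", wire[4:12])
    if ar == 0:
        raise ValueError("no TSIG RR present")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(wire, pos) + 4
    for _ in range(an + ns + ar - 1):  # walk every RR ahead of the last one
        pos = _skip_name(wire, pos)
        pos += 10 + struct.unpack("!H", wire[pos + 8:pos + 10])[0]
    p = _skip_name(wire, pos)
    if struct.unpack("!H", wire[p:p + 2])[0] != TYPE_TSIG or wire[pos:p].lower() != wire_name(keyname):
        raise ValueError("BADKEY: last RR is not a TSIG RR under the expected key")
    alg_end = _skip_name(wire, p + 10)  # skip type, class, ttl, rdlength
    if wire[p + 10:alg_end].lower() != wire_name(ALG):
        raise ValueError("BADKEY: unsupported algorithm")
    time_signed = int.from_bytes(wire[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", wire[alg_end + 6:alg_end + 10])
    mac = wire[alg_end + 10:alg_end + 10 + mac_size]
    tail = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", wire[tail:tail + 6])
    other = wire[tail + 6:tail + 6 + other_len]
    # Rebuild the message as it was signed: original ID, TSIG RR dropped, ARCOUNT decremented.
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:pos]
    if not hmac.compare_digest(mac, _mac(key, unsigned, keyname, time_signed, fudge, request_mac, error, other)):
        raise ValueError("BADSIG: MAC mismatch")
    if abs(now - time_signed) > fudge:  # time is checked only after the MAC, as the RFC orders
        raise ValueError("BADTIME: outside the fudge window")
    return unsigned, mac

def demo_zone_transfer(key, keyname, zone, now):
    """Both sides of a TSIG-authenticated AXFR, reduced to a one-record (SOA) answer."""
    req = build_axfr_request(zone, 0x1234)
    signed_req, req_mac = tsig_sign(key, keyname, req, now)       # CPE signs the query
    _, ctl_mac = tsig_verify(key, keyname, signed_req, now)       # controller verifies it
    soa = (wire_name("ns1." + zone) + wire_name("hostmaster." + zone)
           + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 60))
    resp = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + wire_name(zone)
            + struct.pack("!HH", TYPE_AXFR, CLASS_IN) + wire_name(zone)
            + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 60, len(soa)) + soa)
    signed_resp, _ = tsig_sign(key, keyname, resp, now, request_mac=ctl_mac)   # reply chains the request MAC
    unsigned_resp, _ = tsig_verify(key, keyname, signed_resp, now, request_mac=req_mac)  # CPE verifies the reply
    return {"signed_request": signed_req, "request_mac": req_mac,
            "signed_response": signed_resp, "response_ok": unsigned_resp == resp}

if __name__ == "__main__":
    r = demo_zone_transfer(b"constructed-shared-secret-not-a-real-key", "cpe7.keys.example.internal.",
                           "branch.example.internal.", 1700000000)
    print("AXFR reply authenticated:", r["response_ok"])
```

The pair-wise secret Yoav describes is still there; it is simply a TSIG key rather than a bespoke one, and in a real deployment it is the `key` statement plus `allow-transfer { key ...; }` in BIND (or the equivalent in NSD or Knot), so the controller writes zone files and the CPEs are ordinary secondaries. Two details matter for a practitioner: the reply MAC is chained to the request MAC, so a captured response cannot be replayed against a different request, and the fudge window is only checked after the MAC, so a forger cannot probe the receiver's clock with unsigned messages.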
