On Oct 26, 2011, at 7:00 AM, Stephen Hanna wrote: > I'm concerned about using DNS as the introducer here. Doing this > securely requires DNS records to be updated, signed, and distributed > whenever a new "satellite" gateway or host arrives or departs. > That's cumbersome, expensive, and complex since it requires > interfacing the IPsec and DNSSEC infrastructure and lots of > resigning. > > The core IPsec gateway already knows all the information necessary > to establish a secure direct connection between satellites and > there's already a secure connection between the core and the > satellites. Why not use that connection to distribute the information > directly from the core to the satellites?
+1. Putting in a dependency not only on DNS, but DNSSEC, seems odd here. If there is already a trusted introducer here, use it. The use case for RFC 4322, opportunistic encryption (and thus no trusted introducer), is quite different than the one being proposed here. --Paul Hoffman _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
