On 11/7/11 11:46 PM, "Michael Richardson" <[email protected]> wrote:
> >>>>> "Yoav" == Yoav Nir <[email protected]> writes:
>
>     Yoav> I don't see how DNS figures into this. We have three
>     Yoav> gateways:
>     Yoav> - hub-gw, which knows the protected domains of everyone
>     Yoav> - spoke32, which protects 192.168.32.0/24, knows about hub-gw,
>     Yoav>   and sends all 192.168.0.0/16 to hub-gw.
>     Yoav> - spoke79, which protects 192.168.79.0/24, knows about hub-gw,
>     Yoav>   and sends all 192.168.0.0/16 to hub-gw
>
> >> Yes. And, how is this policy communicated?
>
>     Yoav> Over IKE?
>
>     Yoav> Using a new protocol that we'll invent?
>
>     Yoav> SOAP?
>
>     Yoav> As an attribute in a certificate, kind of like SIDR?
>
> So, okay, so you want to do new work to replace work that's already been
> well defined, that uses DNS as the transport.

Hey, that's what engineers do.

But more seriously, in my example hub-gw responds to spoke79 with the configuration of spoke32, and initiates a message to spoke32 about spoke79. I'm no expert on DNS, but I think there is no "push mode" of DNS, so hub-gw acting as DNS server would not be able to tell spoke32 what it needs to do. Sure, you can make them all DNS servers (fits with the peer-to-peer concept of IKE), and start zone transfers with hub-gw acting once as client and once as server.

But I agree with Praveen. We have one IKE peer telling another IKE peer about a third IKE peer, where IKE SAs already exist between them. IKE seems like a natural protocol for this configuration information. Some may object that IKE is meant for key exchange, not for configuration, and would prefer something over IPsec, but I don't think that DNS really fits this.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

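The hub-and-spoke exchange discussed in this thread, as an added model that is not part of the original message or of any IKE implementation: hub-gw holds every spoke's protected domain, resolves a destination by longest-prefix match, and must send two messages (a reply to the asking spoke and a push to the spoke that owns the destination). The gateway names and prefixes are the ones from the thread; the message shapes are assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology from the thread: hub-gw knows every spoke's protected
# domain; each spoke only knows hub-gw and sends all of 192.168.0.0/16 there.
@dataclass
class Hub:
    # spoke name -> list of protected prefixes (IPv4Network objects)
    protected: dict = field(default_factory=dict)

    def register(self, spoke, prefix):
        self.protected.setdefault(spoke, []).append(ipaddress.ip_network(prefix))

    def owner_of(self, addr):
        """Longest-prefix match of addr against all registered protected domains."""
        ip = ipaddress.ip_address(addr)
        best = None
        for spoke, nets in self.protected.items():
            for net in nets:
                if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (spoke, net)
        return best

    def shortcut(self, requester, dst):
        """Messages hub-gw has to send when `requester` asks about `dst`.

        Returns (recipient, payload) tuples: a reply to the requester naming the
        spoke that protects dst, and a push to that spoke describing the
        requester. The push is the half the thread says plain DNS has no mode
        for, whereas the hub already has an IKE SA to both spokes.
        Payload keys are hypothetical, not a real IKE attribute format.
        """
        hit = self.owner_of(dst)
        if hit is None or hit[0] == requester:
            return []  # hub keeps forwarding; no spoke-to-spoke shortcut to set up
        spoke, net = hit
        return [
            (requester, {"peer": spoke, "protected": [str(net)]}),
            (spoke, {"peer": requester,
                     "protected": [str(n) for n in self.protected[requester]]}),
        ]

def build_example_hub():
    """The three-gateway example from the thread."""
    hub = Hub()
    hub.register("spoke32", "192.168.32.0/24")
    hub.register("spoke79", "192.168.79.0/24")
    return hub
```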