Hi,

Thanks for the various responses.  I have also been asked for a little 
clarification on what I am trying to achieve, so I'll give a quick overview.

There's not much to it...  Basically, we have three independent groups who have 
certificate-based IPsec (on IPv6), and now they'd like occasionally to connect 
to each other.  The obvious solution is to cross-sign certificates, but we have 
also recently implemented DNSSEC, so I was wondering if there was a 
better/another way.  Or maybe: I have a shiny new hammer called DNSSEC, and a 
lot of things are starting to look like nails.

In terms of getting IPsec based off DNSSEC, the two RFCs 4025 and 4322 actually 
do pretty much what I want (plus or minus that it'll look very different to the 
way I am configuring TLS DANE).  I am going to see if I can get those to work.


For the other things that were talked about:

Mobile devices and NATs - It is true that reverse lookup is inappropriate for 
these scenarios, but ultimately this is just a rejig of the problem that the 
incoming IP address is not particularly useful in these scenarios.  If a server 
wishes to verify such connecting clients, it'll have to choose something else 
as an identifier (and thus it falls back into the traditional CA/Kerberos setup).

Reverse DNS being poorly supported by ISPs - To be honest, this is less of a 
problem for me as I only have an internal deployment, so I can do what I like 
(in-addr.arpa is ultimately just a convention, anyone could run a reverse DNS 
system that actually works properly).  Most of my IP addresses are not routable 
from the public internet anyway.  It did lead me to the somewhat more 
philosophical question of what it means to "own" an IP address if I can't 
associate my public keys with a secure central registry...


So I think that the answer is that I can do this with existing technology, with 
some basic restrictions in that I'll need to be running my own reverse DNS 
lookup for my deployment - which seems entirely sensible as I want to have 
control over which IP addresses "exist" in my environment.

Thanks!

DDD

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
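To illustrate the RFC 4025 approach the message refers to (keying IPsec from DNSSEC-signed reverse DNS), here is an added Python example that is not part of the original thread: it derives the in-addr.arpa/ip6.arpa owner name a responder would query for a peer address, parses an IPSECKEY record's presentation format with the consistency checks a resolver-side validator needs, and produces the RDATA wire encoding. The sample record and key bytes are constructed; the helper names are my own.

```python
import base64
import ipaddress
import struct
from dataclasses import dataclass

GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3  # RFC 4025 gateway types

def reverse_name(addr: str) -> str:
    """Owner name under in-addr.arpa/ip6.arpa where a peer's IPSECKEY RRset would live."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

@dataclass
class IpsecKey:
    precedence: int
    gateway_type: int
    algorithm: int  # 0 = no key, 1 = DSA, 2 = RSA
    gateway: str
    public_key: bytes

def parse_ipseckey(rdata: str) -> IpsecKey:
    """Parse RFC 4025 presentation format: 'precedence gw-type algorithm gateway base64-key'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("IPSECKEY needs precedence, gateway type, algorithm and gateway")
    prec, gwtype, alg, gw = int(fields[0]), int(fields[1]), int(fields[2]), fields[3]
    if not all(0 <= v <= 255 for v in (prec, gwtype, alg)):
        raise ValueError("precedence, gateway type and algorithm are 8-bit fields")
    # The gateway field must agree with the declared gateway type.
    if gwtype == GW_NONE and gw != ".":
        raise ValueError("gateway type 0 must use '.' as gateway")
    if gwtype in (GW_IPV4, GW_IPV6) and ipaddress.ip_address(gw).version != {GW_IPV4: 4, GW_IPV6: 6}[gwtype]:
        raise ValueError("gateway address family does not match gateway type")
    key = base64.b64decode("".join(fields[4:]), validate=True)
    if (alg == 0) != (len(key) == 0):
        raise ValueError("algorithm 0 means no key; any other algorithm needs one")
    return IpsecKey(prec, gwtype, alg, gw, key)

def to_wire(rr: IpsecKey) -> bytes:
    """RDATA wire encoding per RFC 4025 section 2.1: 3 fixed bytes, gateway, key."""
    out = struct.pack("!BBB", rr.precedence, rr.gateway_type, rr.algorithm)
    if rr.gateway_type in (GW_IPV4, GW_IPV6):
        out += ipaddress.ip_address(rr.gateway).packed
    elif rr.gateway_type == GW_NAME:
        for label in rr.gateway.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"  # root label ends the uncompressed name
    return out + rr.public_key

# Constructed sample (not a real key): precedence 10, IPv6 gateway, algorithm 2 (RSA).
SAMPLE_RDATA = "10 2 2 2001:db8::1 " + base64.b64encode(b"constructed sample, not a real key").decode()
```

The record itself only binds a key to an owner name; the binding is only trustworthy when the RRset validates under DNSSEC, which is the part the message is relying on.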