On Sun, 29 Sep 2013, [email protected] wrote:
Thanks for the various responses. I have also been asked for a little
clarification on what I am trying to achieve, so I'll give a quick overview.
There's not much to it... Basically, we have three independent groups who have
certificate-based IPSec (on IPv6), and now they'd like occasionally to connect
to each other. The obvious solution is to cross-sign certificates, but we have
also recently implemented DNSSEC, so I was wondering if there was a
better/another way. Or maybe: I have a shiny new hammer called DNSSEC, and a
lot of things are starting to look like nails.
In terms of getting IPSec based off DNSSEC, the two RFCs 4025 and 4322 actually
do pretty much what I want (plus or minus that it'll look very different to the
way I am configuring TLS DANE). I am going to see if I can get those to work.
We have been working on re-doing IPsec OE (which can use DANE/DNSSEC)
using IKEv2. We will be writing up our findings in a new draft and
implement this in libreswan. The core functionality is not hard. The
problem is in cornercases and trying not to get stuck in too many
of them like the BTNS work did.
For the other things that were talked about:
Mobile devices and NATs - It is true that reverse lookup is inappropriate for
these scenarios, but ultimately this is just a rejig of the problem that the
incoming ipaddress is not particularly useful in these scenarios. If a server
wishes to verify such connecting clients, it'll have to choose something else
as an identifier (and thus it falls back into the traditional CA/Kerebros setup)
Forget the reverse. You either use the forward lookup with DNSSEC using
a locally running DNSSEC resolver or you if you don't find anything, you
try an anonymous (MITMable) IPsec directly.
So I think that the answer is that I can do this with existing technology, with some
basic restrictions in that I'll need to be running my own reverse DNS lookup for my
deployment - which seems entirely sensible as I want to have control over which ip
addresses "exist" in my environment.
Yes. the problems are mostly in the local implementation.
How to deal with NAT and overlapping IP addresses.
How to ensure there is no malicious NAT-T pre-NAT IP attempts at traffic
stealing (eg 8.8.8.8)
How (or if) to present the difference of "anonymous IPsec" versus "one
or two sided authenticated IPsec" to the user.
What to do when the roles of initiator/responder change and the
connection was only authenticated by the original initiator.
I hope to have a rough draft and implementation ready in Vancouver,
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
