Tommy Pauly <[email protected]> wrote:
> I’d like to see if the working group has interest in adding support for
> a list of split-DNS domains to the configuration payload for
> IKEv2. Existing split-tunnel VPN solutions often use a configuration in
> which only a private domain is resolved using the VPN’s DNS server, and
> all other resolutions use the physical network’s DNS server.

This falls into the MIF problem space. The VPN problem is directly called
out by the problem statement (RFC6418).

RFC6731 describes how to do what you want using DHCPv4 and DHCPv6 options.

If running DHCP inside the tunnel is not acceptable, then I suggest
tunnelling the DHCP messages inside of IKEv2.

(DHCPv6 is a relatively straightforward application to run, no magic
listening on the raw interfaces required, the DHCPv6 server doesn't need to
be co-located with the IPsec gateway, and given DHCP relays and multicast
destination addresses, the client doesn't even need to be configured.)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
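
The resolver selection that the quoted proposal describes (private domains go to the VPN's DNS server, everything else to the physical network's), as an added example that is not part of either message or of any RFC text. The class name, domains and server addresses are constructed; it matches on whole DNS labels and prefers the most specific suffix, so a look-alike name is not sent to the VPN resolver.

```python
# Added example: split-DNS resolver selection by domain suffix.
# SplitDnsPolicy and every domain/address below are constructed sample values.

def normalize(name):
    """Lower-case a DNS name, drop the trailing root dot, split into labels."""
    name = name.strip().rstrip(".").lower()
    return tuple(name.split(".")) if name else ()


class SplitDnsPolicy:
    def __init__(self, default_servers, vpn_rules):
        # vpn_rules maps a private domain suffix to the VPN DNS servers for it.
        self.default_servers = list(default_servers)
        self.rules = {normalize(d): list(s) for d, s in vpn_rules.items()}

    def select(self, qname):
        """Return (matched_suffix or None, servers) for a query name."""
        labels = normalize(qname)
        # Walk from the full name towards the TLD so the longest
        # (most specific) configured suffix wins.
        for i in range(len(labels)):
            suffix = labels[i:]
            # Tuple comparison works on whole labels, so "notcorp.example"
            # can never match the rule for "corp.example".
            if suffix in self.rules:
                return ".".join(suffix), self.rules[suffix]
        # No private suffix matched: use the physical network's resolver.
        return None, self.default_servers


POLICY = SplitDnsPolicy(
    default_servers=["192.0.2.53"],                 # physical network DNS
    vpn_rules={
        "corp.example": ["10.0.0.53"],              # VPN DNS
        "lab.corp.example": ["10.0.9.53"],          # more specific VPN DNS
    },
)

if __name__ == "__main__":
    for q in ("wiki.corp.example", "Host.LAB.corp.example.",
              "notcorp.example", "corp.example.attacker.test", "www.example.org"):
        print(q, "->", POLICY.select(q))
```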
