Paul Wouters writes:
> Should such a document include a section on client usage or just specify
> the payload formats?

If such a document is written, it has to define client usage for the
information, as those have security issues.

> For example, there are some expected behaviours for client cache flushing
> on VPN (dis)connect.

The client needs to flush the local DNS cache (both in the local resolver
library, but also in all applications currently running) when the VPN
connection is established. Otherwise the attacker could return a wrong
IP address for mail.example.com before the VPN connection gets up, and
then the mail client would still use that wrong IP address, which could
cause the connection to go outside the VPN tunnel.

Using DNS to configure anything in the IPsec is inherently dangerous, as
the IPsec policy is based on the IP addresses, not host names, and if you
use untrusted information to do the mapping this will cause problems.

> There is also a security concern if a third party VPN specifies to send
> DNS queries for apple.com or "." to it.

Also if you have multiple VPN connections up and running and all of them
claim that they are the only ones who want to serve ".".

So I think the actual payload formats are easy, but the document would
need to also think about all these cases, and specify how those should be
solved.
-- 
[email protected]
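
The following is an added illustration, not part of the original message: a small Python model of the stale-cache problem and of overlapping domain claims described in the reply above. The class and function names, the 10.0.0.0/8 traffic selector, and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the message).
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/8")  # selector protected by IPsec
PRE_VPN_ANSWER = "203.0.113.25"  # answer from an untrusted resolver, pre-VPN
VPN_ANSWER = "10.1.2.3"          # answer from the resolver reached via the VPN


class StubResolver:
    """Minimal name cache standing in for resolver-library and app caches."""

    def __init__(self):
        self.cache = {}
        self.upstream = {}

    def resolve(self, name):
        # A cached answer wins, regardless of which network supplied it.
        if name not in self.cache:
            self.cache[name] = self.upstream[name]
        return self.cache[name]

    def flush(self):
        self.cache.clear()


def protected_by_ipsec(addr):
    # IPsec policy matches on IP addresses, never on host names.
    return ipaddress.ip_address(addr) in TUNNEL_NET


def mail_goes_through_tunnel(flush_on_connect):
    resolver = StubResolver()
    resolver.upstream = {"mail.example.com": PRE_VPN_ANSWER}
    resolver.resolve("mail.example.com")   # lookup before the tunnel is up
    # VPN connects: the upstream resolver changes, the cache may or may not.
    resolver.upstream = {"mail.example.com": VPN_ANSWER}
    if flush_on_connect:
        resolver.flush()
    return protected_by_ipsec(resolver.resolve("mail.example.com"))


def conflicting_claims(vpn_domains):
    """Return the DNS domains that more than one VPN connection claims."""
    owners = {}
    for vpn, domains in vpn_domains.items():
        for domain in domains:
            owners.setdefault(domain.lower(), []).append(vpn)
    return {d: v for d, v in owners.items() if len(v) > 1}
```

Without the flush, the pre-VPN answer survives the connect and the address falls outside the protected selector; the conflict check only reports overlapping claims such as two connections both listing ".", it does not decide between them.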
