On Mon, 18 Sep 2017, Linda Dunbar wrote:
> If we need to use IPsec tunnels to connect a group of CPE devices, (as shown in the figure I sent earlier), do you still need DNS? Or the Key management will be managed by the "Zero Touch Deployment Service" in the figure below?
You can use any protocol you want to validate the public key needed. It can come from DNSSEC, a supplied X.509 CA cert, or you can specify/implement another secure method. IKE allows for the pubkey to be transmitted and received. External processes can then determine the authenticity of the pubkey (along with the ID presented).

The idea remains the same: you connect to a remote hostname or IP, are given an ID, and you use that ID to somehow/somewhere look up what pubkey belongs to that ID. Possibly also match that ID to the IP as additional assurance. Then, once the pubkey is trusted out-of-band, you use it in-band to authenticate. It could be querying a blockchain, confirming a bitcoin payment, a centralised DNS zone, the LetsEncrypt CA, a hardcoded list of pubkeys, etc.

If you have the ID of entities you connect to (eg a hostname) then things are easier to look up than if you only know an IP address and are then given an ID, because then you need to somehow verify the ID-IP set. Otherwise, one node in a network can take over another node's IP address and present its own (valid!) credentials.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
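To make the procedure in Paul's reply concrete, here is an added Python example; it is not part of the original thread and is not code from any IKE implementation. A responder receives a peer's claimed ID, source IP and pubkey in-band, consults a pluggable out-of-band trust source (a constructed hard-coded table standing in for a DNS zone, CA or similar) for the pubkey expected for that ID and, optionally, the IP that ID is bound to, and only then lets the peer prove possession of the key. The key material is a toy RSA over tiny primes so the block runs on the standard library alone; the CPE names, addresses, nonce and trust table are all constructed. The last part of the demo reproduces the failure mode in the mail: CPE-B takes over CPE-A's address and presents its own valid credentials, which a key-only lookup accepts and an ID-to-IP binding rejects.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# ---- Toy RSA so the demo runs on the standard library alone ----
# Constructed for illustration only: the primes are tiny, so this is NOT secure.
PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def make_toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, PrivKey]:
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: PrivKey, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub: PubKey, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def fingerprint(pub: PubKey) -> str:
    """Stable identifier for a pubkey, the form a trust source would publish."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


# ---- Out-of-band trust source: ID -> expected pubkey (and optionally its IP) ----
@dataclass(frozen=True)
class TrustRecord:
    fingerprint: str
    ip: Optional[str] = None  # None: the source binds ID to key only, not to an address


# Any backend works (DNSSEC, a CA, a hard-coded table): the responder only needs a function.
LookupFn = Callable[[str], Optional[TrustRecord]]


@dataclass(frozen=True)
class PeerHello:
    """What the in-band exchange hands us: claimed ID, source address, presented pubkey."""
    peer_id: str
    src_ip: str
    pubkey: PubKey


def new_nonce() -> bytes:
    """Responder challenge for the in-band proof of possession."""
    return secrets.token_bytes(32)


def authenticate_peer(hello: PeerHello, lookup: LookupFn, nonce: bytes, sig: int) -> Tuple[bool, str]:
    rec = lookup(hello.peer_id)
    if rec is None:
        return False, "unknown ID"
    if fingerprint(hello.pubkey) != rec.fingerprint:
        return False, "presented pubkey is not the one trusted for this ID"
    if rec.ip is not None and rec.ip != hello.src_ip:
        return False, "ID is bound to a different IP"
    # Only now is the pubkey trusted; use it in-band: the peer must prove possession of the private key.
    if not verify(hello.pubkey, nonce + hello.peer_id.encode(), sig):
        return False, "peer could not prove possession of the private key"
    return True, "authenticated"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    pub_a, priv_a = make_toy_keypair(104723, 104729)  # constructed CPE-A key
    pub_b, priv_b = make_toy_keypair(7907, 7919)      # constructed CPE-B key
    # Constructed trust table standing in for a DNS zone / CA: ID -> key fingerprint + address.
    zone = {
        "cpe-a.example": TrustRecord(fingerprint(pub_a), "10.0.0.1"),
        "cpe-b.example": TrustRecord(fingerprint(pub_b), "10.0.0.2"),
    }
    key_only = {k: TrustRecord(v.fingerprint) for k, v in zone.items()}  # same keys, no IP binding
    nonce = b"constructed-nonce-0001"  # fixed here for reproducibility; use new_nonce() for real
    msg = lambda pid: nonce + pid.encode()
    results: Dict[str, Tuple[bool, str]] = {}

    # 1. Honest CPE-A from its own address with its own key.
    results["honest"] = authenticate_peer(
        PeerHello("cpe-a.example", "10.0.0.1", pub_a), zone.get, nonce, sign(priv_a, msg("cpe-a.example")))

    # 2. CPE-B has taken over 10.0.0.1 and presents its own, perfectly valid credentials.
    takeover = PeerHello("cpe-b.example", "10.0.0.1", pub_b)
    sig_b = sign(priv_b, msg("cpe-b.example"))
    results["takeover_key_only"] = authenticate_peer(takeover, key_only.get, nonce, sig_b)  # accepted
    results["takeover_id_ip"] = authenticate_peer(takeover, zone.get, nonce, sig_b)        # rejected

    # 3. Claims to be CPE-A with a key the trust source never published for that ID.
    results["wrong_key"] = authenticate_peer(
        PeerHello("cpe-a.example", "10.0.0.1", pub_b), zone.get, nonce, sig_b)

    # 4. Presents CPE-A's real pubkey but cannot sign with the matching private key.
    results["no_private_key"] = authenticate_peer(
        PeerHello("cpe-a.example", "10.0.0.1", pub_a), zone.get, nonce, sign(priv_b, msg("cpe-a.example")))
    return results
```

The `takeover_key_only` result is the point of the mail: with a lookup that only answers "which key belongs to this ID", the node that hijacked 10.0.0.1 is accepted because everything it presents is genuine. The responder has to know either the ID of the node it meant to reach or an authoritative ID-to-IP binding to catch that case.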