On Tue, Jun 19, 2018 at 12:40:55PM -0400, Paul Wouters wrote:
> On Tue, 19 Jun 2018, Eric Rescorla wrote:
>
> > > Yes. You are the Enterprise customer. It's a feature.
> >
> > Not all enterprises who use VPNs want to run a MITM proxy.
>
> So only specify INTERNAL_DNS_DOMAIN with "internal.example.com"
> and all TA's outside that domain would not be accepted by the client.
What the I-D has to say is that the VPN client MUST support local policy for what domains it will accept TAs for from the SG. This is far simpler for the client than having to have local DNS configuration including TAs for split-DNS.

A perfectly valid configuration would have the SG MITM all external DNS too, thus sending the client only TAs for . [and possibly internal domains if the client only wants those, but then the client will not be able to use DNSSEC for external domains]. If the client doesn't want this, then it mustn't use that SG. In practice, for enterprises, the client gets no choice, and may even be built, configured, maintained, and provided by the enterprise.

This I-D would be useful if the enterprise provides and maintains the VPN client: it makes it easier to maintain clients by reducing the amount of configuration to update as keys are rotated or policy changed.

This is just a matter of Security Considerations wordsmithing.

Nico
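The local policy Paul and Nico describe (the client accepting pushed TAs only for domains it is configured to trust), as an added illustration that is not code from the thread or from the I-D. The function names, the (domain, DS text) tuple shape and the sample TAs are this example's own assumptions; matching is done label-wise so a look-alike name such as evilinternal.example.com is not mistaken for a subdomain of internal.example.com.

```python
# Added example: a VPN client's local policy for DNSSEC trust anchors (TAs)
# pushed by the security gateway (SG). Only TAs for domains at or below a
# locally configured allow-list are accepted; everything else is rejected.
# The record format and field names are assumptions, not the I-D's encoding.

def _labels(name):
    """Lowercase DNS labels for `name`; the root '.' yields an empty list."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []

def is_within(domain, scope):
    """True if `domain` equals `scope` or is a subdomain of it.

    Compares whole labels, so 'evilexample.com' is NOT within 'example.com'
    (a plain string-suffix check would wrongly accept it)."""
    d, s = _labels(domain), _labels(scope)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def filter_trust_anchors(pushed_tas, allowed_domains):
    """Split TAs received from the SG into (accepted, rejected) under local policy.

    pushed_tas: iterable of (domain, ds_record_text) pairs from the SG.
    allowed_domains: domains the client is locally configured to accept TAs for.
    A TA for the root ('.') is accepted only if '.' itself is on the allow-list."""
    accepted, rejected = [], []
    for domain, ds in pushed_tas:
        if any(is_within(domain, scope) for scope in allowed_domains):
            accepted.append((domain, ds))
        else:
            rejected.append((domain, ds))
    return accepted, rejected

# Constructed sample of what an SG might push (DS digests are placeholders).
SAMPLE_TAS = [
    ("internal.example.com", "11111 8 2 CONSTRUCTED-DIGEST-1"),
    ("hr.internal.example.com", "22222 8 2 CONSTRUCTED-DIGEST-2"),
    ("evilinternal.example.com", "33333 8 2 CONSTRUCTED-DIGEST-3"),
    (".", "44444 8 2 CONSTRUCTED-DIGEST-4"),  # root TA: needs '.' allowed
]

if __name__ == "__main__":
    ok, bad = filter_trust_anchors(SAMPLE_TAS, ["internal.example.com"])
    print("accepted:", [d for d, _ in ok])
    print("rejected:", [d for d, _ in bad])
```

With only internal.example.com allowed, the root TA is rejected, which is the trade-off Nico notes: such a client cannot use DNSSEC for external domains through that SG.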
