On Tue, 19 Jun 2018, Eric Rescorla wrote:

The ID can say that, but as a practical matter, any enterprise that has
a reasonable number of internal domains is just going to tell people
to configure their client to accept any domain name.

Which is the equivalent of an enterprise that requires you to accept the
TLS middleware box and its additional webpki CAs. Except we made it more
restrained to prevent abuse.

      Sure, but it's not like clients will be choosing to connect to any VPN
      servers.  Generally the client must already have a trust anchor for the
      SG to begin with. 

Why? That trust anchor doesn't need to allow the creation of arbitrary
WebPKI certs.

It doesn't allow creation of _arbitrary_ webpki certs, only webpki certs
under mutually agreed domain names.

All that is needed is to be able to authenticate the VPN server itself.

This draft has nothing to do with authentication of the VPN server. That
is all done in IKE, possibly with certificates, but nothing related to
DNS whatsoever. This draft is about using a split-DNS setup where the
VPN client can keep using its own validating DNSSEC-capable recursive
server, while allowing a cryptographic exception for mutually agreed
enterprise domains while still supporting DNSSEC for those enterprise
domains to protect against inside attackers.

Paul
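The policy Paul describes (a client that keeps its own validating resolver and only carves out an exception for domains the enterprise and the client administratively agree on) can be expressed as a small client-side filter. The following is an added example written for this discussion; it is not code from the draft, from any IKE implementation, or from either poster. The payload shape (a list of requested domains plus per-domain DNSSEC trust anchors), the helper names and the sample domain names are all constructed assumptions.

```python
# Added example: client-side acceptance policy for split-DNS domains and
# DNSSEC trust anchors delivered over IKEv2. Names and payload layout are
# assumptions, not the draft's wire format.
from dataclasses import dataclass, field


@dataclass
class SplitDnsConfig:
    """Constructed stand-in for what the VPN server sends in its config reply."""
    domains: list                                   # requested split-DNS domains
    trust_anchors: dict = field(default_factory=dict)  # domain -> DS record (text)


@dataclass
class SplitDnsDecision:
    accepted: list = field(default_factory=list)        # domains sent to the VPN resolver
    trust_anchors: dict = field(default_factory=dict)   # anchors the client may install
    rejected: dict = field(default_factory=dict)        # requested name -> reason


def normalize(name):
    """Lower-case, strip whitespace and a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def is_within(name, parent):
    """True if name equals parent or is a subdomain of it (label-aligned, no suffix tricks)."""
    return name == parent or name.endswith("." + parent)


def select_split_dns(config, allowed):
    """Keep only requested domains inside the administratively agreed list.

    'allowed' is the list the client operator configured ahead of time (the
    'mutually agreed' domains). An empty list accepts nothing: there is no
    "accept any domain" mode, which is the restraint being discussed.
    Trust anchors are installed only for domains that were themselves accepted,
    so a server cannot push a DNSSEC anchor for a domain it may not serve.
    """
    allowed = [normalize(a) for a in allowed if normalize(a)]
    decision = SplitDnsDecision()

    for raw in config.domains:
        name = normalize(raw)
        if not name:
            decision.rejected[raw] = "root domain: would divert all DNS traffic"
            continue
        if "." not in name:
            decision.rejected[raw] = "single label (top-level domain): too broad"
            continue
        if not any(is_within(name, a) for a in allowed):
            decision.rejected[raw] = "not in the administratively agreed list"
            continue
        decision.accepted.append(name)

    for raw_dom, ds_record in config.trust_anchors.items():
        dom = normalize(raw_dom)
        if dom in decision.accepted:
            decision.trust_anchors[dom] = ds_record
        else:
            decision.rejected.setdefault(raw_dom, "trust anchor for a domain that was not accepted")

    return decision


def demo():
    """Constructed sample: a server over-reaches with example.com, 'com' and the root."""
    cfg = SplitDnsConfig(
        domains=["corp.example", "hr.corp.example.", "example.com", "com", ""],
        trust_anchors={
            "corp.example": "corp.example. IN DS 12345 13 2 <constructed-digest>",
            "example.com": "example.com. IN DS 54321 13 2 <constructed-digest>",
        },
    )
    return select_split_dns(cfg, allowed=["corp.example", "eng.example.com"])


if __name__ == "__main__":
    d = demo()
    print("accepted:", d.accepted)
    print("trust anchors:", list(d.trust_anchors))
    for name, why in d.rejected.items():
        print(f"rejected {name!r}: {why}")
```

The subdomain test is label-aligned ("hr.corp.example" matches "corp.example", but "notcorp.example" does not), and a trust anchor is only ever tied to a domain the same policy already accepted; everything else keeps flowing to the client's own validating resolver.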

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
