> On Jun 19, 2018, at 18:46, Nico Williams <n...@cryptonector.com> wrote:
>
> Because my VPN clients don't connect promiscuously. I can't say no
> promiscuous VPN clients exist, but I imagine that none do. And any
> promiscuous VPN clients get what they deserve.

Opportunistic IPsec exists and is “promiscuous”. And the draft opens the Security Considerations section with:

   The use of Split DNS configurations assigned by an IKEv2 responder
   is predicated on the trust established during IKE SA authentication.
   However, if IKEv2 is being negotiated with an anonymous or unknown
   endpoint (such as for Opportunistic Security [RFC7435]), the
   initiator MUST ignore Split DNS configurations assigned by the
   responder.

Paul
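
An added example, not part of the message above or of the draft: a sketch of how an initiator could apply the quoted MUST when processing the attributes of a CFG_REPLY. The function names, the `peer_authenticated` flag (decided by the caller, for example false when the peer used NULL authentication) and the sample bytes are assumptions; the attribute type numbers are those of RFC 7296 and of RFC 8598, the published form of the draft.

```python
import struct

# Configuration Attribute types. INTERNAL_IP4_DNS is from RFC 7296; the two
# Split DNS types are the values assigned in RFC 8598.
INTERNAL_IP4_DNS = 3
INTERNAL_DNS_DOMAIN = 25
INTERNAL_DNSSEC_TA = 26
SPLIT_DNS_TYPES = {INTERNAL_DNS_DOMAIN, INTERNAL_DNSSEC_TA}


def parse_cfg_attributes(data):
    """Parse IKEv2 Configuration Attributes: R(1 bit)|type(15), length(16), value."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if length > len(data) - off:
            raise ValueError("attribute length exceeds payload")
        attrs.append((raw_type & 0x7FFF, data[off:off + length]))  # drop reserved bit
        off += length
    return attrs


def accept_cfg_reply(data, peer_authenticated):
    """Split attributes into (accepted, ignored).

    Split DNS attributes are ignored unless the IKE SA was established with
    an authenticated peer; all other attributes pass through unchanged.
    """
    accepted, ignored = [], []
    for atype, value in parse_cfg_attributes(data):
        if atype in SPLIT_DNS_TYPES and not peer_authenticated:
            ignored.append((atype, value))  # worth logging: peer tried to set Split DNS
        else:
            accepted.append((atype, value))
    return accepted, ignored


def attr(atype, value):
    """Encode one attribute (helper used only to build the sample below)."""
    return struct.pack("!HH", atype, len(value)) + value


# Constructed sample: one DNS server address and one Split DNS domain.
SAMPLE = (attr(INTERNAL_IP4_DNS, bytes([192, 0, 2, 53]))
          + attr(INTERNAL_DNS_DOMAIN, b"corp.example"))
```
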