On Tue, Jun 19, 2018 at 9:38 PM, Paul Wouters <[email protected]> wrote:
> On Tue, 19 Jun 2018, Eric Rescorla wrote:
>
>> I'm asking if a common scenario will be that users of enterprise
>> VPNs who implement this feature will end up in a situation where the
>> VPN can impose TAs for any domain.
>
> I explained before that I think "for any domain" can be strictly limited
> on the client side, either by preconfiguration or by confirmation on the
> VPN client side.

Yes, that's technically true, but the question is whether it's in fact
practical for people to do that.

I'm sorry to repeat myself, but once again the document clearly states
that this can happen:

   In most deployment scenarios, the IKE client has an expectation that
   it is connecting, using a split-network setup, to a specific
   organisation or enterprise. A recommended policy would be to only
   accept INTERNAL_DNSSEC_TA directives from that organization's DNS
   names. However, this might not be possible in all deployment
   scenarios, such as one where the IKE server is handing out a number
   of domains that are not within one parent domain.

Is that text wrong? If not, I suspect we're just quibbling about "common".

-Ekr
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
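The policy the quoted draft text recommends (accept an INTERNAL_DNSSEC_TA only when the domain it covers lies under the organisation's own DNS names) and the two client-side limits Paul mentions (preconfiguration and per-domain confirmation) can both be expressed as a small check on the received attributes. The following is an added illustration written for this page; it is not code from the draft, from either poster, or from any IKE implementation. It assumes the attributes have already been decoded from the IKEv2 CP payload into ("INTERNAL_DNS_DOMAIN", name) and ("INTERNAL_DNSSEC_TA", value) tuples, that a trust anchor applies to the most recently received INTERNAL_DNS_DOMAIN, and that the TA value carries a DS-style key tag, algorithm, digest type and digest; the attribute list, the organisation name "example.com" and the `confirm` callback are constructed for the example.

```python
"""Client-side acceptance policy for split-DNS DNSSEC trust anchors.

Added example, not part of the mailing-list thread. Assumptions:
  * attributes arrive as ("INTERNAL_DNS_DOMAIN", name) or
    ("INTERNAL_DNSSEC_TA", value) tuples, already decoded from the CP payload;
  * a trust anchor applies to the most recent INTERNAL_DNS_DOMAIN before it;
  * the TA value is key tag (2 bytes), algorithm (1), digest type (1), digest.
"""
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class TrustAnchor:
    domain: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so "Corp.Example.COM." == "corp.example.com"."""
    return name.strip().rstrip(".").lower()


def in_zone(name: str, suffix: str) -> bool:
    """True if name is suffix itself or lies below it; label-aware, so
    "notexample.com" is NOT under "example.com"."""
    name, suffix = normalize(name), normalize(suffix)
    return name == suffix or name.endswith("." + suffix)


def parse_ta(value: bytes) -> Tuple[int, int, int, bytes]:
    if len(value) < 4:
        raise ValueError("INTERNAL_DNSSEC_TA value too short")
    key_tag, algorithm, digest_type = struct.unpack("!HBB", value[:4])
    return key_tag, algorithm, digest_type, value[4:]


def evaluate_split_dns(
    attributes: List[Tuple[str, object]],
    allowed_suffixes: List[str],
    confirm: Callable[[str], bool] = lambda domain: False,
):
    """Return (accepted, rejected).

    A TA is accepted if its domain is under a preconfigured organisation
    suffix, or, failing that, if the user explicitly confirms that domain.
    A TA for the root (".") is refused unconditionally: a VPN server must
    never be able to replace the client's root trust anchor.
    """
    accepted: List[TrustAnchor] = []
    rejected: List[Tuple[str, object]] = []
    current = None  # domain that the next TA attribute applies to
    for kind, value in attributes:
        if kind == "INTERNAL_DNS_DOMAIN":
            current = normalize(value)
            continue
        if kind != "INTERNAL_DNSSEC_TA":
            continue
        key_tag, algorithm, digest_type, digest = parse_ta(value)
        if current is None:
            rejected.append(("no preceding INTERNAL_DNS_DOMAIN", None))
            continue
        ta = TrustAnchor(current, key_tag, algorithm, digest_type, digest)
        if current == "":
            rejected.append(("root trust anchor refused", ta))
        elif any(in_zone(current, s) for s in allowed_suffixes):
            accepted.append(ta)
        elif confirm(current):
            accepted.append(ta)  # the "confirmation on the VPN client side" path
        else:
            rejected.append(("domain outside configured organisation", ta))
    return accepted, rejected


def make_ds(key_tag: int) -> bytes:
    """Constructed TA value: SHA-256 (digest type 2), RSASHA256 (alg 8), dummy digest."""
    return struct.pack("!HBB", key_tag, 8, 2) + bytes(32)


# Constructed attribute list: one orphan TA, two in-organisation domains, a
# look-alike suffix, an unrelated partner domain, and an attempt at the root.
SAMPLE_ATTRIBUTES = [
    ("INTERNAL_DNSSEC_TA", make_ds(1)),
    ("INTERNAL_DNS_DOMAIN", "example.com"),
    ("INTERNAL_DNSSEC_TA", make_ds(2)),
    ("INTERNAL_DNS_DOMAIN", "Corp.Example.COM."),
    ("INTERNAL_DNSSEC_TA", make_ds(3)),
    ("INTERNAL_DNS_DOMAIN", "notexample.com"),
    ("INTERNAL_DNSSEC_TA", make_ds(4)),
    ("INTERNAL_DNS_DOMAIN", "partner.net"),
    ("INTERNAL_DNSSEC_TA", make_ds(5)),
    ("INTERNAL_DNS_DOMAIN", "."),
    ("INTERNAL_DNSSEC_TA", make_ds(6)),
]

if __name__ == "__main__":
    acc, rej = evaluate_split_dns(SAMPLE_ATTRIBUTES, ["example.com"])
    for ta in acc:
        print("accept", ta.domain, "key tag", ta.key_tag)
    for reason, ta in rej:
        print("reject", ta.domain if ta else "-", reason)
```

With only "example.com" preconfigured, the TAs for example.com and corp.example.com are accepted, the ones for notexample.com and partner.net are rejected, the root TA is refused, and the orphan TA that arrived before any INTERNAL_DNS_DOMAIN is dropped. Passing a `confirm` callback that returns True for partner.net models the multi-domain deployment the draft text describes, where the server hands out names not under one parent domain and the client must fall back to asking the user.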
