On Tue, 20 Nov 2018, Michael Richardson wrote:
> Tero Kivinen <[email protected]> wrote:
> > Presentation format includes things like comments, newlines,
> > whitespace etc.
> > That is the reason I do not like to have presentation format inside
> > the binary wire formats like IKE. We do not need to do string parsing,
> > or regex processing in IKE library, but to properly parse presentation
> > format you need to do that.
> +1
> For all the reasons you cited.
Parsing wouldn't happen the way Tero envisions this.
IKE software would likely have something like an option that reads RRTYPEs, so
that a DNS/VPN administrator can do:
dig ds internal.example.com > /etc/ipsec.d/internal.example.com.ds
dig ns internal.example.com > /etc/ipsec.d/internal.example.com.ns
and put that in a cron job in case they do internal DNSSEC with key
rollovers,
with a config line in the IKE config that loads these entries:
conn example.com
modecfgdns=example.com
modecfgdns-ns=/etc/ipsec.d/internal.example.com.ns
modecfgdns-ds=/etc/ipsec.d/internal.example.com.ds
[...]
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
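As an added illustration of the split Paul describes (this is not code from the thread or from any IKE implementation), a small Python tool that does the presentation-format parsing outside the IKE daemon: it reads constructed `dig ds` output, strips comments and whitespace, and emits each DS record's RDATA in the fixed binary layout of RFC 4034, so the IKE side only ever handles wire format. The hostname, TTL and digest values are constructed sample data.

```python
import binascii
import struct

# Constructed sample of `dig ds internal.example.com` output (not real data):
# the answer sits among comments, blank lines and padding, and RFC 4034
# permits whitespace inside the hex digest, all of which an IKE daemon
# should never have to tolerate.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.11.5 <<>> ds internal.example.com
;; ANSWER SECTION:
internal.example.com.   3600   IN   DS   12345 8 2 49FD46E6C4B45C55D4AC69CBE34B5D1A 6A0E5B3C1F2E3D4C5B6A798807162534

;; Query time: 1 msec
"""

# Digest length each digest type must carry (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}


def parse_ds_presentation(text):
    """Return (owner, rdata) pairs for every DS record found in dig output.

    rdata is the RFC 4034 section 5.1 wire form: 2-byte key tag, 1-byte
    algorithm, 1-byte digest type, then the raw digest.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and padding
        fields = line.split()
        if "DS" not in fields:
            continue                            # header, blank line, other RRTYPE
        i = fields.index("DS")
        owner = fields[0]
        key_tag, alg, digest_type = (int(f) for f in fields[i + 1:i + 4])
        # Whitespace-separated hex groups are one digest; reject malformed hex.
        digest = binascii.unhexlify("".join(fields[i + 4:]))
        expected = DIGEST_LEN.get(digest_type)
        if expected is not None and len(digest) != expected:
            raise ValueError(
                f"{owner}: digest type {digest_type} needs {expected} bytes, "
                f"got {len(digest)}")
        rdata = struct.pack("!HBB", key_tag, alg, digest_type) + digest
        records.append((owner, rdata))
    return records


if __name__ == "__main__":
    for owner, rdata in parse_ds_presentation(SAMPLE_DIG_OUTPUT):
        print(owner, rdata.hex())
```

The IKE configuration then points at the resulting binary blob, and a malformed or truncated digest is caught by the administrator's tooling rather than by the daemon at negotiation time.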