{sorry to reiterate, and/or beat what might be a dead horse already}

Warren Kumari <war...@kumari.net> wrote:
> So, I'm still fairly uncomfortable - having a VPN provider able to
> override my DNSSEC configuration worries me, especially if things like
> TLSA / DNSSEC Chain Extension / similar are used.
> I was starting to come to terms with this, as I'd assumed that the
> common deployment scenario was "Install (as root / admin) this binary
> package containing a VPN client.", in which case a malicious VPN
> provider already has the ability to do, well, basically anything (and
> doesn't need this method to be malicious), but if this isn't the
> universal case, I'm concerned again...
It's more of the: "Install (as root / admin) this binary package containing an *IKEv2* VPN client." and this just does not apply to 90% of the non-Enterprise use cases, because they aren't using IKEv2 anyway.

The places where you should have a concern are:

1) iOS, Android phones, Linux/MacOS desktops, running the OS-provided IKEv2/IPsec client.

2) installing an opaque (to the end user) configuration blob.
   - configuration blob enables DNSSEC and INTERNAL_DNS configuration support

3) connecting to a non-Enterprise VPN supplier, or to an Enterprise that does not already own (p0wn) the device you are using (i.e. BYOD).

I omit Windows desktop VPN (even if it's IPsec), because in practice there is always a binary install of some kind, despite decades of trying to do otherwise. (This in itself should make the IESG sad)

Note if (2) is not true, that is, the end user is loading .p12 files, and setting up policies in some semi-manual fashion (IKEv2 lets us automate a great deal of the policy), then the dialog ought to have some way for a knowledgeable user to decline and/or whitelist the DNSSEC overrides.

A non-knowledgeable user is going to be loading a configuration blob. Potentially, there might be validation on the contents of that, and whatever DNSSEC whitelisting is going to occur.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
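The "validation on the contents" and "DNSSEC whitelisting" the message above calls for, written out as an added example. This is not code from the thread or from any IKEv2 client; it models the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA configuration attributes as already-decoded Python values (the IKEv2 wire format is not parsed here), and the three policy rules, the `SplitDnsConfig` type, the `filter_dnssec_overrides` function and all sample domains and trust-anchor strings are assumptions constructed for illustration.

```python
"""Local whitelist check for DNSSEC overrides pushed by an IKEv2 VPN server.

Added example (not from the thread or any IKEv2 implementation). The config
attributes are assumed to be already decoded into Python values; the policy
rules below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SplitDnsConfig:
    """Configuration pushed by the VPN server (assumed already decoded)."""
    internal_domains: list                      # INTERNAL_DNS_DOMAIN values
    trust_anchors: dict = field(default_factory=dict)  # domain -> INTERNAL_DNSSEC_TA text


def _normalize(name: str) -> str:
    """Lower-case, strip whitespace and the trailing dot; "." becomes ""."""
    return name.strip().rstrip(".").lower()


def _covered(domain: str, whitelist: list) -> bool:
    """True if `domain` equals a whitelist entry or is a subdomain of one."""
    d = _normalize(domain)
    for entry in whitelist:
        e = _normalize(entry)
        if d == e or d.endswith("." + e):
            return True
    return False


def filter_dnssec_overrides(cfg: SplitDnsConfig, whitelist: list):
    """Return (accepted, rejected).

    accepted: normalized domain -> trust anchor the client may install
    rejected: domain as received -> reason it was refused

    Assumed policy:
      1. a trust anchor for the root zone is never accepted from a VPN;
      2. a trust anchor must be for a domain that is also listed as an
         INTERNAL_DNS_DOMAIN in the same configuration;
      3. the domain must be covered by the local (user/admin) whitelist.
    """
    accepted, rejected = {}, {}
    internal = {_normalize(d) for d in cfg.internal_domains}
    for domain, anchor in cfg.trust_anchors.items():
        d = _normalize(domain)
        if d == "":
            rejected[domain] = "override of the root zone trust anchor is never accepted"
        elif d not in internal:
            rejected[domain] = "trust anchor not tied to an INTERNAL_DNS_DOMAIN"
        elif not _covered(d, whitelist):
            rejected[domain] = "domain not on the local DNSSEC override whitelist"
        else:
            accepted[d] = anchor
    return accepted, rejected


def demo():
    """Run the check over a constructed configuration blob."""
    # Constructed sample: what an opaque blob might ask the client to trust.
    cfg = SplitDnsConfig(
        internal_domains=["corp.example", "lab.corp.example", "example.com"],
        trust_anchors={
            "corp.example": "TA-corp (constructed)",      # internal, whitelisted
            "example.com": "TA-example-com (constructed)",  # internal, not whitelisted
            ".": "TA-root (constructed)",                 # root zone override
            "other.test": "TA-other (constructed)",       # no matching INTERNAL_DNS_DOMAIN
        },
    )
    # Whitelist the knowledgeable user or admin configured locally.
    whitelist = ["corp.example"]
    return filter_dnssec_overrides(cfg, whitelist)


if __name__ == "__main__":
    ok, bad = demo()
    for d, ta in ok.items():
        print(f"ACCEPT {d}: {ta}")
    for d, why in bad.items():
        print(f"REJECT {d!r}: {why}")
```

Suffix matching means whitelisting `corp.example` also admits a trust anchor for `lab.corp.example`, which is usually what an enterprise user wants; an anchor for `example.com` is refused even though the server listed it as an internal domain, because the decision rests with the local whitelist, not the blob.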
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec