Good Evening Paul
Using the book on Openswan (your book, which I found very interesting), it
requires the manual configuration of the DNS records, which is something
that I wanted to make available for deployment on a mass scale. I
specifically targeted IPv6 only so that NAT would not be an issue, given
the size of the IPv6 address space. Internally, if an organisation wanted
to secure internal communication, then the IPv6 hosts could be configured
to automatically populate their public IPsec information into DNS via
DHCP so all internal communication could use IPsec tunnel mode as a
point-to-point connection.
IPsec transport mode could be used internally, but I would expect this to be
more typically used within a DMZ, allowing external clients to make an
IPsec connection to a public IPv6 host.
Kind Regards
Russell
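Worked example of the DNS side of what both messages above describe: a host publishing its public IPsec information into DNS (Russell's mass-deployment idea) and the DNS-record mode of libreswan's opportunistic IPsec that Paul points to. This is added example code, not from the thread and not libreswan's own code. It builds and parses the IPSECKEY record of RFC 4025, which is the record type that carries a host's IPsec public key (and optional gateway) in DNS. The address 2001:db8::1, the name gw.example and the key bytes are constructed placeholders.

```python
"""IPSECKEY (RFC 4025) record builder/parser.

Added example, not code from the thread or from libreswan. An IPv6 host that
wants opportunistic IPsec peers to find its key publishes one of these under
its ip6.arpa reverse name. Addresses, names and key bytes are constructed.
"""
import base64
import ipaddress
import struct

# Gateway types and algorithm numbers from RFC 4025 (ECDSA added by RFC 8005).
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA, ALG_ECDSA = 0, 1, 2, 3

# Constructed placeholder, not a real key. For ALG_RSA the real blob is the
# RFC 3110 encoding (exponent length, exponent, modulus).
EXAMPLE_PUBKEY = bytes(range(1, 33))


def _encode_name(name: str) -> bytes:
    """Uncompressed wire-format DNS name (RFC 1035 labels, root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_name(buf: bytes, off: int):
    """Decode a wire-format name at buf[off]; return (fqdn, new offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated gateway name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        # RFC 4025: the gateway name MUST NOT use compression, so n < 64 always.
        if n >= 64 or off + n > len(buf):
            raise ValueError("bad label length in gateway name")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_ipseckey(precedence, gw_type, algorithm, gateway, pubkey) -> bytes:
    """Return IPSECKEY RDATA in wire format (precedence: lower is preferred)."""
    if gw_type == GW_NONE:
        gw = b""
    elif gw_type == GW_IPV4:
        gw = ipaddress.IPv4Address(gateway).packed
    elif gw_type == GW_IPV6:
        gw = ipaddress.IPv6Address(gateway).packed
    elif gw_type == GW_NAME:
        gw = _encode_name(gateway)
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    if algorithm == ALG_NONE and pubkey:
        raise ValueError("algorithm 0 means no public key")
    return struct.pack("!BBB", precedence, gw_type, algorithm) + gw + bytes(pubkey)


def parse_ipseckey(rdata: bytes) -> dict:
    """Parse wire-format RDATA; raises ValueError on truncation or bad fields."""
    if len(rdata) < 3:
        raise ValueError("truncated IPSECKEY RDATA")
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    off = 3
    if gw_type == GW_NONE:
        gateway = None
    elif gw_type in (GW_IPV4, GW_IPV6):
        size = 4 if gw_type == GW_IPV4 else 16
        if len(rdata) < off + size:
            raise ValueError("truncated gateway address")
        gateway = str(ipaddress.ip_address(rdata[off:off + size]))
        off += size
    elif gw_type == GW_NAME:
        gateway, off = _decode_name(rdata, off)
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    pubkey = rdata[off:]
    if algorithm == ALG_NONE and pubkey:
        raise ValueError("algorithm 0 but public key present")
    return {"precedence": precedence, "gateway_type": gw_type,
            "algorithm": algorithm, "gateway": gateway, "public_key": pubkey}


def is_valid(rdata: bytes) -> bool:
    """True if rdata parses as a well-formed IPSECKEY record."""
    try:
        parse_ipseckey(rdata)
        return True
    except ValueError:
        return False


def to_presentation(rdata: bytes) -> str:
    """RFC 4025 section 3 text form: 'prec gwtype alg gateway base64key'."""
    r = parse_ipseckey(rdata)
    gw = "." if r["gateway"] is None else r["gateway"]
    key = base64.b64encode(r["public_key"]).decode("ascii")
    return ("%d %d %d %s %s" % (r["precedence"], r["gateway_type"],
                                r["algorithm"], gw, key)).rstrip()


def example_record() -> str:
    """What 2001:db8::1 would publish at its ip6.arpa name: it is its own gateway."""
    rdata = build_ipseckey(10, GW_IPV6, ALG_RSA, "2001:db8::1", EXAMPLE_PUBKEY)
    return to_presentation(rdata)


if __name__ == "__main__":
    print(example_record())
```

The string returned by example_record() is what goes in the zone file after the owner name, TTL, class and the literal type name IPSECKEY. A practitioner's caveat: an unsigned IPSECKEY answer only gives a peer a key that anyone on the resolution path could have substituted, so it buys opportunistic (passive-attacker) protection only; it is DNSSEC validation of the reverse zone that turns the record into something a peer can treat as authentication.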
On 2025-06-11 18:54, Paul Wouters wrote:
On Jun 11, 2025, at 13:15, Deb Cooley <debcool...@gmail.com> wrote:
The objective is to automate the process of establishing IPSec
Transport or Tunnel Mode.
See the libreswan “opportunistic IPsec” feature. There should be
various recordings and slide decks available on libreswan.org/wiki and
you can see the “newoe” test cases on testing.libreswan.org. This all
works with the existing IPsec and IKEv2 protocols.
Stateful DHCPv6
The IPv6 host performs a DHCPv6 SOLICIT and includes the
IPSECTM option, into which the IPSec Flag, IPSec Mode Flag, IPSec
Public Key and IPSec Domain are encoded.
The Opportunistic Encryption model can use DNS records, certificates
or even null authentication. I don’t think hooking security into DHCP
would work better. This all works within an administrative domain (or,
when using DNS, for anyone who wants to).
The IPsecME WG tried to get a standard out for more automatic VPN
establishment between nodes of different orgs, but the WG failed to
reach consensus on the vendors’ proposals and the vendors were not able
to come up with a unified approach. One of these was Cisco’s
autovpn feature.
The biggest problem, of course, with all of these is NATs. Libreswan /
Linux supports an “inside IPsec kernel NAT” feature; see the newoe
“cat” test cases.
Paul
_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org