Hi, all,
Then why not consider the DHCP?
DHCP can support client authentication and can be used to configure the RS key
on the authenticated client.
Do you think this will help?
Zhiwei Yan
2015-04-14
Zhiwei Yan
发件人: Daniel Migault
发送时间: 2015-04-14 07:20:47
收件人: Paul Wouters
抄送: dns-privacy; Daniel Kahn Gillmor; Stephen Farrell
主题: Re: [dns-privacy] Considering IPsec
Hi Paul,
Thanks for the response. I am just initiating a new tread to avoid mixing
conversations.
On Mon, Apr 13, 2015 at 5:44 PM, Paul Wouters p...@nohats.ca wrote:
On Mon, 13 Apr 2015, Daniel Migault wrote:
Just for information, what are the technical reasons IPsec has not been
considered at all for providing DNS privacy.
People can already use an IPsec VPN and a remote DNS server without
anything new from IETF?
I do not see what prevents securing communications to IP_DNS or FQDN_DNS with
IPsec, either using transport or tunnel mode.
I think additionally, IPsec has a higher barrier to entrance because it
needs more priviledges to build a system host tunnel as compared to an
application encryption tunnel like (D)TLS.
This is partly true, especially if you use UDP encapsulation. If you do not use
UDP encapsulation, cannot it be possible to build your packet over a raw
socket. -- but that is right it may be still a bit more difficult. If you use
the IPsec kernel implementation, then the only disadvantage I would see is a
lake of interactions between the application and the SPD for alternatively a
secured and non-secured DNS.
Also, IPsec does not yet
allow the client to remain anonymous - although we're almost done that
part with draft-ietf-ipsecme-authnull. And you _can_ already use that
if you support IKE authnull to 193.110.157.123 (although it does not
yet support one-sided auth where the IKE client verifies the IKE server)
In addition there is also BTNS. RFC5386
Having an IPsec protected DNS connection is a very good and solid
solution. But an individual application cannot decide to use such
encrypted DNS. Using an application based (D)TLS would allow an
application to make encrypted DNS possible without requiring the system
core OS to have some support for that.
I see that as the higher barrier to entrance you mentioned earlier.
The use of IPsec could re-use existing extensions like NAT traversal,
compatibility with UDP/TCP, resilience to change of IP
addresses... and this without creating new extensions.
But you get those as well using (D)TLS ?
Yes of course, but the point is that you need both TLS and DTLS for the TCP/UDP
compatibility.
Paul
--
Daniel Migault
Ericsson
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
