Re: [IPsec] Review of draft-pauly-ipsecme-split-dns-02

2017-03-23 Thread Paul Wouters
On Thu, 23 Mar 2017, Tero Kivinen wrote: then someone manages to tear down the VPN connection, and suddenly all these mappings go away, the next time your mail client tries to fetch email, it does a mail.example.com lookup using external DNS servers, and will get IP-address of 1.1.1.1 from

Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)

2017-03-23 Thread Hu, Jun (Nokia - US/Mountain View)
A very real use case is OSPFv3 authentication (RFC 4552); all major router vendors supporting OSPFv3 implement that, and it is deployed around the world. Plus I don't see any realistic alternative for the use case > -Original Message- > From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of >

Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)

2017-03-23 Thread Paul.Koning
> On Mar 23, 2017, at 5:37 AM, Tero Kivinen wrote: > > Paul Wouters writes: >>> -3: I wonder why "... is not to be used..." is not "... MUST NOT be >>> used...". But the section goes on to say if you do it anyway, you MUST >>> NOT use certain cryptosuites. So, does "... is not

Re: [IPsec] Ben Campbell's Yes on draft-ietf-ipsecme-rfc7321bis-05: (with COMMENT)

2017-03-23 Thread Tero Kivinen
Paul Wouters writes: > > -3: I wonder why "... is not to be used..." is not "... MUST NOT be > > used...". But the section goes on to say if you do it anyway, you MUST > > NOT use certain cryptosuites. So, does "... is not to be used..." mean > > "SHOULD NOT"? Or is this one of those "MUST NOT BUT

Re: [IPsec] Review of draft-pauly-ipsecme-split-dns-02

2017-03-23 Thread Tero Kivinen
Paul Wouters writes: > > When an IPsec connection is terminated, the DNS forwarding must be > > unconfigured. The DNS forwarding itself MUST be deleted. All > > cached data of the INTERNAL_DNS_DOMAIN provided DNS domains MUST be > > flushed. This includes negative cache entries.
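The teardown rule quoted above (delete the per-domain forwarding, flush all cached answers for the INTERNAL_DNS_DOMAIN domains, negative entries included) can be modelled with a small client-side resolver. The following is an added example written for this page, not code from the draft, from any of the posters or from any IKE implementation. The server names, the zone contents, the 300 s positive and 60 s negative TTLs and the "example.com" internal domain are all constructed; addresses come from the documentation ranges. The scenario runs the teardown twice, once flushing the cache as the draft text requires and once not, so the stale positive answer and the stale NXDOMAIN that survive a non-flushing teardown are visible side by side.

```python
# Added example (not from the draft or the thread): toy split-DNS client
# resolver modelling forwarding setup, caching and the teardown flush rule.
from dataclasses import dataclass

NEGATIVE_TTL = 60.0  # constructed: how long a "no such name" answer is kept


@dataclass
class CacheEntry:
    addresses: tuple  # empty tuple == negative (NXDOMAIN) entry
    expires: float    # absolute time the entry stops being valid
    via: str          # which server produced the answer


class SplitDnsResolver:
    """Client resolver with per-domain forwarding, as an INTERNAL_DNS_DOMAIN
    configuration would install it (constructed model, not a real stub)."""

    def __init__(self, servers, external):
        # servers: server name -> {qname: tuple of addresses}; a qname missing
        # from a server's table is answered as NXDOMAIN by that server.
        self.servers = servers
        self.external = external
        self.forwarding = {}  # domain suffix -> internal server name
        self.cache = {}       # qname -> CacheEntry

    def vpn_up(self, internal_domains, internal_server):
        # Install one forwarding rule per INTERNAL_DNS_DOMAIN attribute.
        for d in internal_domains:
            self.forwarding[d.lower().rstrip(".")] = internal_server

    def _in_domains(self, qname, domains):
        return any(qname == d or qname.endswith("." + d) for d in domains)

    def _server_for(self, qname):
        # Longest matching suffix wins; no match means the external server.
        best = None
        for d in self.forwarding:
            if self._in_domains(qname, [d]) and (best is None or len(d) > len(best)):
                best = d
        return self.forwarding[best] if best is not None else self.external

    def resolve(self, qname, now, ttl=300.0):
        """Return (addresses, server, from_cache). Caches both positive
        answers and NXDOMAIN (as an empty tuple with NEGATIVE_TTL)."""
        qname = qname.lower().rstrip(".")
        entry = self.cache.get(qname)
        if entry is not None and entry.expires > now:
            return entry.addresses, entry.via, True
        server = self._server_for(qname)
        answer = tuple(self.servers[server].get(qname, ()))
        life = ttl if answer else NEGATIVE_TTL
        self.cache[qname] = CacheEntry(answer, now + life, server)
        return answer, server, False

    def vpn_down(self, flush=True):
        """Teardown: delete the forwarding rules and, when flush is set, drop
        every cached entry under the internal domains, negative ones too."""
        domains = list(self.forwarding)
        self.forwarding.clear()
        if flush:
            for q in list(self.cache):
                if self._in_domains(q, domains):
                    del self.cache[q]
        return domains


def run_scenario(flush_on_teardown):
    """Constructed scenario: resolve two names while the VPN is up, tear it
    down with or without the flush, then resolve the same names again."""
    servers = {
        # Internal view: private address for mail, no partner.example.com.
        "internal": {"mail.example.com": ("10.0.0.25",),
                     "intranet.example.com": ("10.0.0.3",)},
        # Public view: public address for mail; partner.example.com exists
        # only in public DNS, so the internal server answers NXDOMAIN for it.
        "external": {"mail.example.com": ("203.0.113.10",),
                     "partner.example.com": ("198.51.100.7",)},
    }
    r = SplitDnsResolver(servers, external="external")
    r.vpn_up(["example.com"], "internal")
    t = 1000.0
    up_mail, _, _ = r.resolve("mail.example.com", t)
    up_partner, _, _ = r.resolve("partner.example.com", t)  # negative entry
    r.vpn_down(flush=flush_on_teardown)
    down_mail, mail_via, mail_cached = r.resolve("mail.example.com", t + 1)
    down_partner, partner_via, partner_cached = r.resolve("partner.example.com", t + 1)
    return {
        "up_mail": up_mail, "up_partner": up_partner,
        "down_mail": down_mail, "mail_via": mail_via, "mail_cached": mail_cached,
        "down_partner": down_partner, "partner_via": partner_via,
        "partner_cached": partner_cached,
    }


if __name__ == "__main__":
    for flush in (True, False):
        print("flush on teardown:", flush, run_scenario(flush))
```

With the flush, the post-teardown lookups go to the external server and return the public answers; without it, the mail client keeps the unreachable 10.0.0.25 for the remaining positive TTL and partner.example.com stays NXDOMAIN for the negative TTL, which is why the draft text calls out negative cache entries explicitly.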