[dane] Bootstrapping IPSec from DNSSEC/DANE

david.lloyd@fsmail.net Sun, 29 September 2013 20:23 UTC

Date: Sun, 29 Sep 2013 22:23:08 +0200
From: david.lloyd@fsmail.net
To: ipsec@ietf.org, dane@ietf.org
Message-ID: <7039763.53681380486188849.JavaMail.www@wwinf3715>
Subject: [dane] Bootstrapping IPSec from DNSSEC/DANE

Hi,

Thanks for the various responses.  I have also been asked for a little clarification on what I am trying to achieve, so I'll give a quick overview.

There's not much to it...  Basically, we have three independent groups who have certificate-based IPSec (on IPv6), and now they'd like occasionally to connect to each other.  The obvious solution is to cross-sign certificates, but we have also recently implemented DNSSEC, so I was wondering if there was a better/another way.  Or maybe: I have a shiny new hammer called DNSSEC, and a lot of things are starting to look like nails.

In terms of getting IPSec based off DNSSEC, the two RFCs 4025 and 4322 actually do pretty much what I want (plus or minus that it'll look very different to the way I am configuring TLS DANE).  I am going to see if I can get those to work.


For the other things that were talked about:

Mobile devices and NATs - It is true that reverse lookup is inappropriate for these scenarios, but ultimately this is just a rejig of the problem that the incoming IP address is not particularly useful in these scenarios.  If a server wishes to verify such connecting clients, it'll have to choose something else as an identifier (and thus it falls back into the traditional CA/Kerberos setup).

Reverse DNS being poorly supported by ISPs - To be honest, this is less of a problem for me as I only have an internal deployment, so I can do what I like (in-addr.arpa is ultimately just a convention; anyone could run a reverse DNS system that actually works properly).  Most of my IP addresses are not routable from the public internet anyway.  It did lead me to the somewhat more philosophical question of what it means to "own" an IP address if I can't associate my public keys with a secure central registry...


So I think that the answer is that I can do this with existing technology, with some basic restrictions in that I'll need to be running my own reverse DNS lookup for my deployment - which seems entirely sensible as I want to have control over which IP addresses "exist" in my environment.

Thanks!

DDD
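The reverse-DNS IPSECKEY lookup the post refers to (RFC 4025), as an added example that is not part of the original message or of either RFC: it builds the reverse owner name for a peer address, parses IPSECKEY RDATA from the wire format, and refuses any RRset the resolver did not DNSSEC-validate. The sample record bytes and the `dnssec_validated` flag are constructed assumptions standing in for a real validating-resolver answer.

```python
"""IPSECKEY (RFC 4025) bootstrap helper. Added example; sample data is constructed."""
from __future__ import annotations
import ipaddress

# RFC 4025 gateway type codes
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3


def reverse_name(addr: str) -> str:
    """Owner name where RFC 4025 places a host's IPSECKEY: the reverse name of its address."""
    return ipaddress.ip_address(addr).reverse_pointer


def _decode_name(data: bytes, pos: int) -> tuple:
    """Decode an uncompressed wire-format domain name (compression is forbidden in IPSECKEY)."""
    labels = []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", pos
        if length > 63:
            raise ValueError("compression pointer not allowed in IPSECKEY gateway name")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length


def parse_ipseckey(rdata: bytes) -> dict:
    """Split IPSECKEY RDATA into precedence, gateway type, algorithm, gateway, public key."""
    if len(rdata) < 3:
        raise ValueError("IPSECKEY RDATA too short")
    precedence, gw_type, algorithm = rdata[0], rdata[1], rdata[2]
    pos = 3
    if gw_type == GW_NONE:
        gateway = None
    elif gw_type == GW_IPV4:
        gateway, pos = str(ipaddress.IPv4Address(rdata[pos:pos + 4])), pos + 4
    elif gw_type == GW_IPV6:
        gateway, pos = str(ipaddress.IPv6Address(rdata[pos:pos + 16])), pos + 16
    elif gw_type == GW_NAME:
        gateway, pos = _decode_name(rdata, pos)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    return {"precedence": precedence, "gateway_type": gw_type, "algorithm": algorithm,
            "gateway": gateway, "public_key": rdata[pos:]}


def choose_peer_key(records: list, dnssec_validated: bool) -> dict:
    """Lowest precedence wins (RFC 4025). An RRset without the resolver's AD flag proves
    nothing about the peer, so it is rejected rather than used as a fallback."""
    if not dnssec_validated:
        raise ValueError("IPSECKEY RRset was not DNSSEC-validated; refusing to bootstrap")
    return min((parse_ipseckey(r) for r in records), key=lambda rec: rec["precedence"])
```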