Re: [dane] [IPsec] Bootstrapping IPSec from DNSSSEC/DANE
Paul Wouters <paul@cypherpunks.ca> Sun, 22 September 2013 01:53 UTC
Return-Path: <paul@cypherpunks.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91B9911E81F5; Sat, 21 Sep 2013 18:53:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0v7k7LXiclHW; Sat, 21 Sep 2013 18:53:49 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id A148E11E81F2; Sat, 21 Sep 2013 18:53:49 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3cjBXV16vtz3pK; Sat, 21 Sep 2013 21:53:46 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id ufzpAEttT5VP; Sat, 21 Sep 2013 21:53:45 -0400 (EDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by mx.nohats.ca (Postfix) with ESMTP; Sat, 21 Sep 2013 21:53:45 -0400 (EDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id E881C8009E; Sat, 21 Sep 2013 21:53:45 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id DFA8580018; Sat, 21 Sep 2013 21:53:45 -0400 (EDT)
Date: Sat, 21 Sep 2013 21:53:45 -0400
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Yoav Nir <ynir@checkpoint.com>
In-Reply-To: <39C9757C-9E0B-4606-AB6F-5143E913EF95@checkpoint.com>
Message-ID: <alpine.LFD.2.10.1309212149530.23494@bofh.nohats.ca>
References: <22017290.30831379763068147.JavaMail.www@wwinf3706> <39C9757C-9E0B-4606-AB6F-5143E913EF95@checkpoint.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>, "<david.lloyd@fsmail.net>" <david.lloyd@fsmail.net>, "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] [IPsec] Bootstrapping IPSec from DNSSSEC/DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Sep 2013 01:53:55 -0000
On Sat, 21 Sep 2013, Yoav Nir wrote: > I believe this would require a separate document. But I'm not sure that tying it to an IP address is appropriate. IKE implementations work from behind NAT devices and sometimes move around (see MOBIKE), so I think it would be more appropriate to tie the record to any type of ID payload that we have in IKE: IP address and FQDN at least, maybe also KEYID and RFC822 address. > > You might need to profile the IKE IDs used for this. > On Sep 21, 2013, at 2:31 PM, david.lloyd@fsmail.net wrote: >> I am interested in using a variant of DANE to bootstrap my IPSec IKE root certificate trust. Is anyone aware of any work been done in this area? >> >> From my understanding, it looks as though the is no technical issue with using reverse DNS lookup for the IPSec target machine with DNSSec (although this may be a little unreliable on the "real-world" internet), so returning standard DANE entries for the IPSec certificate. Then I would simply use these as part of the standard IPSec certificate validation algorithm. >> >> Looking at similar proposed applications of DANE, such as the draft-ietf-dane-srv, mostly this involves defining an appropriate protocol query name (for example _ipsec.123.123.123.123.in-addr.arpa). >> >> Is this something that would fit into an existing document either from the IKE side or the DANE side? Or would it be worth me creating an more extensive proposal? We (freeswan) tried to use the reverse and failed. It's even worse now with IPv6. If you think of clients running a DNSSEC validating resolver themselves, than having a module in the DNS server that looks up IPSECKEY records in the forward, signed by DNSSEC, and then instructs the IKE daemon to setup a tunnel would require no new standards document. Just ensure you ignore the "gateway" property as it is not secure without the coupling to the reverse tree. Paul
- [dane] Bootstrapping IPSec from DNSSSEC/DANE david.lloyd
- Re: [dane] Bootstrapping IPSec from DNSSSEC/DANE Yoav Nir
- Re: [dane] Bootstrapping IPSec from DNSSSEC/DANE James Cloos
- Re: [dane] [IPsec] Bootstrapping IPSec from DNSSS… Paul Wouters
- [dane] Bootstrapping IPSec from DNSSSEC/DANE david.lloyd
- Re: [dane] [IPsec] Bootstrapping IPSec from DNSSS… Paul Wouters
- Re: [dane] Bootstrapping IPSec from DNSSSEC/DANE Alex Maurin