[IPsec] Re: [rt5.ietf.org #42992] IPSECTM DNS record with DHCPv6
Paul Wouters <paul@nohats.ca> Wed, 11 June 2025 17:54 UTC
To: Deb Cooley <debcooley1@gmail.com>
CC: russell.aspinwall@bcs.org.uk, raspinwall@willows7.myzen.co.uk, ipsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/GBeboVDuXQRyAe50HrYx3LHv9eU>
On Jun 11, 2025, at 13:15, Deb Cooley <debcooley1@gmail.com> wrote:
>
>> The objective is to automate the process of establishing IPSec Transport or Tunnel Mode.

See the libreswan “opportunistic IPsec” feature. There should be various recordings and slide decks available on libreswan.org/wiki and you can see the “newoe” test cases on testing.libreswan.org. This all works with the existing IPsec and IKEv2 protocols.

>> Stateful DHCPv6
>>
>> The IPv6 Host performs a DHCPv6 SOLICIT and includes the IPSECTM option, into which the IPSec Flag, IPSec Mode Flag, IPSec Public Key and IPSec Domain are encoded.

The Opportunistic Encryption model can use DNS records, certificates or even null authentication. I don’t think hooking security into DHCP would work better. This all works within an administrative domain (or, when using DNS, for anyone who wants to).

The IPsecME WG tried to get a standard out for more automatic VPN establishment between nodes of different orgs, but the WG failed to reach consensus on the vendors’ proposals and the vendors were not able to come up with a unified approach. One of these was Cisco’s autovpn feature.

The biggest problem of course with all of these is NATs. Libreswan / Linux supports an “inside ipsec kernel NAT” feature, see the newoe “cat” test cases.

Paul
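The DNS-based variant of opportunistic IPsec that Paul points to publishes the peer's public key and gateway in DNS, and the responder has to decode that record, reject malformed ones and pick which gateway to try first. As an added illustration (example code written for this page, not libreswan's own code and not part of the thread), the Python below decodes, sanity-checks and ranks IPSECKEY records (RFC 4025, with the ECDSA algorithm value from RFC 8005). The message does not name the record type; IPSECKEY is an assumption here. All record bytes are constructed sample data, and `build_ipseckey`, `parse_ipseckey`, `is_malformed` and `choose_gateway` are this example's own names.

```python
"""Decode, validate and rank DNS IPSECKEY RDATA (RFC 4025).

Added example, not libreswan code; assumes the "DNS records" in the thread
are IPSECKEY records. Sample records are constructed in the test below.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Gateway type values, RFC 4025 section 2.3
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
# Algorithm values: 0-2 from RFC 4025, 3 (ECDSA) from RFC 8005
ALG_NONE, ALG_DSA, ALG_RSA, ALG_ECDSA = 0, 1, 2, 3


@dataclass
class IpsecKey:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: Optional[str]  # None when gateway_type == GW_NONE
    public_key: bytes       # raw key material; empty when algorithm == ALG_NONE


def _encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (RFC 4025 forbids compression)."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Read an uncompressed name; every length byte is bounds-checked."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated gateway name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not permitted in IPSECKEY")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_ipseckey(precedence: int, gateway_type: int, algorithm: int,
                   gateway: Optional[str], public_key: bytes) -> bytes:
    """Encode RDATA; used here to construct sample records."""
    head = struct.pack("!BBB", precedence, gateway_type, algorithm)
    if gateway_type == GW_NONE:
        gw = b""
    elif gateway_type == GW_IPV4:
        gw = ipaddress.IPv4Address(gateway).packed
    elif gateway_type == GW_IPV6:
        gw = ipaddress.IPv6Address(gateway).packed
    elif gateway_type == GW_NAME:
        gw = _encode_name(gateway)
    else:
        raise ValueError("unknown gateway type")
    return head + gw + public_key


def parse_ipseckey(rdata: bytes) -> IpsecKey:
    """Parse RDATA, rejecting truncated or internally inconsistent records."""
    if len(rdata) < 3:
        raise ValueError("RDATA shorter than fixed header")
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    off = 3
    if gw_type == GW_NONE:
        gateway = None
    elif gw_type == GW_IPV4:
        if len(rdata) < off + 4:
            raise ValueError("truncated IPv4 gateway")
        gateway = str(ipaddress.IPv4Address(rdata[off:off + 4]))
        off += 4
    elif gw_type == GW_IPV6:
        if len(rdata) < off + 16:
            raise ValueError("truncated IPv6 gateway")
        gateway = str(ipaddress.IPv6Address(rdata[off:off + 16]))
        off += 16
    elif gw_type == GW_NAME:
        gateway, off = _decode_name(rdata, off)
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    public_key = rdata[off:]
    if algorithm > ALG_ECDSA:
        raise ValueError("unknown algorithm %d" % algorithm)
    if (algorithm == ALG_NONE) == bool(public_key):
        raise ValueError("algorithm and key material disagree")
    return IpsecKey(precedence, gw_type, algorithm, gateway, public_key)


def is_malformed(rdata: bytes) -> bool:
    try:
        parse_ipseckey(rdata)
        return False
    except ValueError:
        return True


def choose_gateway(records: List[IpsecKey]) -> Optional[IpsecKey]:
    """Lowest precedence is tried first (RFC 4025 section 2.1); records
    without key material cannot authenticate the peer and are skipped."""
    keyed = [r for r in records if r.algorithm != ALG_NONE]
    return min(keyed, key=lambda r: r.precedence) if keyed else None
```

The parser only decides whether a record is well-formed; whether it can be trusted is decided upstream of it by DNSSEC validation of the answer, which is why the opportunistic model Paul describes falls back to null authentication when no validated key is available.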