[IPsec] Re: [rt5.ietf.org #42992] IPSECTM DNS record with DHCPv6
Deb Cooley <debcooley1@gmail.com> Wed, 11 June 2025 17:14 UTC
From: Deb Cooley <debcooley1@gmail.com>
Date: Wed, 11 Jun 2025 13:14:24 -0400
To: russell.aspinwall@bcs.org.uk, raspinwall@willows7.myzen.co.uk
CC: ipsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/cduWeNtBNLiX8xwG1TiiNLTAwws>
I am indeed the Responsible Area Director for the IPsec working group (ipsecme). I have removed the support email from the address line, and I'm taking the liberty of cc'ing the working group to get you the best answer to your question.

The mail archive for this list is here: https://mailarchive.ietf.org/arch/browse/ipsec/

And you can subscribe if you like here: https://www.ietf.org/mailman/listinfo/ipsec

Deb Cooley
Sec AD

On Wed, Jun 11, 2025 at 10:31 AM Cindy Morgan via RT <support@ietf.org> wrote:
> Hi Russell,
>
> You have reached the IETF Secretariat, which handles administrative functions for the Internet Engineering Task Force. As such, we are not qualified to evaluate your technical proposal.
>
> I have copied Deb Cooley, the Area Director for the IP Security Maintenance and Extensions (ipsecme) Working Group, who may be better able to answer your questions.
>
> Best regards,
>
> Cindy Morgan
> IETF Secretariat
>
> On Wed Jun 11 05:12:35 2025, russell.aspinwall@bcs.org.uk wrote:
>
> Good Afternoon
>
> I am trying to determine if my idea is worth considering as RFC.
>
> The objective is to automate the process of establishing IPSec Transport or Tunnel Mode.
>
> An IPv6 host would be configured via IPSec Flag, IPSec Mode Flag and IPSec Public Key.
>
> The IPSec Flag set to 0 indicates IPSec is enabled, with a value of 1 IPSec disabled.
> The IPSec Mode Flag set to 0 indicates IPSec Transport Mode, set 1 indicates IPSec Tunnel Mode.
> The IPSec Public Key is the IPSec data in IPSECKEY format.
> The IPSec Domain is the host FQDN.
>
> The DNS IPSECTM record would include the IPSec Transport Flag and IPSec Public Key for the IPSec Domain entry.
>
> Stateful DHCPv6
>
> The IPv6 Host performs a DHCPv6 SOLICIT and includes the IPSECTM option into which IPSec Flag, IPSec Mode Flag, IPSec Public Key and IPSec Domain are encoded.
>
> The DHCPv6 service would take information in the IPSECTM option and respond to the IPv6 host in the DHCP Advertise by sending back the IPSECTM option with the IPSec Flag set to 1 indicating that IPSECTM records are not supported.
> The DHCPv6 service would take information in the IPSECTM option and respond to the IPv6 host in the DHCP Advertise by sending back the IPSECTM option with the IPSec Flag set to 0 with the IPSec Mode Flag unchanged if the selected Mode is supported or return the value that is supported, 0 for Transport or 1 for Tunnel mode.
>
> The DHCPv6 Service would send a DDNS update to the primary DNS server for the IPSec Domain, registering the IPSECTM DNS record which specifies IPSec Transport mode and Public Key of the IPSec Domain FQDN host.
>
> Stateless or SLAAC
>
> The IPv6 Host sends a DDNS update; the DNS Service would be configured to process the normal DNS update and either block all IPSECTM records, or allow IPSECTM records with Transport Mode or Tunnel Mode, or accept all IPSECTM records.
>
> Fixed Address
>
> The IPv6 Host IPSECTM record would be manually configured in DNS.
>
> Going forward applications SSH, SMTP, can query for the IPSECTM record and can automatically use it to create an IPSec communication channel as a point to point communication.
>
> Kind Regards
>
> Russell Aspinwall
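An added example, not from this thread or any IETF document: a Python sketch of the SOLICIT/Advertise exchange for the proposed IPSECTM option, covering both the "not supported" reply (IPSec Flag = 1) and the mode negotiation (Flag = 0, Mode kept or replaced). The option code, byte layout, FQDN encoding and the server's choice of fallback mode are all assumptions, since the proposal does not define them; the option is parsed strictly before any field is trusted.

```python
import struct
# Assumed values: the proposal defines no option code or byte layout.
OPTION_IPSECTM = 0xFFFF            # placeholder, not an IANA-assigned code
IPSEC_ENABLED, IPSEC_DISABLED = 0, 1   # IPSec Flag values from the proposal
MODE_TRANSPORT, MODE_TUNNEL = 0, 1     # IPSec Mode Flag values from the proposal

def encode_fqdn(fqdn):
    """Domain name as DNS wire-format labels, as DHCPv6 carries names."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_fqdn(buf, pos):
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

def encode_ipsectm(ipsec_flag, mode_flag, pubkey, fqdn):
    """Assumed layout: flag, mode, 2-byte key length, key bytes, FQDN."""
    body = struct.pack("!BBH", ipsec_flag, mode_flag, len(pubkey)) + pubkey + encode_fqdn(fqdn)
    return struct.pack("!HH", OPTION_IPSECTM, len(body)) + body

def decode_ipsectm(buf):
    """Parse one option; reject anything malformed before trusting its fields."""
    code, length = struct.unpack("!HH", buf[:4])
    if code != OPTION_IPSECTM or length != len(buf) - 4:
        raise ValueError("not a well-formed IPSECTM option")
    ipsec_flag, mode_flag, klen = struct.unpack("!BBH", buf[4:8])
    if ipsec_flag not in (0, 1) or mode_flag not in (0, 1) or 8 + klen > len(buf):
        raise ValueError("bad flag or key length")
    pubkey = buf[8:8 + klen]
    fqdn, end = decode_fqdn(buf, 8 + klen)
    if end != len(buf):
        raise ValueError("trailing bytes after FQDN")
    return ipsec_flag, mode_flag, pubkey, fqdn

def server_reply(solicit_option, supported_modes):
    """Server side of the Advertise as the proposal describes it."""
    ipsec_flag, mode, key, fqdn = decode_ipsectm(solicit_option)
    if not supported_modes:                 # IPSECTM not supported: Flag = 1
        return encode_ipsectm(IPSEC_DISABLED, mode, key, fqdn)
    chosen = mode if mode in supported_modes else min(supported_modes)  # fallback pick is assumed
    return encode_ipsectm(IPSEC_ENABLED, chosen, key, fqdn)
```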