[IPsec] Re: [rt5.ietf.org #42992] IPSECTM DNS record with DHCPv6
Paul Wouters <paul@nohats.ca> Thu, 12 June 2025 00:40 UTC
From: Paul Wouters <paul@nohats.ca>
Date: Wed, 11 Jun 2025 20:40:30 -0400
To: russell.aspinwall@bcs.org.uk
CC: Deb Cooley <debcooley1@gmail.com>, ipsec@ietf.org, russell.aspinwall@bcs.org.uk
Subject: [IPsec] Re: [rt5.ietf.org #42992] IPSECTM DNS record with DHCPv6
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/spEbSnk883FNqDGlRUKjM0kxnmo>
> On Jun 11, 2025, at 17:47, raspinwall@willows7.myzen.co.uk wrote:
>
> Using book on OpenSwan (your book which I found very interesting) it requires the manual configuration of the DNS records

That’s a very old version of things. If you use a CA and certificates for each node, you don’t need DNS records (but libreswan does allow you to enable a check that the cert FQDN matches an A/AAAA record (after it got triggered by IP)).

Also, the unbound resolver supports libreswan as a module, so you can run a local DNS resolver and whenever it looks up A/AAAA it also looks up IPSECKEY records and, if found, gives the pubkey/IP to libreswan to negotiate IKE before unbound returns the A/AAAA to the application. So by the time the application opens a connection, it’s covered by an existing IPsec tunnel. And it only does it for lookups for names that were not already in the cache.

> I specifically targeted IPv6 only so that NAT would not be an issue, given the size of the IPv6 address space.

That might work in clouds but not with mobile networks using CGNAT.

> Internally if an organisation wanted to secure internal communication then the IPv6 hosts could be configured to automatically populate their public IPSec information into DNS via DHCP so all internal communication could use IPSec Tunnel mode as a point to point connection.

It’s much easier to just give them all a certificate and opportunistically try it based on CIDR networks of the internal networks.

> IPSec transport could be used internally but I would expect this to be more typically used within a DMZ allowing external clients to make an IPSec connection to a public IPv6 host,
>

You can use transport mode if you are sure that there is no NAT.

Paul
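The IPSECKEY lookup described above, as an added example that is not part of this thread and not the unbound or libreswan code: a small Python parser for the IPSECKEY RDATA wire format (RFC 4025) and the precedence choice a resolver hook would make before handing the peer address and public key to IKE. The sample records, the placeholder key bytes and the RSA/ECDSA-only policy are constructed assumptions.

```python
import ipaddress

# IPSECKEY RDATA (RFC 4025): precedence(1) gateway-type(1) algorithm(1) gateway(variable) public-key(rest).
# Gateway types: 0 none, 1 IPv4, 2 IPv6, 3 domain name. Algorithms: 0 none, 1 DSA, 2 RSA, 3 ECDSA (RFC 8005).
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
USABLE_ALGS = {2, 3}  # assumption: only RSA and ECDSA keys are accepted for IKE here

def _read_name(data: bytes, off: int):
    """Decode an uncompressed wire-format name (length-prefixed labels, zero terminator)."""
    labels = []
    while (n := data[off]) != 0:
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def parse_ipseckey(rdata: bytes) -> dict:
    """Split IPSECKEY RDATA into fields; gateway '.' means 'the host itself'."""
    precedence, gw_type, alg, off = *rdata[:3], 3   # ValueError if the record is shorter than 3 bytes
    if gw_type == GW_NONE:
        gateway = "."
    elif gw_type == GW_IPV4:
        gateway, off = str(ipaddress.IPv4Address(rdata[off:off + 4])), off + 4
    elif gw_type == GW_IPV6:
        gateway, off = str(ipaddress.IPv6Address(rdata[off:off + 16])), off + 16
    elif gw_type == GW_NAME:
        gateway, off = _read_name(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    if alg != 0 and off >= len(rdata):
        raise ValueError("algorithm set but public key missing")
    return {"precedence": precedence, "gateway": gateway, "algorithm": alg, "public_key": rdata[off:]}

def choose_peer(aaaa_addr: str, rdatas: list):
    """Lowest-precedence usable record wins; IKE is started towards its gateway, or towards the AAAA answer when the gateway is '.'."""
    best = None
    for rd in rdatas:
        rec = parse_ipseckey(rd)
        if rec["algorithm"] in USABLE_ALGS and (best is None or rec["precedence"] < best["precedence"]):
            best = rec
    if best is not None:
        best["peer"] = aaaa_addr if best["gateway"] == "." else best["gateway"]
    return best

# Constructed sample RDATA with placeholder key bytes (not real keys): precedence 10 / IPv6 gateway / RSA,
# precedence 5 / no gateway / no key (unusable), precedence 20 / named gateway / ECDSA.
SAMPLE_RDATAS = [
    bytes([10, GW_IPV6, 2]) + ipaddress.IPv6Address("2001:db8::1").packed + b"\x01\x02\x03",
    bytes([5, GW_NONE, 0]),
    bytes([20, GW_NAME, 3]) + b"\x03vpn\x07example\x03net\x00" + b"\xaa\xbb",
]
```

A named gateway still has to be resolved (and that lookup cached) before IKE can start, which is why the hook only triggers on names not already in the cache.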