DNS and VPN
All,
I've been studying IPSec in the context of VPN for a while now, and
was hoping someone could answer the following questions:
a. Consider the case where one has an IPSec client that is connected
to multiple corporate sites through a single ISP PPP link, with
packets being transmitted out in tunnel mode to said multiple
sites, with IPSec originating at the PC client and not at the ISP
RAS. How does one now resolve DNS queries across sites? (E.g.,
if more than one tunnel is simultaneously active, unless a packet
interceptor in the protocol stack intercepts a DNS request and
then knows which IPSec tunnel - pardon the use of the term here;
what I mean is the stream through which tunnel-mode packets are
being transmitted - to send the query through, and modifies the DNS
address accordingly, how can the name be resolved? Also, does not
Win 95 permit one to have only two choices for DNS? Does this
restrict the number of tunnels to a maximum of two?) I think it
is unlikely that the client would know (if incomplete names were
used) which DNS server to use to resolve the name, and DNS
namespaces hidden within the corporate network namespace would
therefore not be accessible - if it knew, and Windows did not
permit one to dynamically change the DNS IP, then one would have
to intercept the packet in the protocol stack and perform
client-side NAT to get to the correct server, right?
If FQDNs were used, then I guess one could argue that even though
one was limited to two DNS IP addresses in the base OS, one could
change IP addresses on outgoing packets to get the query transmitted
to the appropriate corporate network destination (or to multiple
corporate network destinations in a parallel effort to get the
DNS query resolved).
b. Recently, in the mailing list, there was a reference to the SKIX
(Symmetric Key Infrastructure Architecture) and X.17 in the context
of symmetric manual keying in IPSec. Could someone point me to
the appropriate IETF group that is working on this?
Would appreciate any clarifications and/or pointers to information,
even if some of you feel these questions are trivial, since I'd
really like to get some answers.
Thank You.
--
Kumar V. Vemuri,
Member of Technical Staff,
Lucent Technologies Bell Labs.
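One way to build the DNS interceptor sketched in question (a), added here as an example and not code from the original post or from any product: a dispatcher that parses the intercepted query, matches the QNAME against each tunnel's namespace and decides which resolver(s) the query must be redirected to. A fully qualified name inside a tunnel's namespace goes to that tunnel's resolver only; a name outside every tunnel goes to the ISP resolver; an incomplete (single-label) name, where the client cannot know which site owns it, is fanned out to every resolver in parallel, as the post suggests. Tunnel names, domain suffixes and resolver addresses are made-up configuration, and the sample queries are constructed.

```python
"""Split-DNS dispatcher for an IPsec client with several simultaneous
tunnels.  Added example; the tunnel table and addresses are made up."""
import struct
from dataclasses import dataclass


@dataclass
class Tunnel:
    name: str
    dns_server: str      # resolver reachable only through this tunnel
    suffixes: tuple      # DNS namespaces hidden behind the tunnel


# Assumed configuration: two corporate sites plus the ISP-supplied resolver.
TUNNELS = (
    Tunnel("site-a", "10.1.0.53", ("corp-a.example",)),
    Tunnel("site-b", "10.2.0.53", ("corp-b.example", "lab.corp-b.example")),
)
ISP_DNS = "198.51.100.53"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (header + one question) as test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".") if label
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_qname(packet: bytes) -> str:
    """Return the lower-cased QNAME of the first question.

    Compression pointers are rejected: they never appear in a well-formed
    query QNAME, and an interceptor must not follow them into other data.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query QNAME")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def select_servers(qname: str) -> list:
    """Decide which resolver(s) an intercepted query must be sent to.

    FQDN inside a tunnel namespace -> that tunnel's resolver (longest
    matching suffix wins).  FQDN outside all tunnels -> the ISP resolver.
    Incomplete single-label name -> every tunnel resolver plus the ISP, in
    parallel, because the client cannot tell which site owns the name.
    """
    if "." not in qname:
        return [t.dns_server for t in TUNNELS] + [ISP_DNS]
    best = None
    for t in TUNNELS:
        for sfx in t.suffixes:
            if qname == sfx or qname.endswith("." + sfx):
                if best is None or len(sfx) > len(best[0]):
                    best = (sfx, t.dns_server)
    return [best[1]] if best else [ISP_DNS]


def dispatch(packet: bytes) -> list:
    """Interceptor entry point: (destination resolver, packet) pairs to emit.

    The DNS payload is left untouched; only the destination address is
    rewritten, which is the client-side NAT the question describes.
    """
    return [(server, packet) for server in select_servers(parse_qname(packet))]


if __name__ == "__main__":
    for name in ("mail.corp-a.example", "build.lab.corp-b.example",
                 "www.example", "intranet"):
        print(name, "->", [dst for dst, _ in dispatch(build_query(name))])
```

The fan-out branch is the "parallel effort" from the post: the same query goes out through each tunnel and the first positive answer is taken. What the sketch leaves out is the return path, where the reply arriving from a tunnel resolver has to be NATed back to the address the OS stub resolver originally sent to, otherwise the stub will discard it as coming from an unexpected server.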