
Re: [IPSECKEY] new draft revision (00b)



At Mon, 31 Mar 2003 14:08:58 -0500, Michael Richardson wrote:
> 
>   The literal/immediate IP address is there to avoid a round
>   trip. Its presence also means that no statements about trust in
>   the forward need exist.  So, if anything is "expendable", it is
>   the FQDN.

The trust argument is a security design decision, on which I'll defer
to the folks who intend to use this.

I'm not convinced that the extra round trip is a major issue, but
given the trust argument it may be a moot point.

>     Rob> 2) If it's important to distinguish between DNS names and IP
>     Rob> addresses (eg, as a hint to IKE) but the WG wants to keep the
>     Rob> IPSECKEY RR independent of the specific DNS representation of IP
>     Rob> addresses, then add a one-octet field as the third octet of the
>     Rob> RDATA, with semantics like:
> 
>     Rob> 0 = use the DNS name for IKE
>     Rob> 1 = use the IP address one gets by resolving the name for IKE
> 
>   I.e. leave the format there but disambiguate it.

Er, no.  As I meant it, case (2) never included an immediate address,
but provided a hint on how to use the name as an ID with IKE (RFC 2407
section 4.6.2.1 -- ID_FQDN vs ID_IPV*_ADDR, basically).   Warning: I'm
not an IKE expert, so I don't know if this really makes any sense, I
was attempting to reverse engineer your intent from the mechanism.

>     Rob> 3) If it's important to support immediate IP addresses in the
>     Rob> IPSECKEY RR, add a one-octet field as the third octet of the RDATA,
>     Rob> with semantics like:
> 
>   This is essentially what the richardson-01 document said.

Yeah, I know.  The main difference is using the DNS wire encoding for
the DNS name case (which is usually a better idea than using a text
representation of a DNS name).
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
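An added example, not code from the draft or from either poster, showing what a decoder for the RDATA layout discussed above looks like: precedence, algorithm, a gateway-type octet in the third position, then a gateway that is either absent, an IPv4/IPv6 address, or a DNS name in wire encoding, followed by the public key. The field order and the gateway-type codes (0 none, 1 IPv4, 2 IPv6, 3 wire-encoded name, which RFC 4025 later adopted) are assumptions for this example; the sample records are constructed.

```python
import ipaddress
import struct

# Gateway-type codes assumed for this example (the values RFC 4025 later adopted).
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3

def decode_wire_name(buf, off):
    """Decode an uncompressed DNS wire-format name at buf[off] -> (name, next_off).
    Compression pointers are rejected: a name inside RDATA has no message to point into."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:                      # 0b11xxxxxx: pointer; 0b01/0b10: reserved
            raise ValueError("compressed or extended label not allowed in RDATA")
        if off + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off

def decode_ipseckey_rdata(rdata):
    """Parse the assumed layout: precedence, algorithm, gateway type, gateway, public key."""
    if len(rdata) < 3:
        raise ValueError("RDATA shorter than the fixed header")
    precedence, algorithm, gw_type = struct.unpack("!BBB", rdata[:3])
    off = 3
    if gw_type == GW_NONE:
        gateway = None
    elif gw_type in (GW_IPV4, GW_IPV6):
        width = 4 if gw_type == GW_IPV4 else 16
        if len(rdata) < off + width:
            raise ValueError("truncated gateway address")
        gateway = str(ipaddress.ip_address(rdata[off:off + width]))
        off += width
    elif gw_type == GW_NAME:
        gateway, off = decode_wire_name(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    return {"precedence": precedence, "algorithm": algorithm,
            "gateway_type": gw_type, "gateway": gateway, "public_key": rdata[off:]}

# Constructed samples: precedence 10, algorithm 2, then a wire-encoded name or an IPv4 gateway,
# each followed by a short dummy key (not a real key).
SAMPLE_NAME_RDATA = bytes([10, 2, GW_NAME]) + b"\x02gw\x07example\x03com\x00" + b"\xde\xad\xbe\xef"
SAMPLE_V4_RDATA = bytes([10, 2, GW_IPV4]) + bytes([192, 0, 2, 1]) + b"\x01\x02"
```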