[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [IPSECKEY] Security Considerations (pass 2)



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Rob" == Rob Austein <sra+ipseckey@hactrn.net> writes:
    Rob> So perhaps something like the following would do (keyboarded, might
    Rob> need wordsmithing):

    Rob>   Note that the danger here only applies to cases where the gateway
    Rob>   field of the IPSECKEY RR indicates a different entity than the owner
    Rob>   name of the IPSECKEY RR.  In cases where the end-to-end integrity of
    Rob>   the IPSECKEY RR is suspect, the end client MUST[*] restrict its use
    Rob>   of the IPSECKEY RR to cases where the RR owner name matches the
    Rob>   content of the gateway field.

  I don't find anything wrong with your text, and I agree about the MUST.

  The current OE document, already says, for instance:

3.2.4.1 Restriction on unauthenticated TXT delegation records

   An implementation SHOULD also provide an additional administrative
   control on delegation records and DNSSEC.  This control would apply
   to delegation records (the TXT records in the reverse-map) that are
   not protected by DNSSEC.  Records of this type are only permitted to
   delegate to their own address as a gateway.  When this option is
   enabled, an active attack on DNS will be unable to redirect packets
   to other than the original destination.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPs0oUYqHRg3pndX9AQGTzAQAuFCWW0Zwh/7ebfJ6u2m9jf1IGnsuKzK0
iOpcDRnHoRqPFbiiUnFm1COQiSXyLoFUwLInNXBTCbLXr/KeWhJqOtRKSxFrd8dW
d1y6k+E+NnIBr2Bg3VDaY4qgubA9I2/cK/OfFeei/LqJnlSyLdrXI6HoQzgbQPFa
1ehony7T/hA=
=iF1w
-----END PGP SIGNATURE-----
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.