Re: [IPSECKEY] new draft revision (00b)
At Mon, 31 Mar 2003 14:08:58 -0500, Michael Richardson wrote:
>
> The literal/immediate IP address is there to avoid a round
> trip. Its presence also means that no statements about trust in
> the forward need exist. So, if anything is "expendable", it is
> the FQDN.
The trust argument is a security design decision, on which I'll defer
to the folks who intend to use this.
I'm not convinced that the extra round trip is a major issue, but
given the trust argument it may be a moot point.
> Rob> 2) If it's important to distinguish between DNS names and IP
> Rob> addresses (eg, as a hint to IKE) but the WG wants to keep the
> Rob> IPSECKEY RR independent of the specific DNS representation of IP
> Rob> addresses, then add a one-octet field as the third octet of the
> Rob> RDATA, with semantics like:
>
> Rob> 0 = use the DNS name for IKE
> Rob> 1 = use the IP address one gets by resolving the name for IKE
>
> I.e. leave the format there but disambiguate it.
Er, no. As I meant it, case (2) never included an immediate address,
but provided a hint on how to use the name as an ID with IKE (RFC 2407
section 4.6.2.1 -- ID_FQDN vs ID_IPV*_ADDR, basically). Warning: I'm
not an IKE expert, so I don't know if this really makes any sense, I
was attempting to reverse engineer your intent from the mechanism.
> Rob> 3) If it's important to support immediate IP addresses in the
> Rob> IPSECKEY RR, add a one-octet field as the third octet of the RDATA,
> Rob> with semantics like:
>
> This is essentially what the richardson-01 document said.
Yeah, I know. The main difference is using the DNS wire encoding for
the DNS name case (which is usually a better idea than using a text
representation of a DNS name).
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
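As an added illustration (not code from this thread or from any IPSECKEY draft), the following Python shows how a one-octet gateway-type scheme of the kind debated above can be encoded and parsed. The type values 0 = none, 1 = IPv4, 2 = IPv6, 3 = wire-format DNS name, and the layout "type octet, gateway, then the public key" are assumptions made for the example. The name encoder and decoder make the point about wire encoding concrete: each label carries an explicit length, the field is self-delimiting so the key can follow without a separate length, and the parser bounds-checks every label and refuses compression pointers, which RDATA of a new RR type must not contain (RFC 3597).

```python
"""Encode/parse the gateway field of an IPSECKEY-style RDATA (added example).

Assumed, not from the thread: type octet, then gateway, then public key;
type values 0 none, 1 IPv4, 2 IPv6, 3 DNS name in uncompressed wire format.
"""
import ipaddress
from typing import Optional, Tuple

GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3


def name_to_wire(name: str) -> bytes:
    """Presentation-format name -> uncompressed DNS wire labels (RFC 1035 3.1)."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # empty or over-long label
            raise ValueError(f"bad label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)                            # root label terminates the name
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


def wire_to_name(data: bytes, offset: int = 0) -> Tuple[str, int]:
    """Uncompressed wire-format name -> (presentation name, offset after it).

    A length octet with the top two bits set is a compression pointer (or an
    extended label); it is rejected rather than followed, since in RDATA of a
    new RR type it could only alias unrelated bytes of the message.
    """
    labels = []
    pos = offset
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer / extended label not allowed")
        if pos + length > len(data):
            raise ValueError("label runs past end of data")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    if pos - offset > 255:
        raise ValueError("name exceeds 255 octets")
    return ".".join(labels) + ".", pos


def encode_gateway(gw_type: int, value: Optional[str]) -> bytes:
    """Gateway value -> its bytes under the assumed type codes."""
    if gw_type == GW_NONE:
        return b""
    if gw_type == GW_IPV4:
        return ipaddress.IPv4Address(value).packed
    if gw_type == GW_IPV6:
        return ipaddress.IPv6Address(value).packed
    if gw_type == GW_NAME:
        return name_to_wire(value)
    raise ValueError(f"unknown gateway type {gw_type}")


def parse_gateway(gw_type: int, data: bytes, offset: int = 0) -> Tuple[Optional[str], int]:
    """Bytes -> (gateway value, offset after it). Every type is self-delimiting,
    which is what lets the public key follow with no length field of its own."""
    if gw_type == GW_NONE:
        return None, offset
    if gw_type in (GW_IPV4, GW_IPV6):
        end = offset + (4 if gw_type == GW_IPV4 else 16)
        if end > len(data):
            raise ValueError("truncated address gateway")
        return str(ipaddress.ip_address(data[offset:end])), end
    if gw_type == GW_NAME:
        return wire_to_name(data, offset)
    raise ValueError(f"unknown gateway type {gw_type}")


def build_rdata(gw_type: int, gateway: Optional[str], key: bytes) -> bytes:
    """Assumed layout: type octet, gateway, public key."""
    return bytes([gw_type]) + encode_gateway(gw_type, gateway) + key


def split_rdata(rdata: bytes) -> Tuple[int, Optional[str], bytes]:
    """Inverse of build_rdata: returns (type, gateway, key)."""
    if not rdata:
        raise ValueError("empty RDATA")
    gateway, end = parse_gateway(rdata[0], rdata, 1)
    return rdata[0], gateway, rdata[end:]


if __name__ == "__main__":
    key = b"\x01\x02\x03"                    # constructed stand-in for a public key
    for gw_type, gw in ((GW_NONE, None), (GW_IPV4, "192.0.2.1"),
                        (GW_IPV6, "2001:db8::1"), (GW_NAME, "gw.example.com.")):
        rdata = build_rdata(gw_type, gw, key)
        print(gw_type, rdata.hex(), split_rdata(rdata))
    try:                                     # pointer in the gateway field is refused
        split_rdata(bytes([GW_NAME]) + b"\xc0\x0c" + key)
    except ValueError as exc:
        print("rejected:", exc)
```

The contrast with a text-encoded name is the parsing step: a presentation-form string has no intrinsic end inside binary RDATA, so it would need either a leading length octet or a delimiter that can never appear in a name, whereas the wire form above ends at its root label and the remaining octets are unambiguously the key.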