[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?
paul at nohats.ca
Sun Mar 11 13:46:19 EDT 2012
On Sun, 11 Mar 2012, Niccolò Belli wrote:
> Server Y ---[internet]--- Gateway+resolver [B] ---[lan]--- Client [A]
> A wants to connect to Y. B is in front of A since it is its gateway. B is
> also its nameserver.
> 1) A asks for y.com
> 2) since B is its resolver it gets the A/AAAA record
> 3) B queries for IPSECKEY record for y.com
> 4) if received, unbound runs an ipsec whack command that pushes the IP from
> the A/AAAA record with the IPSECKEY obtained RSA key into pluto
> 5) pluto loads the policy, meaning it will %trap packets to the IP
> 6) B releases the A/AAAA to A
> 7) A sends a packet to Y, it travels in clear in the local network until it
> reaches B
> 8) B initiates an IKE connection and sets up an IPsec SA
> 9) connection is set up encrypted from B to Y while it's still in clear from A
> to B (but I don't care since the local network is trusted)
Right, this works in the same way, as long as the gateway is also the
resolver. However, there is a layer of NAT here. The tunnel would be a
host to host tunnel between Y and B, and A would get SNAT'ed to B before
going through the tunnel to Y. A difficulty here is if A actually
supports this natively, it will ALSO try to set up a tunnel to Y,
which likely won't work because there is already a tunnel for "B" on Y.
>> Note that you need DLV enabled because fedora's registrar does not
>> support DNSSEC yet.
> So that's the problem since I commented out DLV. I did it because I think the
> real solution is domain transfer, not DLV.
While I agree, that solution is not within my power :)
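As an added illustration of steps 3-5 of the flow above (not code from this thread, Openswan or unbound), the script below parses an IPSECKEY record in RFC 4025 presentation form and decides what policy B should trap for the looked-up address. The record text, the key bytes and the `dnssec_secure` flag are constructed assumptions standing in for what the validating resolver would hand over.

```python
import base64
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class IpsecKey:
    precedence: int
    gateway_type: int   # 0 = none, 1 = IPv4, 2 = IPv6, 3 = domain name
    algorithm: int      # 0 = no key, 1 = DSA, 2 = RSA (RFC 4025)
    gateway: Optional[str]
    pubkey: bytes

def parse_ipseckey(rdata: str) -> IpsecKey:
    """Parse 'precedence gateway-type algorithm gateway base64-key'."""
    fields = rdata.split()
    if len(fields) < 5:
        raise ValueError("malformed IPSECKEY rdata")
    prec, gwtype, alg, gw = int(fields[0]), int(fields[1]), int(fields[2]), fields[3]
    key = base64.b64decode("".join(fields[4:]))  # key may be split into several tokens
    if gwtype == 0:
        if gw != ".":
            raise ValueError("gateway type 0 requires '.' as gateway")
        gateway = None                      # tunnel endpoint is the host itself
    elif gwtype == 1:
        gateway = str(ipaddress.IPv4Address(gw))
    elif gwtype == 2:
        gateway = str(ipaddress.IPv6Address(gw))
    elif gwtype == 3:
        gateway = gw.rstrip(".")            # would need a further lookup to resolve
    else:
        raise ValueError(f"unknown gateway type {gwtype}")
    return IpsecKey(prec, gwtype, alg, gateway, key)

def plan_trap_policy(target_ip: str, rdata: str, dnssec_secure: bool) -> Optional[dict]:
    """Return the %trap policy B should load for target_ip, or None if none should be loaded."""
    if not dnssec_secure:
        return None  # an unvalidated IPSECKEY is just an attacker-suppliable key: refuse it
    k = parse_ipseckey(rdata)
    if k.algorithm != 2 or k.gateway_type == 3:
        return None  # only an RSA key with a directly usable endpoint can be pushed into pluto here
    peer = target_ip if k.gateway is None else k.gateway
    return {"trap": target_ip, "ike_peer": peer, "rsa_pubkey": k.pubkey}

# Constructed sample record: precedence 10, no separate gateway, RSA key.
SAMPLE_KEY = base64.b64encode(b"constructed sample key").decode()
SAMPLE_RDATA = f"10 0 2 . {SAMPLE_KEY}"
```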