Feature #2078

closed

Support for RFC 4025 and RFC 4322 - using DNSSEC to hold IPsec config

Added by r a over 9 years ago. Updated about 7 years ago.

Status: Closed
Priority: Low
Assignee: -
Category: kernel
Start date: 2012-02-04
Due date:
% Done: 0%
Estimated time:
Difficulty: Expert
Tags: needs-triage
Gerrit CR:

Description

RFC 4025 and RFC 4322 describe how to use DNSSEC to hold information relating to the configuration of IPsec Phase 1 and Phase 2 respectively for establishing IPsec tunnels.

Can support for these RFCs be included in OpenIndiana?

Assuming that all the major Firewall vendors also support these RFCs, then establishing VPNs between OpenIndiana could be radically simplified.

Actions #1

Updated by Bayard Bell over 9 years ago

This is an issue for the illumos-gate upstream.

Actions #2

Updated by Bayard Bell over 9 years ago

  • Project changed from OpenIndiana Distribution to illumos gate

Actions #3

Updated by r a about 9 years ago

Can this feature request be updated to support RFC 6071 IP Security (IPsec) and Internet Key Exchange (IKE) using DNSSEC?

Actions #4

Updated by Dan McDonald about 7 years ago

  • Category set to kernel
  • Status changed from New to Feedback
  • Priority changed from Normal to Low
  • Difficulty changed from Medium to Expert

The IPsec part of this bug (gathering SPD information via DNSSEC) might be possible, but the IKE part is not, due to IKEv1 (in.iked) being closed-source, and IKEv2 being a victim of Oracle.

Actions #5

Updated by Dan McDonald about 7 years ago

  • Status changed from Feedback to Closed

Closing this, since 1/2 of it affects a closed-source program, and the other half should be called out separately IF that's the problem you really want solved (IPsec SPD/ipsecconf(1M) input in DNS).
