[liberationtech] [cryptography] [ipv6hackers] opportunistic encryption in IPv6

Bill Woodcock woody at pch.net
Thu Jun 13 09:01:08 PDT 2013


On Jun 12, 2013, at 4:25 PM, Nico Williams <nico at cryptonector.com> wrote:
> There have been many proposed ways of doing roughly the same thing.
> To my knowledge not one has succeeded wildly.  RFC5660 has not been
> implemented.  Lacking IPsec channels one needs something like CGA to
> ensure peer key/ID continuity, as otherwise IPsec only authenticates
> individual packets (and their senders), not *packet flows*, which
> wouldn't be a problem if IP addresses weren't assigned dynamically.

Any reasonable way to bootstrap this off DNSSEC and dynamic DNS in the in-addr?  More complicated than DANE, but if the key distribution is the hard part, and DNSSEC solved that, I'd rather do the hard part once and get the benefit of it for multiple other protocols, rather than reinvent the wheel each time.

                                -Bill







