Support for RFC 4025, 4322 and RFC DANE (approved)

half12 · Post by **half12** » Sat Feb 11, 2012 10:21 am

Will Billion be supporting the following RFC 4025 and 4322?

RFC 4025 - A Method for Storing IPsec Keying Material in DNS (IPSec Phase 1)
RFC 4322 - Opportunistic Encryption using the Internet Key Exchange (IKE) (IPSec Phase 2)

The RFCs above should allow Firewall Administrators at each end of a proposed IPSec VPN tunnel to enter the FQDN of the host they need to connect to which will allow the Firewall to obtain the IPSec Phase 1 and Phase 2 configuration from DNS and authenticate it using DNSSEC and create a VPN tunnel. The routing would need to be configured manually, but if during the VPN creation process the users know the remote end is a Billion device, automatic routing could be configured.

RFC DANE is for DNS Authenticated Named Entities this is a new Transport Layer Security Association which allows Certificates (including self signed certificates) to be placed into DNS and authenticated using DNSSEC. This allows all DNSSEC signed DNS zones to become their own Certificate Authority.... The Web browsers are including support for this as it means they can completely dispense with the need for Trusted Root Certificates. To make of this Billion would have to enable the creation of self signed certificates and a way to export the certificate to it can be imported into DNS using RFC 4398.

++++Update++++
RFC DANE is no longer a draft RFC but has been approved and is current awaiting the assignment of an RFC number. RFC DANE creates four new certificate types, type 1 is a certificate which is used to hold an external (from a Trusted Certificate Authority) CA root certificate which is linked to a server within a DNS zone. The RFC DANE will then check the certificate presented by a server to verify that it has been signed by the CA signed certificate and is used to stop certificates from hacked CA being used to fake site from being legitimate https based servers. Type 2 certificates are external CA signed certificates for a specific server (ie shopping website) the RFC DANE is used to verify that the server provided certificate matches that held in DNS and signed using DNSSec.
A Type 3 certificate is a DNS Zone trust anchor which holds the CA certificate from a private CA server which is stored in DNS and signed using DNSSec so that it can be trusted and allows a DNS Zone Administrator to become their own CA. eg a Windows CA Root Certificate could be published using RFC DANE so that it can be trusted without having it externally signed. The final certificate is a Type 4 and is a certificate which has been signed by the Type 3 CA certificate and is used to tie the certificate to a specific server within a DNS Zone.