[anonsec] Re: request for posts on separate WG vs. merged
hartmans-ietf at mit.edu
Sun Jan 2 14:05:31 PST 2005
>>>>> "Michael" == Michael Richardson <mcr at sandelman.ottawa.on.ca> writes:
Michael> My question: would you wish to *AVOID* making certain
Michael> queries if you knew that DNS wasn't over BTNS? If so,
Michael> then you need to make the ability to notify the
Michael> applications about the BTNS status.
I have to agree that long-term applications need to be able to know
whether BTNS is being used. Applications also need to be able to know
when the BTNS identity of the peer changes.
There are lots of ways of implementing this. One way is to provide
notifications to an application. Another way is to allow an
application to make policy assertions like "this traffic selector will
use BTNS and once the peer identity is established it must not change
until this policy assertion is removed."
There are significant issues that would need to be worked through for
either approach. For the policy approach, you would need to make sure
that BTNS policy could not be used to subvert normal IPsec policy.
You'd also need to consider denial of service and conflicts between
different applications' policies.
For the notification approach, you would need to figure out how to
track enough state to notify applications.
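As an added illustration of the policy-assertion approach and the two checks named above (a BTNS assertion must not override normal IPsec policy, and applications' assertions must not conflict), the following toy model is editorial example code, not code from this post or from the IETF working group. The class names, the idea of keying the table by (application, traffic selector), and the use of an opaque peer identifier such as a public-key fingerprint are all assumptions made for the example.

```python
"""Toy model of a per-application BTNS policy table (hypothetical, not IETF code).

An application asserts "this traffic selector uses BTNS and the peer
identity, once learned, must not change until I remove the assertion".
The table refuses assertions that would subvert authenticated IPsec
policy or collide with another application's assertion, and it pins the
first peer identity it sees for each asserted selector.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """Remote address range plus remote port (0 = any port)."""
    remote: str
    port: int = 0

    def overlaps(self, other: "TrafficSelector") -> bool:
        ports_overlap = self.port == 0 or other.port == 0 or self.port == other.port
        return ports_overlap and ip_network(self.remote).overlaps(ip_network(other.remote))

    def matches(self, addr: str, port: int) -> bool:
        return self.port in (0, port) and ip_address(addr) in ip_network(self.remote)


class PolicyConflict(Exception):
    """Assertion would override authenticated policy or another app's assertion."""


class PeerIdentityChanged(Exception):
    """A BTNS SA came up with a different peer than the one pinned earlier."""


@dataclass
class Assertion:
    app: str
    selector: TrafficSelector
    peer_id: Optional[str] = None  # pinned once the first BTNS SA is established


class BtnsPolicyTable:
    def __init__(self, authenticated: List[TrafficSelector]):
        # Selectors that normal (authenticated) IPsec policy already covers;
        # BTNS must never be allowed to claim these. Assumed input, not a real SPD.
        self.authenticated = list(authenticated)
        self.assertions: Dict[Tuple[str, TrafficSelector], Assertion] = {}

    def assert_btns(self, app: str, selector: TrafficSelector) -> None:
        # Check 1: a BTNS assertion must not subvert authenticated IPsec policy.
        for auth in self.authenticated:
            if selector.overlaps(auth):
                raise PolicyConflict(f"{selector} overlaps authenticated policy {auth}")
        # Check 2: two applications must not assert overlapping selectors, since
        # each could end up pinning a different peer for the same traffic.
        for (other_app, _), existing in self.assertions.items():
            if other_app != app and existing.selector.overlaps(selector):
                raise PolicyConflict(f"{selector} conflicts with {other_app}'s {existing.selector}")
        self.assertions[(app, selector)] = Assertion(app, selector)

    def remove(self, app: str, selector: TrafficSelector) -> None:
        # Removing the assertion also drops the pinned identity.
        self.assertions.pop((app, selector), None)

    def sa_established(self, addr: str, port: int, peer_id: str) -> str:
        """Hook for the key-management daemon when a BTNS SA comes up.

        Returns "pinned" on the first peer for a selector, "ok" when the peer
        matches the pin, "unasserted" when no application asked for BTNS on
        this traffic, and raises PeerIdentityChanged on a mismatch.
        """
        for assertion in self.assertions.values():
            if assertion.selector.matches(addr, port):
                if assertion.peer_id is None:
                    assertion.peer_id = peer_id
                    return "pinned"
                if assertion.peer_id != peer_id:
                    raise PeerIdentityChanged(
                        f"{addr}:{port} pinned to {assertion.peer_id}, got {peer_id}")
                return "ok"
        return "unasserted"


if __name__ == "__main__":
    # Constructed sample: 10.0.0.0/8 already requires authenticated IPsec.
    table = BtnsPolicyTable([TrafficSelector("10.0.0.0/8")])
    table.assert_btns("dns", TrafficSelector("192.0.2.0/24", 53))
    print(table.sa_established("192.0.2.10", 53, "sha256:aaaa"))  # pinned
    print(table.sa_established("192.0.2.10", 53, "sha256:aaaa"))  # ok
```

The pin is per assertion rather than per SA, so a peer that reconnects with a different key is reported to the asserting application instead of being silently accepted; an application that really wants to accept the new peer removes and re-asserts the policy.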