Skip to main content

Opportunistic Encryption with DANE Semantics and IPsec: IPSECA

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors Eric Osterweil , Glen Wiley , Tomofumi Okubo , Ramana Lavu , Aziz Mohaisen
Last updated 2016-01-07 (Latest revision 2015-07-06)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document defines a new Domain Name System (DNS) resource record type called the IPSECA RR that is used to associate an X.509 certificate or a public key to an Internet Protocol Security (IPsec) gateway in a similar manner TLSA RR is used in the DNS-based Authentication of Named Entities (DANE) protocol does that for Transport Layer Security (TLS) in order to make the credential discovery easier through DNS and to allow credential discovery to be performed in a secure manner leveraging DNS Security Extensions (DNSSEC). Among the issues addressed in this draft is the danger of IP address spoofing that can be a liability to IPsec endpoints. It is important to note that the "right destination" in this document is strictly defined by the response of the DNS and does not attest to the identity of the organization or the ownership of the IP address space. The identity of the organization shall be attested in an X.509 certificate issued by a certification authority if desired and the ownership of the IP address space shall be attested by other mechanisms such as Towards A Secure Routing System (TASRS) architecture or Resource Public Key Infrastructure (RPKI).


Eric Osterweil
Glen Wiley
Tomofumi Okubo
Ramana Lavu
Aziz Mohaisen

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)