
Re: NATs *ARE* evil!

2000-12-18 20:50:02
If DNSSEC were deployed, I see no reason why SAs could not be
bound to domain names.

Donald

From:  RJ Atkinson <rja(_at_)inet(_dot_)org>
Message-Id:  <5(_dot_)0(_dot_)0(_dot_)25(_dot_)2(_dot_)20001218204046(_dot_)009e1250(_at_)gnat(_dot_)inet(_dot_)org>
Date:  Mon, 18 Dec 2000 20:45:43 -0500
To:  smd(_at_)ebone(_dot_)net (Sean Doran)
Cc:  ietf(_at_)ietf(_dot_)org
In-Reply-To:  <20001215184418(_dot_)3C3F3898(_at_)sean(_dot_)ebone(_dot_)net>

       The root issue with ESP/AH and NAT is that the Internet
Architecture does not currently have a sufficiently rich set 
of namespaces.  In the world of the current Internet Architecture, 
ESP and AH are forced to bind SAs to addresses.  In a different
world, they might be able to bind SAs to a different name.  Some 
folks are exploring which, if any, additional namespaces might 
make sense to add to the architecture.  As this is research, 
not engineering, it is largely happening in the IRTF for now.  
If something comes of it, no doubt an I-D or two will appear 
online for perusal...  

Ran


