
RE: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)



Peter Williams
Sent: 29 June 2004 17:14

>cdel:--< what specifically do you propose? It sounds like you are proposing
>non routable private e164.arpa zones behind firewalls?

not firewalls: SSL VPNs... (which also give you the security negotiation,
the single signon, and the layer-independent privacy handling) Adding ENUM
discovery to SSL single signon makes a lot of sense, when the SSL layer is
tuned for setting up the SIP proxys' sessions.  The E.164 address can also
be added to the SAML, which when signed and issued by authorities can
implement the semantics of the national authorities that Richard seeks to
preserve (who knows why some people wish to preserve dinosaurs).

But as you imply, behind every VPN there is a private DNS. Inter-VPN routing
can allow references to the DNS access points of some of the other providers
in the n confederations.

Jim's idea is to use e164.arpa as a name, not as a zone administration point. If
I go one step further, in the SSL world, we just have each SSL VPN issue a
self-signed cert, asserting a binding between this .arpa name and the local
tunnel endpoint to the DNS server reachable to the community using the
particular SSL-net interface.

Dump DNS zone delegation, and use VPN management system mechanism, instead -
and use the SSL culture to handle the politics of confederated naming (given
SSL management works on a critical infrastructure scale).


christian :--> Thanks for the clear presentation of this idea.

But does it matter if it is SSL or IPSEC with or without BGP4 policy? i.e.,
would it be better to allow the user to define network architecture rather than
imposing SSL only for ENUM use as a one size fits all? Or have I
misunderstood you?


Christian


_______________________________________________
enum mailing list
enum at ietf.org
https://www1.ietf.org/mailman/listinfo/enum