[kea-dev] Support for SSL on backend database connections
Francis Dupont
fdupont at isc.org
Thu Oct 22 20:20:04 UTC 2015

DHCP itself has no protection at all (secure DHCPv6 provides only
authentication and integrity, no encryption) so there is no plan
to use MySQL over TLS.

Note that if you'd like to secure the server infrastructure, IPsec is
the standard solution and is more flexible as it protects all traffic.
BTW it is the way Relay-Server DHCPv6 communication is supposed to
be secured when needed.

On the other hand, OpenSSL is already an option for the crypto backend
so MySQL over TLS can be used without adding a new dependency (or
worse a conflicting dependency) so it should be enough to extend
the MySQL connection setup...

Regards

Francis Dupont <fdupont at isc.org>

PS: this is my own opinion and I am known to see the world in two
colors (red and black) and to not trust TLS to be correctly used
by common users.