[Openswan dev] Opportunistic Encryption thought over - x509 certificates vs DNS TXT records

Marcus Blomenkamp mblomenk at gmx.de
Thu Apr 15 14:49:05 CEST 2004


Hi all,

First of all this is not meant to be a rant. I really appreciate the work you 
put into {Free,Open}SWAN on a daily basis. However, I have serious difficulties 
getting the idea behind your choice of utilizing DNS records as a public key 
infrastructure, both from a security and a manageability point of view. 
Therefore I want to put the focus on an alternative approach, for which I welcome 
any kind of reaction.

The current design of OE leads me to assume that the only objective is to use 
IPSec at all - and not to make OpenSWAN the solution to the problems people 
usually want to solve with IPSec. Thus people avoid the complexity of 
setting up OE infrastructure, with the actual outcome that OE is not widely 
used. See recent history - I think you all know what I am referring to.

Obstacles observed on deploying DNS-based OE:

Retrieving plain RSA signatures from DNS allows us to generate an ISAKMP SA; 
however, we still do not know who we are communicating with. In a usual setup 
we cannot trust the DNS server, thus opening up the possibility of spoofing 
attacks.

If we want to trust the DNS server there are two options - IPSec and DNSSEC. 
The former implies a kind of chicken-and-egg problem, or at least manual work on 
each machine - plus it requires the DNS server to run IPSec too, but what 
if you are not in the appropriate administrative position to dictate 
this?
DNSSEC on the other hand - I must admit that I have not dug into that deeply 
- is no better. There are at least two components you have to tweak to 
get a basic working setup: the authoritative DNS server and the client-side resolver. 
With respect to DNSSEC capabilities, the great diversity of available DNS 
servers (open-source, closed-source, commercial, whatever) reduces to a 
compact number of two, BIND9 and NSD2. I have run neither of them, nor do I 
intend to. NSD2 is known to insiders only, and BIND has a history of its own 
when it comes to security considerations. Nevertheless, if one would like to 
use DNSSEC servers, lack of administrative power might cross those plans too. 
Additionally one has to implant a DNSSEC resolver library into his system. 
To my knowledge glibc does not provide that. Best wishes to anyone crossing 
this software minefield.

Furthermore obstacles in Joe Sixpack's real-world setup:

Joe has a wireless LAN with several machines running GNU/Linux. Naturally he 
wants them to communicate privately. However, their IP addresses are assigned 
dynamically by a DHCP server. A static IP==RSASIG map, as it might be 
configured on his trusted DNS server, will bite in that scenario. To work 
around this he configures his DNS server to accept dynamic changes, aka DDNS. 
To prevent one (possibly compromised) machine from subverting all DNS entries, 
Joe has to generate a separate shared secret for each machine==DNS-entry 
item. So in addition to his previously created RSA key pairs he creates yet 
another key infrastructure. The resulting phenomenon is redundancy, which is 
usually considered bad design.

Did I miss anything which might simplify the utilization of DNS records for 
Opportunistic Encryption? If not, then the only conclusion I can draw is to 
throw it overboard and head for something better.

A more suitable approach is already implemented in - sorry to all OS zealots 
- Windows2k. Machines are simply equipped with their respective certs and 
cacerts and can automagically build up an ISAKMP SA to another machine if 
both have their certs signed by the same CA. No dependencies on additional 
infrastructure. It just plain works. Did I overlook something vital and thus 
make a total fool of myself? If so, then I apologize.

I haven't looked at OpenSWAN's code that much until now, but is this doable 
with the current design of pluto and the kernel? Could one reuse the same hooks 
currently used by OE to trigger signature retrieval from DNS?

I do have real interest in bringing this to production quality. Am I the only 
one longing for this feature? I don't think I could stem this all by 
myself.

Sincerely yours, Marcus
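What the certificate-based setup asked about in the mail looks like in Openswan's own ipsec.conf syntax, as an added example by the editor (not part of Marcus's mail and not a configuration shipped by the project). It assumes Openswan 2.x with its built-in X.509 support; the certificate and key file names, the DN values and the connection name are placeholders.

```conf
# /etc/ipsec.conf - added example, placeholder names throughout.
# Each host carries its own certificate (in /etc/ipsec.d/certs), its private
# key (in /etc/ipsec.d/private, referenced from /etc/ipsec.secrets as
#   : RSA joe-laptop.key "passphrase"
# ) and the shared CA certificate in /etc/ipsec.d/cacerts.

config setup
        interfaces=%defaultroute

conn %default
        keyingtries=1
        authby=rsasig
        # take both public keys from the certificates exchanged in IKE,
        # so nothing is looked up in DNS
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# Accept an ISAKMP SA from any peer whose certificate is signed by the same
# CA as ours (rightca=%same) and whose subject DN matches the wildcard below.
conn lan-cert-any
        left=%defaultroute
        leftcert=joe-laptop.pem
        leftid="C=DE, O=Joe Home, CN=joe-laptop"
        right=%any
        rightca=%same
        rightid="C=DE, O=Joe Home, CN=*"
        # load at start-up and wait for incoming negotiations
        auto=add
```

Two caveats a practitioner should note. First, a conn with right=%any is responder-only: pluto refuses to initiate a connection whose peer address it does not know, so unlike OE there is no trigger on outbound traffic to an as yet unknown host; each side that wants to initiate needs a conn with the peer's address filled in. Second, trust now rests entirely on the CA: every host needs a certificate issued by it, and a compromised host stays trusted until its certificate is revoked through a CRL in /etc/ipsec.d/crls, which is the part of the infrastructure this approach does not make disappear.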
