[Openswan dev] Opportunistic encryption questions
mcr at sandelman.ottawa.on.ca
Wed Apr 5 19:28:13 CEST 2006
You are absolutely right: static IPs and reverse control is hard to get.
I should point out that you can do initiator-only OE with a forward
name, and dynamic DNS services such as fdns.net support putting KEY
and TXT records in their forward service.
As for having a key server on the responding node --- we don't need to
do that. We can send the raw RSA keys in the IKE connection. This is
easier and more robust. We can easily do this for the initiator's key,
and doing exactly this is the subject of the IETF "BTNS"
(Better-Than-Nothing Security) WG.
The problem for the responding node (which is out of scope for BTNS), is
that the TXT record in the reverse serves as an indication to the
initiator that trying OE is worthwhile.
There are a number of protocols for which we can work out other means to
communicate the willingness to do OE, and which could carry the keys:
  a) we can write a SIP extension (most of this is already
     present, but they assumed a PKI, which is why nobody
     uses this method in SIP)
  b) P2P systems could spread "will do OE" as another
     attribute of the hosts.
  c) we could have another database, could be DNS distributed
     (or LDAP, or HTTP, or ...) in which people could register.
     This solution has scaling problems.
For both (a) and (b), we need a way to get new public keys into
the IKE daemon, even if the p2p or SIP programs are running as a
non-privileged user. I.e. we need an API.
Turns out that this is almost *in scope* for the IETF BTNS WG.
If you are interested in working on any of these ideas, let me know.
s> idea would stand. Is someone working on it already? Is it
s> likely to be added to openswan if it were developed?
If the code is clean enough, yes.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
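Added example (not part of the original message and not Openswan code): how an initiator could decide from the TXT records on a name whether trying OE is worthwhile. It assumes the RFC 4322 record layout, X-IPsec-Server(precedence)=gateway key, with the key as an RFC 3110 base64 blob; the function names, the 1024-bit floor and the sample records are constructed for illustration.

```python
import base64
import ipaddress
import re

# Assumed layout (RFC 4322): X-IPsec-Server(<precedence>)=<gateway> <base64 key>
OE_TXT = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")

def parse_rsa_key(b64):
    """Decode an RFC 3110 RSA public key blob into (exponent, modulus)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 3:
        raise ValueError("key too short")
    if raw[0]:                      # one-byte exponent length
        elen, off = raw[0], 1
    else:                           # zero byte, then two-byte exponent length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent, modulus = raw[off:off + elen], raw[off + elen:]
    if len(exponent) != elen or not elen or not modulus:
        raise ValueError("truncated key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")

def oe_candidates(txt_records, min_bits=1024):
    """Usable OE entries, lowest precedence number first; empty list means skip OE."""
    found = []
    for txt in txt_records:
        m = OE_TXT.match(txt.strip())
        if not m:
            continue                # unrelated TXT data such as SPF
        prec, gateway, key = m.groups()
        try:
            if not gateway.startswith("@"):   # "@name" is an FQDN gateway
                ipaddress.ip_address(gateway)
            exponent, modulus = parse_rsa_key(key)
        except ValueError:
            continue                # malformed gateway or key: ignore the record
        if modulus.bit_length() >= min_bits:  # min_bits is a local policy choice
            found.append((int(prec), gateway, exponent, modulus))
    return sorted(found)

def sample_key(bits):
    """Constructed test blob (exponent 3, dummy modulus), not a real key."""
    modulus = (1 << (bits - 1)) | 1
    return base64.b64encode(bytes([1, 3]) + modulus.to_bytes(bits // 8, "big")).decode()

SAMPLE_TXT = [                      # constructed records for one name
    "v=spf1 -all",
    "X-IPsec-Server(20)=192.0.2.7 " + sample_key(2048),
    "X-IPsec-Server(10)=@gw.example.net " + sample_key(2048),
    "X-IPsec-Server(5)=192.0.2.9 " + sample_key(512),
    "X-IPsec-Server(1)=192.0.2.9 not*base64",
]
```

Records that are unrelated, malformed or carry a key below the floor are dropped, so a name with no surviving entry is treated the same as a name with no OE record at all.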