From: Aidas K. <a.k...@gm...> - 2005-03-08 05:27:18
|
Haripriya S wrote: > Hi all, > > Some of us at Novell are working on a client plug-in framework for > Racoon, which will let developers write plugins (including closed-source > plug-ins) for extending Racoon functionality to support the following > features: > > 1. Support to interoperate with vendor gateways like Nortel Contivity, > Novell BorderManager etc. using additional modes of authentication, > policy distribution etc. > 2. Graphical client utilities for connect, disconnect, statistics etc. > Graphical client imho is the easier part. You can include part of racoonctl program into your graphical client, or isvoke racoonctl via CLI. The only thing to remember is that connection/disconnection and policy manipulations are operations which require root permitions. And graphical applications should not run with those. So, you should come up with some schema, how to increase privileges for these oprations *securely*. Emmanuel was the person who worked on racoonctl recently, so you probably should contact him for good advises on this program and related things. Anyway, I hope most you need from that program, this program already does. Re plugins to extend racoon. I'm afraid it's a pandora's box -- once opened it will be dificult to close it :-( You see, there are three phase1 modes, one phase2 mode, and, in the future most likely there will be IKEv2 mode in racoon. Payloads for some operation appears in different packets. Some of them require to be inside encrypted packet or after authentication of peer is already verified. Schema for generatlization should be really clever (at the moment I have no idea, how it could be implemented). If you have such a schema -- you're very welcome to share! If, on the other hand, you intend to just add hooks at particular places in the code, then I will have less enthuzisam for such addition, yet it is possible (if others will not object). But, in such case please think, that other may need to add hooks in the other places too. Therefore, please make sure that such plugin architecture you will be proposing will be easily extendable. P.S. If that is possible, please make your extensions open source (and not proprietary). Ipsec-tools user and developer communities will be gratefull for such choice. ;-) > For this purpose we have created a open-source project called turnpike > at forge.novell.com, and will be updating code there shortly. We are > trying not to keep the framework tightly coupled with ipsec-tools since > this will not be applicable for a gateway, only to a workstation. > Keeping the framework separate will allow people to use it only if > required. But still looks like we would need to make a few changes to > the racoon code to get the framework itself to work with IKE. > > The main changes would be: > a. introduction of certain hook-points in IKE payload processing, to > enable the framework to dispatch vendor payload processing to the > plug-ins. > b. adding additional commands to the admin-port framework for operations > like connect, disconnect etc. > > We will be able to send the admin-port patches in a couple of weeks, and > the hookpoints to IKE and the actual framework in a month or so. We > would appreciate your inputs/concerns on the approach in general, as > well as the design and code. > > Thanks and Regards, > Haripriya S. -- Aidas Kasparas IT administrator GM Consult Group, UAB |