Re: [Ipsec-tools-devel] Client plug-in framework for IKE

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Haripriya S wrote:
> Hi all,
> 
> Some of us at Novell are working on a client plug-in framework for
> Racoon, which will let developers write plugins (including closed-source
> plug-ins) for extending Racoon functionality to support the following
> features:
> 
> 1. Support to interoperate with vendor gateways like Nortel Contivity,
> Novell BorderManager etc. using additional modes of authentication,
> policy distribution etc.
> 2. Graphical client utilities for connect, disconnect, statistics etc.
> 

Graphical client imho is the easier part. You can include part of 
racoonctl program into your graphical client, or isvoke racoonctl via 
CLI. The only thing to remember is that connection/disconnection and 
policy manipulations are operations which require root permitions. And 
graphical applications should not run with those. So, you should come up 
with some schema, how to increase privileges for these oprations 
*securely*. Emmanuel was the person who worked on racoonctl recently, so 
you probably should contact him for good advises on this program and 
related things. Anyway, I hope most you need from that program, this 
program already does.

Re plugins to extend racoon. I'm afraid it's a pandora's box -- once 
opened it will be dificult to close it :-( You see, there are three 
phase1 modes, one phase2 mode, and, in the future most likely there will 
be IKEv2 mode in racoon. Payloads for some operation appears in 
different packets. Some of them require to be inside encrypted packet or 
after authentication of peer is already verified. Schema for 
generatlization should be really clever (at the moment I have no idea, 
how it could be implemented). If you have such a schema -- you're very 
welcome to share!

If, on the other hand, you intend to just add hooks at particular places 
in the code, then I will have less enthuzisam for such addition, yet it 
is possible (if others will not object). But, in such case please think, 
that other may need to add hooks in the other places too. Therefore, 
please make sure that such plugin architecture you will be proposing 
will be easily extendable.

P.S. If that is possible, please make your extensions open source (and 
not proprietary). Ipsec-tools user and developer communities will be 
gratefull for such choice. ;-)

> For this purpose we have created a open-source project called turnpike
> at forge.novell.com, and will be updating code there shortly. We are
> trying not to keep the framework tightly coupled with ipsec-tools since
> this will not be applicable for a gateway, only to a workstation.
> Keeping the framework separate will allow people to use it only if
> required. But still looks like we would need to make a few changes to
> the racoon code to get the framework itself to work with IKE. 
> 
> The main changes would be:
> a. introduction of certain hook-points in IKE payload processing, to
> enable the framework to dispatch vendor payload processing to the
> plug-ins.
> b. adding additional commands to the admin-port framework for operations
> like connect, disconnect etc.
> 
> We will be able to send the admin-port patches in a couple of weeks, and
> the hookpoints to IKE and the actual framework in a month or so. We
> would appreciate your inputs/concerns on the approach in general, as
> well as the design and code.
> 
> Thanks and Regards,
> Haripriya S.

-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB