From: Michael C. W. <mc...@ha...> - 2012-02-22 10:28:33
Hello,
I have been experimenting with racoon from ipsec-tools for a while. I
have a patch that implements two things:
- Allows racoonctl to load a public key into a running racoon.
It works but it's not quite finished. It currently doesn't check for
duplicate keys.
- Makes racoon query for IPSECKEY records in DNS.
This is supposed to be used together with the first change. The
initiator will use a public key loaded through racoonctl and the
responder side will query DNS for the IPSECKEY record.
In my current patch both sides will query DNS for IPSECKEY if no
public key is loaded. This is something like Better-Than-Nothing
Security but with external keys. Like BTNS it is open for a
man-in-the-middle attack.
I might remove this scenario.
The patch is very experimental and the code is far from production
quality but perhaps you might still be interested.
The intended use is opportunistic encryption in Transport Mode, like
this:
A small forwarding DNS resolver (I have a proof of concept in Perl with
Net::DNS) running on the local host will capture any attempts to query
for A or AAAA records and will simultaneously query for an IPSECKEY
record. If it exists, it will be loaded into racoon and a security
policy is set.
When traffic is seen and the IKE dialogue starts, the responding racoon
will query DNS for the initiator's IPSECKEY.
More about the project, including resolver source, patches to racoon and
racoonctl and a HOWTO document here:
http://hack.org/mc/hacks/ipsec/
I've been thinking about doing the same with an IKEv2 daemon. Any
suggestions on which one I should choose?
Happy hacking,
MC
--
http://hack.org/mc/
Warning! Plain text e-mail, please. HTML e-mail deleted unread.
OpenPGP: 673B 563E 3C78 1BA0 6525 2344 B22E 2C10 E4C9 2FA5
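The resolver described in the mail looks up IPSECKEY records and hands the result to racoon. As an added example (not code from the mail or from the hack.org project), here is a Python parser for IPSECKEY RDATA in the RFC 4025 wire format that also picks which record to try first by precedence; the sample RRset is constructed and its key bytes are placeholders, not real public keys.

```python
import base64
import ipaddress
import struct

ALGORITHMS = {0: "none", 1: "DSA", 2: "RSA"}  # RFC 4025 algorithm numbers


def _read_name(data, offset):
    """Decode an uncompressed wire-format domain name; RFC 4025 forbids compression."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in IPSECKEY gateway")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_ipseckey(rdata):
    """Split IPSECKEY RDATA into precedence, gateway type, algorithm, gateway and key."""
    if len(rdata) < 3:
        raise ValueError("IPSECKEY RDATA shorter than its 3-octet fixed header")
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    offset = 3
    if gw_type == 0:      # no gateway: written as "." in presentation format
        gateway = "."
    elif gw_type == 1:    # IPv4 address, 4 octets
        gateway, offset = str(ipaddress.IPv4Address(rdata[3:7])), 7
    elif gw_type == 2:    # IPv6 address, 16 octets
        gateway, offset = str(ipaddress.IPv6Address(rdata[3:19])), 19
    elif gw_type == 3:    # domain name, uncompressed wire format
        gateway, offset = _read_name(rdata, 3)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    return {"precedence": precedence, "gateway_type": gw_type, "algorithm": algorithm,
            "algorithm_name": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
            "gateway": gateway, "key": rdata[offset:]}  # key runs to the end of RDATA


def presentation(rec):
    """RFC 4025 presentation format: precedence gw-type algorithm gateway base64-key."""
    fields = [str(rec["precedence"]), str(rec["gateway_type"]), str(rec["algorithm"]),
              rec["gateway"], base64.b64encode(rec["key"]).decode("ascii")]
    return " ".join(fields).rstrip()  # algorithm 0 carries no key, so no trailing field


def choose_record(rdatas):
    """Pick the key-bearing record to try first: lowest precedence wins (RFC 4025)."""
    usable = [r for r in map(parse_ipseckey, rdatas) if r["algorithm"] != 0]
    return min(usable, key=lambda r: r["precedence"], default=None)


# Constructed sample RRset; key bytes are placeholders, not real public keys.
SAMPLE_RDATAS = [
    b"\x0a\x01\x02" + bytes([192, 0, 2, 1]) + b"\x01\x02\x03\x04",  # prec 10, IPv4 gw, RSA
    b"\x01\x03\x00" + b"\x02gw\x07example\x03com\x00",              # prec 1, name gw, no key
    b"\x05\x02\x02" + ipaddress.IPv6Address("2001:db8::1").packed + b"\x05\x06",  # prec 5
]

if __name__ == "__main__":
    for rd in SAMPLE_RDATAS:
        print(presentation(parse_ipseckey(rd)))
    print("try first:", presentation(choose_record(SAMPLE_RDATAS)))
```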