MC's journal

Pungenday, the 61 day of The Aftermath in the YOLD 3177

OE IPsec part 2

I recently posted a first blog entry about my Opportunistic Encryption project. Right now I updated the IPsec project page with an insight about using rather slack but all-encompassing security policies like these:

#!/sbin/setkey -f 

spdflush ; 

spdadd ::/0 ::/0 any -P in ipsec esp/transport//use ; 
spdadd ::/0 ::/0 any -P out ipsec esp/transport//use ; 

spdadd 0.0.0.0 0.0.0.0 any -P in ipsec esp/transport//use ; 
spdadd 0.0.0.0 0.0.0.0  any -P out ipsec esp/transport//use ;

Using this with my racoon configuration with statically configured public key files works fine.

Now racoon only needs to get the public key loaded on demand. This might happen from my resolver or perhaps with a patch to racoon itself. It can already lookup CERT records in DNS, albeit the obsolete RFC 2538 version. I might be able to reuse this code to do an IPSECKEY lookup.

More later…


Written by MC using Emacs and friends.