Tarapia Tapioco wrote:
We've recently seen FreeS/WAN die, not least due to the apparent practical failure of Opportunistic Encryption. The largest blocking point for deployment of OE always seemed to be the requirement for publishing one's key in the reverse DNS space. ...
Yes.
So, the apparent solution for me seems to be the approach that the SPAM blacklists used - publish information in a subspace of the forward DNS space instead of using the authoritative in-addr.arpa area.
Worth discussing at least.
A possible implementation looks like this: ...
* Linux/KAME's IKE daemon racoon is patched to attempt retrieval of an RSA key from said DNS repository and generate appropriate security policies.
Cleaner solution, but more work probably.
Why would you use racoon? FreeS/WAN's Pluto is available, under GPL, already does OE, and works with 2.6 kernel IPsec (though I'm not certain if patches are needed for that). Wouldn't it be a better starting point?