Re: Saving Opportunistic Encryption
Hi,

Sandy Harris wrote:
Tarapia Tapioco wrote:
A possible implementation looks like this: ...
* Linux/KAME's IKE daemon racoon is patched to attempt retrieval of an RSA key from said DNS repository and generate appropriate security policies.
Cleaner solution, but more work probably.
Why would you use racoon? FreeS/WAN's Pluto is available, under GPL, already does OE, and works with 2.6 kernel IPsec (though I'm not certain if patches are needed for that). Wouldn't it be a better starting point?
I have to take a look at this. Using racoon was my first idea because it seems to be the "official" Linux thing these days and is portable to the *BSDs, too. It's probably only the NIH syndrome at work. Also, using pluto suffers from the general FreeS/WAN problem of not allowing contributions from USAians. Anyway, thanks for the reminder - while the project is still at the "half-assed idea tossing" state, hacking FreeS/WAN should still be an option.
Anonymous via the Cypherpunks Tonga Remailer