
Re: linux-ipsec: Re: your mail

From: John Gilmore <gnu(at)toad.com>
Date: Tue Dec 01 1998 - 22:47:50 EST


> > IPsec and would like to contribute something to this project.

Gee, Henry, you take a nice volunteer on the IPSEC project and try to convince them to work on DNSSEC instead! Paul Vixie's group will do that work, in their own time. What we need much sooner is our own code to handle RSA keys and to extract keys from the DNS. Remember, our goal is to secure the Internet against passive attacks first -- then against active attacks (like someone spoofing DNS data) later.

My guess at what needs doing is: First, IKE needs to be able to authenticate to the other end by using its own RSA public/private key pair (that it gets from a file, perhaps) and the remote daemon's RSA public key (that it also gets from a file). [This involves the RSA patent and thus requires RSA's permission in the US. Elsewhere in the world it's OK.]

Once it can do that, then, IKE needs to do a DNS lookup to get an RSA public key that corresponds to the other end. This is complicated slightly by the current DNS libraries being blocking and single-threaded. Since the DNS maintainers will fix this within the next year or two, the appropriate response (rather than rewrite the DNS ourselves) is to fork and do the lookup in a child. Mozilla (www.mozilla.org) has code to do this, keeping a stable of child processes around and feeding them DNS requests as needed. We could probably use this code, since we're GPL, but Mozilla has a weird license and doesn't allow the option of merely pushing it into GPL (as the GNU Library License does), so we should ask the Mozilla folks if they'd give us a GPL copy of that code. Or if that becomes tedious, rewrite it.

Once it can do that, we'll need a few utilities for easily generating RSA key pairs and putting them into the DNS; some documentation; then we'll be done. This will allow IKE to look up the public key of any arbitrary target on the Internet, and authenticate that it's really talking to the Security Gateway for that target.

        John

Received on Wed Dec 2 01:53:55 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:08 EDT

