
[Design] pluto now checks our sides DNS credentials for Opportunism

From: D. Hugh Redelmeier <hugh(at)mimosa.com>
Date: Wed Mar 05 2003 - 17:46:16 EST


I've just checked into HEAD code that checks for our side's credentials in DNS before initiating an Opportunistic connection. It checks what the other side would need to have in order to respond to the negotiation:

  • if the connection's local ID is a Fully Qualified Domain, it checks that there is a KEY record in that domain that matches the private key we would use.
  • otherwise, if the source address is of our OE gateway interface, it checks that there is a suitable KEY record in the reverse domain for that IP address.
  • if the source address is not that of our OE gateway, it looks up the TXT record in the reverse domain. It checks that the TXT record delegates to us properly (IP address or FQDN; public key if present; if not present, KEY record is checked)

This change should make it more convenient to enable OE before setting up the credentials in DNS. There will still be a problem after the DNS records have been set up but before they propagate to the peer.

It should also make it easier to support OE for some nodes behind a Security Gateway, but not all.

This code is not well tested. The following deltas embody the change:

programs/pluto/CHANGES;
new revision: 1.191; previous revision: 1.190

programs/pluto/connections.c;
new revision: 1.156; previous revision: 1.155

programs/pluto/ipsec_doi.c;
new revision: 1.184; previous revision: 1.183

programs/pluto/rcv_whack.c;
new revision: 1.78; previous revision: 1.77


testing/pluto/bin/dopluto;
new revision: 1.8; previous revision: 1.7

testing/pluto/bin/dowhack;
new revision: 1.19; previous revision: 1.18

testing/pluto/log.ref/ipsec-oppo/wi-log;
new revision: 1.6; previous revision: 1.5

testing/pluto/log.ref/ipsec-oppo-group/wi-log;
new revision: 1.3; previous revision: 1.2

testing/pluto/log.ref/ipsec-oppo-narrow/wi-log;
new revision: 1.3; previous revision: 1.2

Hugh Redelmeier
hugh@mimosa.com voice: +1 416 482-8253
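The three-way check described in the post, written out as an added example (not pluto's code from the deltas listed above). It models a small constructed DNS zone as a dictionary, and decides which record a peer would need to find for our side before an Opportunistic connection is worth initiating: a KEY at the FQDN local ID, a KEY in the reverse domain of our OE gateway address, or a TXT delegation in the reverse domain of a non-gateway source address. The TXT layout follows the FreeS/WAN "X-IPsec-Server(priority)=gateway [key]" convention as I understand it; the zone contents, key strings and function names are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed zone: owner name -> {rrtype: [rdata, ...]}. Not real DNS data.
OUR_KEY = "AQNgwPubKeyBase64"          # stands in for our RSA public key
ZONE = {
    "gw.example.com.": {"KEY": [OUR_KEY]},
    "1.2.0.192.in-addr.arpa.": {"KEY": [OUR_KEY]},                       # 192.0.2.1 = our OE gateway
    "10.2.0.192.in-addr.arpa.": {"TXT": ["X-IPsec-Server(10)=192.0.2.1"]},             # delegates by IP, key via KEY
    "11.2.0.192.in-addr.arpa.": {"TXT": ["X-IPsec-Server(10)=192.0.2.1 AQNotherKey"]}, # inline key that is not ours
    "12.2.0.192.in-addr.arpa.": {"TXT": ["X-IPsec-Server(10)=gw.example.com"]},        # delegates by FQDN
}

TXT_RE = re.compile(r"X-IPsec-Server\((\d+)\)=(\S+)(?:\s+(\S+))?")


def lookup(name, rrtype):
    """Return the rdata list for name/rrtype from the constructed zone."""
    return ZONE.get(name, {}).get(rrtype, [])


def reverse_name(ip):
    """Owner name in the reverse domain for an IP address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def key_matches(name, pubkey):
    """True if a KEY record at name carries exactly our public key."""
    return pubkey in lookup(name, "KEY")


def check_own_credentials(local_id, source_ip, gateway_ip, our_pubkey, gateway_fqdn=None):
    """Return (ok, reason): could a peer find our credentials in DNS?

    1. local ID is an FQDN (written @name, as FreeS/WAN does) -> KEY at that name
    2. source address is our OE gateway address -> KEY in its reverse domain
    3. otherwise -> TXT in the source's reverse domain must delegate to us
    """
    if local_id.startswith("@"):
        name = local_id[1:].rstrip(".") + "."
        if key_matches(name, our_pubkey):
            return True, "KEY at %s matches our key" % name
        return False, "no KEY at %s matching our key" % name

    if source_ip == gateway_ip:
        name = reverse_name(source_ip)
        if key_matches(name, our_pubkey):
            return True, "KEY at %s matches our key" % name
        return False, "no KEY at %s matching our key" % name

    name = reverse_name(source_ip)
    txts = lookup(name, "TXT")
    if not txts:
        return False, "no TXT delegation record at %s" % name
    for txt in txts:
        m = TXT_RE.match(txt)
        if not m:
            continue
        target, inline_key = m.group(2), m.group(3)
        target_is_us = target == gateway_ip or (
            gateway_fqdn is not None and target.rstrip(".") == gateway_fqdn.rstrip("."))
        if not target_is_us:
            continue  # delegation points at a different gateway
        if inline_key is not None:
            if inline_key == our_pubkey:
                return True, "TXT at %s delegates to us with our key" % name
            return False, "TXT at %s delegates to us but carries a different key" % name
        # No inline key: the peer will fetch KEY from the delegation target,
        # so that record must exist and match.
        try:
            ipaddress.ip_address(target)
            key_name = reverse_name(target)
        except ValueError:
            key_name = target.rstrip(".") + "."
        if key_matches(key_name, our_pubkey):
            return True, "TXT at %s delegates to us; KEY at %s matches" % (name, key_name)
        return False, "TXT at %s delegates to us but KEY at %s is missing" % (name, key_name)
    return False, "TXT at %s does not delegate to us" % name


if __name__ == "__main__":
    for args in [("@gw.example.com", "192.0.2.1", "192.0.2.1"),
                 ("192.0.2.1", "192.0.2.1", "192.0.2.1"),
                 ("192.0.2.10", "192.0.2.10", "192.0.2.1"),
                 ("192.0.2.11", "192.0.2.11", "192.0.2.1"),
                 ("192.0.2.13", "192.0.2.13", "192.0.2.1")]:
        print(args[0], check_own_credentials(*args, OUR_KEY, gateway_fqdn="gw.example.com"))
```

The function only reports whether the records a peer would need are present and consistent with our key; as the post notes, it cannot tell whether those records have already propagated to the peer's resolver, so a failed negotiation is still possible right after the records are published.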



Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Wed Mar 5 18:13:45 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:56 EDT

