[Swan-dev] debian continuous integration

Antony Antony antony at phenome.org
Tue Dec 12 10:47:27 UTC 2017


On Mon, Dec 11, 2017 at 08:27:03PM -0500, Daniel Kahn Gillmor wrote:
> Hi Antony--
> 
> On Mon 2017-12-11 23:47:50 +0100, Antony Antony wrote:
> 
> > Subject: [PATCH] tests/opportunistic fix, asymmetric dnssec test
> 
> thanks for this! I confess i'm still a little confused as to why this
> DNSSEC-driven policy should be labeled "opportunistic" as compared with
> the fully-opportunistic authnull policy.
Hi dkg,

It is easy to create a second test. Let me know which one, maybe I can
help.

However, agreeing on name(s) is probably hard. My focus is on the test, not
so much on names. And a 0.02 cent comment on name/history.

So a bit of history and how that may relate to naming. In the FreeSWAN days
opportunistic encryption meant symmetric DNSSEC, using RSASIG. AFAIK there
was only one identity validation method and one authentication method
(RSASIG). Also IKEv1 did not (AFAIK) offer asymmetric authentication. So
essentially one combination. The current one, IKEv2, offers more choices,
and they do not have established names yet.

Now Libreswan is offering more choice. Symmetric and asymmetric, based on
IKEv2 authentication. X509 certificate, DNSSEC (IPSECKEY RR) -- reverse and
forward --, and RFC 7619 NULL Authentication, based on identity validation.
And if you dig further, DNSSEC + IPSECKEY only supports RSA keys. Certificates
may support more. RFC 7619 NULL Authentication is a variant of PSK.

The test I sent you is against oe.libreswan.org, which is running
DNSSEC + IPSECKEY (RSA SIG in reverse zone), IKEv2 asymmetric test. At least a
few weeks ago :) And this would work.

regards,
-antony
