Thursday, 21 February 2013

IPSec on our SL6 machines II - KINK

Kerberos can be used to set up an IPSec security association (SA); the protocol is called Kerberized Internet Negotiation of Keys (KINK). It would make sense to use our Kerberos infrastructure directly rather than generating X.509 certificates using Kerberos. KINK is supported by racoon2, which is available from EPEL, so this is probably worth exploring, although the documentation is also very sparse. It would be nice if we could use opportunistic encryption, which doesn't require both ends of the IPSec tunnel to be specified. However, it does rely on extra entries in DNS. This might be possible but adds a certain amount of complication. This is also an interesting article giving an overview of IPSec; it suggests that an LDAP directory might be used to distribute public keys. Nate Carlson's post on how to set up an IPSec tunnel between Openswan and Windows XP also looks worth looking into.