Opportunistic Encryption using the Internet Key Exchange (IKE)

This document describes opportunistic encryption (OE) as designed and implemented by the Linux FreeS/WAN project. OE uses the Internet Key Exchange (IKE) and IPsec protocols. The objective is to allow encrypted, secure communication between two systems without any pre-arrangement specific to that pair: each system publishes its public key in DNS, and a peer fetches that key when it first needs to talk. Keys fetched from unsigned DNS make the exchange resistant to passive attacks only, since an attacker who can forge the DNS answer can substitute a key of their own. Validating the records with DNS Security (DNSSEC) secures the system against active attackers as well. As a result, the administrative overhead is reduced from the square of the number of systems (one pre-arranged configuration per pair) to a linear dependence (one DNS record per system), and it becomes possible to make secure communication the default even when the partner is not known in advance. This memo provides information for the Internet community.
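The lookup and trust decision sketched above, as an added example in Python that is not part of RFC 4322 or the FreeS/WAN code base. It assumes the delegation record is the TXT form FreeS/WAN used, "X-IPsec-Server(precedence)=gateway key", published under the destination's reverse (in-addr.arpa) name; the owner names, addresses, placeholder key bytes and the resolver's AD flag are all constructed inline rather than fetched from DNS, and the IKE signature check itself is outside the example.

```python
"""Opportunistic encryption key discovery over DNS.

Added example: not code from RFC 4322 or from the FreeS/WAN project.
Assumptions (not stated on the page): the delegation record is the TXT
form "X-IPsec-Server(<precedence>)=<gateway> <base64 key>" under the
reverse name of the address, and the DNS answers are constructed inline.
"""
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One TXT string: precedence (lower is preferred, as with MX), the gateway
# that terminates IPsec for this address, and that gateway's public key.
TXT_RE = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")


@dataclass
class OERecord:
    precedence: int
    gateway: str
    pubkey: bytes


@dataclass
class OEDecision:
    action: str            # "encrypt" or "clear"
    gateway: Optional[str]
    authenticated: bool    # True only when the answer was DNSSEC-validated


def reverse_name(addr: str) -> str:
    """192.0.2.7 -> 7.2.0.192.in-addr.arpa: the owner name OE queries."""
    return ipaddress.ip_address(addr).reverse_pointer


def parse_txt(txt: str) -> Optional[OERecord]:
    """Parse one TXT string; unrelated or malformed strings yield None."""
    m = TXT_RE.match(txt.strip())
    if not m:
        return None
    prec, gateway, key_b64 = m.groups()
    try:
        ipaddress.ip_address(gateway)
        pubkey = base64.b64decode(key_b64, validate=True)
    except ValueError:  # bad gateway address or bad base64 (binascii.Error)
        return None
    return OERecord(int(prec), gateway, pubkey)


def records_for(addr: str, answers: Dict[str, List[str]]) -> List[OERecord]:
    """All well-formed delegation records published for `addr`."""
    return [r for r in map(parse_txt, answers.get(reverse_name(addr), []))
            if r is not None]


def decide(dest: str, answers: Dict[str, List[str]], ad_flag: bool,
           require_dnssec: bool = False) -> OEDecision:
    """Initiator policy for traffic to `dest`.

    ad_flag models the resolver's AD bit (answer validated with DNSSEC).
    Without it the fetched key still defeats a passive eavesdropper, but an
    attacker who forges the DNS answer could substitute gateway and key;
    require_dnssec is an operator policy that refuses such unvalidated keys.
    """
    recs = records_for(dest, answers)
    if not recs or (require_dnssec and not ad_flag):
        return OEDecision("clear", None, False)
    best = min(recs, key=lambda r: r.precedence)
    return OEDecision("encrypt", best.gateway, ad_flag)


def peer_key_published(peer: str, key: bytes,
                       answers: Dict[str, List[str]]) -> bool:
    """Responder side: a peer may only authenticate with a key published
    under its own reverse name (the IKE signature is then verified with it)."""
    return any(r.pubkey == key for r in records_for(peer, answers))


# Constructed sample zone data (placeholder bytes, not real RSA keys): two
# gateways advertised for 192.0.2.7 plus an unrelated TXT at the same name.
KEY_A = base64.b64encode(b"placeholder-rsa-key-A").decode()
KEY_B = base64.b64encode(b"placeholder-rsa-key-B").decode()
SAMPLE_ANSWERS = {
    "7.2.0.192.in-addr.arpa": [
        "X-IPsec-Server(20)=198.51.100.2 " + KEY_B,
        "X-IPsec-Server(10)=198.51.100.1 " + KEY_A,
        "v=spf1 -all",
    ],
    "1.100.51.198.in-addr.arpa": [
        "X-IPsec-Server(10)=198.51.100.1 " + KEY_A,
    ],
}

if __name__ == "__main__":
    for ad in (True, False):
        d = decide("192.0.2.7", SAMPLE_ANSWERS, ad_flag=ad)
        print(f"AD={ad}: {d.action} via {d.gateway}, "
              f"authenticated={d.authenticated}")
    print(decide("192.0.2.7", SAMPLE_ANSWERS, ad_flag=False, require_dnssec=True))
```

The same answer yields "encrypt" with and without the AD bit, which is the page's point: the key defeats a passive listener either way, and only the DNSSEC-validated case is safe against an attacker who can forge DNS. The `require_dnssec` switch shows the stricter policy an operator can choose instead.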
