[536] IPsec: Opportunistic Encryption using DNSSEC & Deploying DNSSEC (plus audience participation: hack my DNS) - Part 2

Speakers
Paul Wouters
Hugh Daniel
John Gilmore
Language English
Lecture Documentation
Documentation OpenOffice format
Room Tent A
Time Day 4, 13:00h
Duration 2 hours

Description

With DNSSEC, it becomes possible to securely store public key information for various applications in the DNS hierarchy. We are going to use this ability to store and retrieve RSA keys to set up IPsec-based VPN tunnels using Opportunistic Encryption ("OE"). Hosts that support OE can securely communicate with each other through an IPsec tunnel, without prior arrangement or setup, and without any prior secure out-of-band exchange of their identities. This paves the way for a massive deployment of IPsec as the de facto way of communicating over the internet.

Furthermore, an OE-capable host can also be used to secure a whole subnet of machines which themselves do not support OE or even IPsec, such as a standard webfarm setup. By extending DHCP with a special OE option, we can even secure WLANs over an OE-negotiated IPsec tunnel, which results in encryption of all the wireless traffic.

These features will be deployed at the conference, and people will be available during the conference to assist you with setting up OE on your laptop. All the discussed features will of course also work with regular DNS to protect against passive attacks. However, with DNSSEC, you are also protected against active attacks. With more and more people using, and telcos deploying, Voice over IP calls, we can use these technologies to create an end-to-end secure telephony infrastructure.

At the time of writing, OE is only supported on Linux using FreeS/WAN or stock Linux 2.5 kernels. FreeS/WAN and OE already run on a variety of devices including the Sharp Zaurus handheld.