Cloud-OE: Difference between revisions

From Libreswan
Revision as of 10:23, 3 June 2019

This is mostly a collection of ideas and possibilities, as of 2019. AWS support has already been developed into a quickstart guide; the others need more work. I hope to find resources to work on these and eventually develop them further. The goal is code and a quickstart/howto.

== Commercial cloud support for Opportunistic Encryption ==

=== AWS ===

[https://aws.amazon.com/quickstart/architecture/libreswan-ipsec-mesh AWS OE quickstart]

AWS started libreswan certificate-based OE work in 2018; in May 2019 a quick start guide was published. The guide covers internal AWS EC2 cloud-to-cloud IPsec using certificates. The CA is created per AWS user using Lambda functions.

=== AWS further ideas/roadmap ===

==== Add internal IP address to Subject Alternative Names (SAN) ====

==== Support OE for external Elastic IP (EIP), for both the symmetrical and asymmetrical case ====

* Create a certificate for the external name, signed by either [https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html AWS Certificate Manager] or Let's Encrypt.

==== libreswan support to read SAN ====

Currently libreswan only reads the Common Name (CN) from a certificate. Add support for reading Subject Alternative Names (SAN). This has two advantages: IP addresses (internal and external) can be added, which becomes an additional level of verification, and multiple IDr (Responder ID) values can be supported.
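What "reading the SAN" involves, as an added example that is not libreswan code: a minimal DER parser for the X.509 subjectAltName extension value (dNSName and iPAddress GeneralNames only), plus the check the wiki has in mind, namely whether the address the peer is actually reached at appears as an iPAddress SAN in the presented certificate. The sample SAN is constructed in the script itself (the `build_san` helper exists only to produce offline input); the host name and addresses in it are made up.

```python
# Added example (not libreswan code): parse an X.509 subjectAltName extension
# value and match a peer IP against its iPAddress entries.
import ipaddress

# GeneralName context-specific tags (RFC 5280, section 4.2.1.6)
TAG_DNS_NAME = 0x82   # [2] dNSName, IA5String
TAG_IP_ADDR = 0x87    # [7] iPAddress, OCTET STRING of 4 or 16 bytes
TAG_SEQUENCE = 0x30


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form up to 127, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def build_san(dns_names, ip_addrs) -> bytes:
    """Construct a subjectAltName extension value. Used here only to make
    offline sample input; a real certificate carries this inside X.509."""
    items = b""
    for name in dns_names:
        enc = name.encode("ascii")
        items += bytes([TAG_DNS_NAME]) + _der_len(len(enc)) + enc
    for ip in ip_addrs:
        packed = ipaddress.ip_address(ip).packed
        items += bytes([TAG_IP_ADDR]) + _der_len(len(packed)) + packed
    return bytes([TAG_SEQUENCE]) + _der_len(len(items)) + items


def parse_san(der: bytes):
    """Return (dns_names, ip_addresses) found in a subjectAltName value.
    GeneralName types other than dNSName/iPAddress are skipped; malformed
    length encodings are rejected rather than guessed at."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    if end != len(der):
        raise ValueError("trailing or truncated SEQUENCE contents")
    dns_names, ips = [], []
    while pos < end:
        tag = der[pos]
        length, pos = _read_len(der, pos + 1)
        value = der[pos:pos + length]
        if len(value) != length:
            raise ValueError("GeneralName runs past end of SEQUENCE")
        pos += length
        if tag == TAG_DNS_NAME:
            dns_names.append(value.decode("ascii"))
        elif tag == TAG_IP_ADDR:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 bytes")
            ips.append(str(ipaddress.ip_address(value)))
    return dns_names, ips


def peer_ip_matches_san(der: bytes, peer_ip: str) -> bool:
    """The additional verification step the wiki describes: is the address we
    are talking to listed as an iPAddress SAN in the certificate?"""
    _, ips = parse_san(der)
    return ipaddress.ip_address(peer_ip) in {ipaddress.ip_address(i) for i in ips}


# Constructed sample: an EC2-style host with a private address and an elastic IP.
SAMPLE_SAN = build_san(["ip-10-0-1-23.ec2.internal"], ["10.0.1.23", "203.0.113.45"])

if __name__ == "__main__":
    print(parse_san(SAMPLE_SAN))
    print(peer_ip_matches_san(SAMPLE_SAN, "10.0.1.23"))   # True
    print(peer_ip_matches_san(SAMPLE_SAN, "10.0.1.99"))   # False
```

Comparing parsed `ipaddress` objects rather than strings means "10.0.1.23" and an IPv4-mapped or differently formatted spelling of the same address compare correctly, and a certificate whose SAN lists only the internal address will not match a connection arriving at the elastic IP, which is exactly why both addresses need to be present for the external EIP case.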

=== Google Compute Cloud ===

Google is arguably closer to supporting DNS-based OE with libreswan. Google supports reverse zones (PTR records) and IPSECKEY records. However, as of May 2019, there is no DNSSEC support for reverse zones. If DNSSEC were supported, that would give complete IPsec OE authentication and authorization support. I hope Google will add signed reverse zones soon.
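The DNS side of what the paragraph describes, as an added example that is neither libreswan nor Google code: mapping an address to its reverse-zone owner name, parsing IPSECKEY records in the RFC 4025 presentation format, and refusing to use a record unless the resolver reported DNSSEC validation. A small in-memory table stands in for a validating resolver's answers, with an `ad` field modelling the Authenticated Data bit; the first record is the example from RFC 4025 and the second entry is a constructed one modelling an unsigned reverse zone, the situation the paragraph describes.

```python
# Added example (not libreswan or Google code): reverse-zone IPSECKEY lookup
# for OE, done offline, with DNSSEC validation required by default.
import base64
import ipaddress

# Gateway types and algorithms from RFC 4025 (algorithm 3 = ECDSA, RFC 8005)
GATEWAY_TYPES = {0: "none", 1: "ipv4", 2: "ipv6", 3: "domain"}
ALGORITHMS = {0: "none", 1: "DSA", 2: "RSA", 3: "ECDSA"}


def reverse_name(ip: str) -> str:
    """Map an address to the owner name OE looks up in the reverse zone."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_ipseckey(rdata: str) -> dict:
    """Parse IPSECKEY presentation format:
    precedence gateway-type algorithm gateway public-key(base64)."""
    fields = rdata.split()
    if len(fields) != 5:
        raise ValueError("IPSECKEY needs exactly 5 fields")
    precedence, gw_type, algorithm = (int(f) for f in fields[:3])
    gateway, key_b64 = fields[3], fields[4]
    if gw_type not in GATEWAY_TYPES or algorithm not in ALGORITHMS:
        raise ValueError("unknown gateway type or algorithm")
    if gw_type == 0:
        if gateway != ".":
            raise ValueError("gateway type 0 requires '.' as gateway")
        gw = None
    elif gw_type == 1:
        gw = str(ipaddress.IPv4Address(gateway))
    elif gw_type == 2:
        gw = str(ipaddress.IPv6Address(gateway))
    else:
        gw = gateway.rstrip(".").lower()
    return {
        "precedence": precedence,
        "gateway_type": GATEWAY_TYPES[gw_type],
        "algorithm": ALGORITHMS[algorithm],
        "gateway": gw,
        # validate=True rejects stray characters instead of silently skipping them
        "public_key": base64.b64decode(key_b64, validate=True),
    }


# Constructed resolver answers. "ad" models the Authenticated Data bit set by a
# DNSSEC-validating resolver. The key string is the example from RFC 4025.
RFC4025_KEY = "AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvNqpn"
ANSWERS = {
    "38.2.0.192.in-addr.arpa.": {            # signed reverse zone
        "ad": True,
        "IPSECKEY": ["10 1 2 192.0.2.38 " + RFC4025_KEY],
    },
    "45.113.0.203.in-addr.arpa.": {          # unsigned reverse zone (constructed)
        "ad": False,
        "IPSECKEY": ["10 0 2 . " + RFC4025_KEY],
    },
}


def lookup_oe_keys(ip: str, answers=ANSWERS, require_dnssec: bool = True) -> list:
    """Return usable IPSECKEY records for ip, lowest precedence first.
    Without DNSSEC validation, anyone able to spoof the reverse zone could
    hand us their own key, so unvalidated answers are discarded by default."""
    answer = answers.get(reverse_name(ip))
    if answer is None:
        return []
    if require_dnssec and not answer.get("ad", False):
        return []
    keys = [parse_ipseckey(r) for r in answer.get("IPSECKEY", [])]
    return sorted(keys, key=lambda k: k["precedence"])


if __name__ == "__main__":
    print(lookup_oe_keys("192.0.2.38"))                          # one RSA record
    print(lookup_oe_keys("203.0.113.45"))                        # [] without DNSSEC
    print(lookup_oe_keys("203.0.113.45", require_dnssec=False))  # one record
```

The `require_dnssec` default is the point of the paragraph: with signed reverse zones the lookup both authenticates the peer's key and authorizes the address that published it; without them the same record is only a hint, which is why the unsigned entry returns nothing unless the caller explicitly lowers the bar.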

==== Initial work: add support for Google Cloud ====

Either create a Let's Encrypt certificate or publish an IPSECKEY record?

=== Microsoft Azure ===