Cloud-OE

From Libreswan
Revision as of 11:21, 3 June 2019 by Antony (talk | contribs)

This is mostly a collection of ideas and possibilities, as of 2019. AWS support has already been developed to the point of a quickstart guide; the others need more work. I hope to find resources to work on these and eventually develop them further. The goal is code plus a quickstart/howto.

Commercial cloud support for Opportunistic Encryption

AWS

OE quickstart: AWS started the libreswan certificate OE work in 2018, and in May 2019 a quick start guide was published. This guide covers internal AWS EC2 cloud-to-cloud OE using certificates. The CA is created per AWS user using Lambda functions.

AWS further ideas

Add internal IP address to alt names

Support OE for external use, both the symmetrical (no NAT) and the asymmetrical case

Libreswan support to read SAN

Currently libreswan only reads the Common Name (CN) from a certificate. Add support for reading Subject Alternative Names (SAN). This has two advantages: first, IP addresses (internal and external) can be carried in the certificate, which becomes an additional level of verification; second, we can support multiple IDr (Responder ID) values.
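As an added illustration, not libreswan code: the SAN check described above, written in Go with only the standard library. makeCert builds a constructed self-signed certificate whose SAN carries an internal and an external IP address, and peerIPMatchesSAN accepts a peer address only when it appears in those SAN entries, which is the verification step a CN-only check cannot give. The function names, the instance name and the addresses are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// makeCert builds a constructed self-signed certificate (test data only) whose
// CN is the instance name and whose SAN lists the internal and external IPs.
func makeCert(cn string, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// peerIPMatchesSAN is the extra check: the address the peer connects from must
// appear among the certificate's IP SAN entries; the CN alone says nothing about it.
func peerIPMatchesSAN(cert *x509.Certificate, peer string) bool {
	ip := net.ParseIP(peer)
	if ip == nil {
		return false
	}
	for _, san := range cert.IPAddresses {
		if san.Equal(ip) {
			return true
		}
	}
	return false
}
```

In a real deployment the certificate would come from the per-user CA described above, and this check would run after the normal chain validation, not instead of it.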

Google Compute Cloud

Google is arguably closer to supporting DNS-based OE with libreswan. Google supports reverse zones, i.e. PTR records, and IPSECKEY records. However, as of May 2019, there is no DNSSEC support for reverse zones. If DNSSEC were supported, that would give complete IPsec OE authentication and authorization support. I hope Google will add signed reverse zones soon.

Initial work to add support for Google Cloud

Either create a Let's Encrypt certificate or publish an IPSECKEY record?

Microsoft Azure