Hello! I am writing a Master's Thesis regarding deployment of host-to-host IPsec in a network with a couple of hundred servers. I'm currently thinking about how to make configuration and certificate distribution as easy as possible. The servers provide one or more of a set of services to the network and services need to communicate with each other.
My plan is to organize the servers into groups where a group of servers provide a specific service and where a server might be a member of multiple groups. I'm hoping that the IPsec policy can be specified for each group and that the policy for a specific server can be calculated from the policies for each group that the server is a member of. Does anyone know if this is possible with the tools that are available today?

My first thought was to use Attribute Certificates to identify group membership and to let the servers provide the appropriate Attribute Certificates to prove that they are part of the required group. However, if I understand things correctly, the Attribute Certificates must be available on both ends of the IKE exchange for this to work. Would it be possible to add support for sending the Attribute Certificates when they are requested, or is this unsupported by IKE? I saw some old post about using LDAP for Attribute Certificate lookups. Could that be another option in this case?

The next option I have investigated is to instead use the Organization Unit part of X.509 certificates for group membership. The problem with this is that the wildcard support seems to be unable to receive a variable number of Organization Unit attributes for a specific rightid parameter in ipsec.conf. Is it possible to do this somehow?

A final option that I've thought about is to give each client one certificate with a single group membership for each group that it is a part of and select the appropriate one for each connection. This might make the administration a bit difficult though.

Another problem that I've come upon is the configuration files themselves. I've only been able to use auto=start or auto=route with single hosts, requiring that all conn sections for each applicable host are listed in the ipsec.conf file on every host in the network. Is it somehow possible to use auto=route for connections to different hosts covering an entire subnet? It should be possible to choose the appropriate groups based on the protocols and ports used for the connections. A solution for this issue might be to instead use Opportunistic Encryption, but from what I've seen this is not really used in practice. Since the network would be internal, DNS security will not be as big of a problem as it is in a larger-scale Internet deployment of IPsec with Opportunistic Encryption.

My last resort as things are right now is to generate configuration files automatically, with individual connections in separate conn sections. These would then be distributed to the servers with a tool such as Puppet. Does it seem as if this would be possible to do? Is there some other solution to my problem that I might have missed? I will probably be able to convince my thesis advisors that I should spend some time on implementing missing functionality if that is the easiest way to make administration much simpler in the end.

Yours,
Jonas Sundberg

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
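The "last resort" sketched in the post above, computing each host's policy as the union of the policies of the groups it belongs to and emitting one ipsec.conf conn section per peer and service, is small enough to show in full. The following is an added example written for this page; it is not code from the poster or from the strongSwan project. The host names, addresses, group names, ports, certificate file names and the DN template are all constructed for illustration. It uses only documented ipsec.conf keywords (left/right, leftcert, leftid/rightid, leftsubnet/rightsubnet with a [proto/port] selector, type=transport, auto=route) and adds the one check a practitioner wants before shipping the files with Puppet: that the conn generated on one host mirrors the conn generated on its peer, since mismatched traffic selectors make the CHILD_SA negotiation fail.

```python
"""Compute per-host IPsec policy from group-level rules and emit strongSwan
ipsec.conf conn sections, one conn per peer and service.

Added example for the mailing-list post above.  Inventory, groups, ports,
DN template and certificate file names are constructed, not a real deployment.
"""

# --- constructed sample inventory -------------------------------------------
HOSTS = {                       # hostname -> address (constructed)
    "web1": "10.0.1.11",
    "web2": "10.0.1.12",
    "app1": "10.0.2.21",
    "db1":  "10.0.3.31",
}
GROUPS = {                      # group -> members; web2 sits in two groups
    "web": {"web1", "web2"},
    "app": {"app1", "web2"},
    "db":  {"db1"},
}
# Group-level policy: (client_group, server_group, proto, port).  Members of
# client_group may reach members of server_group on proto/port.
POLICY = [
    ("web", "app", "tcp", 8080),
    ("app", "db",  "tcp", 5432),
]
# Hypothetical DN layout shared by all host certificates (one cert per host).
DN_TEMPLATE = "C=SE, O=Example Thesis Lab, CN={host}"


def groups_of(host):
    """All groups the host is a member of."""
    return {g for g, members in GROUPS.items() if host in members}


def host_policy(host):
    """Union of the rules of every group `host` belongs to.

    Returns sorted (peer, proto, port, role) tuples.  role is "client" when
    host initiates to peer:port and "server" when host accepts on port.
    A host never gets a rule towards itself.
    """
    mine = groups_of(host)
    rules = set()
    for client_group, server_group, proto, port in POLICY:
        if client_group in mine:
            rules |= {(p, proto, port, "client")
                      for p in GROUPS[server_group] if p != host}
        if server_group in mine:
            rules |= {(p, proto, port, "server")
                      for p in GROUPS[client_group] if p != host}
    return sorted(rules)


def selectors(host, peer, proto, port, role):
    """Traffic selectors (leftsubnet, rightsubnet) as seen from `host`.

    Only the server side's port is pinned; the client may use any source port.
    """
    if role == "client":
        return (f"{HOSTS[host]}/32[{proto}]", f"{HOSTS[peer]}/32[{proto}/{port}]")
    return (f"{HOSTS[host]}/32[{proto}/{port}]", f"{HOSTS[peer]}/32[{proto}]")


def render_conn(host, peer, proto, port, role):
    """One host-to-host transport-mode conn, installed as a trap policy."""
    left, right = selectors(host, peer, proto, port, role)
    name = f"{host}-{peer}-{proto}{port}-{role}"
    return "\n".join([
        f"conn {name}",
        f"    left={HOSTS[host]}",
        f"    leftcert={host}Cert.pem",            # constructed file name
        f'    leftid="{DN_TEMPLATE.format(host=host)}"',
        f"    leftsubnet={left}",
        f"    right={HOSTS[peer]}",
        f'    rightid="{DN_TEMPLATE.format(host=peer)}"',
        f"    rightsubnet={right}",
        "    type=transport",
        "    keyexchange=ikev2",
        "    auto=route",
        "",
    ])


def render_ipsec_conf(host):
    """Complete ipsec.conf body for one host, ready to distribute."""
    header = ("config setup\n\n"
              "conn %default\n"
              "    ike=aes256-sha256-ecp256\n"
              "    esp=aes256gcm16\n\n")
    return header + "\n".join(render_conn(host, *rule) for rule in host_policy(host))


def mirror_consistent(a, b):
    """Every rule a has towards b must exist on b with role and selectors
    swapped; otherwise the two ends will not agree on the traffic selectors."""
    b_rules = host_policy(b)
    for peer, proto, port, role in host_policy(a):
        if peer != b:
            continue
        other = "server" if role == "client" else "client"
        if (a, proto, port, other) not in b_rules:
            return False
        left, right = selectors(a, b, proto, port, role)
        if selectors(b, a, proto, port, other) != (right, left):
            return False
    return True


if __name__ == "__main__":
    for h in HOSTS:
        print(f"# ---- /etc/ipsec.conf for {h} ----")
        print(render_ipsec_conf(h))
    print("mirror check:",
          all(mirror_consistent(a, b) for a in HOSTS for b in HOSTS if a != b))
```

Because web2 is in both the web and the app group, its generated file carries a client conn towards app1 on tcp/8080, a client conn towards db1 on tcp/5432 and a server conn accepting web1 on tcp/8080, which is exactly the "policy calculated from the policies of each group" the post asks for. The per-host output is what a Puppet (or similar) manifest would place in /etc/ipsec.conf on that host; the mirror check belongs in the generator's test suite so that a group-membership change that breaks the symmetry is caught before anything is distributed.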
