
Re: TODO List - Volunteers welcomed



"Kurt D. Zeilenga" wrote:

> At 10:42 PM 5/26/00 +0200, Bastiaan Bakker wrote:
> >> Add IPv6 and IPSEC support
> >
> >Could you please explain briefly what you mean with IPSEC support?
>
> IPSec can be used in two modes, transport and tunnel.  In tunnel
> mode, the client and server have no knowledge that IPSEC is
> present.  This is often used to create VPNs and such.
>
> However, in transport mode, IPSEC sits on top of IP and may be
> used to secure higher level protocols such as UDP and TCP, and,
> hence, LDAP.  An LDAP implementation which is IPSEC aware
> can make better use of the services offered by IPSEC.  In
> particular, IPSEC information can be used for authentication,
> authorization, and access control.  I suspect that most IPSEC
> implementations do not yet expose APIs which would allow these
> interactions (yet).
>

Ah right, up until now I've been focussing on tunnel mode, because most
people, including me, are primarily interested in using IPSec for VPNs
at the moment. But with the introduction of DNSSEC and the use of
opportunistic encryption, transport mode may become more popular in the
near future.  On the other hand, Bruce Schneier has argued in his
analysis of IPSec ( http://www.counterpane.com/ipsec.html) in favor of
eliminating transport mode....


>
> Specifically, I was thinking someone could implement IPSEC
> aware SASL/EXTERNAL (as mentioned in RFC 2222).  Also hooking
> it into ACLs (we'd like to make access choices based, in part,
> upon lower level integrity/privacy protections).
>

OK, I'll look into IPSec-based authentication a bit further this weekend.
Probably it's best not to focus specifically on OpenLDAP support
initially, since it may be very usable to other applications as well, and
I want to keep it generic enough.

Bastiaan

PS. Shouldn't stuff like this be on the 2.X or 3.0 ToDo list, rather
than the 2.0 one? IPSec support may be a nice feature, but it really
isn't essential for a proper 2.0 release. Surely already more than
enough cool features have been added since 1.2 to justify calling the
new release 2.0? :-)
Just some of my last Florin cents....
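The IPsec-aware SASL/EXTERNAL and ACL hooks Kurt describes above, sketched as a small Python model (an added example, not code from the thread or from OpenLDAP). The `IpsecSa` record, its fields and the ACL table are assumptions; real IPsec stacks expose SA data differently, if at all.

```python
# Toy model of an "IPsec-aware" LDAP server: derive a SASL/EXTERNAL identity
# and ACL decisions from the security properties of the underlying IPsec SA.
# The SA record shape and the ACL policy below are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class IpsecSa:
    mode: str                 # "transport" or "tunnel"
    protocol: str             # "ESP" or "AH"
    cipher: Optional[str]     # e.g. "aes-cbc"; None means integrity only
    peer_id: Optional[str]    # authenticated IKE peer identity (hypothetical)

def sasl_external_identity(sa: Optional[IpsecSa]) -> Optional[str]:
    """Only an end-to-end (transport mode) SA with an authenticated peer
    says anything about the LDAP client; a tunnel-mode SA protects the
    path between gateways, not the application endpoints."""
    if sa is None or sa.mode != "transport" or not sa.peer_id:
        return None
    return f"ipsec:{sa.peer_id}"

def protection_level(sa: Optional[IpsecSa]) -> Tuple[bool, bool]:
    """(integrity, privacy) the connection actually gets from IPsec."""
    if sa is None or sa.mode != "transport":
        return (False, False)
    has_privacy = sa.protocol == "ESP" and sa.cipher is not None
    return (True, has_privacy)

# ACL: attribute -> (requires_integrity, requires_privacy); constructed policy.
# Attributes not listed default to requiring both.
ACL = {
    "cn": (False, False),
    "mail": (True, False),
    "userPassword": (True, True),
}

def acl_allows(attr: str, sa: Optional[IpsecSa]) -> bool:
    """Grant access only if the lower-layer protections meet the ACL's
    integrity/privacy requirements for this attribute."""
    need_int, need_priv = ACL.get(attr, (True, True))
    have_int, have_priv = protection_level(sa)
    return (have_int or not need_int) and (have_priv or not need_priv)
```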