Check out the new USENIX Web site. next up previous
Next: Interoperability Up: Conclusion Previous: Current State

Future Directions

There seems to be an increasing number of proposed new IKE extensions after every IETF. We are, however, reluctant to incorporate them all as code bloat is a problem we should fight to maintain any kind of security. Something we definitely are going to add is IPv6 support, as we recently have started shipping OpenBSD with an IPsec-aware IPv6 stack. Other likely enhancements are support for PKCS#11 (an API to talk to cryptographic tokens, like smartcards, for authentication), challenge-response authentication for Phase 1 exchanges and PKIX compliance. A major short-term project is support for cryptographic hardware for RSA and Diffie-Hellman computation, since OpenBSD has began to support a cryptographic services framework in the kernel. Other minor projects involve integration with DNSSEC [10] infrastructure once we see further deployment and use, and ``New group mode'' support to dynamically negotiate new groups to compute DH secrets in. There are plans to support some new platforms, for example FreeS/WAN over PF_KEY and Solaris 8. There are other commercial Unices with IPsec stacks which we may port isakmpd to. Closer integration with the kernel and userland applications (possibly through the setsockopt(3)/getsockopt(3) API), and various projects involving policy discovery/negotiation (in particular, direct exchanging of KeyNote credentials) and automatic configuration are also part of our plans for future work.

next up previous
Next: Interoperability Up: Conclusion Previous: Current State
Angelos D. Keromytis