From wk2 at rogers.com  Tue Mar  9 22:46:17 2021
From: wk2 at rogers.com (W)
Date: Tue, 9 Mar 2021 16:46:17 -0500
Subject: [strongSwan-dev] External handling for PPK and PPK_ID
References: <868ba4c8-01a2-ec29-c2d5-14786adf9e79.ref@rogers.com>
Message-ID: <868ba4c8-01a2-ec29-c2d5-14786adf9e79@rogers.com>

Hi,

Is it possible to externalize PPK and PPK_ID handling via a custom plugin?

The scenario here is for Site-to-Site gateways.

I'd like to be able (through a plugin or otherwise) to retrieve a random 
PPK_ID and PKK from an external service for the initiator, and the 
responder would look up the PPK_ID on it's end to retrieve the 
associated PPK (again via an external keying service).

In accordance with RFC 8784, the responder would look up the PPK from 
the sent PPK_ID, and if the keys are mismatched, the connection fails 
(this works now in Strongswan). I understand that NULL authentication 
(RFC 7619) is not implemented in Strongswan, but that's not an issue in 
this case.

I've looked into how to build plugins, so any pointers are appreciated.

Thanks in advance.