===================================
Lacing, pizza, and IPsec failures
===================================

Recently I finally tried Ian's shoelace knot tying method: it
produces a regular bow knot, but a tiny bit faster, and it feels neat
to tie it with fewer movements. I'm not sure if it is quite as secure
as the regular method, since it is harder to keep it tensioned, but it
seems to be fine.

Then I decided to go further and investigate lacing methods on Ian's
Shoelace Site (it is at fieggen.com). I found "Ukrainian lacing", which
"traps" the starting knot, so that you don't have to tie it again. It
has the drawback of leaving the last pair of eyelets untensioned, but
its fourth variation solves that. So I tried it (after briefly trying
the third variation), and though it sort of works, so far (after more
than a month) I find it slower to both tie and untie shoes with that
kind of lacing: quick release is lost, so untying is a bit annoying,
while for tying it is tricky to find the correct runs of the shoelace:
you get a tangle of those, at least with certain kinds of shoes and
shoelaces. Maybe I'll try it again on summer shoes, but I'm going to
redo the lacing back to regular crisscross lacing. Oh, and tensioning
seemed even harder to do well with Ukrainian lacing.

In other news, I keep cooking things occasionally, and most of them
turn out fine, but I rather messed up a couple of pizzas recently: I
tried a new pizza dough recipe (with more precise measurements than
the ones I used before), but ended up tearing the dough (pizza base)
while trying to transfer it to the assembly surface, and tearing it
worse yet when I tried to transfer it to the cooking surface (a baking
sheet). Maybe I stretched it too thinly, and/or didn't knead enough. I
had to form it from scratch, but then it wasn't as neat as it should
be. The other one I just assembled on a baking sheet. And the oven
temperature was below 200 degrees Celsius; in the end it didn't turn
out as airy/bubbly as I hoped. Though it tasted fine, and wasn't bad
at all compared to frozen pizzas.

And today I looked into opportunistic IPsec again. Perhaps after
looking into IPsec at work, or poking other network-related stuff
there, I'm rather excited about playing with the related technologies
more, including VPNs.

Libreswan's (wiki) documentation is confusing: apparently it was
planned to add DNS query interception, IPSECKEY retrieval, and
connection setup a few years and one major version ago, but it is
unclear where that went. There was oe.libreswan.org for testing, with
an IPSECKEY record set for the domain, but apparently it is down now.
And libreswan's /etc/ipsec.d/policies/private-or-clear configuration
file suggests that ideally opportunistic encryption should be enabled
for every host on the Internet, but it's unclear how it is supposed to
work, since with rightrsasigkey=%dnsondemand it only tries to check
IPSECKEY in reverse DNS (which fails for oe.libreswan.org).

Then there is strongSwan, which has an ipseckey module, but it doesn't
seem to be included in Debian, and not much about opportunistic
encryption is in sight there; I only found some issue on an issue
tracker, mentioning that it would be nice to introduce someday, and
then left silent for years.

Then there is the Unbound caching DNS server: it can be compiled with
ipsecmod, which apparently issues an IPSECKEY request along with
A/AAAA requests, runs a configurable hook executable before returning
the A/AAAA result, and may be used to configure an IPsec daemon using
the discovered key and address. It doesn't require much special
handling (beyond addition of a key/host, though even that can be
hacked via configuration files) from an IKE daemon, so perhaps it can
be used with strongSwan as well. But Unbound on Debian 11 comes without
that module compiled, and building it manually would lead to a rather
awkward setup, for very little benefit. I guess it can be made to work
that way, but I don't expect to find many servers configured for that
in the wild, IPSECKEY should probably be replaced with DANE's IPSECA,
and then there will be this hacky setup. Just too awkward and not very
useful overall.
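Whatever calls the hook (ipsecmod or something hand-rolled) has to turn the IPSECKEY records handed to it into something an IKE daemon can use, and it should only do that for records the resolver actually validated, since the DNSSEC chain is the only thing authenticating the peer's key in this scheme. The following is an added example, not code from the post, Unbound or any IKE daemon: it parses IPSECKEY records in RFC 4025 presentation format, rejects malformed ones, re-encodes them to wire format, and picks the gateway to try first (lowest precedence value, as RFC 4025 specifies). The RRset, the domain names and the key bytes are constructed sample data, and the `validated` flag stands in for whatever the caller knows about the DNSSEC status (for ipsecmod that is the resolver's own validation result; this code does not talk to Unbound).

```python
"""Parse, validate and wire-encode IPSECKEY records (RFC 4025).

Added example for a hypothetical DNS-to-IPsec hook; the sample RRset below
is constructed, not taken from any real zone.
"""
from __future__ import annotations

import base64
import socket
from dataclasses import dataclass
from typing import Optional

# Gateway types and algorithms as assigned by RFC 4025 (ECDSA = 3 per RFC 8005).
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA, ALG_ECDSA = 0, 1, 2, 3


@dataclass(frozen=True)
class IPSECKEY:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: Optional[str]   # None for gateway type 0 (written "." in zone files)
    public_key: bytes        # raw key bytes, empty when algorithm == 0

    @staticmethod
    def parse(rdata: str) -> IPSECKEY:
        """Parse 'precedence gw-type algorithm gateway base64-key' rdata."""
        # Multi-line records are usually wrapped in parentheses; drop them.
        fields = rdata.replace("(", " ").replace(")", " ").split()
        if len(fields) < 4:
            raise ValueError("IPSECKEY needs at least 4 fields")
        prec, gw_type, alg = (int(f) for f in fields[:3])
        for name, value in (("precedence", prec), ("gateway type", gw_type),
                            ("algorithm", alg)):
            if not 0 <= value <= 255:
                raise ValueError(f"{name} out of range: {value}")
        gateway: Optional[str] = fields[3]
        key_b64 = "".join(fields[4:])   # key may be split across lines
        if gw_type == GW_NONE:
            if gateway != ".":
                raise ValueError("gateway type 0 requires gateway '.'")
            gateway = None
        elif gw_type == GW_IPV4:
            socket.inet_pton(socket.AF_INET, gateway)    # OSError if malformed
        elif gw_type == GW_IPV6:
            socket.inet_pton(socket.AF_INET6, gateway)
        elif gw_type == GW_NAME:
            if not gateway.endswith("."):
                raise ValueError("gateway name must be fully qualified")
        else:
            raise ValueError(f"unknown gateway type {gw_type}")
        key = base64.b64decode(key_b64, validate=True) if key_b64 else b""
        if alg == ALG_NONE and key:
            raise ValueError("algorithm 0 must not carry a key")
        if alg != ALG_NONE and not key:
            raise ValueError(f"algorithm {alg} requires a public key")
        return IPSECKEY(prec, gw_type, alg, gateway, key)

    def to_wire(self) -> bytes:
        """RFC 4025 section 2 wire format: 3 fixed octets, gateway, key."""
        head = bytes([self.precedence, self.gateway_type, self.algorithm])
        if self.gateway_type == GW_NONE:
            gw = b""
        elif self.gateway_type == GW_IPV4:
            gw = socket.inet_pton(socket.AF_INET, self.gateway)
        elif self.gateway_type == GW_IPV6:
            gw = socket.inet_pton(socket.AF_INET6, self.gateway)
        else:  # uncompressed domain name: length-prefixed labels, root last
            labels = [l for l in self.gateway.rstrip(".").split(".") if l]
            gw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
        return head + gw + self.public_key


def validate_rrset(rrset: list[str]) -> tuple[list[IPSECKEY], list[str]]:
    """Parse every record, collecting errors instead of aborting on the first."""
    good, errors = [], []
    for rdata in rrset:
        try:
            good.append(IPSECKEY.parse(rdata))
        except (ValueError, OSError) as exc:   # binascii.Error is a ValueError
            errors.append(f"{rdata!r}: {exc}")
    return good, errors


def select_gateway(records: list[IPSECKEY], validated: bool,
                   allowed_algorithms=(ALG_RSA, ALG_ECDSA)) -> Optional[IPSECKEY]:
    """Return the record to try first, or None if nothing is trustworthy.

    Unvalidated (non-DNSSEC) answers are refused outright: without the
    trust chain the key could have been substituted in transit. Among the
    rest, RFC 4025 says lower precedence values are attempted first.
    """
    if not validated:
        return None
    usable = [r for r in records if r.algorithm in allowed_algorithms and r.public_key]
    return min(usable, key=lambda r: r.precedence) if usable else None


# Constructed sample key: RFC 3110 layout (exponent length 1, exponent 3)
# followed by filler bytes; it is not a real RSA key.
SAMPLE_KEY_B64 = base64.b64encode(b"\x01\x03" + bytes(range(64))).decode("ascii")
SAMPLE_RRSET = [
    f"10 1 2 192.0.2.38 {SAMPLE_KEY_B64}",
    f"( 5 3 2 gw.example.net. {SAMPLE_KEY_B64} )",
]

if __name__ == "__main__":
    records, problems = validate_rrset(SAMPLE_RRSET)
    chosen = select_gateway(records, validated=True)
    print("parsed:", len(records), "rejected:", problems)
    print("first gateway to try:", chosen.gateway if chosen else None)
```

A hook built on this would still have to hand the chosen gateway and key to the IKE daemon in whatever form it accepts (a connection stanza for libreswan, a `swanctl` style entry for strongSwan), which is the part the post describes as needing per-daemon hacks.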

Though it still does seem potentially nice: to sort out
confidentiality, integrity, and server authentication with
opportunistic IPsec, and to use simple protocols (including Gopher) on
top of it. Relying just on the DNSSEC trust chain, without X.509's
PKIX.

And then there is WireGuard, which seems to have some additional neat
features (such as roaming), yet apparently it is not intended to
handle opportunistic encryption with arbitrary Internet hosts: it can
be hacked together, but there are no standards.

Possibly I will build Unbound with ipsecmod and try to set up such IPsec
OE later, once I am more bored and have more spare time, but I am
postponing it again for now.


----

:Date: 2023-03-19