Subject: Re: IPsec configuration issues
To: Steven M. Bellovin <smb@research.att.com>
From: Angelos D. Keromytis <angelos@dsl.cis.upenn.edu>
List: tech-security
Date: 03/12/2000 21:45:01
Message-Id: <200003130245.VAA30831@adk.gr>
Cc: thorpej@shagadelic.org, tech-security@netbsd.org
In-reply-to: Your message of "Sun, 12 Mar 2000 21:36:44 EST."
             <20000313023649.0096D41F16@SIGABA.research.att.com>

In message <20000313023649.0096D41F16@SIGABA.research.att.com>, "Steven M. Bellovin" writes:
>
>I'm certainly not an expert on those programs.  However -- there's a known 
>deficiency in IPsec key management (IKE) in shared secret mode:  it can't be 
>used when the clients have dynamic IP addresses, since the identity of the
>client isn't communicated until after the secret has to be used.  If racoon is
>implementing this mode of IKE, it *can't* do what you want -- this is a bug in
>the protocol spec, rather than in the code.

That's correct if you use Main (ID Protection) Mode. If you use Aggressive Mode,
it is possible to use shared secret authentication with dynamic IP addresses,
since there's no encryption involved. Then, you can look up the shared secret
based on the remote ID. Dunno if racoon lets you do that (it's a trivial hack,
took all of 2 minutes to implement in isakmpd).
-Angelos
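A model of the responder-side lookup order the two messages above argue about, added here as an example (it is not code from the thread, racoon or isakmpd). The peer table, nonces, keystream construction and the simplified HASH_I are constructed for illustration; only the SKEYID formula follows RFC 2409.

```python
import hmac
import hashlib

# Constructed peer table: PSK keyed by IKE identity, plus the fixed address of
# the one peer that has a static IP. The road warrior has no entry in STATIC_IP_OF.
PSK_BY_ID = {
    "roadwarrior@example.net": b"constructed-psk-1",
    "branch@example.net": b"constructed-psk-2",
}
STATIC_IP_OF = {"branch@example.net": "192.0.2.10"}

def skeyid_psk(psk, ni, nr):
    # RFC 2409 5.4, pre-shared key auth: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def mask_id(skeyid, id_payload):
    # Stand-in for Main Mode message 5/6 encryption: the ID is only readable once
    # SKEYID (and hence the PSK) is known. IDs are kept under 32 bytes in this model.
    stream = hmac.new(skeyid, b"constructed-keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(id_payload, stream))

def main_mode_responder(src_ip, ni, nr, encrypted_id):
    """Main Mode: the ID arrives encrypted, so the PSK must be chosen by source address."""
    ids = [i for i, ip in STATIC_IP_OF.items() if ip == src_ip]
    if not ids:
        return None  # unknown address: no PSK to derive SKEYID, so the ID cannot be read
    skeyid = skeyid_psk(PSK_BY_ID[ids[0]], ni, nr)
    return mask_id(skeyid, encrypted_id).decode(errors="replace")

def aggressive_mode_responder(clear_id, ni, nr, hash_i):
    """Aggressive Mode: the ID is in message 1 in the clear, so the PSK is chosen by ID."""
    psk = PSK_BY_ID.get(clear_id)
    if psk is None:
        return None
    skeyid = skeyid_psk(psk, ni, nr)
    # Simplified HASH_I (the real one also covers the DH values, cookies and SA payload).
    expected = hmac.new(skeyid, clear_id.encode() + ni + nr, hashlib.sha1).digest()
    return clear_id if hmac.compare_digest(expected, hash_i) else None

def demo(peer_id, src_ip):
    """Run both exchanges for one peer from one address; returns what each mode authenticates."""
    ni, nr = b"\x01" * 16, b"\x02" * 16          # constructed nonces
    skeyid = skeyid_psk(PSK_BY_ID[peer_id], ni, nr)  # initiator side knows its own PSK
    enc_id = mask_id(skeyid, peer_id.encode())
    hash_i = hmac.new(skeyid, peer_id.encode() + ni + nr, hashlib.sha1).digest()
    return {"main": main_mode_responder(src_ip, ni, nr, enc_id),
            "aggressive": aggressive_mode_responder(peer_id, ni, nr, hash_i)}
```

Running `demo("roadwarrior@example.net", "198.51.100.77")` shows Main Mode failing (no PSK can be selected for an unknown address) while Aggressive Mode authenticates the same peer; `demo("branch@example.net", "192.0.2.10")` succeeds in both.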