Subject: IPSEC and user vs machine authentication
From: Daniel Carosone <>
List: tech-security
Date: 08/12/2005 14:40:27

Right now, there are two paths into having a particular network
connection (say, a TCP session) encrypted/authenticated with IPSEC:
either via the setkey packet-filter SPD, or via per-socket policy set
by the application.

In either case, however, authentication for the resulting SA is done
using what are essentially machine credentials; the PSK or certificate
or Kerberos ticket used has to be available to racoon, even if they
really belong to a user (such as might be the case in a remote-access
user VPN scenario).

Even if one trusts racoon with these credentials, there doesn't appear
to be any way to select which identity should be used for a given
socket, or to bind an identity with a local uid, or to pass/delegate
credentials to racoon per user.  This has implications both for
multi-user machines (including 'non-credentialled processes' on
single-user machines), and for users who move between multiple

I'm looking for the ability to have network connections authenticated
with IPSEC on a per-user basis (using certificates, kerberos and/or
XAUTH hybrid mode) via encapsulation, both for applications and
protocols without native support for such mechanisms in the endpoints,
and for authenticated traversal of intermediate gateways.

There are similarities in requirements here for other kernel-mediated
network activities that may involve authentication, too, such as
potential Kerberised-RPC NFS or SMBFS. Are there any facilities for
this I have missed, prior art, thoughts, designs, active work,
comments, etc?
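Editor's added example, not part of the original post: a setkey(8) SPD file that illustrates the first of the two paths described above, the packet-filter SPD. It requires ESP in transport mode on every TCP connection from this host to port 22 on one peer. The addresses and port are constructed for illustration; load the file with `setkey -f <file>`.

```conf
# Added example (not from the post).  Addresses and port are constructed.
# Flush the security policy database so the entries below are the only ones.
spdflush;

# Outbound: packets matching this selector require an ESP transport-mode SA.
# If no SA exists, the kernel hands the request to racoon to negotiate one.
spdadd 192.0.2.10[any] 192.0.2.20[22] tcp -P out ipsec esp/transport//require;

# Inbound: the reverse direction must arrive protected by ESP.
spdadd 192.0.2.20[22] 192.0.2.10[any] tcp -P in ipsec esp/transport//require;
```

The second path, a per-socket policy, installs the same kind of `esp/transport//require` entry from inside the application (on NetBSD via the `IP_IPSEC_POLICY` socket option and the ipsec_set_policy(3) library call) for that one socket only. Either way, the SA that satisfies the `require` level is negotiated by racoon with the pre-shared key or certificate in racoon's own configuration, which is why the resulting authentication is the machine's rather than that of the uid owning the socket.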
