Subject: Re: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 03/12/2000 22:28:45
Message-Id: <200003130328.WAA06434@sandelman.ottawa.on.ca>
In-Reply-To: Your message of "Sun, 12 Mar 2000 21:36:44 EST."
             <20000313023649.0096D41F16@SIGABA.research.att.com> 


>>>>> "Steven" == Steven M Bellovin <smb@research.att.com> writes:
    Steven> I'm certainly not an expert on those programs.  However -- there's a known 
    Steven> deficiency in IPsec key management (IKE) in shared secret mode:  it can't be 
    Steven> used when the clients have dynamic IP addresses, since the identity of the 
    Steven> client isn't communicated until after the secret has to be used.  If racoon is 
    Steven> implementing this mode of IKE, it *can't* do what you want -- this is a bug in 
    Steven> the protocol spec, rather than in the code.

  racoon implements aggressive mode, so it can do it with pre-shared secrets
at a loss of some DOS.
  The most recent racoons implement certificates, but I haven't gotten it
working yet. NetBSD people in the US can't use the certificate support until
the fall because it only supports RSA at present.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: mcr@sandelman.ottawa.on.ca. PGP key available.
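A racoon configuration contrasting the two exchange modes, as an added example that is not from this thread or from the racoon project; the directive names follow later ipsec-tools racoon releases (assumed to match the build in use), and the addresses, identifiers and key file contents are placeholders. The aggressive-mode peer is selected by identity, at the cost that the identity and the PSK-authenticated hash travel before encryption is established.

```conf
# /etc/racoon/racoon.conf  (added example; placeholder values throughout)
path pre_shared_key "/etc/racoon/psk.txt";

# Main mode: the responder has to choose the pre-shared key from the
# peer's source address, because the ID payload only arrives encrypted
# in messages 5 and 6. Usable only for a peer with a fixed address.
remote 192.0.2.10 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Aggressive mode: the initiator's ID is in the first message, so the
# responder can look the key up by identity and accept a peer from any
# address. Identity and authentication hash are sent unencrypted.
remote anonymous {
        exchange_mode aggressive;
        my_identifier fqdn "gw.example.net";
        generate_policy on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# /etc/racoon/psk.txt  (mode 0600; identifier, whitespace, key)
# Main-mode peer: keyed by address.
# 192.0.2.10              example-fixed-address-secret
# Aggressive-mode peer: keyed by the FQDN it sends as its ID.
# laptop.example.net      example-roaming-secret
```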