Subject: Re: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 03/12/2000 22:28:45
Message-Id: <200003130328.WAA06434@sandelman.ottawa.on.ca>
In-Reply-To: Your message of "Sun, 12 Mar 2000 21:36:44 EST."
<20000313023649.0096D41F16@SIGABA.research.att.com>
>>>>> "Steven" == Steven M Bellovin <smb@research.att.com> writes:
Steven> I'm certainly not an expert on those programs. However -- there's a known
Steven> deficiency in IPsec key management (IKE) in shared secret mode: it can't be
Steven> used when the clients have dynamic IP addresses, since the identity of the
Steven> client isn't communicated until after the secret has to be used. If racoon is
Steven> implementing this mode of IKE, it *can't* do what you want -- this is a bug in
Steven> the protocol spec, rather than in the code.
racoon implements aggressive mode, so it can do it with pre-shared secrets
at a loss of some DOS.
The most recent racoons implement certificates, but I haven't gotten it
working yet. NetBSD people in the US can't use the certificate support until
the fall because it only supports RSA at present.
:!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
Michael Richardson | Cow#2: No. I'm a duck.
Home: mcr@sandelman.ottawa.on.ca. PGP key available.