From owner-freebsd-security Mon Feb 11 18:28:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id E0F6837B693 for ; Mon, 11 Feb 2002 18:19:34 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id DBAE7232F0 for ; Mon, 11 Feb 2002 21:18:24 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 0CBE89F430; Mon, 11 Feb 2002 21:12:56 -0500 (EST) From: "Rob Frohwein" To: freebsd-security@freebsd.org Subject: Re: Questions (Rants?) About IPSEC Date: Thu, 7 Feb 2002 14:25:14 -0800 Message-Id: <20020212021256.0CBE89F430@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "James F. Hranicky" wrote in message news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu... > > After reading up on IPSEC, I have one major question: Is it really > a good protocol? > > It may be that I don't understand it well enough, or that the > implementations I've looked at are lacking in features that I want, > but it seems to me that it simply isn't a good solution for anything > more than a small number of users. Here are the problems I have with > IPSEC: > > - IPSEC routers don't seem to be able to advertise routes > for an arbitrary number of networks behind them I dont understand what you mean here, ipsec doesnt require something special from routing. > > - IPSEC routers have to basically be the border router for > a site, as there is no post-decryption NAT protocol to > get packets back to a router on the inside of the network > (Apparently, Cisco VPN boxes have this capability, but > it's an add-on to IPSEC AFAICT). There are some new RFC's about natting ipsec tunnel packets. You can only nat tunnel packets because the outer headers are not authenticated. > > - Clients with dynamic IPs are poorly supported. Can only be done when using cert authentiaction. > > AFAICT, what I want is to be able to issuce x509 certs to > any of my remote users for key exchange, and accept any > cert from any client that was signed by my CA. That's what > PKI is all about, right? Checking the racoon.conf man pages > and sample racoon.conf files shows that I need to have the > client's *private* key for a *specific* IP address. > > o Is this really the case, or am I just wrong here? Every ipsec endpoint needs own private key + certificate + CA certificate, thats all. > > o Isn't requiring the server to have the private cert > key the same as having a shared secret? Every party needs to have its own private + public key. > > o If I'm not wrong, and cert's private keys are required per > IP address, is there some problem with the scheme I detailed > above? As a comparison, isn't the whole point of the > ssh_known_hosts file to keep only the public keys on the > remote server? I mean, wouldn't it be great if ssh supported > x509 certs, obviating the need for even the ssh_known_hosts > file, as host keys would be signed by the CA? > > Isn't this what we want for IPSEC??? The intention with ipsec is that you dont need all public certs from all your peers. You only need (all) Ca certs If you start a session , the remote party (racoon) sends its cert. Your local racoon looks if it has a CA cert which has signed your peers cert. It the verifies the peer cert. This is also the only way for mobile users. > > In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited > to the following setups ? : > > - One shared secret for all my users in the interest of manageability. > > I can only assume this means any user could theoretically listen in > on the key exchange and thus be able to decrypt another's IPSEC > communications > > - Different shared secrets for all users/client machines. > > Key management nightmare. > > - Different x509 certs for all users/client machines. > > See above. > > - GSSAPI Auth . > > Does this even work? Does it work with w2k clients and an MIT > KDC? If it does, this would probably do what I need for any w2k > boxes out there, but all the info I read said it didn't work > with w2k yet. Never mind any other IPSEC client software. > > Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs > any better? > > Any enlightenment I can receive that can convince me IPSEC is anything > more than an alpha-quality protocol that requires vendors (a la Cisco) > to fix it would be most appreciated. It's entirely possible I have > no idea what I'm talking about. > You should really first do some tests with ipsec. I used 2 freebsd machines (inside vmware). There are numerous examples on the net which clarifies your questions. I works with win2000 , with pre-shared authentication keys , associated with ip addresses. with cert authentication , associated with x509 names/email addresses. greeting Rob Frohwein > ---------------------------------------------------------------------- > | Jim Hranicky, Senior SysAdmin UF/CISE Department | > | E314D CSE Building Phone (352) 392-1499 | > | jfh@cise.ufl.edu http://www.cise.ufl.edu/~jfh | > ---------------------------------------------------------------------- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message