From owner-freebsd-security Thu Jan 11 4:12:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tao.org.uk (genesis.tao.org.uk [194.242.131.94]) by hub.freebsd.org (Postfix) with ESMTP id E357F37B402 for ; Thu, 11 Jan 2001 04:11:40 -0800 (PST)
Received: by tao.org.uk (Postfix, from userid 100) id BD3933248; Thu, 11 Jan 2001 12:11:44 +0000 (GMT)
Date: Thu, 11 Jan 2001 12:11:44 +0000
From: Josef Karthauser
To: itojun@iijlab.net
Cc: freebsd-security@FreeBSD.ORG
Subject: How does Racoon exchange packets after policy has been defined?
Message-ID: <20010111121144.B3594@tao.org.uk>
Mail-Followup-To: Josef Karthauser , itojun@iijlab.net, freebsd-security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Itojun,

I'm a bit confused as to how key exchange works between two machines.

Imagine that I've used setkey to set a policy that all traffic between two machines should be encrypted. Once this has been done no traffic flows until the IPsec engine has got keys relating to this SPI AFAIU.

I don't understand how Racoon (IKE) can occur. It can't occur in the clear because the security policy says that only encrypted packets can flow, and it can't occur encrypted because no keys have been installed yet.

Is there some special handling of IKE packets in the kernel to allow this to work?

Joe

On Thu, Jan 11, 2001 at 11:32:03AM +0900, itojun@iijlab.net wrote:
> >> > Use a password generator that creates passwords with upper/lower case letters
> >> > and numbers. This gives me 62 possible combinations. 3DES uses 192-bit keys
> >> > for a keyspace of 2^192. So the problem is 62^x = 2^192. Take the log of both
> >> > sides and divide to get: 32.2. Therefore, a 33 length password should provide a
> >> > slightly greater keyspace to search than the 3DES keyspace.
> >> >
> >> > Am I doing this correctly? Also, if neither machine is compromised, is there
> >> > any reason to change keys periodically since I am using IKE?
>
> preshared keys are not directly related to IPsec key length,
> preshared keys are just for authenticating IKE daemon at the other end.
> so key length argument (above) may not be 100% right...
>
> itojun
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message