From owner-freebsd-security Thu Jan 11 4:18:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id B949837B401 for ; Thu, 11 Jan 2001 04:18:08 -0800 (PST)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id VAA29341; Thu, 11 Jan 2001 21:17:51 +0900 (JST)
To: Josef Karthauser
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: joe's message of Thu, 11 Jan 2001 12:11:44 GMT. <20010111121144.B3594@tao.org.uk>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: How does Racoon exchange packets after policy has been defined?
From: itojun@iijlab.net
Date: Thu, 11 Jan 2001 21:17:51 +0900
Message-ID: <29339.979215471@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>I'm a bit confused as to how key exchange works between two machines?
>
>Imagine that I've used setkey to set a policy that all traffic between
>two machines should be encrypted. Once this has been done no traffic
>flows until the IPsec engine has got keys relating to this SPI AFAIU.
>
>I don't understand how Racoon (IKE) can occur. It can't occur in the
>clear because the security policy says that only encrypted packets can
>flow, and it can't occur encrypted because no keys have been installed
>yet.
>
>Is there some special handling of IKE packets in the kernel to allow
>this to work?

    Yes, IKE has some special handling there. A privileged user (root)
    can set a socket policy to "bypass normal IPsec operation" via
    setsockopt. IKE uses that functionality.

    IKE creates a secret communication channel of its own. IKE has two
    phases:
    - phase 1, which establishes a secret communication channel between
      the two IKE daemons. The very early packets are sent in the clear,
      but after that the IKE daemon encrypts the packets on its own.
    - phase 2, which establishes IPsec SAs between the two machines. The
      communication is protected by the secret communication channel
      established in phase 1.
    RFC240[0-9] has more detailed (and way too complicated) descriptions.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
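What the "bypass normal IPsec operation" socket policy looks like in practice, as an added example that is not part of this thread and not racoon's own code. On KAME-derived stacks the IKE daemon builds a policy blob (normally with libipsec's ipsec_set_policy(3) from the strings "in bypass" and "out bypass") and hands it to setsockopt(2) with IP_IPSEC_POLICY on its UDP/500 socket; the kernel then exempts that one socket from the SPD, so the SPD can still say "require ESP" for every other packet between the two hosts. The Python below constructs the same struct sadb_x_policy blob by hand so the layout is visible. The constant values (SADB_X_EXT_POLICY, the IPSEC_POLICY_* and IPSEC_DIR_* codes, and the option numbers 21/28) are assumed from the KAME headers from memory; check them against net/pfkeyv2.h, netipsec/ipsec.h and netinet/in.h on your system before trusting them.

```python
"""
Build and install a KAME-style "bypass" IPsec socket policy on a UDP
socket, the way an IKE daemon does for its isakmp socket.

Constructed example, not racoon's code.  Constant values are assumed
from the KAME headers and must be verified against the local system.
"""
import socket
import struct

# PF_KEY extension type carrying a policy (net/pfkeyv2.h) -- assumed value
SADB_X_EXT_POLICY = 18
# Policy types (netipsec/ipsec.h) -- assumed values
IPSEC_POLICY_DISCARD = 0
IPSEC_POLICY_NONE = 1
IPSEC_POLICY_IPSEC = 2
IPSEC_POLICY_ENTRUST = 3
IPSEC_POLICY_BYPASS = 4
# Directions (netipsec/ipsec.h) -- assumed values
IPSEC_DIR_ANY = 0
IPSEC_DIR_INBOUND = 1
IPSEC_DIR_OUTBOUND = 2
# Socket option numbers (netinet/in.h, netinet6/in6.h) -- assumed values
IP_IPSEC_POLICY = 21
IPV6_IPSEC_POLICY = 28

# struct sadb_x_policy, 16 bytes in host byte order:
#   u16 len (in 8-byte units), u16 exttype, u16 type, u8 dir, u8 reserved,
#   u32 id, u32 reserved2/priority
_SADB_X_POLICY = struct.Struct("=HHHBBII")


def build_socket_policy(policy_type: int, direction: int) -> bytes:
    """Return the blob ipsec_set_policy(3) would produce for a policy that
    carries no IPsec request, e.g. "in bypass" or "out bypass"."""
    if direction not in (IPSEC_DIR_INBOUND, IPSEC_DIR_OUTBOUND):
        raise ValueError("a socket policy must be 'in' or 'out'")
    if policy_type == IPSEC_POLICY_IPSEC:
        raise ValueError("'ipsec' policies need request sub-structures, "
                         "which this example does not build")
    size = _SADB_X_POLICY.size            # 16 bytes -> len field of 2
    return _SADB_X_POLICY.pack(size // 8, SADB_X_EXT_POLICY, policy_type,
                               direction, 0, 0, 0)


def parse_socket_policy(blob: bytes) -> dict:
    """Decode a policy blob back into its fields, for inspection."""
    length, exttype, ptype, direction, _, pid, _ = \
        _SADB_X_POLICY.unpack_from(blob)
    return {"len_bytes": length * 8, "exttype": exttype,
            "type": ptype, "dir": direction, "id": pid}


def apply_ike_bypass(sock: socket.socket) -> None:
    """Exempt sock from the SPD in both directions, as an IKE daemon does
    for UDP/500.  Needs root on a KAME stack; on a system without this
    option the setsockopt raises OSError (ENOPROTOOPT)."""
    if sock.family == socket.AF_INET6:
        level, optname = socket.IPPROTO_IPV6, IPV6_IPSEC_POLICY
    else:
        level, optname = socket.IPPROTO_IP, IP_IPSEC_POLICY
    for direction in (IPSEC_DIR_INBOUND, IPSEC_DIR_OUTBOUND):
        sock.setsockopt(level, optname,
                        build_socket_policy(IPSEC_POLICY_BYPASS, direction))


if __name__ == "__main__":
    # Stand-alone demo: bind the isakmp port and install the bypass policy.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("0.0.0.0", 500))          # privileged port, needs root
        apply_ike_bypass(s)
        print("bypass policy installed on UDP/500")
    except OSError as e:
        print("could not install bypass policy:", e)
    finally:
        s.close()
```

The point of the bypass being a per-socket, root-only setting is that it does not punch a hole in the SPD for port 500 in general: only the daemon's own socket is exempt, and an unprivileged process on the same host cannot obtain the same exemption. The blob is in host byte order because it is consumed by the local kernel, not sent on the wire.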