From: Dan Lukes
Date: Wed, 13 Feb 2002 00:06:42 +0100
To: freebsd-security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Message-ID: <3C69A002.5307156C@obluda.cz>
References: <20020207163347.51C606B29@mail.cise.ufl.edu> <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>

Garrett Wollman wrote:

> You are wrong. There are two distinct models: you can have pre-shared
> keys, in which case you have no certificates and a single secret key
> for every pair of communicating entities; or you can use public-key
> certificates. I have some issues with the way the certificate support
> works, that's not one of them. Pre-shared keys are not necessarily
> specific to an IP address; you can use any type of identifier
> supported in the IKE protocol.

Note, the IKE knows two modes of establishing communication: "main" and "aggressive". Non-IP identifiers are available only in "aggressive" mode (it's because the target needs to use the appropriate key to compute the hash used in the first response, but type identifiers are sent later by the initiator).

----

Rob Frohwein wrote:

> The intention with ipsec is that you don't need all public certs
> from all your peers.
> You only need (all) CA certs.
> If you start a session, the remote party (racoon) sends its cert.
> Your local racoon looks if it has a CA cert which has signed
> your peer's cert.
> It then verifies the peer cert.

Does the racoon use a CRL? I don't want to change CA and re-issue all certificates in case of compromise of one key.

I have working configurations FBSD<->FBSD and FBSD<->W2K, both on static addresses, with pre-shared keys and with x509 certs. I failed to win over 'generate_policy' statement and dynamic IP support for now, but I'm still trying.

Dan

--
Dan Lukes tel: +420 2 21914205, fax: +420 2 21914206
root of FIONet, KolejNET, webmaster of www.freebsd.cz
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz
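The point Dan makes about main versus aggressive mode (the responder must already hold the right pre-shared key when it derives SKEYID, but in main mode the initiator's ID payload only arrives later, encrypted) can be made concrete with a small model of the responder's key-selection step. The code below is an added example written for this archive page; it is not racoon's code or anything from the thread. The PSK table, the identities, the IP addresses and the secrets are constructed for illustration, and HMAC-SHA1 stands in for the negotiated prf in the RFC 2409 formula SKEYID = prf(psk, Ni_b | Nr_b).

```python
"""Toy model of IKEv1 phase-1 PSK selection: why a non-IP identifier can
only select the pre-shared key in aggressive mode. Added example, not racoon
code; all identities and secrets below are constructed."""
import hashlib
import hmac
import os

# Constructed PSK table, keyed the way IKE identifies peers: (ID type, ID value).
# The secrets are made-up values for this example only.
PSK_TABLE = {
    ("ID_IPV4_ADDR", "192.0.2.10"): b"constructed-psk-static-host",
    ("ID_FQDN", "laptop.example.org"): b"constructed-psk-roaming-host",
}


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 SKEYID for pre-shared-key authentication: prf(psk, Ni_b | Nr_b).
    HMAC-SHA1 is assumed here as the prf; the real one is negotiated."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_select_psk(mode: str, src_ip: str, id_payload=None):
    """Return the PSK the responder can choose at the moment it must derive SKEYID.

    Main mode: the initiator's ID payload is in message 5, already encrypted
    under keys derived from SKEYID, so when the responder derives SKEYID the
    only identifying information it has is the packet's source address.
    Aggressive mode: the ID payload is in message 1, so any ID type works.
    """
    if mode == "main":
        return PSK_TABLE.get(("ID_IPV4_ADDR", src_ip))
    if mode == "aggressive":
        if id_payload is None:
            raise ValueError("aggressive mode message 1 always carries an ID payload")
        return PSK_TABLE.get(tuple(id_payload))
    raise ValueError(f"unknown mode {mode!r}")


def phase1(mode, src_ip, id_payload, initiator_psk, ni=None, nr=None):
    """Simulate the key-selection step and report whether both sides agree.

    Returns (responder_found_key, skeyids_match). A responder that cannot pick
    a key cannot decrypt message 5 in main mode, so the exchange fails there.
    """
    ni = ni or os.urandom(16)
    nr = nr or os.urandom(16)
    responder_psk = responder_select_psk(mode, src_ip, id_payload)
    if responder_psk is None:
        return False, False
    match = hmac.compare_digest(
        skeyid_psk(initiator_psk, ni, nr), skeyid_psk(responder_psk, ni, nr)
    )
    return True, match


if __name__ == "__main__":
    roaming_id = ("ID_FQDN", "laptop.example.org")
    roaming_psk = PSK_TABLE[roaming_id]
    # A roaming host on a dynamic address (constructed) that is not in the table.
    print("main mode, FQDN identity from dynamic IP:",
          phase1("main", "203.0.113.5", roaming_id, roaming_psk))
    print("aggressive mode, same peer:",
          phase1("aggressive", "203.0.113.5", roaming_id, roaming_psk))
    print("main mode, static host keyed by IP:",
          phase1("main", "192.0.2.10", None, PSK_TABLE[("ID_IPV4_ADDR", "192.0.2.10")]))
```

Running the block shows the roaming peer failing in main mode (the responder finds no key for the unknown source address) and succeeding in aggressive mode with the very same identity and secret, while a static-address peer works in main mode because its IP is the lookup key. The design consequence for a defender is the one Dan alludes to: pre-shared keys with dynamic addresses force aggressive mode, whereas certificates let main mode identify the peer after the channel is already protected.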