(usagi-users 03125) Re: [Ipsec-tools-devel] Where to get detailed information about racoon of IPsec-Tools?
- To: parklee_sel@xxxxxxxxx (Park Lee), michal@xxxxxxxx (Michal Ludvig)
- Subject: (usagi-users 03125) Re: [Ipsec-tools-devel] Where to get detailed information about racoon of IPsec-Tools?
- From: manu@xxxxxxxxxx (Emmanuel Dreyfus)
- Date: Thu, 18 Nov 2004 21:23:03 +0100
- Cc: ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx, usagi-users@xxxxxxxxxxxxxx
- In-reply-to: <20041118154908.7109.qmail@web51507.mail.yahoo.com>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Resent-date: Fri, 19 Nov 2004 13:03:31 +0900
- Resent-from: sekiya@xxxxxxxxxxxxxx
- Resent-message-id: <200411191303.FMLAAB18612.usagi-users@linux-ipv6.org>
- Resent-to: usagi-users@xxxxxxxxxxxxxx (moderated)
- User-agent: MacSOUP/2.5b3 (Mac OS 9.0)
Park Lee <parklee_sel@xxxxxxxxx> wrote:
> But, I think when we learn something, we'd better first know some basic
> ideas about it (such as its concept, its function, the description of
> it, etc.). Then we can go to the details of it (such as reading through its
> source code, etc.). Now, I'm in the first step of learning racoon, so I just
> want to find some useful information about it to help me set up the basic
> idea of it. And then I can go forward.
I'm not an expert at this, but I'll try. Please correct me wherever I'm
wrong, everyone.
The basic idea: in order to exchange IPsec traffic (either for
authentication or encryption), you need a symmetric key on both hosts.
This key can be manually set using the setkey command, but it is not
very convenient:
- you have to copy the keys manually on each host, which is not
convenient
- the key being static, it increases the chances of being broken by an
attacker.
To address that problem, we use a key exchange daemon, which speaks the
IKE protocol (Internet Key Exchange). racoon is an IKE daemon. Its job
is to exchange IPsec keys, and it does that by talking to other IKE
daemons (on port UDP 500, or UDP 4500 when a NAT is in the way).
IKE works with two phases.
Phase 1 is an authentication phase. Authentication can be done in many
ways:
- symmetric key (not convenient to deploy)
- certificates
- certificate on one side, login/password on the other side (this is
called hybrid auth, and it's IKE phase 1 plus the login/password
exchange, which is not part of phase 1)
Phase 1 is used to negotiate a phase 1 security association, so that
communication gets authenticated and encrypted. Then phase 2 can occur.
Phase 2 negotiates a phase 2 security association: a shared secret for
IPsec traffic is chosen. Phase 1 usually occurs once, but phase 2 occurs
often (after some time or data volume has been transmitted). This makes
more key changes and improves security.
Once you have collected all the information you are looking for, you
can think about writing some complete document and contributing it. That
won't hurt.
--
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@xxxxxxxxxx
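A minimal configuration for the two-phase setup described in the message above, added here as an illustration; it is not taken from the original mail or from the ipsec-tools sources. The addresses 192.0.2.1 and 192.0.2.2, the certificate file names and the lifetimes are assumed placeholders; it uses certificate authentication for phase 1 and shows setkey being used only for policy, with no static keys, so that racoon negotiates the phase 2 keys and rekeys them on the shorter lifetime.

```conf
# --- /etc/racoon/racoon.conf (assumed example, not from the mailing list) ---
path certificate "/etc/racoon/certs";   # where host.crt / host.key live (assumed)

# Phase 1: authenticate the peer and set up the IKE (ISAKMP) SA.
remote 192.0.2.2 {
    exchange_mode main;
    certificate_type x509 "host.crt" "host.key";
    verify_cert on;                      # reject peers whose cert does not verify
    lifetime time 24 hour;               # phase 1 SA: negotiated rarely
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;    # certificates, not a shared symmetric key
        dh_group modp2048;
    }
}

# Phase 2: derive the IPsec (ESP) keys under the protection of the phase 1 SA.
sainfo anonymous {
    lifetime time 1 hour;                # phase 2 SA: short, so traffic keys rotate often
    pfs_group modp2048;                  # fresh DH exchange per rekey (perfect forward secrecy)
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# --- /etc/ipsec.conf, loaded with "setkey -f /etc/ipsec.conf" ---
# Only the policy (SPD) is installed by hand. No "add" lines with static keys:
# the kernel sends an ACQUIRE to racoon when traffic matches, and racoon
# installs the SAs it negotiated in phase 2.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Both files exist on both hosts with the addresses swapped; `setkey -D` shows the negotiated SAs and `setkey -DP` the policy, which is a quick way to confirm that racoon, not a hand-typed key, is supplying the traffic keys.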