
authentication



Hello,

I know of two types of authentication in racoon's IKE daemon:
- pre-shared auth keys
- certificates.

For the case of users with a dynamic IP address, the initiator
can only identify itself by a certificate.

On the initiator's side an SPD must be specified.
At the responder's side no SPD is needed.
The initiator's SPD triggers IKE to create (with the peer) SA keys.
At some phase the initiator sends its certificate.
The responder sends a challenge ...
The responder dynamically creates an SPD.
Both IKEs set the SAs (in the kernel).

Why is it not possible, for the case of dynamic (unknown) IP address
initiators, to identify themselves by means of pre-shared auth keys?
The IKE daemons on both sides could have a list like the one below.
The initiator of course still needs an SPD; for the responder
the SPD is created dynamically.

Initiator (client)
  my-id-string (e.g. email address)     authentication key

Responder (server)
  remote-id-string (e.g. email)         authentication key
  other-remote-id-string                other auth key
  ...

Some hashing scheme on the server side could speed up lookup.

This would be easier to use for the simple case; certificates
are too complex for some cases.

-------------------

Furthermore, in the SPD tables (at least for KAME) IP numbers must be used.
Why not also allow the use of DNS names?
This is more generic and flexible.
Of course the SPD is resident in the kernel, so the kernel needs to
communicate with the IKE daemon to resolve the IP numbers.


greetings
Rob Frohwein.
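The identifier-keyed pre-shared key table proposed above, as an added example (not from the original mail or from racoon): the responder parses the peer's ISAKMP ID payload, selects the PSK by the user_fqdn identity rather than by IP address, and derives SKEYID as RFC 2409 specifies for pre-shared key authentication. The identities, keys, nonces and the choice of HMAC-SHA1 as the prf are constructed for the example.

```python
import hmac
import hashlib
import struct

# ISAKMP identification types from the IPsec DOI (RFC 2407).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3

# Constructed responder-side table in the shape the mail proposes:
# identifier string -> pre-shared key (values made up for this example).
PSK_TABLE = {
    "rob@example.org": b"constructed-psk-for-rob",
    "alice@example.org": b"constructed-psk-for-alice",
}

def build_id_payload(id_type, data):
    """Build a bare ISAKMP ID payload (RFC 2408 section 3.8)."""
    body = struct.pack("!BBH", id_type, 0, 0) + data  # type, proto id, port
    # generic header: next payload = 0 (none), reserved, total length
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_id_payload(payload):
    """Return (id_type, identification data) from an ISAKMP ID payload."""
    _next, _res, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload) or length < 8:
        raise ValueError("bad ID payload length")
    id_type, _proto, _port = struct.unpack("!BBH", payload[4:8])
    return id_type, payload[8:]

def lookup_psk(id_type, data):
    """Select the PSK by the peer's identity, not by its (dynamic) address."""
    if id_type != ID_USER_FQDN:
        return None
    return PSK_TABLE.get(data.decode("ascii", "strict"))

def skeyid_psk(psk, ni_b, nr_b):
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()

def responder_skeyid(id_payload, ni_b, nr_b):
    """Responder side: identity -> PSK -> SKEYID, or None for unknown peers."""
    id_type, data = parse_id_payload(id_payload)
    psk = lookup_psk(id_type, data)
    if psk is None:
        return None
    return skeyid_psk(psk, ni_b, nr_b)
```

Note that in IKEv1 main mode the ID payload travels encrypted under keys derived from SKEYID, so the responder must already have chosen the PSK before it can read the identity; aggressive mode sends the ID in the clear in the first message, which is the exchange that makes an identity-keyed lookup like this one possible.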