
Re: authentication



On Wed, 15 May 2002, Rob Frohwein wrote:

> Hello,
> 
> I know 2 types of authentication from racoon's IKE daemon.
> - preshared auth keys
> - certificates.
> 
> For the case of users with a dynamic ip address the initiator 
> can only identify itself by a certificate.
> 
> On the initiators side a spd must be specified.
> At the responder's side no spd is needed.
> The initiator's spd triggers IKE to create (with peer) sa keys.
> At some phase the initiator sends its certificate.
> The responder sends a challenge ...
> The responder creates dynamically a spd.
> Both IKE's set the sa's (in the kernel).
> 
> Why is it not possible for the case of dynamic (unknown) ip address
> initiators to identify themselves by means of pre-shared auth keys?

Because the ID payload is in MM5 which is encrypted. So you need to
find the key without knowing the ID. The only way to do that is by the
IP address.

jan



> The IKE daemons on both sides could have a list like:
> The initiator of course still needs an spd, for the responder
> the spd is created dynamically.
> 
> Initiator (client)
> my-id-string (e.g. email address)    authentication key
> 
> Responder  (Server)
> remote-id-string (e.g. email)        authentication key
> other-remote-id string               other-auth key
> ...
> 
> Some hashing scheme on the server side could speed up lookup.
> 
> This would be more easy to use for simple case, certificates 
> are too complex for some cases.
> 
> -------------------
> 
> Furthermore in the spd tables (at least for kame) ip numbers must be used.
> Why not also the possibility for dns name usage?
> This is more generic and flexible.
> Of course the spd is resident in the kernel, so the kernel needs to 
> communicate with the IKE daemon to resolve the ip numbers.
> 
> 
> greetings
> Rob Frohwein.
> 
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
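A small model of the ordering constraint Jan describes, written as an added example for this thread (it is not racoon's code): with pre-shared keys, RFC 2409 derives SKEYID, and from it SKEYID_e, from the PSK, so the responder must already have picked a PSK before it can read the ID payload in MM5. The nonces, cookies, addresses and the XOR keystream cipher below are constructed stand-ins.

```python
import hmac
import hashlib

def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 prf; HMAC-SHA1 is one of the negotiable choices.
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5.4, pre-shared key authentication:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)

def skeyid_e(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    # RFC 2409 section 5: SKEYID_d, then SKEYID_a, then SKEYID_e (the
    # encryption key that protects MM5/MM6) are all chained off SKEYID.
    d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + g_xy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + g_xy + cky_i + cky_r + b"\x02")

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for the negotiated CBC cipher: a prf-driven
    # keystream XORed over the payload. Enough to show that MM5 is
    # unreadable without SKEYID_e; not IKE's real encryption.
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += prf(key, ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(x ^ y for x, y in zip(data, out))

def responder_read_mm5(src_ip, psk_by_ip, ni, nr, g_xy, cky_i, cky_r, mm5):
    # Before MM5 is decrypted the only selector the responder has is the
    # peer's IP address, so the PSK table has to be keyed by IP.
    psk = psk_by_ip.get(src_ip)
    if psk is None:
        return None  # unknown (dynamic) address: no PSK, so no way to read the ID
    ke = skeyid_e(skeyid_psk(psk, ni, nr), g_xy, cky_i, cky_r)
    return keystream_xor(ke, mm5)

def demo():
    # Constructed sample values; real ones come from the DH exchange.
    ni, nr, g_xy = b"N" * 16, b"R" * 16, b"G" * 32
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    psk_by_ip = {"192.0.2.10": b"office-psk"}
    id_payload = b"rob@example.net"
    ke = skeyid_e(skeyid_psk(b"office-psk", ni, nr), g_xy, cky_i, cky_r)
    mm5 = keystream_xor(ke, id_payload)  # what the initiator sends in MM5
    known = responder_read_mm5("192.0.2.10", psk_by_ip, ni, nr, g_xy, cky_i, cky_r, mm5)
    roaming = responder_read_mm5("198.51.100.7", psk_by_ip, ni, nr, g_xy, cky_i, cky_r, mm5)
    return known, roaming
```

Swapping in the wrong PSK for a known address yields garbage rather than the ID, which is why a table keyed by ID string, as proposed in the quoted mail, cannot be consulted in time during main mode.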