Date: Thu, 11 Jan 2001 12:11:44 +0000 From: Josef Karthauser <joe@tao.org.uk> To: itojun@iijlab.net Cc: freebsd-security@FreeBSD.ORG Subject: How does Racoon exchange packets after policy has been defined? Message-ID: <20010111121144.B3594@tao.org.uk>
Hi Itojun,

I'm a bit confused as to how key exchange works between two machines.

Imagine that I've used setkey to set a policy that all traffic between two
machines should be encrypted. Once this has been done no traffic flows until
the IPsec engine has got keys relating to this SPI, AFAIU. I don't understand
how Racoon (IKE) can occur. It can't occur in the clear because the security
policy says that only encrypted packets can flow, and it can't occur encrypted
because no keys have been installed yet.

Is there some special handling of IKE packets in the kernel to allow this to
work?

Joe

On Thu, Jan 11, 2001 at 11:32:03AM +0900, itojun@iijlab.net wrote:
> 
> >> > Use a password generator that creates passwords with upper/lower case letters
> >> > and numbers. This gives me 62 possible combinations. 3DES uses 192-bit keys
> >> > for a keyspace of 2^192. So the problem is 62^x = 2^192. Take the log of both
> >> > sides and divide to get: 32.2. Therefore, a 33 length password should provide a
> >> > slightly greater keyspace to search than the 3DES keyspace.
> >> > 
> >> > Am I doing this correctly? Also, if neither machine is compromised, is there
> >> > any reason to change keys periodically since I am using IKE?
> 
> 	preshared keys are not directly related to IPsec key length,
> 	preshared keys are just for authenticating IKE daemon at the other end.
> 	so key length argument (above) may not be 100% right...
> 
> itojun
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010111121144.B3594>