Date: Thu, 11 Jan 2001 21:17:51 +0900
From: itojun@iijlab.net
To: Josef Karthauser <joe@tao.org.uk>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How does Racoon exchange packets after policy has been defined?
Message-ID: <29339.979215471@coconut.itojun.org>
In-Reply-To: joe's message of Thu, 11 Jan 2001 12:11:44 GMT. <20010111121144.B3594@tao.org.uk>
>I'm a bit confused as to how key exchange works between two machines?
>
>Imagine that I've used setkey to set a policy that all traffic between
>two machines should be encrypted. Once this has been done no traffic
>flows until the IPsec engine has got keys relating to this SPI AFAIU.
>
>I don't understand how Racoon (IKE) can occur. It can't occur in the
>clear because the security policy says that only encrypted packets can
>flow, and it can't occur encrypted because no keys have been installed
>yet.
>
>Is there some special handling of IKE packets in the kernel to allow
>this to work?

yes, IKE has some special handling there. privileged user (root) can
set a socket policy to "bypass normal IPsec operation" via setsockopt.
IKE uses the functionality.

IKE creates a secret communication channel on its own. IKE has two phases:
- phase 1, which establishes a secret communication channel between two
  IKE daemons. very early packets will be sent in the clear, but after
  that, the IKE daemon will encrypt packets on its own.
- phase 2, which establishes IPsec SAs between two machines. the
  communication is protected by the secret communication channel
  established by phase 1.

RFC240[0-9] has more detailed (and way too complicated) descriptions.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
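The socket-policy bypass itojun describes, as an added example (not racoon's own code, not part of the thread): a C sketch of how an IKE daemon on FreeBSD marks its own UDP socket "in bypass" / "out bypass" through libipsec and IP_IPSEC_POLICY so its packets escape a "require esp" policy. It assumes FreeBSD with libipsec (link with -lipsec) and root privilege; on other platforms the bypass step reports EOPNOTSUPP.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __FreeBSD__
#include <netipsec/ipsec.h>   /* libipsec: ipsec_set_policy() etc.; link with -lipsec */
#define HAVE_KAME_SOCKET_POLICY 1
#endif

/* Attach one direction of per-socket policy ("in bypass" / "out bypass"), the
 * same setkey-style text racoon hands to libipsec. 0 on success, else -1/errno. */
static int apply_socket_policy(int fd, const char *spec)
{
#ifdef HAVE_KAME_SOCKET_POLICY
    char text[32], *buf; int rc;
    snprintf(text, sizeof text, "%s", spec);
    buf = ipsec_set_policy(text, (int)strlen(text));   /* text -> sadb_x_policy */
    if (buf == NULL) {
        fprintf(stderr, "ipsec_set_policy(%s): %s\n", spec, ipsec_strerror());
        errno = EINVAL;
        return -1;
    }
    /* The kernel checks the socket policy before the SPD, so IKE packets escape
     * a "require esp" rule. Only root may set BYPASS; others get EPERM/EACCES. */
    rc = setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
    free(buf);
    return rc;
#else
    (void)fd; (void)spec;
    errno = EOPNOTSUPP;   /* assumption: no KAME socket policy on this platform */
    return -1;
#endif
}

/* Open the IKE daemon's UDP socket and mark it bypass in both directions.
 * Returns 0 = bypass installed, 1 = platform lacks the feature,
 * 2 = caller is not privileged, -1 = other error. */
int ike_socket_bypass_status(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), rc = 0;
    if (fd < 0) return -1;
    if (apply_socket_policy(fd, "in bypass") < 0 ||
        apply_socket_policy(fd, "out bypass") < 0)
        rc = errno == EOPNOTSUPP ? 1 : (errno == EPERM || errno == EACCES) ? 2 : -1;
    close(fd);
    return rc;
}
```

Run it as root on FreeBSD to see the bypass succeed, and as an unprivileged user to see the privilege check refuse it; the IKE daemon still has to bind the socket to UDP/500 itself.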