[Openswan dev] Re: [Openswan Users] Re: KLIPS or NETKEY on 2.6 kernels

[Michael Richardson]

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> A little bit near-topic, is this the same issue why IPcomp isn't
    >> working between 2.6.x kernels and Check Point FW-1? I did only a
    >> test with racoon some time ago and it looked like an SA problem
    >> (afair IPcomp SA was separated from encryption SA).

    Paul> That is often the case when racoon is misconfigured. People
    Paul> often do not believe it, because racoon interops with itself
    Paul> in such a broken configuration.

  It isn't really racoon's fault.
  racoon doesn't try to involve itself with policy --- it is just a
keying daemon.  

  It assumes that the kernel knows exactly what policy it wants. If you
get the input to setkey wrong, then racoon happily does the wrong thing.

  It's a good idea --- putting the configuration in the kernel where the
applications can set it --- unfortunately, it isn't done right.

  The policy needs to be *fully* specifiable in that interface,
including phase 1 IDs, authentication materials (RSA keys, PSKs, etc.).
Of course, few application writers (think "Mozilla" or "Evolution")
want to deal with such things, yet alone should end-users be given such
knobs. 

- -- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQm7z1oqHRg3pndX9AQFskQP/ay+KGwMhZ0TySy8YDAK7RXKrCfeuccXT
jYhWWnq8bFMXCHDLnTCGqI/vfE2DS4U3knnk+c1+vjIYkKnvdyickKH8ugRrEgde
o1kSayEKc59hrUkqukFTmYJO9+WO99ax/+79qMBIqstPKhrYVlwpo5LXR5veB3Ck
DpCmYMTZ/yo=
=PFUz
-----END PGP SIGNATURE-----