linux-ipsec: Newbie question about finding keys

I'm just trying to figure out how IPSEC works, or should work.

Methinks the logic for finding out whether we can establish an IPSEC connection with a particular machine should be something like:

ipsec = 0
if our organisation has a PKI in place

        if our PKI can authenticate a key for machine
                if negotiation succeeds
                        ipsec = 1
if ipsec = 0 & we recognise other CAs
        if one of those can authenticate a key for machine
                if negotiation succeeds
                        ipsec = 1
if ipsec = 0
        try to authenticate via DNS
        ipsec = result of DNS try

That is, if your organisation has a Public Key Infrastructure set up, you use it to authenticate whatever hosts fall within that structure. If that fails, check any other CAs you recognise.

If the PKI doesn't exist, or doesn't support IPSEC, or if your IPSEC implementation can't talk to it, or for hosts the PKI cannot handle, you fall back to using secure DNS to provide enough authentication that you can bootstrap a shared secret using Diffie-Hellman key exchange.

This would mean a minimal IPSEC implementation would only have to support DNS-based ISAKMP authentication & the associated signature types. & of course, how to refuse all other negotiation attempts.

I would think that minimalist system (with hooks to plug in CAs later) is what we should be building. The catch is, I think some of the RFCs may require more.

It's not clear to me where the currently implemented stuff in Pluto fits in. If I understand correctly, that's based on shared secrets stored in files. Those are authenticated via PGP or passed securely via SSH; whatever tools the two admins have to hand are used.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

If my scheme above is somewhere near accurate, I wonder whether shared secrets should be checked before or after DNS checks.

Shared secrets obviously don't scale or adapt very well since you need a shared secret for every machine you'll communicate with & beyond a few dozen known machines that's tricky to manage.

I think an interface to DNS will be needed soon.

--
Sandy Harris                        sandy.harris@sympatico.ca
Help secure the Internet: 
http://www.cygnus.com/~gnu/swan.html