[vpnc-devel] Working on certificate authentication ...
Joerg Mayer
jmvpnc at loplof.de
Thu Aug 10 16:13:01 CEST 2006
On Thu, Aug 10, 2006 at 03:47:51PM +0200, Hans-Werner Hilse wrote:
> I think the most important question is: Do we need certificate
> authentication in vpnc?
Definitely! the only security currently supported is preshared key
(psk), which is vulnerable to man-in-the-middle attacks when the only
available xauth authentication method is username+password. I'd be
very happy to see hybrid mode working :-)
> Most probably not by any means. The kernel can do AH/ESP encryption but
> doesn't do key exchange at all, and this would be where certificates
> come into play.
The certificates are only needed for the authentication step at the end
of phase 1 i.e. to *authenticate* the isakmp tunnel and nothing else. so
it doesn't have anything to do with userspace vs. kernelspace ipsec.
> Using kernel IPsec would degrade vpnc from a user space
> IPsec implementation to a IKE daemon like ipsec-tools' racoon daemon. I
> don't see much sense doing this, because there _is_ racoon. OTOH, vpnc
> provides a user space IPsec implementation, which might be an
> interesting thing to keep.
IMO, one of the very strong points of vpnc is, that it does ipsec in
userspace instead of kernelspace. What's the goal of a kernelspace ipsec
implementation?
ciao
Joerg
--
Joerg Mayer <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
More information about the vpnc-devel
mailing list