[vpnc-devel] Working on certificate authentication ...
Hans-Werner Hilse
hilse at web.de
Thu Aug 10 16:31:22 CEST 2006
Hi,
On Thu, 10 Aug 2006 16:13:01 +0200 Joerg Mayer <jmvpnc at loplof.de> wrote:
> > Most probably not by any means. The kernel can do AH/ESP encryption
> > but doesn't do key exchange at all, and this would be where
> > certificates come into play.
>
> The certificates are only needed for the authentication step at the
> end of phase 1 i.e. to *authenticate* the isakmp tunnel and nothing
> else. So it doesn't have anything to do with userspace vs.
> kernelspace ipsec.
Yes, this is what I meant to say with the above. The assumption that it
has/might have something to do with it is from the OP.
> > Using kernel IPsec would degrade vpnc from a user space
> > IPsec implementation to an IKE daemon like ipsec-tools' racoon
> > daemon. I don't see much sense doing this, because there _is_
> > racoon. OTOH, vpnc provides a user space IPsec implementation,
> > which might be an interesting thing to keep.
>
> IMO, one of the very strong points of vpnc is, that it does ipsec in
> userspace instead of kernelspace. What's the goal of a kernelspace
> ipsec implementation?
That would turn into an endless discussion (microkernels anyone?)... I
just want to make one rather pragmatic argument: There _is_ a kernel
implementation. And depending on the kernel's design regarding networking,
it could make sense to have it that way.
I basically think that reimplementing all of racoon's features in vpnc
might be a bad idea since there is probably a lot in racoon that could
be integrated into vpnc, i.e. separating ipsec traffic handling from
authentication in vpnc and using it only for the latter.
-hwh
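Added illustration (not part of the original message and not vpnc's or racoon's own configuration): the split the thread describes, with certificate authentication confined to IKE phase 1 in the userspace daemon while the kernel only ever sees the resulting SPD/SA state. The racoon.conf fragment below uses the standard ipsec-tools directives; the file paths, the peer address 192.0.2.1 and the subnets are placeholders chosen for the example.

```conf
# --- racoon.conf: IKE (userspace). Certificates appear ONLY here, in the
# phase 1 ("remote") section, because they authenticate the ISAKMP SA.
# Paths and the peer address are placeholders for this example.
path certificate "/etc/racoon/certs";

remote 192.0.2.1 {
        exchange_mode main;
        # Our own X.509 certificate and private key (PEM, under "path certificate").
        certificate_type x509 "host.crt" "host.key";
        # Check the peer's certificate against the CA certs in the same directory.
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                # rsasig = RSA signature authentication with the certificates above.
                # Replacing this with pre_shared_key would remove every use of
                # certificates without touching anything the kernel sees.
                authentication_method rsasig;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) parameters: no certificates involved at all.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# --- setkey policy (what the kernel is told). It contains no keys and no
# certificates; racoon negotiates the SAs and installs them via PF_KEY/netlink.
# Example subnets are placeholders.
#   spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;
#   spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
```

The point the fragment makes is the one the message argues: switching the authentication method is a change inside the IKE daemon only, so a userspace IPsec data path (as in vpnc) and a kernel data path (as fed by racoon) are equally indifferent to whether phase 1 used certificates or a pre-shared key.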