From: Matthew G. <mg...@sh...> - 2007-08-31 01:55:42
All,

I was looking at the sainfo idtype config file syntax the other day and noticed something quite peculiar. Does anyone have an insight as to why an ID that would normally be used in phase1 would be used in phase2 negotiations? For example as ...

    sainfo anonymous fqdn "what.the.hell"
    {
        lifetime time 3600 seconds;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
    }

... can be defined and racoon is happy. The negotiation process will attempt to match it to the received remote id during phase2 negotiations as well :)

I would understand if cfparse.y relied on a generic id parser to digest the standard address or network syntax, but there is a separate yacc section that is defined to handle these id types. I just can't conceive of any reason why this option is provided. Anyone?

If we removed this, not only would it get rid of what I perceive as useless code, but the racoon.conf specified syntax could be reduced from (soon to be) ...

    sainfo (source_id destination_id | source_id clientaddr |
            source_id anonymous | anonymous destination_id |
            anonymous clientaddr | anonymous)
           [from idtype [string]] [group string]

... to ...

    sainfo (source_id | anonymous) (destination_id | clientaddr | anonymous)
           [from idtype [string]] [group string]

... which is much easier to read in my opinion.

Thanks,

-Matthew
From: VANHULLEBUS Y. <va...@fr...> - 2007-08-31 09:45:00
On Thu, Aug 30, 2007 at 08:56:21PM -0500, Matthew Grooms wrote:
> All,

Hi.

> I was looking at the sainfo idtype config file syntax the other day and
> noticed something quite peculiar. Does anyone have an insight as to why
> an ID that would normally be used in phase1 would be used in phase2
> negotiations?
>
> For example as ...
>
> sainfo anonymous fqdn "what.the.hell"

Means that this specific sainfo can only be "used" if the peer's PH1 identifier (used for phase 1 negotiation) is "what.the.hell".

It can be very interesting for example if you have lots of roaming users (so a remote anonymous used by lots of users), but only one or two who should negotiate a specific phase2 (in fact, who should establish a tunnel to a specific host/net).

Yvan.
From: Matthew G. <mg...@sh...> - 2007-08-31 16:29:19
VANHULLEBUS Yvan wrote:
> On Thu, Aug 30, 2007 at 08:56:21PM -0500, Matthew Grooms wrote:
>> All,
>
> Hi.
>
>> I was looking at the sainfo idtype config file syntax the other day and
>> noticed something quite peculiar. Does anyone have an insight as to why
>> an ID that would normally be used in phase1 would be used in phase2
>> negotiations?
>>
>> For example as ...
>>
>> sainfo anonymous fqdn "what.the.hell"
>
> Means that this specific sainfo can only be "used" if the peer's PH1
> identifier (used for phase 1 negotiation) is "what.the.hell".
>
> It can be very interesting for example if you have lots of roaming
> users (so a remote anonymous used by lots of users), but only one or
> two who should negotiate a specific phase2 (in fact, who should
> establish a tunnel to a specific host/net).
>

I understand what the from syntax is for. I believe you misread my example. Here is another to make my case more clear ...

    sainfo anonymous fqdn "why.on.earth" from fqdn "what.the.hell"
    {
        lifetime time 3600 seconds;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
    }

... with the sainfo storing it as ...

    2007-08-31 23:06:45: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='why.on.earth', peer='what.the.hell', id=0

Again, why do we allow this?

-Matthew
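As an added example (my own code, not ipsec-tools' cfparse.y or sainfo.c), here is a small Python model of the two things this thread turns on: parsing the header of a sainfo block, including the phase 1 style id types Matthew questions, and the loc/rmt/peer lookup behind the "getsainfo params:" debug line he quotes. The matching rules (anonymous as a wildcard, a "from" id that must equal the peer's phase 1 identity, explicit ids preferred over anonymous ones), the subset of the id grammar handled, and the sample configuration are all assumptions of mine and should not be read as racoon's actual behaviour:

```python
"""Model of racoon.conf 'sainfo' header parsing and phase 2 selection.

Added illustration, not ipsec-tools code.  Assumed rules:
  * 'anonymous' is a wildcard for either side;
  * a 'from idtype "string"' clause must equal the peer's phase 1 id;
  * explicit ids beat 'anonymous', and a 'from' clause breaks ties.
Only a subset of the id grammar is handled: anonymous, clientaddr,
'address addr[/prefix] [[port]] proto' and the string id types.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

ANONYMOUS = "ANONYMOUS"          # spelling used in the quoted debug line
STRING_IDTYPES = ("fqdn", "user_fqdn", "keyid", "asn1dn")


@dataclass(frozen=True)
class SaInfo:
    loc: str                        # source id, or ANONYMOUS
    rmt: str                        # destination id / "clientaddr", or ANONYMOUS
    peer: Optional[str] = None      # phase 1 id required by 'from', else None
    group: Optional[str] = None


def parse_sainfo_header(line: str) -> SaInfo:
    """Parse 'sainfo <id> [<id>] [from idtype "s"] [group "s"] {'."""
    toks = shlex.split(line.split("{", 1)[0])
    if not toks or toks[0] != "sainfo":
        raise ValueError("not a sainfo line: %r" % line)
    ids: List[str] = []
    peer = group = None
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("anonymous", "clientaddr"):
            ids.append(ANONYMOUS if t == "anonymous" else t)
            i += 1
        elif t == "address":
            # address addr[/prefix] [[port]] ul_proto
            addr, j, port = toks[i + 1], i + 2, ""
            if toks[j].startswith("["):
                port, j = " port " + toks[j].strip("[]"), j + 1
            ids.append("%s %s%s" % (addr, toks[j], port))
            i = j + 1
        elif t in STRING_IDTYPES:
            # the branch the thread questions: a phase 1 style id used as
            # a phase 2 selector is accepted and stored like any other id
            ids.append(toks[i + 1])
            i += 2
        elif t == "from":
            if toks[i + 1] not in STRING_IDTYPES:
                raise ValueError("unsupported from idtype %r" % toks[i + 1])
            peer = toks[i + 2]
            i += 3
        elif t == "group":
            group = toks[i + 1]
            i += 2
        else:
            raise ValueError("unexpected token %r" % t)
    if len(ids) == 1 and ids[0] == ANONYMOUS:      # bare 'sainfo anonymous'
        return SaInfo(ANONYMOUS, ANONYMOUS, peer, group)
    if len(ids) != 2:
        raise ValueError("sainfo needs 'anonymous' or two ids, got %r" % ids)
    return SaInfo(ids[0], ids[1], peer, group)


def _matches(pattern: str, value: str) -> bool:
    """Wildcard, exact string match, or address-in-subnet for address ids."""
    if pattern == ANONYMOUS or pattern == value:
        return True
    net = pattern.split()[0]
    if "/" not in net:
        return False
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(net, strict=False)
    except ValueError:                 # value is not an address (e.g. an fqdn)
        return False


def get_sainfo(table: List[SaInfo], loc: str, rmt: str,
               peer: Optional[str]) -> Optional[SaInfo]:
    """Return the most specific sainfo for (loc, rmt, peer), or None."""
    best, best_score = None, -1
    for s in table:
        if not (_matches(s.loc, loc) and _matches(s.rmt, rmt)):
            continue
        if s.peer is not None and s.peer != peer:
            continue                   # 'from' clause excludes this peer
        score = 2 * (s.loc != ANONYMOUS) + 2 * (s.rmt != ANONYMOUS) + (s.peer is not None)
        if score > best_score:
            best, best_score = s, score
    return best


# Constructed sample configuration, modelled on the thread's examples.
SAMPLE_CONF = [
    'sainfo anonymous {',
    'sainfo anonymous fqdn "why.on.earth" from fqdn "what.the.hell" {',
    'sainfo address 10.0.0.0/24 any address 10.1.0.0/24 any {',
]
SAMPLE_TABLE = [parse_sainfo_header(l) for l in SAMPLE_CONF]

if __name__ == "__main__":
    for s in SAMPLE_TABLE:
        print(s)
    print(get_sainfo(SAMPLE_TABLE, "10.0.0.1", "why.on.earth", "what.the.hell"))
    print(get_sainfo(SAMPLE_TABLE, "10.0.0.1", "why.on.earth", "someone.else"))
```

Running it shows Matthew's point directly: the fqdn after "anonymous" ends up in the rmt slot and is compared, as a plain string, against whatever phase 2 id the peer sends, while the "from" clause is the only part that actually consults the phase 1 identity. Swap the peer name in the second lookup and the special block is skipped in favour of the catch-all.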