[MLB-WIRELESS] more important issues <aka: guerilla radio is by ninjas, for ninjas. Worked for global IP's development!>

vortex vortex at free2air.net
Fri Nov 2 08:54:40 EST 2001


IPsec Opportunistic encryption as described by John Gilmore at HAL2001 
worries me.

It's good in a sense, but is a terrific (sic) hack. Using DNS TXT fields to 
exchange keys for OIPsec is just nasty.

I actually think that the root of the problem lies within the IKE protocol - 
the real issue is that an IPsec gateway should somehow signal back to a 
client what it requires for successful communication to networks behind it 
(ie IT should start the IKE negotiation, not the remote end node that is 
attempting the connection).

Most implementations of IPsec hub-and-spoke style VPNs end up using IKE as a 
'client' initiated protocol. I believe that should be reversed. If clear IP 
traffic is unacceptable, then the gateway should indicate that.

But given IETF concerns and confusion over the existing complexity of IKE, I 
can't see this happening in the near future ...

Just some random thoughts ...

.vortex

On Tuesday 30 October 2001  9:24 pm, Tony Langdon wrote:
> > I know some guys who are using CIPE successfully for wireless point to
> > point links.  It's very painless to get working.  It encapsulates all IP
> > traffic with encrypted UDP packets.  It's Linux oriented but there is an
> > NT/2K version which is a bit broken unfortunately.   It's fine for point to
> > point links, a la backbone.  I don't think it'll do so well
>
> I have used CIPE successfully on both Linux and W2K with few problems.  It
> certainly does what it's supposed to do.
>
> > with dynamic multipoint as each end needs to be set up with static
> > information.  I think a version with public keys is being trialled now and
> > might lend itself to multipoint cum dynamic stuff.  Could be talking
> > through my sasafras there though...
>
> PKCIPE is now working, from all accounts, but only on Linux, not Windows.
>
> IPSec gets a bit heavy for a lot of things, but one thing I do like is the
> idea of opportunistic encryption, which I believe FreeS/WAN does.  That
> could be very useful for our purposes.
>
> --
> To unsubscribe, send mail to minordomo at melbwireless.dyndns.org with a
> subject of 'unsubscribe melbwireless' Archive of the Entire mailing list
> at:
> http://melbwireless.dyndns.org/cgi-bin/minorweb.pl?A=LIST&L=melbwireless
