potential new IETF WG on anonymous IPSec

Hal Finney hal at finney.org
Thu Sep 9 15:57:29 EDT 2004


> The IETF has been discussing setting up a working group
> for anonymous IPSec.  They will have a BOF at the next IETF
> in DC in November.  They're also setting up a mailing list you
> might be interested in if you haven't heard about it already.
> ...
> 	http://www.postel.org/anonsec

To clarify, this is not really "anonymous" in the usual sense.  Rather it
is a proposal to an extension to IPsec to allow for unauthenticated
connections.  Presently IPsec relies on either pre-shared secrets or a
trusted third party CA to authenticate the connection.  The new proposal
would let connections go forward using a straight Diffie-Hellman type
exchange without authentication.  It also proposes less authentication
of IP message packets, covering smaller subsets, as an option.

The point has nothing to do with anonymity; rather it is an attempt
to secure against weaknesses in TCP which have begun to be exploited.
Sequence number guessing attacks are more successful today because of
increasing bandwidth, and there have been several instances where they
have caused disruption on the net.  While workarounds are in place, a
better solution is desirable.

This new effort is Joe Touch's proposal to weaken IPsec so that it uses
less resources and is easier to deploy.  He calls the weaker version
AnonSec.  But it is not anonymous, all the parties know the addresses
of their counterparts.  Rather, it allows for a degree of security on
connections between communicators who don't share any secrets or CAs.
I don't think "anonymous" is the right word for this, and I hope the
IETF comes up with a better one as they go forward.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list