ad hoc IPsec or similar
Paul Hoffman
paul.hoffman at vpnc.org
Fri Jun 22 13:43:16 EDT 2007
At 11:52 PM +0800 6/22/07, Sandy Harris wrote:
>On 6/22/07, Eugen Leitl <eugen at leitl.org> wrote:
>
>>So what's the state in ad hoc IPsec/VPN setup for any end points?
>
>The Linux FreeS/WAN project was working on "opportunistic encryption".
>
>The general idea is that if you use keys in DNS to authenticate gateways
>and IPsec for secure tunnels then any two machines can communicate
>securely without their administrators needing to talk to each other or to
>set up specific pre-arranged tunnels.
>
>http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/glossary.html#carpediem
>http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html
>
>There is an RFC based on that work:
>ftp://ftp.rfc-editor.org/in-notes/rfc4322.txt
>
>The FreeS/WAN project has ended. I do not know if the follow-on projects,
>openswan.org and strongswan.org, support OE.

Note that that RFC is Informational only. There were a bunch of
perceived issues with it, although I think they were more purity
disagreements than anything.

FWIW, if you do *not* care about man-in-the-middle attacks (called
active attacks in RFC 4322), the solution is much, much simpler than
what is given in RFC 4322: everyone on the Internet agrees on a
single pre-shared secret and uses it. You lose any authentication
from IPsec, but if all you want is an encrypted tunnel that you will
authenticate all or parts of later, you don't need RFC 4322.

This was discussed many times, and always rejected as "not good
enough" by the purists. Then the IETF created the BTNS Working Group
which is spending huge amounts of time getting close to purity again.
--Paul Hoffman, Director
--VPN Consortium
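The trade-off Hoffman describes (a universal pre-shared secret still gives you a key-agreed tunnel, but the PSK-based peer authentication then proves nothing) can be shown with a toy model of IKE's PSK authentication. The following is an added example, not code from the post, from RFC 4322, or from any of the IPsec implementations mentioned; the 127-bit Diffie-Hellman group, the identities "alice"/"bob", the HMAC-based auth tag and the string `everyone-knows-this` are all constructed for illustration and are simplifications of what IKE actually does.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration; real IKE uses the
# MODP groups from RFC 2409/3526, not a 127-bit Mersenne prime).
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public) DH values for one exchange."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(priv, peer_pub):
    """Both honest sides derive the same tunnel key from their DH shares."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def auth_tag(psk, pub, identity):
    """PSK authentication, simplified: an HMAC keyed with the PSK over this
    exchange's public value and the claimed identity (stands in for IKE AUTH)."""
    msg = pub.to_bytes(16, "big") + identity.encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


def verify_tag(psk, pub, identity, tag):
    return hmac.compare_digest(auth_tag(psk, pub, identity), tag)


def honest_exchange(psk):
    """Two peers holding `psk` authenticate each other and agree on a key.
    True when both tags verify and both sides compute the same session key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    tags_ok = (verify_tag(psk, a_pub, "alice", auth_tag(psk, a_pub, "alice"))
               and verify_tag(psk, b_pub, "bob", auth_tag(psk, b_pub, "bob")))
    return tags_ok and session_key(a_priv, b_pub) == session_key(b_priv, a_pub)


def responder_accepts(psk_at_responder, psk_at_initiator, claimed_identity):
    """Would the responder accept an initiator who claims `claimed_identity`
    and tags the exchange with `psk_at_initiator`?  The answer depends only on
    whether the initiator's PSK matches the responder's: the identity string
    itself is not bound to anything else."""
    _, pub = dh_keypair()
    tag = auth_tag(psk_at_initiator, pub, claimed_identity)
    return verify_tag(psk_at_responder, pub, claimed_identity, tag)


def demo():
    pairwise = secrets.token_bytes(32)      # secret known to Alice and Bob only
    universal = b"everyone-knows-this"      # the "single pre-shared secret" case
    unrelated = secrets.token_bytes(32)     # key material of some other party
    return {
        # the tunnel itself works the same way in both models
        "honest_pairwise": honest_exchange(pairwise),
        "honest_universal": honest_exchange(universal),
        # pairwise PSK: a party without it cannot pass as Alice
        "stranger_as_alice_pairwise": responder_accepts(pairwise, unrelated, "alice"),
        # universal PSK: every party has it, so a valid tag says nothing about
        # who is on the other end; only the encryption remains
        "stranger_as_alice_universal": responder_accepts(universal, universal, "alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two `honest_*` results come out identical, which is Hoffman's point that the encrypted tunnel survives; the two `stranger_*` results differ, which is the authentication RFC 4322 tries to recover with DNS-published keys. Any later authentication of "all or parts" of the traffic has to happen inside the tunnel, since the IKE-level check has already been reduced to "knows the public secret".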
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com