ad hoc IPsec or similar
Paul Hoffman
paul.hoffman at vpnc.org
Tue Jun 26 16:20:41 EDT 2007
At 2:49 PM -0500 6/26/07, Nicolas Williams wrote:
>On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote:
>> This was discussed many times, and always rejected as "not good
>> enough" by the purists. Then the IETF created the BTNS Working Group
>> which is spending huge amounts of time getting close to purity again.
>
>That's pretty funny, actually, although I don't quite agree with the
>substance (surprise!) :)
Why, are you some sort of purist? :-) (For those outside the IETF,
Nico is one of the main movers and shakers in BTNS, and is probably
one of the main reasons it looks like it will actually finish its
work.)
>Seriously, for those who merely want unauthenticated IPsec, MITMs and
>all, then yes, agreeing on a globally shared secret would suffice.
Well, almost suffice. You also need a way of signalling before the
Diffie-Hellman that this is what you are doing, but that's a trivial
extension to both IKEv1 and IKEv2.
>For all the other aspects of BTNS (IPsec connection latching [and
>channel binding], IPsec APIs, leap-of-faith IPsec) agreeing on a
>globally shared secret does not come close to being sufficient.
Fully agree. BTNS will definitely give you more than just one-off
encrypted tunnels, once the work is finished. But then, it should
probably be called MMTBTNS (Much More Than...).
--Paul Hoffman, Director
--VPN Consortium
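Added example, not from the thread: a small Python model of the IKEv2 shared-key AUTH computation (the prf(prf(PSK, "Key Pad for IKEv2"), octets) shape from RFC 7296 section 2.15, with HMAC-SHA256 as the prf and a toy DH group) showing what "agreeing on a globally shared secret" buys. Any party holding the global value passes the responder's check, so the exchange keeps out passive eavesdroppers but identifies nobody; the PSK values, identities and the simplified signed octets are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for the demo only (a Mersenne prime; NOT an IKE group).
P = 2**127 - 1
G = 5
KEY_PAD = b"Key Pad for IKEv2"  # pad string from RFC 7296, section 2.15


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def auth_payload(psk: bytes, signed_octets: bytes) -> bytes:
    """IKEv2 shared-key AUTH: prf(prf(PSK, KEY_PAD), signed octets), prf = HMAC-SHA256."""
    padded_key = hmac.new(psk, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(padded_key, signed_octets, hashlib.sha256).digest()


def ike_auth(initiator_psk: bytes, responder_psk: bytes):
    """Simplified IKE_SA_INIT + IKE_AUTH. The initiator signs its KE value, nonce and
    identity with the PSK it holds; the responder verifies with the PSK it expects.
    Returns (accepted, session_key): the DH result exists either way, so a passive
    listener never gets it, but only the AUTH check says anything about who the peer is."""
    xi, ke_i = dh_keypair()
    xr, ke_r = dh_keypair()
    nonce_i = secrets.token_bytes(16)
    # Real IKEv2 signs RealMessage1 | NonceRData | prf(SK_pi, IDi'); kept simple here.
    signed_octets = ke_i.to_bytes(16, "big") + nonce_i + b"ID:initiator"
    auth = auth_payload(initiator_psk, signed_octets)
    accepted = hmac.compare_digest(auth, auth_payload(responder_psk, signed_octets))
    shared = pow(ke_r, xi, P)
    assert shared == pow(ke_i, xr, P)  # both sides derive the same DH secret
    return accepted, hashlib.sha256(shared.to_bytes(16, "big")).digest()


GLOBAL_PSK = b"everyone-knows-this-value"  # the "globally shared secret" (constructed)
PRIVATE_PSK = secrets.token_bytes(32)      # a real per-pair secret, for contrast


def demo() -> dict:
    """Responder verdicts: with a global PSK any holder of it is accepted (no peer
    identity, so an active party is indistinguishable from the intended one); with a
    private PSK only the holder of that secret passes."""
    return {
        "anyone_with_global_psk": ike_auth(GLOBAL_PSK, GLOBAL_PSK)[0],
        "wrong_private_psk": ike_auth(GLOBAL_PSK, PRIVATE_PSK)[0],
        "right_private_psk": ike_auth(PRIVATE_PSK, PRIVATE_PSK)[0],
    }
```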
---------------------------------------------------------------------
The Cryptography Mailing List