linux-ipsec: Re: opportunistic routers?

Robert Moskowitz rgm at icsa.net
Mon Jul 26 01:20:12 EDT 1999


At 09:37 PM 7/25/99 -0700, John Gilmore wrote:

Hi John.

>> So actually, opportunistic encryption really does not work.  You do need
>> policy.
>
>I'm glad to hear how showing a few issues without showing their solutions
>proves that opportunistic encryption doesn't work.
>
>The plan is for an opportunistic encryptor to look up DNS KEY records
>in in-addr.arpa.  A KEY record specifying the IPSEC protocol byte
>would indicate that the other end supports opportunistic encryption.
>And would contain the public key of the target system.

Policy by any other name....

Also look at the KX record, as it is not enough to know the key (in the
case of gateways), you also need to know the gateway address for the tunnel
endpoint.

Of course, your model, end-to-end only needs KEY records.

>Just as "port 500" IKE packets can be blocked or spoofed, these KEY
>records can also be spoofed, this year.  But using them will provide
>protection against PASSIVE attacks -- such as the NSA vacuum cleaner
>and most password sniffers.
>
>Protection against active attacks will automatically follow as DNSSEC
>is deployed and it becomes impossible to spoof the DNS.  The returned
>public key will have been certified by a chain of signatures all the
>way up to the DNS root.

Perhaps the DNS poisoning of the Hillary election web site might get some
vendors to add DNSSEC support.


Robert Moskowitz
ICSA, Inc.
	(248) 968-9809
Fax:	(248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished 
if it doesn't matter who gets the credit
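An added illustration of the mechanism debated above (not code from either correspondent): build the in-addr.arpa name the quoted plan looks up, decode a KEY record's RDATA per RFC 2535, and classify what the lookup buys. The sample RDATA and the `authenticated` flag are constructed; a real deployment would take both from a DNSSEC-validating resolver.

```python
"""Added example: a DNS KEY record as an opportunistic-encryption policy source.
RFC 2535 wire layout: flags (2 bytes), protocol (1), algorithm (1), public key.
Protocol value 4 means IPSEC; 255 means any protocol."""
import ipaddress
import struct
from dataclasses import dataclass

KEY_PROTO_IPSEC = 4    # RFC 2535 section 3.1.3
KEY_PROTO_ALL = 255


def reverse_name(ip: str) -> str:
    """Owner name under in-addr.arpa for an IPv4 address (the lookup key)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


@dataclass
class KeyRecord:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def parse_key_rdata(rdata: bytes) -> KeyRecord:
    if len(rdata) < 4:
        raise ValueError("KEY RDATA too short")
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    return KeyRecord(flags, proto, alg, rdata[4:])


def advertises_ipsec(rec: KeyRecord) -> bool:
    # The two most significant flag bits set to 11 mean "no key present".
    no_key = (rec.flags >> 14) == 0b11
    return not no_key and rec.protocol in (KEY_PROTO_IPSEC, KEY_PROTO_ALL)


def peer_policy(ip: str, rdata: bytes, authenticated: bool) -> str:
    """Mirror the thread's argument: an unvalidated KEY record still defeats
    passive sniffing ("passive-only"); only a DNSSEC-validated one
    (authenticated=True) also resists an active spoofer."""
    rec = parse_key_rdata(rdata)
    if not advertises_ipsec(rec):
        return "cleartext"
    return "authenticated" if authenticated else "passive-only"


# Constructed sample: flags 0x0000, protocol 4 (IPSEC), algorithm 1, dummy key bytes.
SAMPLE_RDATA = bytes([0x00, 0x00, 0x04, 0x01]) + b"\x03\x01\x00\x01" + b"\xab" * 16
```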

