From owner-freebsd-questions Sat Jan 6 12:47: 8 2001
From owner-freebsd-questions@FreeBSD.ORG Sat Jan 6 12:47:05 2001
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from naughty.monkey.org (naughty.monkey.org [63.77.239.20])
    by hub.freebsd.org (Postfix) with ESMTP id 295E537B400;
    Sat, 6 Jan 2001 12:47:05 -0800 (PST)
Received: by naughty.monkey.org (Postfix, from userid 1001)
    id 1B75610860C; Sat, 6 Jan 2001 15:46:59 -0500 (EST)
Date: Sat, 6 Jan 2001 15:46:58 -0500
From: Dug Song
To: Robert Watson
Cc: security@freebsd.org, questions@freebsd.org
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <20010106154658.Y898@naughty.monkey.org>
References: <3A56ABF8.90C9F0D8@softweyr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rwatson@FreeBSD.ORG on Sat, Jan 06, 2001 at 01:41:54PM -0500
Sender: dugsong@naughty.monkey.org
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Jan 06, 2001 at 01:41:54PM -0500, Robert Watson wrote:

> However, the lack of a well-defined name->key binding mechanism
> presents a number of problems that must be resolved. I know of
> ongoing work to integrate DNSsec and OpenSSH at NAI Labs and (I
> believe) ISI.

see http://www.cs.jhu.edu/~smang/sshproject.html

> End-to-end encryption is probably the answer to the problems seen by this
> user -- however, FreeBSD has relatively poor IPsec integration due to lack
> of IKE in the base system, making configuration and management of IPsec
> somewhat of a nightmare.

monkey-in-the-middle attacks are certainly possible against IPsec's
IKE as well, especially with the fervent push toward opportunistic
encryption (resulting in "opportunistic" exploits :-)

-d.

p.s. thank you for the nice summary, Robert. this is a busy list!
---
http://www.monkey.org/~dugsong/