From owner-freebsd-questions@FreeBSD.ORG Sun Jan 23 16:57:03 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE29016A4CE for ; Sun, 23 Jan 2005 16:57:03 +0000 (GMT)
Received: from top.daemonsecurity.com (FW-182-254.go.retevision.es [62.174.254.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 356B443D48 for ; Sun, 23 Jan 2005 16:57:03 +0000 (GMT) (envelope-from norgaard@locolomo.org)
Received: from [192.168.0.32] (charm.daemonsecurity.com [192.168.0.32]) by top.daemonsecurity.com (Postfix) with ESMTP id 08027FD020; Sun, 23 Jan 2005 17:57:01 +0100 (CET)
Message-ID: <41F3D759.4080400@locolomo.org>
Date: Sun, 23 Jan 2005 17:56:57 +0100
From: Erik Norgaard
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041114
X-Accept-Language: en, en-us, da, it, es
MIME-Version: 1.0
To: J65nko BSD
References: <41F39CE7.7040209@locolomo.org> <19861fba050123053644f383f7@mail.gmail.com> <41F3ACA6.6010002@locolomo.org> <19861fba05012308005d38fe04@mail.gmail.com>
In-Reply-To: <19861fba05012308005d38fe04@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: FreeBSD Questions
Subject: Re: IPSec without AH
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 23 Jan 2005 16:57:03 -0000

J65nko BSD wrote:

>> Of course, it requires access to the (public?) keys to create valid
>> encrypted packets. Hence, if the public key is kept as a shared secret
>> among the authorized users, one could assume that ESP packets are
>> authenticated/trusted.
>>
>> This is my idea: discard AH, rely on ESP and assume that anyone capable
>> of producing decryptable packets must have access to the pre-shared
>> secret "public" key and hence be authorized.
>
> You are not the first to have this idea. The authors of "Secure
> Architectures with OpenBSD" already published this ;)

Dang! Why does someone always steal my ideas before I get them?

>> AH would work if both ends were NAT-aware, such that the right src/dst
>> IP could be inserted in the header before checking. It just occurred to
>> me that maybe this could be done by adding yet another IP/IP tunnel?
>
> OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html:
>
> "isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706)."
>
> Don't know how long it would take before this is supported by FreeBSD ;)

Interesting, I'll take a look at that - thanks.

Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
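The assumption discussed above (a packet that decrypts correctly must have come from someone holding the shared key, so ESP alone can stand in for AH) is worth checking against how ESP in CBC mode actually behaves when no integrity algorithm is configured. The following is an added example, not code from this thread or from FreeBSD/KAME: it models an ESP payload as IV || CBC ciphertext, optionally followed by an HMAC tag (96-bit truncation, as in HMAC-SHA1-96). The block cipher is a four-round Feistel network keyed with HMAC-SHA256, used only as a standard-library stand-in for 3DES/AES; the keys, IV and inner packet are constructed sample values. An attacker who knows no key flips one byte of the cleartext IV, and the encryption-only receiver decrypts the forged packet to a cleanly altered plaintext without any error, while the receiver that also checks an integrity tag drops it.

```python
"""Does 'it decrypts, so the sender had the key' hold for ESP with
encryption but no integrity algorithm?  Added example, toy ESP framing:
IV || CBC ciphertext [|| HMAC tag].  The block cipher is a 4-round
Feistel network over HMAC-SHA256, a stand-in for 3DES/AES so this runs
with the standard library only; CBC malleability does not depend on
which block cipher is underneath."""
import hashlib
import hmac

BLOCK = 16     # 128-bit blocks, two 8-byte Feistel halves
TAG_LEN = 12   # 96-bit truncated tag, as HMAC-SHA1-96 in ESP/AH


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF truncated to half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    if len(pt) % BLOCK:
        raise ValueError("plaintext must be block-aligned (ESP pads it)")
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# --- ESP-like framing -----------------------------------------------------
def esp_encrypt_only(enc_key: bytes, iv: bytes, pt: bytes) -> bytes:
    """ESP with an encryption algorithm and no authentication algorithm."""
    return iv + cbc_encrypt(enc_key, iv, pt)


def esp_decrypt_only(enc_key: bytes, pkt: bytes) -> bytes:
    """Receiver side of encryption-only ESP: nothing here can fail."""
    return cbc_decrypt(enc_key, pkt[:BLOCK], pkt[BLOCK:])


def esp_encrypt_auth(enc_key: bytes, auth_key: bytes, iv: bytes, pt: bytes) -> bytes:
    """ESP with encryption plus an integrity algorithm (or ESP under AH)."""
    body = iv + cbc_encrypt(enc_key, iv, pt)
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:TAG_LEN]


def esp_verify_decrypt(enc_key: bytes, auth_key: bytes, pkt: bytes) -> bytes:
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    expect = hmac.new(auth_key, body, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: packet dropped")
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])


def tamper_iv(pkt: bytes, offset: int, delta: int) -> bytes:
    """Attacker holding no key: XORing a byte of the cleartext IV XORs the
    same byte of the first plaintext block after CBC decryption."""
    iv = bytearray(pkt[:BLOCK])
    iv[offset] ^= delta
    return bytes(iv) + pkt[BLOCK:]


# Constructed sample values (assumptions, not from the thread): the peers'
# shared keys and an inner packet summarised as two 16-byte text blocks.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
IV = bytes(range(16))
INNER = b"to=10.0.0.5:0022" b"cmd=shutdown -h "


def demo() -> dict:
    # byte 10 of block 0 is the '5' of 10.0.0.5; '5' ^ '9' == 0x0c
    delta = ord("5") ^ ord("9")
    forged_plain = tamper_iv(esp_encrypt_only(ENC_KEY, IV, INNER), 10, delta)
    forged_auth = tamper_iv(esp_encrypt_auth(ENC_KEY, AUTH_KEY, IV, INNER), 10, delta)
    try:
        esp_verify_decrypt(ENC_KEY, AUTH_KEY, forged_auth)
        auth_outcome = "accepted"
    except ValueError as e:
        auth_outcome = str(e)
    genuine = esp_encrypt_auth(ENC_KEY, AUTH_KEY, IV, INNER)
    return {
        "no_auth": esp_decrypt_only(ENC_KEY, forged_plain),
        "with_auth": auth_outcome,
        "genuine": esp_verify_decrypt(ENC_KEY, AUTH_KEY, genuine),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value!r}")
```

Tampering with the IV is the cleanest case because it changes only the first plaintext block; flipping a byte of ciphertext block n instead changes the same byte of plaintext block n+1 and turns block n into garbage, which an encryption-only receiver still passes upstream. Either way the receiver has no way to tell a forged packet from a genuine one, so "decryptable" and "sent by a key-holder" are different properties; the integrity check that AH or ESP's authentication algorithm provides is what ties them together.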