From owner-freebsd-security Mon Sep 25 8:41:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 929BD37B422; Mon, 25 Sep 2000 08:41:33 -0700 (PDT)
Received: from localhost (vykygn@localhost [127.0.0.1] (may be forged)) by green.dyndns.org (8.11.0/8.11.0) with ESMTP id e8PFfM549719; Mon, 25 Sep 2000 11:41:25 -0400 (EDT) (envelope-from green@FreeBSD.org)
Message-Id: <200009251541.e8PFfM549719@green.dyndns.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Scot Elliott
Cc: CrazZzy Slash, Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>, freebsd-security@FreeBSD.org, Peter Pentchev
Subject: Re: Encryption over IP
In-Reply-To: Message from Scot Elliott of "Mon, 25 Sep 2000 11:04:04 BST."
From: "Brian F. Feldman"
Date: Mon, 25 Sep 2000 11:41:21 -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> As a friend pointed out to me recently, long-term SSH connections that
> move a lot of data are probably not very secure, as the SSH protocol does
> not re-generate its encryption keys, unlike something like IPSec...

So, weigh that into your decision of whether SSH is appropriate or not: are people on the inside going to be actively attempting a chosen-plaintext or known-plaintext attack? A long-term SSH connection which only you have control over should really not have any need for rekeying; the stream should not be able to be known by anyone else in its unencrypted form, nor should it be able to be modified at will before transport. For using SSH as an anonymous tunnel in hostile environments, I'd definitely want to know it was rekeying at a decent interval.

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
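The thread turns on whether a long-lived SSH tunnel ever renegotiates its session keys. Modern OpenSSH exposes this as the RekeyLimit option (a data volume and, optionally, a time bound) in ssh_config and sshd_config. The following script is an added example, not part of the mailing-list exchange or of OpenSSH itself: it parses an ssh_config-style text, resolves RekeyLimit per Host block the way ssh(1) does (first matching directive wins), and flags tunnel hosts that would run on the default without an explicit rekeying bound. The sample configuration, the host names and the 1 GiB / 1 hour thresholds are constructed for the demonstration.

```python
"""Audit an ssh_config for explicit rekeying limits on long-lived tunnels.

Added example (not from the FreeBSD thread). The sample config below is
constructed; only the RekeyLimit syntax follows OpenSSH's ssh_config(5).
"""
import re

# Constructed sample: one tunnel host rekeys, the other inherits the default.
SAMPLE_CONFIG = """\
Host backup-tunnel
    HostName backup.example.net
    RekeyLimit 1G 1h

Host legacy-tunnel
    HostName legacy.example.net

Host *
    ServerAliveInterval 30
"""

SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_size(token):
    """Bytes for a RekeyLimit size token (1G, 512M, 4096); None for 'default'."""
    if token.lower() == "default":
        return None
    m = re.fullmatch(r"(\d+)([KMG]?)", token, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad RekeyLimit size: {token}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).upper()]


def parse_time(token):
    """Seconds for a time token (1h, 30m, 3600); None for 'none'."""
    if token.lower() == "none":
        return None
    m = re.fullmatch(r"(\d+)([smhdw]?)", token, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad RekeyLimit time: {token}")
    return int(m.group(1)) * TIME_UNITS[m.group(2).lower()]


def parse_ssh_config(text):
    """Group directives by Host block, preserving file order.

    Returns {host_pattern: {lowercased_key: value}}. Directives that appear
    before any Host line are filed under '*'.
    """
    blocks = {"*": {}}
    current = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value
            blocks.setdefault(current, {})
        else:
            # Within a block the first occurrence of a keyword wins, as in ssh(1).
            blocks[current].setdefault(key, value)
    return blocks


def effective_rekey_limit(blocks, host):
    """Resolve RekeyLimit as ssh(1) does: the first matching block that sets
    the keyword wins. Only exact host names and the catch-all '*' are matched
    here (no glob patterns), which is enough for the audit below."""
    for pattern, directives in blocks.items():
        if pattern in (host, "*") and "rekeylimit" in directives:
            return directives["rekeylimit"].split()
    return None


def audit_rekeying(text, max_bytes=1024 ** 3, max_seconds=3600):
    """Return {host: finding} for every named Host block in the config."""
    blocks = parse_ssh_config(text)
    findings = {}
    for host in blocks:
        if host == "*":
            continue
        limit = effective_rekey_limit(blocks, host)
        if limit is None:
            findings[host] = "no RekeyLimit set; OpenSSH default applies"
            continue
        size = parse_size(limit[0])
        secs = parse_time(limit[1]) if len(limit) > 1 else None
        problems = []
        if size is None or size > max_bytes:
            problems.append("data limit missing or above threshold")
        if secs is None or secs > max_seconds:
            problems.append("time limit missing or above threshold")
        findings[host] = "ok" if not problems else "; ".join(problems)
    return findings


if __name__ == "__main__":
    for host, finding in audit_rekeying(SAMPLE_CONFIG).items():
        print(f"{host}: {finding}")
```

Run against a real ~/.ssh/config the script reports which tunnel hosts rely on the OpenSSH default rather than a deliberately chosen data and time bound, which is the property the thread says matters once a tunnel carries attacker-influenced traffic for a long time.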