Date: Sun, 23 Jan 2005 17:56:57 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: J65nko BSD <j65nko@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: IPSec without AH
Message-ID: <41F3D759.4080400@locolomo.org>
In-Reply-To: <19861fba05012308005d38fe04@mail.gmail.com>
References: <41F39CE7.7040209@locolomo.org> <19861fba050123053644f383f7@mail.gmail.com> <41F3ACA6.6010002@locolomo.org> <19861fba05012308005d38fe04@mail.gmail.com>
J65nko BSD wrote:
>> Of course, it requires access to the (public?) keys to create valid
>> encrypted packets. Hence, if the public key is kept as a shared secret
>> among the authorized users, one could assume that ESP packets are
>> authenticated/trusted.
>>
>> This is my idea, discard AH, rely on ESP and assume that anyone capable
>> of producing decryptable packets must have access to the pre-shared
>> secret "public" key and hence authorized.
>
> You are not the first to have this idea. The authors of "Secure
> Architectures with OpenBSD" already published this ;)

Dang! Why does someone always steal my ideas before I get them?

>> AH would work, if both ends were NAT-aware, such that the right src/dst
>> ip could be inserted in the header before checking. It just occurred to
>> me that maybe this could be done by adding yet another IP/IP tunnel?
>
> OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html:
>
> "isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706)."
> Don't know how long it would take before this is supported by FreeBSD ;)

Interesting, I'll take a look at that - thanks.

Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
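The "ESP only, no AH" design discussed in this thread, as an added example that is not from Erik, J65nko or the FreeBSD project: a FreeBSD setkey(8) configuration in which each ESP security association carries both an encryption algorithm (-E) and an integrity algorithm (-A). The HMAC in the ESP trailer gives the packet authentication the thread is after, so no AH SA is configured at all. ESP's integrity check covers the ESP header and payload but not the outer IP header, which is why it survives a NAT rewriting addresses, whereas AH's coverage of the IP header is exactly what NAT breaks. Addresses, SPIs and keys below are constructed placeholders; the example assumes two directly reachable hosts with no NAT between them (crossing a NAT additionally needs the UDP encapsulation that NAT-T in an IKE daemon such as isakmpd provides, and keys should then come from IKE rather than from a static file).

```conf
# Added example, not from this thread: manually keyed transport-mode ESP
# between two hosts. Each SA has an encryption (-E) and an integrity (-A)
# algorithm, so ESP alone authenticates the payload and no AH SA is needed.
# Addresses, SPIs and keys are constructed placeholders; generate real keys
# with a CSPRNG and never reuse these. Load with: setkey -f /etc/ipsec.conf

flush;
spdflush;

# Security associations, one per direction.
# 3des-cbc takes a 192-bit key, hmac-sha1 a 160-bit key (given as hex).
add 192.0.2.10 192.0.2.20 esp 0x10001
    -E 3des-cbc  0x000102030405060708090a0b0c0d0e0f1011121314151617
    -A hmac-sha1 0x000102030405060708090a0b0c0d0e0f10111213 ;

add 192.0.2.20 192.0.2.10 esp 0x10002
    -E 3des-cbc  0x202122232425262728292a2b2c2d2e2f3031323334353637
    -A hmac-sha1 0x202122232425262728292a2b2c2d2e2f30313233 ;

# Security policies: require ESP (transport mode) for all traffic between
# the two hosts. A packet that fails the ESP integrity check is dropped
# before decryption, so a forged or tampered packet never reaches the stack.
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require ;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require ;
```

After loading, `setkey -D` lists the SAs and `setkey -DP` the policies; the peer uses the same file with the SPIs and keys matched per direction. The point of the -A line is that ESP's own integrity check, rather than an assumption that "only a key holder could produce a decryptable packet", is what rejects packets from anyone without the key.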