| From: Philip Mullis <[EMAIL PROTECTED]> | | As Bill stated IPSEC is a good way,if your uber paranoid other flavours of vpn | pptp etc.. not so good as the initial handshakes can be capture then you can | have a man-in-the-middle scenario, weve been use IPSEC here for over a year | and I can testify to its solidness, we use it to connect all our international | offices.
The IPSec protocol was designed to prevent man-in-the-middle attacks. All it takes is authentication. The protocol always requires authentication (but of course you can weaken authentication enough to make it disappear). It turns out that encryption is easy but authentication is hard. Authentication requires pre-arranged methods of communicating authentication material, causing a kind of chicken-and-egg situation. Something like a phone book with public keys would be a reasonable way of distributing authentication material. But how do you convince yourself that the phone book has not been subverted? What you need to use depends on your threat model. Well, it actually depends on your real threats, not the ones you imagine. My threat models mean that I want end-to-end encryption. That makes authentication harder because there is an open-ended set of nodes that I want to authenticate. The FreeS/WAN project had a novel way of configuring IPSec to allow behind-the-scenes end-to-end IPSec without pre-arrangement between the parties. It authenticated based on IP address as identity and used the reverse domain (DNS) to distribute public keys. That now seems insufficient since many endpoints have dynamic IP addresses and many lack control of the reverse for their IP address. | Its not hard to setup either just requires extra equipment, and if your a law | office or otherwise, it would offer even greater security than copper :/ now | thats a spin for voip resellers to kick the bell muscle man in the ba**s with. | :) End-user to ITSP IPSec is easy, at least in theory. The Openswan project has deployed their IPSec code in OpenWRT routers (like the Asus WL-500gP). If the PAP2 was open source, and had a bit of spare room, it could probably run Openswan IPSec. Any asterisk box should be able to run Openswan. At the ITSP end, it is also easy. It would take extra hardware if many customers used it. At least for experimental implementation, no hardware would be needed (until their was a high uptake of the offering). As I understand it, the Openswan project offered to deploy IPSec for a local ITSP (for free, I think) but the ITSP was not interested. I find that interest in cryptography is really hard to gauge. Lots of people say they want it but few actually bother. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
