At 11:52 PM +0800 6/22/07, Sandy Harris wrote:
On 6/22/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:
So what's the state in ad hoc IPsec/VPN setup for any end points?
The Linux FreeS/WAN project was working on "opportunistic encryption".
The general idea is that if you use keys in DNS to authenticate gateways
and IPsec for secure tunnels then any two machines can communicate
securely without their administrators needing to talk to each other or to
set up specific pre-arranged tunnels.
http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/glossary.html#carpediem
http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html
There is an RFC based on that work:
ftp://ftp.rfc-editor.org/in-notes/rfc4322.txt
The FreeS/WAN project has ended. I do no know if the follow-on projects,
openswan.org and strongswan.org, support OE.
Note that that RFC is Informational only. There were a bunch of
perceived issues with it, although I think they were more purity
disagreements than anything.
FWIW, if you do *not* care about man-in-the-middle attacks (called
active attacks in RFC 4322), the solution is much, much simpler than
what is given in RFC 4322: everyone on the Internet agrees on a
single pre-shared secret and uses it. You lose any authentication
from IPsec, but if all you want is an encrypted tunnel that you will
authenticate all or parts of later, you don't need RFC 4322.
This was discussed many times, and always rejected as "not good
enough" by the purists. Then the IETF created the BTNS Working Group
which is spending huge amounts of time getting close to purity again.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]