At 11:52 PM +0800 6/22/07, Sandy Harris wrote:
On 6/22/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:

So what's the state in ad hoc IPsec/VPN setup for any end points?

The Linux FreeS/WAN project was working on "opportunistic encryption".

The general idea is that if you use keys in DNS to authenticate gateways
and IPsec for secure tunnels then any two machines can communicate
securely without their administrators needing to talk to each other or to
set up specific pre-arranged tunnels.

There is an RFC based on that work:

The FreeS/WAN project has ended. I do no know if the follow-on projects, and, support OE.

Note that that RFC is Informational only. There were a bunch of perceived issues with it, although I think they were more purity disagreements than anything.

FWIW, if you do *not* care about man-in-the-middle attacks (called active attacks in RFC 4322), the solution is much, much simpler than what is given in RFC 4322: everyone on the Internet agrees on a single pre-shared secret and uses it. You lose any authentication from IPsec, but if all you want is an encrypted tunnel that you will authenticate all or parts of later, you don't need RFC 4322.

This was discussed many times, and always rejected as "not good enough" by the purists. Then the IETF created the BTNS Working Group which is spending huge amounts of time getting close to purity again.

--Paul Hoffman, Director
--VPN Consortium

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to