IPSEC is not end to end, and does not provide user authentication.
By which I mean, an IPSEC tunnel may terminate partway, for example at a
firewall, and the traffic continue unencrypted over the organization's
network, where a password sniffer gets you (if you don't think corporate
networks are compromised, I'll be happy to sell you a bridge).
And we need to know who is at the other end of the connection.
Almost certainly, using SASL for authentication (see CYRUS SASL), and a
pluggable encryption library is the way to go (see libtomcrypt, for
example).
Using SASL would allow authentication to fit into both corporate
environments and much more ad hoc environments.
Regards,
Jim Gettys
On Sun, 2006-03-12 at 16:49 +0100, Martin Konold wrote:
> On Thursday, 2 March 2006 23:03, Jim McQuillan wrote:
>
> Hi,
>
> > o Encryption of the X protocol. Sure you can tunnel your X
> > connection over SSH, but there are scaling issues when you
> > run anything more than 30-40 thin clients from the same server.
> > We have several examples of hundreds of thin clients connected
> > to the same server, and currently, there isn't a good way of
> > encrypting the traffic.
>
> Did you check IPSEC? IMHO I expect that IPSEC can easily encrypt more than 40
> clients simultaneously. (Actually ssh should also be able to do it with a
> slight overhead).
>
> Regards,
> -- martin
>
--
Jim Gettys
One Laptop Per Child
_______________________________________________
Desktop_architects mailing list
https://lists.osdl.org/mailman/listinfo/desktop_architects