On Fri, Jul 25, 2003 at 04:19:24PM -0700, Bob Miller wrote:
> How much harder would it be to set up IKE? Is it possible to have a
> star configuration for IKE and a fully connected graph for the IP
> traffic itself?

Using freeswan at least (and likely for every other implementation of ipsec), without opportunistic encryption, each connection is point to point. Thus it may be practical for all clients to a few servers, but certainly not for all machines to all machines.

> The problem with opportunistic encryption is that a bad guy can
> prevent it (sometimes).

Depends on the setup. How about a packet filter on each kernel that only allows input via an ipsec# interface? Now the only way to talk (new connections) to the machine is by being authenticated via RSA. Put your RSA keys in the DNS server and lock it down. Voilà, more secure than C2.

Cory

-- 
Cory Petkovsek                 Adapting Information
Adaptable IT Consulting        Technology to your
(541) 914-8417                 business
[EMAIL PROTECTED]              www.AdaptableIT.com
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
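
The packet filter suggested in the message above, written out as an iptables ruleset generator. This is an added example, not part of the original post; the use of iptables, the interface name `eth0`, and the `xfrm` variant for kernels that have no ipsecN interfaces are assumptions that go beyond what the message says.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that accepts new inbound
# traffic only after IPsec processing. Interface names are assumptions.
# usage: ipsec_only_rules <physical-if> [klips|xfrm]
ipsec_only_rules() {
    phys=$1 stack=${2:-klips}
    # Refuse anything that is not a plain interface name.
    case $phys in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $phys" >&2; return 2 ;;
    esac
    case $stack in
        # KLIPS (FreeS/WAN): decrypted packets appear on ipsecN interfaces.
        klips) protected='-i ipsec+' ;;
        # Native kernel IPsec has no ipsecN; match the IPsec policy instead.
        xfrm)  protected="-i $phys -m policy --dir in --pol ipsec" ;;
        *) echo "unknown stack: $stack" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (e.g. DNS lookups for peer keys).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE and ESP themselves must reach the physical interface.
-A INPUT -i $phys -p udp --dport 500 -j ACCEPT
-A INPUT -i $phys -p esp -j ACCEPT
# Everything else is accepted only once it has come through IPsec.
-A INPUT $protected -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review: ./script --print eth0 klips
if [ "${1:-}" = "--print" ]; then
    ipsec_only_rules "${2:-eth0}" "${3:-klips}"
fi
```

Piping the output to `iptables-restore` as root replaces the existing filter table, so review the printed rules first.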
