> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Michael Thomas
> Sent: Sunday, May 06, 2012 12:32 PM
> To: [email protected]
> Subject: [homenet] [SPAM] I have a problem
> 
> I suspect many/most of you do too. Looking through the charter and arch doc, my primary problem is that I'm probably way off charter, but I'm not sure so I'll ask.
> 
> When I'm out and about, there are zillions of wifi opportunities. Who runs them and for what reason, I haven't the foggiest idea. Some of them are undoubtedly malicious, many more poorly run. So it's fairly crazy to use them. But like a lot of people, connectivity often trumps sanity.
> 
> What I'd really like is to not feel dirty when I do that. The most obvious thing to do is to use a VPN, but I don't have a corporate mothership these days so I'd have to set all of that up, and it would most likely have to be through my home linux box since my el cheapo home router doesn't know about IPsec afaik. Not to mention that even if *I* could move heaven and earth to protect my posterior, the vast unwashed masses are not so fortunate.
> 
> So why did I come to homenet to complain? Well, it's because I can't think of another place that I'd reasonably place the other end of my VPN but on my home net. As far as I can tell, there aren't many places to dogleg my traffic to avoid access network fun and games. My ISP doesn't care about this problem let alone doing anything fancy like running a mobile ip home agent which would be even better of course. Nor do I see others, so I'm not holding my breath.
> 
> Yes, I know the performance would be miserable given the asymmetric nature of cable/dsl. But it would at least not allow $EVILSHOP to do nasty things with my unencrypted traffic, and traffic analysis on the rest.
> 
> That said, even if this is widely off charter, another aspect may not: if we have lots of new services in our homes I may very well want to access them remotely. If VPNs are good enough for corpro, then mightn't the same be true for my home networks too?

"Understanding Apple's Back to My Mac (BTMM) Service",
http://tools.ietf.org/html/rfc6281 is an interesting read.
Regarding where to terminate the VPN, see its Section 7.3.2 titled
"Discussion: End-to-End Encryption" which lists some disadvantages
to terminating the VPN at the home gateway.

There is also SIP-initiated IPsec, http://tools.ietf.org/html/rfc6193,
which terminates the VPN on the home gateway.

To your point that connectivity trumps sanity, if such VPNs were
commonplace, an active attacker would interfere with attempts to
bring up such VPNs.  And the user's desire for connectivity would 
cause the user to skip setting up their VPN, under the mistaken
assumption that their home network is down or otherwise unavailable.

-d


_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet