On Sun, 20 May 2001, Ilya Konstantinov wrote:

> Yet again, I'm not sure it's possible to establish IPSec connections to
> any accepting host around the world without preconfiguring it.

I seemed to have an idea (or possibly a misconception) that IPSec talked
about generic encryption on the IP layer - since at some point in time
humanity, IETF, some paranoid sysadmins and the makers of "The Conspiracy
Theory" decided that plain-text IP packets were not such a good
idea after all and implementing encryption on a
per-application-protocol-basis (such as SSL, SSH, PGP, sFtp/scp,
etc.) was a positively dumb way to go about the whole thing. (That's not
to mention that every application developer has to implement it, which is
not very far from writing per-application hardware device drivers).

To my understanding, two TCP/IP applications (server and client) wanting
to communicate would neither need to *implement* nor *configure* 
encryption (other than ask for it). They would just get this facility
out-of-the-box from their OS's socket mechanism (whatever the OS would
be), as part of the TCP/IP envelope. 
And in a better world, all major OS's would support these envelopes,
and the initial key-switching routines that would be required to make them
work. I also understood such a feature would be available in stock IPv6
and IPSec-enabled IPv4 implementations. The whole idea of course being, if
you're the sw developer of a TCP/IP application, "You don't HAVE to use
it, but if you need it, it's there for you and you don't need to reinvent
the wheel".

You seem to suggest that all IPSec is - is just yet-another 
"pre-configuration-needed" (other than installing a socket that
supports it, of course) tunneling method between two points, ( both
of which you need to have superuser access over) of which we seem to have
more than enough at the moment - Cisco's Gre-over-IP, MS-VPN, Checkpoint's
VPN, the Linux kernel IP Tunnel (some of these are probably the same, I'm
not intimately acquainted with them all...) and other FW vendors probably
have another proprietary protocol or two up their sleeves.
Moreover, you can't have two clients on host A and two servers on host B
where one pair would be talking encrypted and the other not?

Is IPSec yet-another-one/one-of-the-abovementioned? (with the slight
benefit of being standardized by being part of the IP spec)?

If that's the case, I'm not sure it's what I need at all... :-)

---= Miki Shapiro =------------------
 ---= Cell: (+972)-56-322433 =--------
  ---= ICQ: 3EE853 =-------------------
   ---= Windows Programmer in Rehab =---
    -------------------------------------

"If at first you don't succeed...
.. Skydiving is probably not for you."
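The question raised above, whether two client/server pairs on the same two hosts can have one pair protected and the other not, is decided in IPSec by the Security Policy Database (SPD) described in RFC 2401 section 4.4: every outbound packet is matched against an ordered list of policy entries whose selectors include source and destination address, transport protocol and ports, and the first matching entry says whether the packet is protected, bypassed in the clear, or discarded. The following is an added illustration, not code from this thread or from any IPSec implementation; it models that lookup in plain Python with a constructed policy table (hosts 10.0.0.1 and 10.0.0.2, ports 5555 and 80 are made-up sample values).

```python
# Added example: a minimal model of the RFC 2401 SPD lookup.
# Not a real IPsec stack; it only shows how per-flow selectors let two
# flows between the same pair of hosts receive different treatment.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address ranges plus optional protocol/port."""
    src: str                 # CIDR, e.g. "10.0.0.0/24"
    dst: str                 # CIDR
    proto: Optional[str]     # "tcp", "udp", ... or None for any protocol
    sport: Optional[int]     # None matches any source port
    dport: Optional[int]     # None matches any destination port

    def matches(self, src: str, dst: str, proto: str,
                sport: int, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.proto in (None, proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    action: str              # PROTECT, BYPASS or DISCARD
    note: str = ""           # free text, e.g. which SA parameters apply


# Constructed sample policy. Order matters: the first match wins, so the
# narrow port-specific rules sit above the broad host-to-host rule.
SAMPLE_SPD: List[SpdEntry] = [
    # IKE (UDP/500) must travel in the clear or no SA can ever be negotiated.
    SpdEntry(Selector("0.0.0.0/0", "0.0.0.0/0", "udp", 500, 500),
             BYPASS, "IKE key exchange"),
    # Application pair 1: TCP to port 5555 on host B is protected with ESP.
    SpdEntry(Selector("10.0.0.0/24", "10.0.0.2/32", "tcp", None, 5555),
             PROTECT, "ESP transport mode, sample SA"),
    # Application pair 2: plain HTTP to the same host B goes unprotected.
    SpdEntry(Selector("10.0.0.0/24", "10.0.0.2/32", "tcp", None, 80),
             BYPASS, "unprotected web traffic"),
]

# RFC 2401: traffic that matches no SPD entry is discarded.
DEFAULT_ENTRY = SpdEntry(Selector("0.0.0.0/0", "0.0.0.0/0", None, None, None),
                         DISCARD, "no matching policy")


def spd_lookup(spd: List[SpdEntry], src: str, dst: str, proto: str,
               sport: int, dport: int) -> SpdEntry:
    """Return the first SPD entry whose selector matches the 5-tuple."""
    for entry in spd:
        if entry.selector.matches(src, dst, proto, sport, dport):
            return entry
    return DEFAULT_ENTRY


if __name__ == "__main__":
    # Two flows between the same hosts, two different outcomes.
    for flow in [("10.0.0.1", "10.0.0.2", "tcp", 40000, 5555),
                 ("10.0.0.1", "10.0.0.2", "tcp", 40001, 80),
                 ("10.0.0.1", "10.0.0.2", "udp", 500, 500),
                 ("10.0.0.1", "10.0.0.2", "udp", 40002, 9999)]:
        e = spd_lookup(SAMPLE_SPD, *flow)
        print(flow, "->", e.action, "(" + e.note + ")")
```

Because the lookup is per packet rather than per host, the policy is indeed a form of pre-configuration (someone with administrative rights has to populate the SPD), but it is a per-flow one: the two application pairs in the sample table share the same two hosts and still get different treatment. The applications themselves contain no encryption code; they only see that one socket's traffic is protected and the other's is not.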
