On Thu, Sep 12, 2013 at 08:28:56PM -0400, Paul Wouters wrote:
> Stop making crypto harder!
I think you're arguing that active attacks are not a concern. That's
probably right today w.r.t. PRISMs. And definitely wrong as to cafe
shop wifi.
The threat model is the key. If you don't care about

On Thu, 12 Sep 2013, Nico Williams wrote:
Note: you don't just want BTNS, you also want RFC5660 -- "IPsec
channels". You also want to define a channel binding for such channels
(this is trivial).
To summarize: IPsec protects discrete *packets*, not discrete packet
*flows*. This means that -de

On Mon, Sep 09, 2013 at 10:25:03AM +0200, Eugen Leitl wrote:
> Just got word from an Openswan developer:
>
> "
> To my knowledge, we never finished implementing the BTNS mode.
>
> It wouldn't be hard to do --- it's mostly just conditionally commenting out
> code.
> "
> There's obviously a large p

On Thu, Sep 12, 2013 at 12:04 PM, Nico Williams wrote:
> Note: you don't just want BTNS, you also want RFC5660 -- "IPsec
> channels". You also want to define a channel binding for such channels
> (this is trivial).
I am not convinced. It's supposed to be *better than nothing*. Packets
that are e

Just got word from an Openswan developer:
"
To my knowledge, we never finished implementing the BTNS mode.
It wouldn't be hard to do --- it's mostly just conditionally commenting out
code.
"
There's obviously a large potential deployment base for
BTNS for home users, just think of Openswan/Open