Re: Ease of setting up IPSEC

2003-10-12 Thread D.K. Smetters


John Gilmore wrote:

> Rich $alz said:
> > it might be more useful to create a user-friendly management
> > interface to IPsec implementations to join the zero or so already
>
> We've been making it simpler in just about every release.  Now you
> basically have to download the RPM, install it, it spits out a public
> key, and you install that public in your DNS in-addr records.  Then

Ah, but that last is the kicker.  I'm all for the whole
DNSSEC-as-key-distribution model, but we're a long way from it in
practice.  In your example above, there are actually two more common
versions of step 3: 1) user who doesn't even know he has a public key
takes it to the guy in charge of maintaining DNS for his installation
and attempts to convince him that he ought to put it in the user's
machine's in-addr record.  Or 2) home/roaming user who has no
effective DNS service for his endpoint from his ISP looks at his shiny
new key and wonders what to do.  (Yes, in theory you could grease the
wheels with clever use of dynamic DNS, but it's not currently deployed
in a way that will help most people with this problem.)

--Diana

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Ease of setting up IPSEC

2003-10-11 Thread John Gilmore
Rich $alz said:
> it might be more useful to create a user-friendly management
> interface to IPsec implementations to join the zero or so already
> out there.  The difficulty in setting up any IPsec tunnel is what's
> been motivating the creation of (often insecure) non-IPsec VPN
> software, so what'd be a lot more helpful than (no offense, but) yet
> another SSL implementation is some means of making IPsec easier to
> use

Has anybody on this list tried setting up FreeS/WAN recently, by
following the Quick Start instructions?  It's pretty simple.

We've been making it simpler in just about every release.  Now you
basically have to download the RPM, install it, it spits out a public
key, and you install that public in your DNS in-addr records.  Then
the software automatically brings up VPN tunnels on demand, to any
other machine that's done the same thing.

A lot of the hair in other IPSEC implementations comes from having to
set up and transport keys, to sign things with X.509 certs and check
the signatures, to figure out what subnets are protected with which
keys, etc.  We push those jobs into the DNS, so it gets done once, and
then every node on the network can just look up the answer.

John

PS:  Yes, this approach has issues:  but ease of setup shouldn't be one
of them.
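
Added example, not part of John Gilmore's message and not FreeS/WAN code: a sketch of the lookup side of the scheme described above, where a peer's public key is read from the TXT records at its in-addr name. The `X-IPsec-Server(precedence)=gateway key` record layout is an assumption about the published format, and the `ZONE` mapping (standing in for DNS), the addresses and the key bytes are constructed sample values.

```python
import base64
import ipaddress
import re

# Assumed TXT layout: X-IPsec-Server(<precedence>)=<gateway> <base64 RSA public key>
TXT_RE = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")

def reverse_name(addr):
    """Owner name of the reverse-DNS record for an IPv4/IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."

def parse_oe_txt(txt):
    """Return (precedence, gateway, key_bytes), or None if this is not a usable key record."""
    m = TXT_RE.match(txt.strip())
    if not m:
        return None
    try:
        key = base64.b64decode(m.group(3), validate=True)
    except ValueError:  # bad base64 alphabet or padding
        return None
    return int(m.group(1)), m.group(2), key

def lookup_key(addr, zone):
    """Lowest-precedence valid record for addr, or None when nothing is published."""
    parsed = [r for r in map(parse_oe_txt, zone.get(reverse_name(addr), [])) if r]
    return min(parsed, key=lambda r: r[0]) if parsed else None

# Constructed sample data: documentation addresses and a toy key, not real records.
TOY_KEY = bytes([1, 3]) + bytes(range(0x80, 0x90))
TOY_B64 = base64.b64encode(TOY_KEY).decode()
ZONE = {
    "10.2.0.192.in-addr.arpa.": [
        "v=spf1 -all",                                  # unrelated TXT, ignored
        "X-IPsec-Server(20)=192.0.2.1 " + TOY_B64,
        "X-IPsec-Server(10)=192.0.2.10 " + TOY_B64,
        "X-IPsec-Server(5)=192.0.2.10 not*base64",      # malformed, ignored
    ],
}

if __name__ == "__main__":
    print(lookup_key("192.0.2.10", ZONE))     # record published by the DNS admin
    print(lookup_key("198.51.100.7", ZONE))   # no reverse record: nothing to find
```

A `None` result is the situation raised in the reply on this thread: an endpoint whose reverse zone nobody populates has no key for a peer to find.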
