Re: ad hoc IPsec or similiar

2007-06-26 Thread Sandy Harris
On 6/23/07, Eugen Leitl [EMAIL PROTECTED] wrote: The general idea is that if you use keys in DNS to authenticate gateways Aye, that's the rub. Most hosts are in dynamic address space, and anything involving DNS will not fly. It is certainly a problem, but you can get around it partially

Re: ad hoc IPsec or similiar

2007-06-26 Thread Taral
On 6/26/07, Sandy Harris [EMAIL PROTECTED] wrote: It is certainly a problem, but you can get around it partially even if your IP address is dynamically assigned: http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html#opp.client You do need to use a dynamic DNS server to

Re: ad hoc IPsec or similiar

2007-06-26 Thread Nicolas Williams
On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote: Note that that RFC is Informational only. There were a bunch of perceived issues with it, although I think they were more purity disagreements than anything. FWIW, if you do *not* care about man-in-the-middle attacks (called

Re: ad hoc IPsec or similiar

2007-06-26 Thread Paul Hoffman
At 2:49 PM -0500 6/26/07, Nicolas Williams wrote: On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote: This was discussed many times, and always rejected as not good enough by the purists. Then the IETF created the BTNS Working Group which is spending huge amounts of time getting

Re: ad hoc IPsec or similiar

2007-06-26 Thread Nicolas Williams
On Tue, Jun 26, 2007 at 01:20:41PM -0700, Paul Hoffman wrote: For all the other aspects of BTNS (IPsec connection latching [and channel binding], IPsec APIs, leap-of-faith IPsec) agreeing on a globally shared secret does not come close to being sufficient. Fully agree. BTNS will definitely

Re: ad hoc IPsec or similiar

2007-06-26 Thread Paul Hoffman
At 3:26 PM -0500 6/26/07, Nicolas Williams wrote: I strongly dislike the WG's name. Suffice it to say that it was not my idea :); it created a lot of controversy at the time, though perhaps that controversy helped sell the idea (why would you want this silly, insecure stuff? because it enables

Re: ad hoc IPsec or similiar

2007-06-22 Thread Eugen Leitl
On Thu, Jun 21, 2007 at 06:00:48PM +0100, Richard Clayton wrote: (a) the EU legislation was actually passed well over a year ago http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf It is not national law yet. I'm only concerned about when I have to

Re: ad hoc IPsec or similiar

2007-06-22 Thread Sandy Harris
On 6/22/07, Eugen Leitl [EMAIL PROTECTED] wrote: So what's the state in ad hoc IPsec/VPN setup for any end points? The Linux FreeS/WAN project was working on opportunistic encryption. The general idea is that if you use keys in DNS to authenticate gateways and IPsec for secure tunnels then

Re: ad hoc IPsec or similiar

2007-06-22 Thread Paul Hoffman
At 11:52 PM +0800 6/22/07, Sandy Harris wrote: On 6/22/07, Eugen Leitl [EMAIL PROTECTED] wrote: So what's the state in ad hoc IPsec/VPN setup for any end points? The Linux FreeS/WAN project was working on opportunistic encryption. The general idea is that if you use keys in DNS to

Re: ad hoc IPsec or similiar

2007-06-22 Thread auto37159
The wikipedia article has some information, but it could use some edits if you have new information. http://en.wikipedia.org/wiki/Opportunistic_encryption rearden On Fri, 22 Jun 2007 11:52:13 -0400 Sandy Harris [EMAIL PROTECTED] wrote: On 6/22/07, Eugen Leitl [EMAIL PROTECTED] wrote: So

Re: ad hoc IPsec or similiar

2007-06-21 Thread Richard Clayton
In article [EMAIL PROTECTED], Eugen Leitl [EMAIL PROTECTED] writes There's a rather ominous EU legislation to be passed soon, which requires any party acting as a provider (you run anonymous proxy, or mix cascade, you are a provider) to log all connection info (when, who, with whom). What's the