IPng6, SWIPE, ssh, etc.
I would like some summary opinions of the state of various efforts to enable full IP encryption. I'm looking for progress reports and hints as to which technologies are the closest to being implementable.

After playing with ssh, I've been thinking of what it would take to start migrating certain links to full encryption, possibly using a VPN-like arrangement.

I'm interested in hacking Linux, loopback userspace drivers for other Unixes, and thinking about what would need to be done for MS-BLECH. Of course, firewall-like conversion of IP<->IPng6 would be great.

Of course now that Linux has IP aliasing, IP masquerading (partial I think), ipfw, and IP over IP tunneling, it has much of what it needs. I'm just considering development and migration paths.

I haven't kept up on IPng6 docs, so succinct pointers would be helpful.

One interesting tack might be to start running a dual IPng6/IP stack where it learns to tunnel packets over a well-known IP udp/tcp link if an address doesn't respond to IPng6.

sdw
--
Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw
Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011
OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W
Pres.: Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95
On Fri, 4 Aug 1995, Stephen D. Williams wrote:
> I'm interested in hacking Linux, loopback userspace drivers for other Unixes, and thinking about what would need to be done for MS-BLECH. Of course, firewall-like conversion of IP<->IPng6 would be great.
Please keep me informed of your progress. Does anyone out there have a somewhat comprehensive listing of these or other implementations already ported to Linux? I am intending on setting up an alternative site for folks with nosey or suppressive employer accounts or private university accounts who desire an anonymous account somewhere else.
> Of course now that Linux has IP aliasing, IP masquerading (partial I think), ipfw, and IP over IP tunneling, it has much of what it needs. I'm just considering development and migration paths.
While they are getting better and better, I am not certain that anything is ready to be deemed as secure as it can be.
> I haven't kept up on IPng6 docs, so succinct pointers would be helpful.
In that same spirit, does anyone have pointers to Linux-specific security implementations? I would also be interested in ported implementations of remailers, or other anonymity-protecting services.
Matt
Stephen D. Williams writes:
> I would like some summary opinions of the state of various efforts to enable full IP encryption. I'm looking for progress reports and hints as to which technologies are the closest to being implementable.
The implementation efforts are in full swing. At the last IETF meeting in Stockholm, Steve Crocker challenged the community to have IPSEC in place and available in time for the Dallas meeting in December. There is now a mailing list for those actively working on the implementation efforts and a good deal of effort is being expended. In fact, I took off this month more or less so that I could work full time on implementation.
> I haven't kept up on IPng6 docs, so succinct pointers would be helpful.
The actual RFCs were submitted to the RFC editor over the last day or so, so there should be real RFCs to quote shortly. However, for the moment, check out draft-ietf-ipsec-* in the nearest internet-drafts depository. ds.internic.net:/internet-drafts/ is probably a reasonable spot.
> One interesting tack might be to start running a dual IPng6/IP stack where it learns to tunnel packets over a well-known IP udp/tcp link if an address doesn't respond to IPng6.
You don't need to use IPv6 for the security, by the way -- it's defined to work on either. If you want, of course, I'm sure the v6 folks would love a Linux v6 stack to show up soon...

Perry
On Fri, 4 Aug 1995, Perry E. Metzger wrote:
> You don't need to use IPv6 for the security, by the way -- it's defined to work on either. If you want, of course, I'm sure the v6 folks would love a Linux v6 stack to show up soon...
And so would dedicated Linux users from around the globe! Linux is quite liberating, but security is a whole different concern.

Matt
Perry
Matt Miszewski IAAL - I AM a lawyer! (crypto@midex.com) wrote:

: Please keep me informed of your progress. Does anyone out there have a
: somewhat comprehensive listing of these or other implementations
: already ported to Linux? I am intending on setting up an alternative
: site for folks with nosey or suppressive employer accounts or private
: university accounts who desire an anonymous account somewhere else.

I have used deslogin and ctelnet with Linux

: In that same spirit, does anyone have pointers to Linux specific security
: implementations. I would also be interested in ported implementations of
: remailers, or other anonymity protecting services.

All the remailers that I know of work with Linux. Here's a list of crypto apps that I know will run under Linux:

ssh
cryptod/ctelnet
deslogin
cfs
pgp
datalock
mixmaster v2

Stuff I'm not sure about:

esm
swipe

Anything else?
participants (4)
- Ghio
- Matt Miszewski (IAAL - I AM a lawyer!)
- Perry E. Metzger
- sdw@lig.net