Re: ad hoc IPsec or similar
On Fri, Jun 22, 2007 at 11:52:13PM +0800, Sandy Harris wrote:
> On 6/22/07, Eugen Leitl <eugen@leitl.org> wrote:
> > So what's the state in ad hoc IPsec/VPN setup for any end points?
>
> The Linux FreeS/WAN project was working on "opportunistic encryption".

I know, but it wasn't really lightweight. Session setup between new hosts shouldn't take more than a few UDP packets; theirs took publishing DNS records. If ad hoc encryption needs to happen on a wide level, it needs to be part of the usual suspect TCP/IP stack, and work out of the box, without adding too much to the initial latency. It should also have key caching, and at least rudimentary logging to be able to catch MITM. Once there are significant amounts of host key caches available, it would become worthwhile to P2P publish those, and build primitive trust by number of votes.

> The general idea is that if you use keys in DNS to authenticate gateways

Aye, that's the rub. Most hosts are in dynamic address space, and anything involving DNS will not fly.

> and IPsec for secure tunnels then any two machines can communicate securely without their administrators needing to talk to each other or to set up specific pre-arranged tunnels.
>
> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/glossary.html#carpe...
> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html
>
> There is an RFC based on that work: ftp://ftp.rfc-editor.org/in-notes/rfc4322.txt
>
> The FreeS/WAN project has ended. I do not know if the follow-on projects, openswan.org and strongswan.org, support OE.

Even if 1% of all hosts were using it, it would be extremely worthwhile. There are some quite nice FreeBSD-based firewalls (m0n0/pfsense) which support IPsec quite well between themselves. It would definitely be very nice to have any such firewalls set up IPsec VPNs ad hoc whenever they talk to each other.

-- 
Eugen* Leitl <leitl> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
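The reply above sketches three pieces a lightweight ad hoc scheme would need besides the tunnel itself: a host key cache (trust on first use), logging that surfaces a changed key so a possible MITM can be spotted, and counting how many peers' published caches agree on a host's key. The following is an added illustration of that cache logic, written for this page; it is not code from FreeS/WAN, Openswan, strongSwan or anyone in the thread. The class and method names (HostKeyCache, observe, import_peer_cache, corroborated) and the host addresses and key blobs are all constructed for the example.

```python
"""Trust-on-first-use host key cache with mismatch logging and peer votes.

Added example for the thread above, not project code.  All names below
(HostKeyCache, observe, import_peer_cache, corroborated) are assumptions,
and the hosts and key blobs used in the demo are constructed sample data.
"""
import hashlib
import logging
from dataclasses import dataclass, field

log = logging.getLogger("hostkeys")


def fingerprint(pubkey: bytes) -> str:
    """Hex SHA-256 of a raw public key blob; the cache stores only this."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class HostKeyCache:
    # host identity (address or name) -> fingerprint cached on first contact
    known: dict = field(default_factory=dict)
    # (host, fingerprint) -> set of distinct peers whose published cache holds that pair
    votes: dict = field(default_factory=dict)
    # every observed key change, kept locally so an operator can review them
    mismatches: list = field(default_factory=list)

    def observe(self, host: str, pubkey: bytes) -> str:
        """Record the key a host presented during session setup.

        "new": first contact, cache the key (trust on first use).
        "match": same key as cached, nothing to report.
        "mismatch": a different key than cached; logged as a possible MITM
        and NOT silently overwritten, so the first key stays authoritative.
        """
        fp = fingerprint(pubkey)
        cached = self.known.get(host)
        if cached is None:
            self.known[host] = fp
            log.info("new host %s key %s", host, fp[:16])
            return "new"
        if cached == fp:
            return "match"
        self.mismatches.append((host, cached, fp))
        log.warning("key change for %s: cached %s, presented %s",
                    host, cached[:16], fp[:16])
        return "mismatch"

    def import_peer_cache(self, peer: str, entries: dict) -> None:
        """Merge a peer's published cache (host -> fingerprint).

        Each (host, fingerprint) pair earns one vote per distinct peer;
        the same peer re-publishing the same entry does not add a vote.
        """
        for host, fp in entries.items():
            self.votes.setdefault((host, fp), set()).add(peer)

    def votes_for(self, host: str, fp: str) -> int:
        return len(self.votes.get((host, fp), set()))

    def corroborated(self, host: str, threshold: int = 2) -> bool:
        """True when at least `threshold` distinct peers saw the key we cached."""
        fp = self.known.get(host)
        return fp is not None and self.votes_for(host, fp) >= threshold


def demo() -> dict:
    """Walk through first contact, a repeat, a key change and peer votes."""
    cache = HostKeyCache()
    key_a = b"constructed raw public key of host 10.0.0.5"
    key_b = b"constructed different key presented later"
    results = {
        "first": cache.observe("10.0.0.5", key_a),
        "repeat": cache.observe("10.0.0.5", key_a),
        "changed": cache.observe("10.0.0.5", key_b),
    }
    cache.import_peer_cache("peer-1", {"10.0.0.5": fingerprint(key_a)})
    results["one_vote"] = cache.corroborated("10.0.0.5")
    cache.import_peer_cache("peer-2", {"10.0.0.5": fingerprint(key_a)})
    results["two_votes"] = cache.corroborated("10.0.0.5")
    results["mismatches"] = len(cache.mismatches)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The design choice worth noting is that a mismatch never replaces the cached key: the first-seen key stays authoritative and the change is logged for a human, which is the "rudimentary logging to catch MITM" the reply asks for. Votes are counted per distinct peer so a single peer republishing the same cache cannot inflate a host's trust.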