ad hoc IPsec or similar

Eugen Leitl eugen at leitl.org
Fri Jun 22 09:22:32 PDT 2007


On Fri, Jun 22, 2007 at 11:52:13PM +0800, Sandy Harris wrote:
> On 6/22/07, Eugen Leitl <eugen at leitl.org> wrote:
> 
> >So what's the state in ad hoc IPsec/VPN setup for any end points?
> 
> The Linux FreeS/WAN project was working on "opportunistic encryption".

I know, but it wasn't really lightweight. Session setup between
new hosts shouldn't take more than a few UDP packets; theirs
took publishing DNS records. If ad hoc encryption needs to happen
on a wide level, it needs to be part of the usual suspect TCP/IP
stack, and work out of the box, without adding too much to
the initial latency. It should also have key caching, and at
least rudimentary logging to be able to catch MITM.

Once there's significant amounts of host key caches available,
it would become worthwhile to P2P publish those, and build
primitive trust by number of votes.
 
> The general idea is that if you use keys in DNS to authenticate gateways

Aye, that's the rub. Most hosts are in dynamic address space,
and anything involving DNS will not fly.

> and IPsec for secure tunnels then any two machines can communicate
> securely without their administrators needing to talk to each other or to
> set up specific pre-arranged tunnels.
> 
> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/glossary.html#carpediem
> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html
> 
> There is an RFC based on that work:
> ftp://ftp.rfc-editor.org/in-notes/rfc4322.txt
> 
> The FreeS/WAN project has ended. I do not know if the follow-on projects,
> openswan.org and strongswan.org, support OE.

Even if 1% of all hosts were using it, it would be extremely worthwhile.
There are some quite nice FreeBSD-based firewalls (m0n0/pfsense) which
support IPsec quite well between themselves. It would be definitely very
nice to have any such firewalls set up IPsec VPNs ad hoc whenever they
talk to each other.

-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
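As an added example, not code from anyone in this thread, here is a minimal host key cache of the kind Eugen asks for: trust on first use, a logged warning when a known host offers a different key (the rudimentary MITM signal), and a vote count over several published caches. The hostnames, key bytes and the SHA-256 fingerprint scheme are constructed assumptions for illustration.

```python
from __future__ import annotations
import hashlib
import logging
from collections import Counter

log = logging.getLogger("hostkeys")


def fingerprint(pubkey: bytes) -> str:
    """Short, stable identifier for a peer's public key (assumed scheme:
    first 16 hex chars of SHA-256 over the raw key bytes)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class HostKeyCache:
    """Per-host key cache: first contact is accepted (trust on first use),
    later contacts are compared against the cached fingerprint."""

    def __init__(self) -> None:
        self._keys: dict[str, str] = {}

    def check(self, host: str, pubkey: bytes) -> str:
        """Return 'new', 'match' or 'mismatch' and log the outcome."""
        fp = fingerprint(pubkey)
        known = self._keys.get(host)
        if known is None:
            self._keys[host] = fp
            log.info("first contact with %s, caching key %s", host, fp)
            return "new"
        if known == fp:
            return "match"
        # A changed key is the signal worth logging. With hosts in dynamic
        # address space it may also be an address reused by another machine,
        # so log loudly and refuse rather than silently re-caching the key.
        log.warning("KEY CHANGE for %s: cached %s, offered %s", host, known, fp)
        return "mismatch"

    def export(self) -> dict[str, str]:
        """Snapshot of host -> fingerprint, suitable for publishing to peers."""
        return dict(self._keys)


def vote(published: list[dict[str, str]], host: str) -> tuple[str | None, int]:
    """Count how many published caches agree on a fingerprint for host.
    Returns (most-seen fingerprint, number of caches that hold it)."""
    tally = Counter(c[host] for c in published if host in c)
    if not tally:
        return None, 0
    return tally.most_common(1)[0]
```

A mismatch from `check` should block the session and raise an alert; `vote` only ranks what peers have seen, so a low count is weak evidence either way.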