ad hoc IPsec or similar
Eugen Leitl
eugen at leitl.org
Fri Jun 22 09:22:32 PDT 2007
On Fri, Jun 22, 2007 at 11:52:13PM +0800, Sandy Harris wrote:
> On 6/22/07, Eugen Leitl <eugen at leitl.org> wrote:
>
> >So what's the state in ad hoc IPsec/VPN setup for any end points?
>
> The Linux FreeS/WAN project was working on "opportunistic encryption".
I know, but it wasn't really lightweight. Session setup between
new hosts shouldn't take more than a few UDP packets; theirs
took publishing DNS records. If ad hoc encryption needs to happen
on a wide level, it needs to be part of the usual suspect TCP/IP
stack, and work out of the box, without adding too much to
the initial latency. It should also have key caching, and at
least rudimentary logging to be able to catch MITM.
Once there are significant amounts of host key caches available,
it would become worthwhile to P2P publish those, and build
primitive trust by number of votes.
> The general idea is that if you use keys in DNS to authenticate gateways
Aye, that's the rub. Most hosts are in dynamic address space,
and anything involving DNS will not fly.
> and IPsec for secure tunnels then any two machines can communicate
> securely without their administrators needing to talk to each other or to
> set up specific pre-arranged tunnels.
>
> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/glossary.html#carpediem
> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html
>
> There is an RFC based on that work:
> ftp://ftp.rfc-editor.org/in-notes/rfc4322.txt
>
> The FreeS/WAN project has ended. I do not know if the follow-on projects,
> openswan.org and strongswan.org, support OE.
Even if only 1% of all hosts were using it, it would be extremely worthwhile.
There are some quite nice FreeBSD-based firewalls (m0n0/pfsense) which
support IPsec quite well between themselves. It would be definitely very
nice to have any such firewalls set up IPsec VPNs ad hoc whenever they
talk to each other.
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
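The key caching and "rudimentary logging to catch MITM" that the reply above asks for is essentially trust-on-first-use: remember the key a peer presented on first contact, proceed silently when it matches later, and log loudly when it changes. The block below is an added, constructed illustration of that idea and of the follow-on "trust by number of votes" over several published caches; it is not code from FreeS/WAN, Openswan, strongSwan or any IPsec stack, and the peer identifiers, key bytes and function names are assumptions made up for the example.

```python
"""Constructed example (not from any IPsec implementation): a trust-on-first-use
host-key cache that logs key changes, plus a vote tally over caches published
by several peers. Peer ids and key bytes below are made-up sample values."""
import hashlib
import logging
from collections import Counter

log = logging.getLogger("keycache")


def fingerprint(pubkey: bytes) -> str:
    """Short, stable identifier for a peer's public key (SHA-256 hex)."""
    return hashlib.sha256(pubkey).hexdigest()


class KeyCache:
    """Remembers the first key seen for each peer and flags later changes."""

    def __init__(self) -> None:
        self.keys: dict[str, str] = {}                 # peer id -> fingerprint
        self.events: list[tuple[str, str, str]] = []   # (verdict, peer, fp)

    def observe(self, peer: str, pubkey: bytes) -> str:
        """Record the key a peer offered; return 'new', 'match' or 'mismatch'."""
        fp = fingerprint(pubkey)
        known = self.keys.get(peer)
        if known is None:
            self.keys[peer] = fp
            verdict = "new"        # first contact: cache the key (TOFU)
        elif known == fp:
            verdict = "match"      # same key as before: session can proceed
        else:
            verdict = "mismatch"   # key changed: possible MITM; keep the old key
            log.warning("key change for %s: cached %s, offered %s",
                        peer, known, fp)
        self.events.append((verdict, peer, fp))
        return verdict

    def mismatches(self) -> list[tuple[str, str, str]]:
        """The audit trail an operator would review: every key-change event."""
        return [e for e in self.events if e[0] == "mismatch"]

    def export(self) -> dict[str, str]:
        """What this host would publish to peers: peer id -> fingerprint."""
        return dict(self.keys)


def tally_votes(published: list[dict[str, str]], peer: str):
    """Count how many published caches vouch for each fingerprint of `peer`.

    Returns (leading fingerprint, votes for it, total votes), or None if no
    cache has seen the peer. A split vote is itself a signal worth logging.
    """
    counts = Counter(c[peer] for c in published if peer in c)
    if not counts:
        return None
    fp, votes = counts.most_common(1)[0]
    return fp, votes, sum(counts.values())


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    cache = KeyCache()
    print(cache.observe("peer-a", b"sample-key-of-a"))   # new
    print(cache.observe("peer-a", b"sample-key-of-a"))   # match
    print(cache.observe("peer-a", b"some-other-key"))    # mismatch (logged)
    # Three constructed caches published by other hosts: two agree with ours.
    others = [
        {"peer-a": fingerprint(b"sample-key-of-a")},
        {"peer-a": fingerprint(b"sample-key-of-a")},
        {"peer-a": fingerprint(b"some-other-key")},
    ]
    print(tally_votes(others, "peer-a"))
```

On a mismatch the cache deliberately keeps the previously seen key rather than overwriting it, so a single spoofed exchange cannot silently replace the record; whether the session is then refused or merely flagged is a policy decision left to the caller.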