
Re: Use IPSEC as SSH replacement



>  Does it support a similar system as SSH? That is, assuming IKE/IPSEC
>  implementation on both ends, two totally unrelated hosts can setup a
>  secure connection between them. Without any preconfigured keys or
>  knowledge about each others public keys?

It's close.  The two IKE daemons need a way to authenticate each other,
and that needs either shared secrets or a trusted third party.  SSH has
this requirement too, hidden in its "I haven't talked to that host before,
should I accept that he's telling the truth about who he is?" question,
but IKE needs a more definitive solution than "ask the user". 

The trusted third party for IKE could be Secure DNS, or it could be a
certificate authority whose identity and authenticity is known to the IKE
daemon by other means. 

> After that one could just use unmodified tools (telnet, smtp, etc)
> again.

Exactly.  IPSEC is secure *IP*, which covers all IP-using applications.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
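The two authentication options Henry describes, a shared secret versus a trusted third party, map directly onto how a modern IKE daemon is configured. The following is an added example, not part of the original thread: a strongSwan swanctl.conf fragment showing the same host-to-host tunnel twice, once authenticated by a pre-shared secret and once by certificates chained to a CA both hosts already trust. The addresses, identities, file names and secret are assumptions for illustration; in a real deployment you would keep only one of the two connection blocks, since both match the same peer.

```conf
# swanctl.conf (strongSwan, IKEv2). Added example; addresses, identities
# and file names are assumptions, not taken from the original post.

connections {

    # Option 1: a pre-shared secret, installed out of band on both hosts.
    # This is the "shared secrets" case: no third party, but both sides
    # must already hold the same key before the first IKE exchange.
    psk-peer {
        version      = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        proposals    = aes256gcm16-prfsha384-x25519
        local {
            auth = psk
            id   = hostA.example.net
        }
        remote {
            auth = psk
            id   = hostB.example.net
        }
        children {
            all-ip {
                # Protect every IP packet between the two hosts, so telnet,
                # SMTP and any other unmodified application are covered.
                local_ts      = 192.0.2.1/32
                remote_ts     = 192.0.2.2/32
                esp_proposals = aes256gcm16-x25519
                start_action  = trap
            }
        }
    }

    # Option 2: certificates issued by a CA that both hosts already trust.
    # Neither side needs the other's public key in advance; it needs only
    # the CA certificate, which plays the trusted-third-party role.
    cert-peer {
        version      = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        proposals    = aes256gcm16-prfsha384-x25519
        local {
            auth  = pubkey
            certs = hostA.pem              # this host's own certificate
            id    = "CN=hostA.example.net"
        }
        remote {
            auth    = pubkey
            id      = "CN=hostB.example.net"
            cacerts = corp-ca.pem          # peer cert must chain to this CA
        }
        children {
            all-ip {
                local_ts      = 192.0.2.1/32
                remote_ts     = 192.0.2.2/32
                esp_proposals = aes256gcm16-x25519
                start_action  = trap
            }
        }
    }
}

secrets {
    # Used only by psk-peer. Both hosts must hold the identical value.
    ike-hostB {
        id-1   = hostA.example.net
        id-2   = hostB.example.net
        secret = "replace-with-a-long-random-secret"
    }
}
```

Load it with `swanctl --load-all` and bring the tunnel up with `swanctl --initiate --child all-ip` (or simply send traffic, since `start_action = trap` installs a policy that negotiates on demand). Note that in the certificate case the `remote.cacerts` line is what turns "a certificate the peer presented" into "an identity a known CA vouches for"; without a constraint to a specific trust anchor, the daemon has no more basis for trusting the peer than SSH's first-connection prompt. The Secure DNS option mentioned in the post corresponds today to RFC 4025 IPSECKEY records, which strongSwan can consume through its ipseckey plugin; that path is not configured in this example.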


