Re: Use IPSEC as SSH replacement
> Does it support a similar system as SSH? That is, assuming IKE/IPSEC
> implementation on both ends, two totally unrelated hosts can set up a
> secure connection between them. Without any preconfigured keys or
> knowledge about each other's public keys?
It's close. The two IKE daemons need a way to authenticate each other,
and that needs either shared secrets or a trusted third party. SSH has
this requirement too, hidden in its "I haven't talked to that host before,
should I accept that he's telling the truth about who he is?" question,
but IKE needs a more definitive solution than "ask the user".
The trusted third party for IKE could be Secure DNS, or it could be a
certificate authority whose identity and authenticity are known to the IKE
daemon by other means.
> After that one could just use unmodified tools (telnet, smtp, etc)
> again.
Exactly. IPSEC is secure *IP*, which covers all IP-using applications.
Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)