
Re: Use IPSEC as SSH replacement
I had originally hoped, in fact, that IPSec would make tools like SSH
unnecessary by providing upper layer tools sufficient information that 
they could simply ask the identity of the other side of any TCP
session from the security layer and not need to manage any
cryptography on their own at all. Sadly, things have not thus far
worked out this way, but it is not an unreasonable goal for people to
be striving for.

Perry

Henry Spencer writes:
> >  Does it support a similar system as SSH? That is, assuming IKE/IPSEC
> >  implementation on both ends, two totally unrelated hosts can set up a
> >  secure connection between them. Without any preconfigured keys or
> >  knowledge about each other's public keys?
> 
> It's close.  The two IKE daemons need a way to authenticate each other,
> and that needs either shared secrets or a trusted third party.  SSH has
> this requirement too, hidden in its "I haven't talked to that host before,
> should I accept that he's telling the truth about who he is?" question,
> but IKE needs a more definitive solution than "ask the user".
> 
> The trusted third party for IKE could be Secure DNS, or it could be a
> certificate authority whose identity and authenticity is known to the IKE
> daemon by other means.
> 
> > After that one could just use unmodified tools (telnet, smtp, etc)
> > again.
> 
> Exactly.  IPSEC is secure *IP*, which covers all IP-using applications.