
Re: Use IPSEC as SSH replacement



Well, that pretty much rules out X.509 certs.

I don't think what you want exists today, but the specs for IPSEC certainly
support it.  The following would solve the issue were the following to exist:

1] Use IKE with OpenPGP certs.  They don't constantly expire, don't cost money,
and you can use whatever trust model you want with them (hierarchy, WOT, etc...)
The ISAKMP RFC already has an ID for OpenPGP certs, so no changes required.  (see
RFC 2044 for OpenPGP)

2] To be just like SSH in terms of ease of use, your IKE implementation must be
able to be configured such that the certificate received when the first Phase 1 SA
is established with any other host on the internet is implicitly accepted.  That
certificate from then on is required for authentication whenever communicating
with the same remote host.  While this introduces a minor security issue for first
connections, this is something most people have been willing to live with for
years with SSH.  To eliminate this security issue, just use the web of trust to
validate the certs.  If that doesn't scale to your organization, use OpenPGP
meta-introducers to establish a hierarchy.

One day if these worldwide CA-based pay-for-each-cert IPSEC X.509 PKI ramblings
become accepted and popular, your IKE implementation could also support X.509 and
be compatible with that too.  In the meantime, I agree that it would be nice to
get IKE widely usable without the hurdles that seem to have been erected for it.

-Will


Markku Savela wrote:

> My query about using some solution based on IPSEC to replace SSH,
> originates from a desire to demonstrate and do something *useful* with
> IPSEC as fast as possible, preferably *NOW*. I was hoping some
> minimal effort IKE (or something) specification that would give
> at least the same as SSH, but using IPSEC architecture.
>
> A solution that would be forward compatible with future "real"
> solutions that were mentioned, secure DNS etc., when they become
> available. It also should be as simple to use as ssh, and free to use
> (don't require CAs that cost money to get).
>
> Just doing PING tests is boring. Is there a test setup with IPSEC on a
> host that would allow me to telnet in, either to IPSEC host itself or
> to a some test host behind the IPSEC gateway, or even more ambitious,
> have AH+ESP (tunnel) to SG, and another AH+ESP layer to the test host
> behind it [however, I only do with manual keys...].
>
> --
> Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
> Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/

--

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
Direct  (408)346-5906
Cell/VM (650)533-0399
<pgpfone://cast.cyphers.net>

PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0xCF73EC4C>
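
Added example, not part of the original message and not taken from any IKE implementation: the accept-on-first-use behaviour described in point 2, sketched as a pin store keyed by peer identity, with a strict mode for peers that should be validated some other way (for instance the web of trust) before being pinned. `PinStore`, `Verdict`, the JSON file layout, the peer names and the certificate bytes are all assumptions made for illustration.

```python
import hashlib, hmac, json, os, tempfile
from enum import Enum

class Verdict(Enum):
    FIRST_USE = "first-use"  # no pin existed; cert accepted and pinned
    MATCH = "match"          # cert equals the pinned one
    MISMATCH = "mismatch"    # cert differs from the pin: refuse the Phase 1 SA
    UNKNOWN = "unknown"      # strict mode: unpinned peer needs outside validation

class PinStore:
    """Hypothetical known_hosts-style store: peer ID -> SHA-256 of its cert."""

    def __init__(self, path):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        # Write a temp file and rename it so a crash cannot truncate the store.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(self.pins, f, indent=1, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, peer_id, cert_bytes, accept_first_use=True):
        fp = hashlib.sha256(cert_bytes).hexdigest()
        pinned = self.pins.get(peer_id)
        if pinned is None:
            if not accept_first_use:
                return Verdict.UNKNOWN
            self.pins[peer_id] = fp
            self._save()
            return Verdict.FIRST_USE
        # A changed cert is never re-pinned automatically.
        return Verdict.MATCH if hmac.compare_digest(pinned, fp) else Verdict.MISMATCH

def demo():
    # Constructed placeholder bytes, not real OpenPGP certificates.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ike_pins.json")
        store = PinStore(path)
        seen = [store.check("gw.example.net", cert_a),
                store.check("gw.example.net", cert_a),
                store.check("gw.example.net", cert_b)]
        # A fresh process reloads the pin from disk; strict mode pins nothing.
        seen.append(PinStore(path).check("gw.example.net", cert_a))
        seen.append(PinStore(path).check("new.example.net", cert_b, False))
        return seen
```

A `MISMATCH` leaves the stored pin untouched, so replacing a peer's certificate requires a deliberate edit of the store, as with an SSH known_hosts entry.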



