
opportunistic encryption deployment problems




3 problems I see with the deployment of opportunistic encryption:

1) your method of obtaining information is by reverse DNS lookup,
   which will provide problems with people who can't control their
   reverse DNS bindings.  As an example, I don't have control over the
   subnet mapped to my house and can not insert information into the
   controlling DNS server (and can not convince them to redirect to
   me).

2) your method of obtaining information is by reverse DNS lookup,
   which will provide problems with people behind NATs.  Until IPv6 is
   (if) widely deployed, this will continue to be a growing problem.
   Sure, if you can convince your NAT provider to do encryption to and
   from both sides of the NAT, you may be able to get around this but
   it certainly would take an effort to get this done.

3) The wider and wider spread use of things like web and other proxies
   will provide problems similar to those seen in #2.

-- 
Wes Hardaker
NAI Labs
Network Associates

