
Wes Hardaker: opportunistic encryption deployment problems




   I just spoke about the FreeS/WAN team's Opportunistic Encryption
design using IKE/IPsec at IETF and am already getting email on the
subject.
   The conversation will now be split between our list and the IETF
ipsec list (look at the headers below).  Such is life.

   To answer Mr. Hardaker, we understand the problem with requiring the
data be in the reverse DNS space and are considering a forward space
solution, but there are many folks who have no control over even their
forward space.
   At some point one has to just give up and tell folks to get it
together and control their own resources.

   On the subject of NAT:  If you're NAT on the net, you're NOT on the net.
That's what I personally say at least.

		||ugh Daniel
		hugh@freeswan.org

			Systems Testing & Project mis-Management
			The Linux FreeS/WAN Project
			http://www.freeswan.org


------- Forwarded Message

To: Hugh Daniel <hugh@road.xisp.net>
Cc: ipsec@lists.tislabs.com
Subject: opportunistic encryption deployment problems
From: Wes Hardaker <wes@hardakers.net>
Organization: Network Associates - NAI Labs
Date: Mon, 06 Aug 2001 07:34:54 -0700
Message-ID: <sd4rrlb6k1.fsf@wanderer.hardakers.net>


Three problems I see with the deployment of opportunistic encryption:

1) your method of obtaining information is by reverse DNS lookup,
    which will provide problems with people who can't control their
    reverse DNS bindings.  As an example, I don't have control over the
    subnet mapped to my house and can not insert information into the
    controlling DNS server (and can not convince them to redirect to
    me).

2) your method of obtaining information is by reverse DNS lookup,
    which will provide problems with people behind NATs.  Until IPv6 is
    (if) widely deployed, this will continue to be a growing problem.
    Sure, if you can convince your NAT provider to do encryption to and
    from both sides of the NAT, you may be able to get around this but
    it certainly would take an effort to get this done.

3) The wider and wider spread use of things like web and other proxies
    will provide similar problems seen in #2.

-- 
Wes Hardaker
NAI Labs
Network Associates

------- End of Forwarded Message
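As an added illustration (not code from either message or from the FreeS/WAN project), a small Python model of the lookup both writers are arguing about: an OE peer keyed from the reverse DNS tree, the forward-space fallback Hugh mentions, and the two failure modes Wes lists (no control over the reverse zone, and RFC 1918 addresses behind NAT). The zone contents and record payloads are constructed placeholders, not FreeS/WAN's actual TXT syntax.

```python
import ipaddress

# Constructed sample zone data (not real DNS): reverse-tree TXT records keyed by
# in-addr.arpa name, and forward-tree TXT records keyed by host name.
# Payloads are placeholders, not the real FreeS/WAN record format.
REVERSE_TXT = {"1.113.0.203.in-addr.arpa": "oe-key=PLACEHOLDER-GATEWAY-KEY-A"}
FORWARD_TXT = {"home.example.net": "oe-key=PLACEHOLDER-HOST-KEY-B"}

# RFC 1918 space: a peer seen with one of these addresses sits behind a NAT and
# has no public reverse zone in which a key could ever be published.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_name(ip):
    """in-addr.arpa name where a reverse-keyed OE lookup would look for this address."""
    return ipaddress.ip_address(ip).reverse_pointer


def behind_nat(ip):
    """True if the address is RFC 1918 (the NAT case from problem #2)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def oe_decision(peer_ip, peer_name=None, reverse=REVERSE_TXT, forward=FORWARD_TXT):
    """Decide how an OE initiator would treat a peer. Returns (outcome, detail):
      'private' - RFC 1918 source: NATed peer, reverse keying impossible
      'reverse' - key record found in the peer's own reverse zone
      'forward' - no reverse record, but the peer's forward name carries one
      'clear'   - no record anywhere: OE cannot key the peer, traffic stays clear
    """
    if behind_nat(peer_ip):
        return "private", f"{peer_ip} is RFC 1918; nothing publishable in the reverse tree"
    name = reverse_name(peer_ip)
    if name in reverse:
        return "reverse", reverse[name]
    # Forward-space fallback: only helps a peer that controls its forward zone.
    if peer_name and peer_name in forward:
        return "forward", forward[peer_name]
    return "clear", f"no TXT at {name}; peer cannot publish in a zone it does not control"


if __name__ == "__main__":
    for ip, name in [("203.0.113.1", None), ("203.0.113.2", "home.example.net"),
                     ("203.0.113.2", None), ("192.168.1.20", None)]:
        print(ip, name, "->", oe_decision(ip, name))
```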