
Re: preshared key in ipv6



"Steven M. Bellovin" <smb@research.att.com> writes:

> The right answer is to do things based on domain name, not IP 
> addresses, but that means that we *really* need DNSSEC.

Why?  You can just as easily use pre-shared RSA keys as you can use
preshared DES keys.  Using pre-shared RSA keys allows you to use
domain names instead of IP addresses.  So you can disassociate
yourself from your IP address with practically zero added effort.

DNSSec only comes into play for optimistic encryption, where you want
to use IPsec with arbitrary correspondents across the net.

> 		--Steve Bellovin, http://www.research.att.com/~smb
> 		Full text of "Firewalls" book now at http://www.wilyhacker.com

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
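
Added example, not part of the original message: a responder that selects a pre-shared RSA public key by the peer's domain name, next to a shared-secret table keyed by source address. The names, addresses and keys are constructed, and the unpadded textbook RSA over small Mersenne primes is an assumption made only to keep the sketch self-contained.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Build a textbook RSA key (modulus n, private exponent d) from two primes."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    """SHA-256 of msg reduced into the modulus (no padding: illustration only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

# Constructed keys built from Mersenne primes; far too small for real use.
GW_N, GW_D = make_key(2**127 - 1, 2**89 - 1)
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**61 - 1)

# Pre-shared RSA public keys, indexed by the peer's domain name.
PEER_KEYS = {"gw.example.org": GW_N}
# Address-keyed alternative: one shared secret per known source address.
PSK_BY_ADDR = {"192.0.2.10": b"constructed-secret"}

def authenticate(src_addr, claimed_id, exchange, sig):
    """Accept if sig verifies under the key stored for claimed_id.
    src_addr is deliberately ignored: the name, not the address, picks the key."""
    n = PEER_KEYS.get(claimed_id)
    return n is not None and verify(exchange, sig, n)

def psk_available(src_addr):
    """An address-keyed table has no entry once the peer changes address."""
    return src_addr in PSK_BY_ADDR

def demo():
    exchange = b"constructed key-exchange transcript"
    good = sign(exchange, GW_N, GW_D)
    forged = sign(exchange, OTHER_N, OTHER_D)  # right name, wrong private key
    return {
        "old_addr": authenticate("192.0.2.10", "gw.example.org", exchange, good),
        "new_v6_addr": authenticate("2001:db8::10", "gw.example.org", exchange, good),
        "wrong_key": authenticate("2001:db8::10", "gw.example.org", exchange, forged),
        "psk_after_move": psk_available("2001:db8::10"),
    }

if __name__ == "__main__":
    print(demo())
```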

