[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Design] Re: opportunistic encryption deployment problems

To: ipsec@lists.tislabs.com, design@lists.freeswan.org
Subject: Re: [Design] Re: opportunistic encryption deployment problems
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Thu, 08 Nov 2001 19:02:17 -0500
cc: sommerfeld@East.Sun.COM
In-reply-to: Your message of "Mon, 20 Aug 2001 17:00:06 EDT." <200108202100.f7KL07022725@thunk.east.sun.com>
Sender: owner-ipsec@lists.tislabs.com

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Bill" == Bill Sommerfeld <sommerfeld@east.sun.com> writes:
    Bill> I'd like to suggest two changes to the proposal:

    Bill>  1) in the absence of a secured inverse zone, disallow use of a
    Bill> tunnel-to address different from the end system's address.
    Bill> Alternatively, just use transport mode..

  I have no objection to such a statement in a draft.

  As this is an Information RFC, and it documents what we do (and we don't do
this), I'm not sure it belongs in our draft.

    Bill> While it's outside the scope of a protocol specification, the spec
    Bill> should recommend that, in the absence of some form of certification,
    Bill> implementations should make {dnsname,address}->key mappings "sticky"
    Bill> using techniques similar to those currently used by ssh.

  I'll see if I can find a place to put this.
  The above comments apply again.

    Bill> I also think that some more thought should be given to ways to use
    Bill> opportunistic encryption in conjunction with the NAT traversal drafts;
    Bill> the current draft encourages using cleartext communications on the
    Bill> "inside" of the NAT, which is clearly the wrong answer when there's
    Bill> 802.11 on the "inside" of the NAT..

  As long as the OE host behind the NAT is the initiator and the responder
supports ESPUDP, I do not see any reason why this needs any special
considerations. 
  There is a section in the draft on what does and doesn't work already with
NATs (section 8) which refers specifically to ESPUDP.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBO+sc/IqHRg3pndX9AQGt1wP/VX/ygfsInyh8Ldfr3qx9w70LHn82wU6m
2vQaAHSM+CBD6z5rQSE2Q8r3d/gdX5isxnWH8mFInv0IOYqeC8fRr+MmMhmebtmp
/wCO0UAtaH4M6H+N1OxnA+jTE+gqb45WwG1qu1xQkjJqmV35Ue33qEu4GXBIbzmf
r0khye9Vj40=
=osTK
-----END PGP SIGNATURE-----

Prev by Date: discussion of IPsec MIB requirements and goals, and my review of IPsec Flow Monitoring MIB
Next by Date: update to draft-richardson-ipsec-opportunistic.txt
Prev by thread: discussion of IPsec MIB requirements and goals, and my review of IPsec Flow Monitoring MIB
Next by thread: update to draft-richardson-ipsec-opportunistic.txt
Index(es):
- Main
- Thread