
opportunistic (was RE: Don't remove TS from IKEv2)



On Mon, 25 Mar 2002, Michael Choung Shieh wrote:
> It seems to me the model of "Opportunistic Encryption" is only applicable to
> client-server, not peer-to-peer scenario.

Why?  Please explain.  The words "client" and "server" do not appear in
the spec, last I looked, and it certainly works peer-to-peer -- we're
using it that way experimentally. 

> It also has blackhole problem
> when data traffic is initiated from server side.

Why?  Please explain.  The protocol is symmetrical; there is no "client"
or "server" distinction made. 

> The other problem is, under client server scenario, usually server is
> protecting more valuable information so it has stricter SPD than clients.

How is this relevant?  Opportunistic encryption is intended to protect
communication that now goes out in cleartext; it is *not* just another
kind of VPN.  There is no particular trust relationship between the two
ends, and no reason why an incoming packet over an OE tunnel is trusted
any more than a packet which arrives from the rest of the Internet. 
Information which is protected from general Internet access should be
protected from access via OE tunnels too.

                                                          Henry Spencer
                                                       henry@spsystems.net
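As an added illustration of the last point in the message above (this is example code written for this page, not code from the thread or from any OE implementation), a toy access check that applies the same address-based policy to a packet whether or not it arrived through an opportunistic IPsec SA, beside the mistaken "treat OE like a VPN" version. The packet fields, port policy and sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address (constructed sample values below)
    dst_port: int   # destination port on the protected host
    via_oe: bool    # True if the packet arrived through an OE tunnel


# Constructed policy: these ports are reachable only from the listed networks;
# any port not listed is open to the whole Internet (as OE-protected cleartext would be).
PROTECTED = {
    22: ("10.0.0.0/8",),     # ssh: internal networks only
    5432: ("10.0.0.0/8",),   # database: internal networks only
}
ANY = ("0.0.0.0/0",)


def _src_in(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in nets)


def allow_trusting_tunnel(pkt):
    """Mistaken policy: an OE tunnel is taken as a trust relationship, so
    anything arriving over it bypasses the per-port address restrictions."""
    if pkt.via_oe:
        return True
    return _src_in(pkt.src, PROTECTED.get(pkt.dst_port, ANY))


def allow_oe_correctly(pkt):
    """Correct policy: OE only removes the cleartext exposure on the wire.
    Access control never consults via_oe; only the address policy decides."""
    return _src_in(pkt.src, PROTECTED.get(pkt.dst_port, ANY))


def tunnel_trust_leaks(packets):
    """Packets the mistaken policy admits but the correct one rejects, i.e.
    the extra exposure created by trusting an OE tunnel."""
    return [p for p in packets
            if allow_trusting_tunnel(p) and not allow_oe_correctly(p)]


# Constructed sample traffic: an arbitrary Internet host reaching the
# database over OE, an internal host on ssh, and an Internet host on port 80.
SAMPLE = [
    Packet("203.0.113.7", 5432, True),
    Packet("10.1.2.3", 22, False),
    Packet("203.0.113.7", 80, True),
]
```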