Re: [Design] IPSec in 2.5 Kernel?
From: Jim Carter <jimc(at)math.ucla.edu>
Date: Thu Mar 20 2003 - 18:34:04 EST
I'm using the FreeS/WAN 1.98 that comes with SuSE 8.1, and it did OE once I put in the right DNS records. It helped that I'm the DNS administrator for the relevant domain.

It would seem useful to me to allow anonymous ipsec, e.g. Diffie-Hellman key exchange and that's all. You don't know who you're talking to, but "they" can't snoop your packets. For many sites (but not mine) this is all you really need; impersonation is a threat to only a subset of users, and many users have a real problem setting their TXT and KEY records.

As a second step, if demanded by policy, one or both sides could prove their identity by various means, e.g. a key from a trusted secure DNS server, or an X.509 certificate signed by The UCLA-Mathnet Certificate Authority.

Of course, I'm no guru. I don't know if I would be bending or actually breaking the procedures in the RFCs.

Yes, the user could sign up for dynamic DNS, but at both the client and the server end the sysadmin is going to ask, what does OE get me and is it worth it? A jab at John Ashcroft (and his predecessors) is worth a little work in ipsec.conf or my own DNS tables, but as seen by me, probably not worth the hassle of dealing with an account on an unrelated system for dynamic DNS, even if free. With anonymous ipsec, the political jab takes a whole lot less work.

(But as I understand it, OE can be very useful in a dispersed organization with many-to-many connectivity, and with an I.T. staff willing to maintain the DNS records. E.g. at subnet West, machines West-A and West-B and... need to talk securely to any of East-A, East-B...)

James F. Carter
Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc(at)math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)

Design mailing list Design@lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/design
Received on Thu Mar 20 19:05:41 2003