Re: [Users] Announce: FreeS/WAN Project Ending
From: Paul Wouters <paul(at)xtdnet.nl>
Date: Tue Mar 09 2004 - 11:01:45 EST
> If you want to put a system like OE in place and have it widely used,

We have made it simpler, though not faultless yet. If the last bugs are ironed out, there is no configuration of the user necessary, apart from having a valid hostname and key in the forward dns.

> really common. (When I mentioned this difficulty a long time ago on

Access to the reverse is only needed for OE on servers, not for clients connecting to it. Also, the widespread use of NAT required us to also store the key in some forward zone.

> system more successful (IE, trivial to use). Throw in dynamic IP

host -t key vaio.xtdnet.nl. (or use a txt record)

> 1) PGP. pgp has key servers to help connect 2 otherwise

We have written the hooks for dhclient to push the TXT/KEY record from your machine into a forward zone you can control. Though I don't think any of the free dns zones accept dynamic updates, but I might be wrong or should start one myself :P

> 2) SSH. ssh exchanges the public keys in the first connection, asking

But this only works because nerds use ssh. If your Director of European Sales uses something like this to connect to the corporate VPN, do you think this is still such a good idea? Do you think he might click "no" when the key claims to have changed because his neighbour's laptop is being a man in the middle? Also, for ssh this is used in a scenario where you connect to a few trusted ssh servers. OE is meant to connect to everyone and their grandmother, and you would be hitting "yes I don't care the key changed" every 5 minutes.

> OE is a good technology with good goals. But to say that you're

Why also includes the inability of IETF to come up with decent standards within a decade (KEY record, DNSSEC, secure DHCP), Microsoft's goal of moving everything into their (or Larry's) LDAP, Verisign/NetSol/ICANN politics instead of deploying on technical merits, ISC's arcane slow development of ISC dhcp in the last two years and the ISC "conformance" of the bind software to not release until all the ADs and the RFC Editor have died of old age :P Why also included the "no US code" politics, dropped by Openswan. Sorry for ranting :)

Paul

FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr

Received on Tue Mar 9 11:19:16 2004
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:11 EDT
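As an added example (not code from this post or from FreeS/WAN itself), a small checker for the kind of forward-zone TXT record the post describes, the sort of thing you would run over what `host -t txt` returns before trusting that OE will find your gateway and key. It assumes the FreeS/WAN `X-IPsec-Server(precedence)=gateway key` TXT layout with an RFC 2537/3110 RSA key; the sample record and key bytes are constructed, not a real key.

```python
import base64
import binascii
import re
# Assumed shape of a FreeS/WAN OE TXT record (my assumption, not quoted from the post):
#   X-IPsec-Server(<precedence>)=<gateway> <base64 RSA key, RFC 2537/3110 layout>
# where <gateway> is an IPv4 address or "@hostname" of the IPsec gateway.
_RECORD_RE = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")

def decode_rfc2537_key(blob: bytes):
    """Split an RFC 2537/3110 RSA key blob into (exponent, modulus) integers."""
    # First octet is the exponent length; zero means the length is in the next two.
    if not blob:
        raise ValueError("empty key")
    elen, pos = blob[0], 1
    if elen == 0:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, pos = int.from_bytes(blob[1:3], "big"), 3
    exp_bytes = blob[pos:pos + elen]
    mod_bytes = blob[pos + elen:]
    if len(exp_bytes) != elen or not mod_bytes:
        raise ValueError("truncated key")
    return int.from_bytes(exp_bytes, "big"), int.from_bytes(mod_bytes, "big")

def parse_oe_txt(record: str) -> dict:
    """Parse one X-IPsec-Server TXT string; raises on malformed input."""
    m = _RECORD_RE.match(record.strip())
    if not m:
        raise ValueError("not an X-IPsec-Server record")
    precedence, gateway, key_b64 = m.groups()
    e, n = decode_rfc2537_key(base64.b64decode(key_b64, validate=True))
    return {"precedence": int(precedence), "gateway": gateway,
            "exponent": e, "modulus_bits": n.bit_length()}

def check_record(record: str, expected_gateway: str, min_bits: int = 2048) -> list:
    """Return the problems found; an empty list means the record looks sane."""
    try:
        info = parse_oe_txt(record)
    except (ValueError, binascii.Error) as exc:
        return [f"unparseable: {exc}"]
    problems = []
    if info["gateway"] != expected_gateway:
        problems.append(f"gateway {info['gateway']} != expected {expected_gateway}")
    if info["modulus_bits"] < min_bits:
        problems.append(f"modulus only {info['modulus_bits']} bits")
    return problems

# Constructed sample: exponent 65537 plus a 2048-bit placeholder modulus (not a real key).
_SAMPLE_KEY = bytes([3, 1, 0, 1, 0x80]) + b"\x5a" * 255
SAMPLE_RECORD = "X-IPsec-Server(10)=@vaio.xtdnet.nl " + base64.b64encode(_SAMPLE_KEY).decode()
```

A record that parses but names a different gateway, or a too-short modulus, shows up in the returned list rather than silently being accepted.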