IPSec without AH

Erik Norgaard norgaard at locolomo.org
Sun Jan 23 08:57:03 PST 2005


J65nko BSD wrote:
>>Of course, it requires access to the (public?) keys to create valid
>>encrypted packets. Hence, if the public key is kept as a shared secret
>>among the authorized users, one could assume that ESP packets are
>>authenticated/trusted.
>>
>>This is my idea, discard AH, rely on ESP and assume that anyone capable
>>of producing decryptable packets must have access to the pre-shared
>>secret "public" key and hence authorized.
> 
> You are not the first to have this idea. The authors of "Secure
> Architectures with OpenBSD" already published this ;)

Dang! Why does someone always steal my ideas before I get them?

>>AH would work, if both ends were NAT-aware, such that the right src/dst
>>IP could be inserted in the header before checking. It just occurred to
>>me that maybe this could be done by adding yet another IP/IP tunnel?
> 
> OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html:
> 
> "isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706)."
> Don't know how long it would take before this is supported by FreeBSD ;)

Interesting, I'll take a look at that - thanks.

Erik

-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
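The point argued in the thread (AH breaks behind NAT because its ICV covers the outer IP addresses, whereas ESP's integrity check covers only the ESP header and payload, so a NAT rewrite leaves it intact) can be shown with a small simulation. The following is an added example, not code from the thread or from any IPsec implementation: packets are modelled as Python objects rather than raw IP datagrams, the keys and addresses are constructed for the illustration, and the ICV is an HMAC-SHA256 truncated to 96 bits in the style of RFC 4302/4303 (the coverage rules follow those RFCs; the byte layout does not). One caveat the thread's wording leaves implicit: the "anyone who can produce a valid packet must hold the key" argument relies on ESP's *integrity* service being enabled on the SA; encryption-only ESP provides no authentication.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed keys for the illustration only; not real SA material.
AH_KEY = b"ah-integrity-key-constructed"
ESP_KEY = b"esp-integrity-key-constructed"


@dataclass
class Packet:
    src: str        # immutable in transit per RFC 4302 (covered by AH ICV)
    dst: str        # immutable in transit per RFC 4302 (covered by AH ICV)
    ttl: int        # mutable in transit; zeroed before computing the AH ICV
    spi: int        # Security Parameters Index (AH and ESP header field)
    seq: int        # sequence number (AH and ESP header field)
    payload: bytes  # for ESP this is already-encrypted data (ciphertext)


def _icv(key: bytes, covered: bytes) -> bytes:
    # 96-bit truncated HMAC, the conventional IPsec ICV length.
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]


def ah_icv(pkt: Packet, key: bytes = AH_KEY) -> bytes:
    # AH covers the outer IP header with mutable fields (TTL here) treated as
    # zero, plus the AH header fields and the payload. src/dst are included.
    covered = (f"src={pkt.src}|dst={pkt.dst}|ttl=0|"
               f"spi={pkt.spi}|seq={pkt.seq}|").encode() + pkt.payload
    return _icv(key, covered)


def esp_icv(pkt: Packet, key: bytes = ESP_KEY) -> bytes:
    # ESP integrity covers only SPI, sequence number and the (encrypted)
    # payload. The outer IP header is deliberately excluded.
    covered = f"spi={pkt.spi}|seq={pkt.seq}|".encode() + pkt.payload
    return _icv(key, covered)


def nat(pkt: Packet, new_src: str) -> Packet:
    # A NAT gateway rewrites the source address and decrements the TTL.
    return replace(pkt, src=new_src, ttl=pkt.ttl - 1)


def ah_verifies(received: Packet, icv: bytes, key: bytes = AH_KEY) -> bool:
    return hmac.compare_digest(ah_icv(received, key), icv)


def esp_verifies(received: Packet, icv: bytes, key: bytes = ESP_KEY) -> bool:
    return hmac.compare_digest(esp_icv(received, key), icv)


def demo() -> dict:
    """Run the scenarios from the thread and return which ICV checks pass."""
    orig = Packet("10.0.0.5", "203.0.113.9", 64, 0x1000, 1, b"ciphertext-blob")
    a, e = ah_icv(orig), esp_icv(orig)

    after_nat = nat(orig, "198.51.100.7")          # NAT rewrote src, TTL-1
    ttl_only = replace(orig, ttl=63)               # a plain router hop
    nat_aware = replace(after_nat, src=orig.src)   # receiver restores src
    forged = replace(orig, payload=b"attacker-blob")

    return {
        # AH: a router hop is fine (TTL is mutable), a NAT rewrite is not,
        # unless the receiver can put the original src back before checking.
        "ah_direct": ah_verifies(orig, a),
        "ah_after_hop": ah_verifies(ttl_only, a),
        "ah_after_nat": ah_verifies(after_nat, a),
        "ah_nat_aware": ah_verifies(nat_aware, a),
        # ESP: NAT does not touch anything the ICV covers.
        "esp_direct": esp_verifies(orig, e),
        "esp_after_nat": esp_verifies(after_nat, e),
        # Without the integrity key, nobody can mint a packet that verifies.
        "esp_forged_payload": esp_verifies(forged, e),
        "esp_wrong_key": esp_verifies(orig, esp_icv(orig, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}")
```

The `ah_nat_aware` case is the workaround the post speculates about: if the receiving end knows which address the NAT replaced, it can substitute it back before computing the ICV. That is exactly the knowledge a NAT-traversal mechanism would have to carry out of band, which is why implementations went with UDP-encapsulated ESP instead.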


More information about the freebsd-questions mailing list