J65nko BSD wrote:
Of course, it requires access to the (public?) keys to create valid
encrypted packets. Hence, if the public key is kept as a shared secret
among the authorized users, one could assume that ESP packets are
authenticated/trusted.

This is my idea, discard AH, rely on ESP and assume that anyone capable
of producing decryptable packets must have access to the pre-shared
secret "public" key and hence authorized.

You are not the first to have this idea. The authors of "Secure Architectures with OpenBSD" already published this ;)

Dang! Why does someone always steal my ideas before I get them?

AH would work, if both ends were NAT-aware, such that the right src/dst
IP could be inserted in the header before checking. It just occurred to
me that maybe this could be done by adding yet another IP/IP tunnel?

OpenBSD 3.6 supports NAT traversal. From http://openbsd.org/36.html:

"isakmpd(8) now supports NAT-traversal and Dead Peer Detection (RFC 3706)."
Don't know how long it would take before this is supported by FreeBSD ;)

Interesting, I'll take a look at that - thanks.

Erik

--
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
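The point the exchange turns on, as an added Python example that is not from the thread: AH's integrity check covers the (immutable) source and destination addresses, so a NAT rewrite breaks verification unless a NAT-aware receiver puts the original address back before checking, while ESP's ICV covers only the ESP part and survives the same rewrite. The key, addresses and the simplified AH coverage (the AH header itself is left out of the hash) are constructed assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed shared key, not from the thread
AH_PROTO, ESP_PROTO = 51, 50

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))

def ah_icv(ip_hdr, payload, key=KEY):
    """AH ICV (RFC 2402/2404, HMAC-SHA1-96): IP header with mutable fields
    zeroed (TOS, flags/frag offset, TTL, checksum) plus payload. Src/dst are
    immutable, so a NAT rewrite invalidates it. Simplified: AH header omitted."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return hmac.new(key, bytes(h) + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_data, key=KEY):
    """ESP ICV (RFC 2406) covers only SPI, sequence number, payload and
    trailer; the outer IP header is never authenticated."""
    return hmac.new(key, esp_data, hashlib.sha1).digest()[:12]

def nat_rewrite_src(pkt, new_src):
    """What a NAT box does: rewrite the outer source address (bytes 12..16)."""
    p = bytearray(pkt); p[12:16] = ip_bytes(new_src); return bytes(p)

def demo():
    """Returns (AH verifies after NAT, AH verifies after restoring src, ESP verifies after NAT)."""
    inner = b"constructed inner packet"
    # AH: sender computes the ICV, NAT rewrites src, receiver recomputes
    hdr = ipv4_header("10.0.0.5", "203.0.113.9", AH_PROTO, len(inner))
    sent = ah_icv(hdr, inner)
    natted = nat_rewrite_src(hdr, "198.51.100.7")
    ah_after_nat = hmac.compare_digest(ah_icv(natted, inner), sent)
    # NAT-aware receiver: put the right src back into the header before checking
    restored = nat_rewrite_src(natted, "10.0.0.5")
    ah_restored = hmac.compare_digest(ah_icv(restored, inner), sent)
    # ESP: the ICV is over the ESP part only, so the same NAT rewrite is harmless
    esp = struct.pack("!II", 0x1000, 1) + inner        # SPI, seq, data
    pkt = ipv4_header("10.0.0.5", "203.0.113.9", ESP_PROTO, len(esp)) + esp
    esp_sent = esp_icv(pkt[20:])
    esp_natted = nat_rewrite_src(pkt, "198.51.100.7")
    esp_after_nat = hmac.compare_digest(esp_icv(esp_natted[20:]), esp_sent)
    return ah_after_nat, ah_restored, esp_after_nat
```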