Re: potential new IETF WG on anonymous IPSec

2004-09-20 Thread John Kelsey
>From: "Major Variola (ret)" <[EMAIL PROTECTED]> >Sent: Sep 17, 2004 10:27 PM >To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> >Subject: Re: potential new IETF WG on anonymous IPSec >At 06:20 AM 9/17/04 +, Justin wrote: >>On 2004-09-16T20:11:

Re: potential new IETF WG on anonymous IPSec

2004-09-17 Thread Bill Stewart
At 04:05 PM 9/16/2004, Joe Touch wrote: FWIW, the other system we were referring to - TCP-MD5 - works at the TCP layer. It rejects packets within TCP, before any further TCP processing, that don't match the MD5 hash. It isn't BGP authentication. Oh - I'd misunderstood. Yes, that sounds much hard

Re: potential new IETF WG on anonymous IPSec

2004-09-17 Thread Justin
On 2004-09-17T19:27:09-0700, Major Variola (ret) wrote: > > At 06:20 AM 9/17/04 +, Justin wrote: > >On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote: > >> At 02:17 PM 9/16/04 -0700, Joe Touch wrote: > >> >Except that certs need to be signed by authorities that are trusted. > > >> Name o

Re: potential new IETF WG on anonymous IPSec

2004-09-17 Thread Major Variola (ret)
At 09:09 AM 9/17/04 +0200, Thomas Shaddack wrote: >On Thu, 16 Sep 2004, Major Variola (ret) wrote: > >> At 02:17 PM 9/16/04 -0700, Joe Touch wrote: >> >Except that certs need to be signed by authorities that are trusted. >> >> Name one. > >You don't have to sign the certs. Use self-signed ones, th

Re: potential new IETF WG on anonymous IPSec

2004-09-17 Thread Major Variola (ret)
At 06:20 AM 9/17/04 +, Justin wrote: >On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote: >> >> At 02:17 PM 9/16/04 -0700, Joe Touch wrote: >> >Except that certs need to be signed by authorities that are trusted. >> >> Name one. > >Oh, come on. Nothing can be absolutely trusted. How much

Re: potential new IETF WG on anonymous IPSec

2004-09-17 Thread Joe Touch
Ian Grigg wrote: ... I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs. Let's see if I can make these assumptions clearer, because I still perceive t

Re: potential new IETF WG on anonymous IPSec

2004-09-17 Thread Ian Grigg
Joe Touch wrote: Ian Grigg wrote: On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setti

Re: potential new IETF WG on anonymous IPSec

2004-09-17 Thread Thomas Shaddack
On Thu, 16 Sep 2004, Major Variola (ret) wrote: > At 02:17 PM 9/16/04 -0700, Joe Touch wrote: > >Except that certs need to be signed by authorities that are trusted. > > Name one. You don't have to sign the certs. Use self-signed ones, then publish a GPG signature of your certificate in a known

Re: potential new IETF WG on anonymous IPSec

2004-09-16 Thread Justin
On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote: > > At 02:17 PM 9/16/04 -0700, Joe Touch wrote: > >Except that certs need to be signed by authorities that are trusted. > > Name one. Oh, come on. Nothing can be absolutely trusted. How much security is enough? Aren't the DOD CAs trusted

Re: potential new IETF WG on anonymous IPSec

2004-09-16 Thread Major Variola (ret)
At 02:17 PM 9/16/04 -0700, Joe Touch wrote: >Except that certs need to be signed by authorities that are trusted. Name one.

Re: potential new IETF WG on anonymous IPSec

2004-09-16 Thread Joe Touch
Bill Stewart wrote: At 02:17 PM 9/16/2004, Joe Touch wrote: Ian Grigg wrote: On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive

Re: potential new IETF WG on anonymous IPSec

2004-09-16 Thread Bill Stewart
At 02:17 PM 9/16/2004, Joe Touch wrote: Ian Grigg wrote: On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attack

Re: potential new IETF WG on anonymous IPSec

2004-09-16 Thread Joe Touch
Ian Grigg wrote: Bill Stewart wrote: Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting "E.g., it is not feasible for BGP routers to be conf

Re: potential new IETF WG on anonymous IPSec

2004-09-15 Thread Ian Grigg
Bill Stewart wrote: Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting "E.g., it is not feasible for BGP routers to be configured with the

Re: potential new IETF WG on anonymous IPSec

2004-09-13 Thread Major Variola (ret)
Currently BGP is "secured" by 1. accepting BGP info only from known router IPs 2. ISPs not propagating BGP from the edge inwards It's a serious vulnerability (as in, take down the net), equivalent to the ability to confuse the post office machinery that sorts postcards. All you need to do is subve

Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from hal@finney.org) (fwd from touch@ISI.EDU)

2004-09-11 Thread R. A. Hettinga
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Sat, 11 Sep 2004 14:53:59 -0700 (PDT) From: bear <[EMAIL PROTECTED]> To: Eugen Leitl <[EMAIL PROTECTED]> Cc: Cryptography List <[EMAIL PROTECTED]> Subject: Re: [anonsec] Re: potential new IETF WG on anonymous IPSec

Re: anonymous IP terminology (Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from hal@finney.org))

2004-09-11 Thread R. A. Hettinga
Subject: Re: anonymous IP terminology (Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from [EMAIL PROTECTED])) User-Agent: Mutt/1.4.1i Sender: [EMAIL PROTECTED] On Sat, Sep 11, 2004 at 11:38:00AM -0700, Joe Touch wrote: > >>Although anonymous access i

anonymous IP terminology (Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from hal@finney.org))

2004-09-11 Thread R. A. Hettinga
Subject: anonymous IP terminology (Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from [EMAIL PROTECTED])) User-Agent: Mutt/1.4.1i Sender: [EMAIL PROTECTED] Joe Touch <[EMAIL PROTECTED]> wrote: > >The point has nothing to do with anonymity; > > The last one, agreed.

Re: potential new IETF WG on anonymous IPSec

2004-09-11 Thread Joe Touch
Bill Stewart wrote: At 12:57 PM 9/9/2004, Hal Finney wrote: > http://www.postel.org/anonsec To clarify, this is not really "anonymous" in the usual sense. Rather it is a proposal to an extension to IPsec to allow for unauthenticated connections. Presently IPsec relies on either pre-shared

Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from hal@finney.org) (fwd from touch@ISI.EDU)

2004-09-11 Thread R. A. Hettinga
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Fri, 10 Sep 2004 18:20:28 +0200 From: Eugen Leitl <[EMAIL PROTECTED]> To: Cryptography List <[EMAIL PROTECTED]> Subject: Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from [EMAIL PROTECTED]) (fwd

Re: potential new IETF WG on anonymous IPSec

2004-09-10 Thread Bill Stewart
At 12:57 PM 9/9/2004, Hal Finney wrote: > http://www.postel.org/anonsec To clarify, this is not really "anonymous" in the usual sense. Rather it is a proposal to an extension to IPsec to allow for unauthenticated connections. Presently IPsec relies on either pre-shared secrets or a trusted

Re: potential new IETF WG on anonymous IPSec

2004-09-10 Thread Zooko O'Whielcronx
On 2004, Sep 09, , at 16:57, Hal Finney wrote: To clarify, this is not really "anonymous" in the usual sense. Rather it is a proposal to an extension to IPsec to allow for unauthenticated connections. Presently IPsec relies on either pre-shared secrets or a trusted third party CA to authenticate