From: Major Variola (ret) [EMAIL PROTECTED]
Sent: Sep 17, 2004 10:27 PM
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Re: potential new IETF WG on anonymous IPSec
At 06:20 AM 9/17/04 +, Justin wrote:
On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote:
..
Oh, come on. Nothing can
At 09:09 AM 9/17/04 +0200, Thomas Shaddack wrote:
On Thu, 16 Sep 2004, Major Variola (ret) wrote:
At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
Except that certs need to be signed by authorities that are trusted.
Name one.
You don't have to sign the certs. Use self-signed ones, then publish a
On 2004-09-17T19:27:09-0700, Major Variola (ret) wrote:
At 06:20 AM 9/17/04 +, Justin wrote:
On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote:
At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
Except that certs need to be signed by authorities that are trusted.
Name one.
Oh,
At 04:05 PM 9/16/2004, Joe Touch wrote:
FWIW, the other system we were referring to - TCP-MD5 - works at the TCP
layer. It rejects packets within TCP, before any further TCP processing,
that don't match the MD5 hash. It isn't BGP authentication.
Oh - I'd misunderstood. Yes, that sounds much
At 06:20 AM 9/17/04 +, Justin wrote:
On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote:
At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
Except that certs need to be signed by authorities that are trusted.
Name one.
Oh, come on. Nothing can be absolutely trusted. How much security is
Ian Grigg wrote:
..
I wouldn't think that the encryption need be opportunistic; in the BGP
backbone world, as you noted, peers are known a-priori, and should
have certs that could be signed by well-known, trusted CAs.
Let's see if I can make these assumptions clearer, because
I still perceive
Ian Grigg wrote:
Bill Stewart wrote:
Also, the author's document discusses protecting BGP to prevent
some of the recent denial-of-service attacks,
and asks for confirmation about the assertion in a message
on the IPSEC mailing list suggesting
E.g., it is not feasible for BGP routers to be
Joe Touch wrote:
Ian Grigg wrote:
On the backbone, between BGP peers, one would have thought
that there are relatively few attackers, as the staff are
highly trusted and the wires are hard to access - hence no
active attacks going on and only some passive eavesdropping
attacks. Also, anyone
On Thu, 16 Sep 2004, Major Variola (ret) wrote:
At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
Except that certs need to be signed by authorities that are trusted.
Name one.
You don't have to sign the certs. Use self-signed ones, then publish a GPG
signature of your certificate in a known
Bill Stewart wrote:
At 02:17 PM 9/16/2004, Joe Touch wrote:
Ian Grigg wrote:
On the backbone, between BGP peers, one would have thought
that there are relatively few attackers, as the staff are
highly trusted and the wires are hard to access - hence no
active attacks going on and only some
At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
Except that certs need to be signed by authorities that are trusted.
Name one.
On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote:
At 02:17 PM 9/16/04 -0700, Joe Touch wrote:
Except that certs need to be signed by authorities that are trusted.
Name one.
Oh, come on. Nothing can be absolutely trusted. How much security is
enough?
Aren't the DOD CAs trusted
At 02:17 PM 9/16/2004, Joe Touch wrote:
Ian Grigg wrote:
On the backbone, between BGP peers, one would have thought
that there are relatively few attackers, as the staff are
highly trusted and the wires are hard to access - hence no
active attacks going on and only some passive eavesdropping
Bill Stewart wrote:
Also, the author's document discusses protecting BGP to prevent
some of the recent denial-of-service attacks,
and asks for confirmation about the assertion in a message
on the IPSEC mailing list suggesting
E.g., it is not feasible for BGP routers to be configured with the
On Wed, 15 Sep 2004, Ian Grigg wrote:
The whole point of the CA model is that there is no prior
relationship and that the network is a wild wild west sort
of place - both of these assumptions seem to be reversed
in the backbone world, no? So one would think that using
opportunistic
On Sun, 12 Sep 2004, R. A. Hettinga wrote:
From: Adam Back [EMAIL PROTECTED]
Subject: Re: anonymous IP terminology (Re: [anonsec] Re: potential new IETF
At ZKS we had software to remail
MIME mail to provide a pseudonymous email. But one gotcha is that
mail clients include MIME boundary
Currently BGP is secured by
1. accepting BGP info only from known router IPs
2. ISPs not propagating BGP from the edge inwards
It's a serious vulnerability (as in, take down the net),
equivalent to the ability to confuse the post office
machinery that sorts postcards. All you need to
do is
At 12:57 PM 9/9/2004, Hal Finney wrote:
http://www.postel.org/anonsec
To clarify, this is not really anonymous in the usual sense. Rather it
is a proposal to an extension to IPsec to allow for unauthenticated
connections. Presently IPsec relies on either pre-shared secrets or a
trusted
Bill Stewart wrote:
At 12:57 PM 9/9/2004, Hal Finney wrote:
http://www.postel.org/anonsec
To clarify, this is not really anonymous in the usual sense. Rather it
is a proposal to an extension to IPsec to allow for unauthenticated
connections. Presently IPsec relies on either pre-shared
On 2004, Sep 09, , at 16:57, Hal Finney wrote:
To clarify, this is not really anonymous in the usual sense. Rather it
is a proposal to an extension to IPsec to allow for unauthenticated
connections. Presently IPsec relies on either pre-shared secrets or a
trusted third party CA to authenticate
--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
From: Paul Syverson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Paul Syverson [EMAIL PROTECTED]
Subject: potential new IETF WG on anonymous IPSec
User-Agent: Mutt/1.4.1i
Sender: [EMAIL PROTECTED]
List-Id: Primary NymIP discussion list
The IETF has been discussing setting up a working group
for anonymous IPSec. They will have a BOF at the next IETF
in DC in November. They're also setting up a mailing list you
might be interested in if you haven't heard about it already.
...
http://www.postel.org/anonsec
To