Full Disclosure mailing list archives
Re: IPsecurity theater
From: Joachim Schipper <j.schipper () math uu nl>
Date: Sat, 26 Nov 2005 20:51:27 +0100
On Sat, Nov 26, 2005 at 07:35:34AM -0800, coderman wrote:
On 11/26/05, Joachim Schipper <j.schipper () math uu nl> wrote:I fully agree. But if you only want to accept traffic from trusted, authenticated sources, it's about as close to that as you can get.what i'd like a key daemon to do: - create or import a symmetric key database (hardware entropy++) - for encrypted key databases prompt for authentication - enter SA's according to key schedule associated with db - invalidate used keys and securely delete them from db you can assume that key distribution details are covered. what i don't what it ever doing: opening a public network socket and listening to unauthenticated traffic (ISAKMP).
No need to run a daemon for all that. Just use gnupg for the encryption, setkey (linux/KAME), ipsecctl (OpenBSD), or whatever your OS of choice uses to set up keys, and a couple of cron jobs to read the database and invalidate old keys. Not quite as trivial as the above makes it out to be, of course, and all hell will break loose if you ever have a big clock skew, but outside of that, I don't see why it wouldn't work. Joachim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IPsecurity theater coderman (Nov 25)
- Re: IPsecurity theater Joachim Schipper (Nov 25)
- Re: IPsecurity theater coderman (Nov 25)
- Re: IPsecurity theater Joachim Schipper (Nov 26)
- Re: IPsecurity theater coderman (Nov 26)
- Re: IPsecurity theater Joachim Schipper (Nov 26)
- Re: IPsecurity theater coderman (Nov 25)
- Re: IPsecurity theater Joachim Schipper (Nov 25)