[Openswan dev] Opportunistic Encryption thought over - x509 certificates vs DNS TXT records

mcr at xelerance.com mcr at xelerance.com
Tue Apr 20 18:46:44 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----


Marcus, please read:
	draft-richardson-ipsec-opportunistic-15.txt

The security considerations section is extensive and covers all of your
concerns.  OE does not replace VPN out of the box.  

The Win2K system is *NOT* scalable outside of an Enterprise. That's
par for the course for Microsoft - they think about enterprises as their
biggest problem, and never the Internet as a whole.

I suggest that you go and actually setup Opportunistic Encryption before
you go any further. 

DNSSEC has a ways to go to be universally deployed, yes. PowerDNS says
they will implement. Dan Bernstein likely will do so eventually as well
(despite his rants). 

But, you don't need DNSSEC if you are dealing zones you control only
and static IPs. You just secondary all zones onto each gateway. This is
a LOT simpler and WAY more scalable then doing the same thing with LDAP.

You then put the IPs in question into your "private" food group and you
are done for static IPs. A future revision of Openswan will provide a
new food group for cases where we know that there is DNSSEC. (or rather,
it will be insist on private communication with DNSSEC, or bust)

For dynamic IPs (RW), there are several choices, which I won't go into
here.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQIXEb4qHRg3pndX9AQHTnAQAtY54Sd/iqNM9gY/G3yX8HU2fwLbkwtew
MdXubhTaDxmsV+WN1Oylos4hzPOHDz2bOnHtNSb1TBR1O8/zoS0AjUzkDlNuVygr
h2W6JiFyBcVSE9gt0GUpqBuZKD9JVcEhxKCihBVv7gHFA3vcQ7FwdFZeu6TfMryq
I+aW+sSbHe8=
=Zc5Q
-----END PGP SIGNATURE-----


More information about the Dev mailing list