[Openswan Users] DSL modems in bridge mode and UDP fragmentation

Michael Richardson mcr at sandelman.ottawa.on.ca
Sat Jan 3 23:49:53 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Tim" == Tim Bouwer <TBouwer at pfn.com> writes:
    Tim> Thanks for your response.

    >>> No, it isn't inevitable.

    >>> It is only going to occur if you transmit the certificates.  There is very
    >>> little reason to do that.

    >>> Unless you have 1000 road warriors, I don't see a reason to do
    >>> that. It just causes problems, like the one that you have.

    Tim> We use x509 across the board for authentication of the Freeswan
    Tim> gateways and for our roadwarriors and also as the basis for the
    Tim> encryption in preference to preshared keys - it would be difficult

  I never said use pre-shared keys.

  I said, don't transmit the certificates. There is simply no point in doing
that, except for road-warriors where you have a policy of accepting any
certificate from a particular CA, *AND* you have no way to retrieve them
from, say, an LDAP server.
  
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBP/ebb4qHRg3pndX9AQExugP+IL1jkMIbhp55QbohstaAq0g2HcYqLWNe
y/k9jwOVqmq1mcYQwXjDcuCqTLEtnMsgojcSkgOpYDsZQXHgxVYP2TptB4+d/yXh
RVyJk3nzUxmo4G+8OsqzLg2N22cYtEdZuUa68HusUyvzBxUP16KRd9HLLZT+fVkw
TRDd09RLvAY=
=qnlX
-----END PGP SIGNATURE-----
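The configuration the reply recommends, written out as an added illustration (it is not part of the original thread and not a configuration the poster supplied): each gateway holds its own certificate and the CA certificate locally, so the IKE main-mode exchange carries no CERT payload and the UDP datagrams stay below the MTU of the bridged DSL link; only the road-warrior conn, where the gateway accepts any certificate from its own CA, lets the peer send one. Keyword names and values are those documented in Openswan's ipsec.conf(5) (`leftsendcert`, `leftcert`, `rightca`, `rightrsasigkey=%cert`); the addresses, DNs and file names are constructed placeholders, and whether a given FreeS/WAN X.509 build accepts `leftsendcert` is an assumption to check against its own manual.

```conf
# /etc/ipsec.conf fragment -- illustrative, constructed for this note.
# Keywords follow Openswan's ipsec.conf(5); addresses, DNs and file names
# are placeholders.

config setup
    interfaces=%defaultroute

conn %default
    authby=rsasig
    # This host's certificate lives in /etc/ipsec.d/certs/, the CA
    # certificate in /etc/ipsec.d/cacerts/. Nothing is sent on the wire.
    leftcert=gw-a.pem
    leftid="C=XX, O=Example, CN=gw-a.example"
    # Never attach a CERT payload: the peer already has what it needs to
    # verify us, and omitting it keeps IKE packets well under the link MTU.
    leftsendcert=never

# Gateway-to-gateway tunnel: the peer's certificate was installed into
# /etc/ipsec.d/certs/ out of band, so pluto finds its public key locally
# by matching rightid, and no certificate crosses the DSL link.
conn gw-a-to-gw-b
    left=203.0.113.10
    right=198.51.100.20
    rightid="C=XX, O=Example, CN=gw-b.example"
    rightrsasigkey=%cert
    auto=start

# Road-warrior conn: the one case the reply allows for. The gateway does not
# know the client in advance, so it accepts any certificate issued by its CA
# and the *client* is the side that must send its certificate. Expect the
# larger IKE packets (and possible fragmentation) only on these connections.
conn roadwarriors
    left=203.0.113.10
    right=%any
    rightca="C=XX, O=Example, CN=Example CA"
    rightrsasigkey=%cert
    auto=add
```

With this split, fragmentation trouble on the bridged modems is confined to road-warrior setups; if the client certificates can instead be fetched from a directory (the LDAP case the reply mentions), the road-warrior conn can drop the CERT payload as well and use the same locally-resolved `rightrsasigkey=%cert` path as the gateway tunnel.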

