| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20051126095126.GA18194@melpomene.jschipper.dynalias.net> Date: Sat Nov 26 09:51:38 2005 From: j.schipper at math.uu.nl (Joachim Schipper) Subject: IPsecurity theater On Fri, Nov 25, 2005 at 04:04:31PM -0800, coderman wrote: > On 11/25/05, Joachim Schipper <j.schipper@...h.uu.nl> wrote: > > ... > > While I'm not too sure what you mean, doesn't manual keying solve this > > problem? > > setkey doesn't make the greatest key daemon. something that supports > decent authentication for access to key material and provides some > form of key scheduling would be nice. I fully agree. But if you only want to accept traffic from trusted, authenticated sources, it's about as close to that as you can get. If that's not what you meant, which is quite possible as I'm not sure I understood your initial message fully, could you please elaborate on what you want to do? Just shield vulnerable, sucky key daemons from the wide internet? That's doable with something like isakmpd over stunnel, which, come to think of it, is not a bad idea (but, like all of IPsec, probably a bitch to set up). Joachim
Powered by blists - more mailing lists