Re: IPSEC wireless router ?
- From: Jeff Liebermann <jeffl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 26 Sep 2005 09:14:59 -0700
On 25 Sep 2005 12:33:53 -0700, lynn@xxxxxxxxxx wrote:
I'll risk a bit of topic drift here...
>to a large degree, the appearance of SSL was because of the same factor
>... the difficulty with doing end-to-end ipsec because of its
>impacting, existing deployed systems.
Difficulty is an understatement. The AH encapsulation would
effectively prevent re-writing the header on NAT firewalls making that
useless. At least ESP payload only works through NAT. Replay attack
prevention seems to cause some compatibility issues with different
implementations. I lost count of how many different encryption and
authentication protocols were available. Compatibility still seems to
be a problem:
I've also lost count of how many bug reports I've submitted to
manufacturers over VPN compatibility issues. My guess(tm) is that SSL
is becoming popular because it offers considerable simplicity and
>however, as part of that effort, we coined the term "certificate
>manufacturing" ... since the majority of the operations weren't
>actually doing full-fledged PKIs
Well, part of the incentive was that Verisign was charging ridiculous
amounts for a server certificate. That might be justifiable with a
big ecommerce site, but not with a small hosted web site that just
wants something better than a password. If Verisign had recognized
the market and priced their PKI services accordingly, there would not
have been any need for the "certificate manufactories".
>it was quite a trivial proof to show that
>the digital certificates were redundant and superfluous (if you were
>relying on existing business operations for real-time validity ... then
>it was a very short step to having existing business operations also
>providing public keys in real time).
Well, when the browser now says "Just click here to accept this
certificate as valid" without the slightest authentication, one might
as well pretend that everything is valid. As I recall that was in
response to MS expiring all their certificates issued with Windoze
runtimes in 2000(?) combined with the social engineering of some MS
certificates from Verisign, where MS discovered they had no way to
revoke a certificate.
>there is now even cross-over between the original 94 vpn and the 94 ssl
>... with the appearance of ssl-based VPNs.
Yes, for good reason. The browsers all have SSL capability and an SSL
based VPN can therefore be deployed with a minimum of butchery on the
>However, there are numerous examples of infrastructures that use public
>keys, digital signatures, encrypted channels that don't involve PKI,
>certification authorities, and/or digital signatures.
Ummm.... Pre shared keys? (Never mind).
>in any case, IPSEC PKI infrastructure can carry with it a much heavier
>infrastructure operation than is actually needed for public key
>authentication and encryption (and even can be redundant and
>superfluous compared to simple upgrades to existing management and
We're talking about a home user with probably a handful of potential
users. The alleged benefit of PKI is that it authenticates the
terminating web pages as being whom they claim to be. I've set up
bogus servers to see how typical clients react. I've found that some
method of authentication is required as almost all users are
clueless when a counterfeit web page appears. I even got caught in my
own trap when I forgot to turn it off one day. Same with a faked SSID
hot spot running HostAP. One doesn't really "need" PKI and a CA to do
the authentication, but methinks it is generally a good idea.
Jeff Liebermann jeffl@xxxxxxxxxxxxxxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
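
The AH versus ESP behaviour through NAT mentioned in the message above, as an added example that is not part of the original post: a simplified model of what each integrity check value (ICV) covers. The `Packet` fields, key, addresses and the use of truncated HMAC-SHA-256 are assumptions for illustration, not real packet layouts.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

@dataclass(frozen=True)
class Packet:              # simplified model, not a wire format
    src: str               # outer IP source address
    dst: str               # outer IP destination address
    ttl: int               # mutable in transit
    spi: int
    seq: int
    payload: bytes
    icv: bytes = b""

def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ah_icv(p: Packet) -> bytes:
    # AH authenticates the immutable outer IP header fields (addresses
    # included) plus SPI, sequence number and payload. Mutable fields
    # such as TTL are treated as zero for the calculation.
    addrs = ipaddress.IPv4Address(p.src).packed + ipaddress.IPv4Address(p.dst).packed
    return _mac(addrs + struct.pack("!BII", 0, p.spi, p.seq) + p.payload)

def esp_icv(p: Packet) -> bytes:
    # ESP authenticates only its own header and payload, not the outer IP header.
    return _mac(struct.pack("!II", p.spi, p.seq) + p.payload)

def verify(p: Packet, icv_fn) -> bool:
    return hmac.compare_digest(p.icv, icv_fn(p))

def route(p: Packet) -> Packet:
    return replace(p, ttl=p.ttl - 1)                  # ordinary hop: TTL only

def nat(p: Packet, public_src: str) -> Packet:
    return replace(p, src=public_src, ttl=p.ttl - 1)  # NAT rewrites the source

def demo() -> dict:
    base = Packet("192.168.1.10", "203.0.113.5", 64, 0x1000, 1, b"constructed payload")
    out = {}
    for name, fn in (("AH", ah_icv), ("ESP", esp_icv)):
        sent = replace(base, icv=fn(base))
        out[name] = {"routed": verify(route(sent), fn),
                     "natted": verify(nat(sent, "198.51.100.7"), fn)}
    return out

if __name__ == "__main__":
    print(demo())
```

The model covers integrity coverage only; it does not model port translation or transport-layer checksums.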