
| Subject: | Re: [Full-disclosure] IPsecurity theater |
|---|---|
| Date: | Sat, 26 Nov 2005 20:51:27 +0100 |

On Sat, Nov 26, 2005 at 07:35:34AM -0800, coderman wrote:
> On 11/26/05, Joachim Schipper <j.schipper@math.uu.nl> wrote:
> > I fully agree. But if you only want to accept traffic from trusted,
> > authenticated sources, it's about as close to that as you can get.
>
> what i'd like a key daemon to do:
> - create or import a symmetric key database (hardware entropy++)
> - for encrypted key databases prompt for authentication
> - enter SA's according to key schedule associated with db
> - invalidate used keys and securely delete them from db
>
> you can assume that key distribution details are covered.
>
> what i don't want it ever doing: opening a public network socket and
> listening to unauthenticated traffic (ISAKMP).

No need to run a daemon for all that. Just use gnupg for the encryption,
setkey (linux/KAME), ipsecctl (OpenBSD), or whatever your OS of choice
uses to set up keys, and a couple of cron jobs to read the database and
invalidate old keys.
Not quite as trivial as the above makes it out to be, of course, and all
hell will break loose if you ever have a big clock skew, but outside of
that, I don't see why it wouldn't work.
Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
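
The cron-driven approach described in the reply above, sketched as an added example (not code from the thread or from either poster). The schedule file format, the function names, the file name `schedule.gpg`, the addresses and all key values are assumptions constructed for illustration; the script only removes expired SAs from the kernel and does not purge them from the encrypted database.

```shell
#!/bin/sh
# Added example: turn a decrypted key schedule into setkey(8) input.
# Assumed schedule format, one outbound SA per line ('#' lines ignored):
#   start_epoch end_epoch spi enc_key_hex auth_key_hex
#
# Intended use from cron (schedule.gpg is a hypothetical file name). The
# commands are collected first so nothing is applied if the run fails:
#   cmds=$(gpg --quiet --decrypt schedule.gpg |
#          emit_sa "$(date +%s)" 192.0.2.1 192.0.2.2) &&
#       printf '%s\n' "$cmds" | setkey -c

# emit_sa NOW SRC DST: reads the schedule on stdin, writes setkey commands.
# Returns 1 unless exactly one slot covers NOW, which is what a large
# clock skew or an exhausted schedule looks like.
emit_sa() {
    awk -v now="$1" -v src="$2" -v dst="$3" '
        /^#/ || NF == 0 { next }
        NF != 5 { bad = 1; next }        # malformed line: fail the run
        $2 <= now {                      # slot is over: remove its SA
            printf "delete %s %s esp %s ;\n", src, dst, $3
            next
        }
        $1 <= now {                      # slot is current: install its SA
            printf "add %s %s esp %s -E rijndael-cbc 0x%s -A hmac-sha1 0x%s ;\n",
                   src, dst, $3, $4, $5
            active++
        }
        END { exit (bad || active != 1) ? 1 : 0 }
    '
}

# Constructed sample schedule (small fake epochs, made-up keys).
sample_schedule() {
    cat <<'EOF'
# start end spi enc_key auth_key
1000 2000 0x1001 00112233445566778899aabbccddeeff 000102030405060708090a0b0c0d0e0f10111213
2000 3000 0x1002 112233445566778899aabbccddeeff00 1112131415161718191a1b1c1d1e1f2021222324
3000 4000 0x1003 2233445566778899aabbccddeeff0011 2122232425262728292a2b2c2d2e2f3031323334
EOF
}
```

Each SA covers one direction only, so the peer runs the same job with the addresses swapped and its own schedule lines.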