Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!nntp.coast.net!zombie.ncsc.mil!newsgate.duke.edu!agate!ihnp4.ucsd.edu!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!cancer.vividnet.com!hunter.premier.net!www.nntp.primenet.com!nntp.primenet.com!news.sprintlink.net!news-peer.sprintlink.net!newsfeed.internetmci.com!nntp-hub2.barrnet.net!nntp-hub3.barrnet.net!mars.hyperk.com!darkstar!cmott
From: Charles Mott <cmott@srv.net>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: TCP Encryption, part 2
Date: Mon, 30 Sep 1996 09:22:37 -0600
Organization: SRVnet, Inc.
Lines: 29
Message-ID: <Pine.BSF.3.91.960930084835.17253A-100000@darkstar>
References: <Pine.BSF.3.91.960929121424.16142A-100000@darkstar> <52nuf0$ghr@lastactionhero.rs.itd.umich.edu>
NNTP-Posting-Host: ras69.srv.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Sender: cmott@darkstar
In-Reply-To: <52nuf0$ghr@lastactionhero.rs.itd.umich.edu>

On 30 Sep 1996, Dug Song wrote:

> Why TCP-level encryption as opposed to IP?
> I ran the SKIP loadable kernel module on two of my FreeBSD boxes for a
> while without any problems.
>
> Go to http://skip.incog.com/ for public domain source and binaries.

With TCP encryption, public keys can be passed in the SYN packets at the
start of a connection. The initial ACK packets will indicate whether the
opposite sides of the connection recognize the embedded encryption option.
If not, then a normal connection takes place. The public keys should be
randomly selected for each connection, and even changed within a
connection. (This frustrates decryption aided by predictable string
sequences, such as the PORT command preceding an FTP data connection.)

IP encryption requires an elaborate public key discovery mechanism (or
manually set tables of public keys), which incidentally does not support
random public key changes.

I think the NSA and other intelligence agencies might be very happy to see
the SKIP system succeed over more robust schemes. From an architectural
standpoint, I think TCP-level encryption, implemented through self-encoding
header option words, is a better approach than IP-level encryption and
public key discovery mechanisms.

Charles Mott
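The negotiation the post sketches (a per-connection public value carried in a SYN option, echoed in the SYN-ACK by a peer that understands it, and a plain connection otherwise) can be modelled without any network code. The block below is an added example by the editor, not code from the thread or from SKIP; it simulates both endpoints in pure Python. The option kind 253 is one of the experimental kinds from RFC 4727 and is an assumption here, not an assigned value; the Diffie-Hellman group (the Mersenne prime 2^127 - 1 with generator 2) is a toy chosen only so that a 16-byte public value fits in the 40 bytes of option space a TCP header has, and is far too small to be secure. The example also shows what the scheme does not do: the exchanged values are unauthenticated, so a peer that strips or replaces the option is indistinguishable from one that never supported it, and the connection silently proceeds in the clear. A deployment would need a way to detect that downgrade and to bind the values to an identity.

```python
"""Simulated opportunistic key exchange carried in a TCP option (added example)."""
import secrets
from dataclasses import dataclass

# A TCP header is at most 60 bytes, 20 of them fixed, leaving 40 bytes for options.
TCP_OPTION_SPACE = 40
OPT_MSS = 2
OPT_KEYX = 253          # RFC 4727 experimental kind; an assumption for this example

# Toy Diffie-Hellman group, chosen for size, not security: 2**127 - 1 is prime,
# so a public value is 16 bytes and fits beside MSS/window-scale/SACK options.
P = (1 << 127) - 1
G = 2
VALUE_LEN = 16


def encode_option(kind, payload):
    """TCP option TLV: kind byte, length byte (counting itself and kind), data."""
    if len(payload) + 2 > TCP_OPTION_SPACE:
        raise ValueError("option does not fit in TCP option space")
    return bytes([kind, len(payload) + 2]) + payload


def parse_options(buf):
    """Parse a TCP options field into {kind: payload}; stops at EOL, skips NOPs."""
    opts, i = {}, 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed option")
        opts[kind] = buf[i + 2:i + length]
        i += length
    return opts


@dataclass
class Segment:
    syn: bool
    ack: bool
    options: bytes = b""


class Endpoint:
    """One side of the handshake; `supports` says whether it knows OPT_KEYX."""

    def __init__(self, supports=True):
        self.supports = supports
        self.secret = None       # shared secret, or None when the link stays in the clear
        self._priv = None

    def _fresh_public(self):
        # New ephemeral exponent per connection: the post's per-connection keys.
        self._priv = secrets.randbelow(P - 3) + 2
        return pow(G, self._priv, P).to_bytes(VALUE_LEN, "big")

    def _derive(self, peer_value):
        y = int.from_bytes(peer_value, "big")
        if not 1 < y < P - 1:    # reject trivial values before using them
            return None
        return pow(y, self._priv, P)

    def _base_options(self):
        return encode_option(OPT_MSS, (1460).to_bytes(2, "big"))  # as in an ordinary SYN

    def build_syn(self):
        opts = self._base_options()
        if self.supports:
            opts += encode_option(OPT_KEYX, self._fresh_public())
        assert len(opts) <= TCP_OPTION_SPACE
        return Segment(syn=True, ack=False, options=opts)

    def answer_syn(self, syn):
        peer = parse_options(syn.options).get(OPT_KEYX)
        opts = self._base_options()
        if self.supports and peer is not None and len(peer) == VALUE_LEN:
            opts += encode_option(OPT_KEYX, self._fresh_public())
            self.secret = self._derive(peer)
        # A peer that does not know the option ignores it; its SYN-ACK then
        # carries no OPT_KEYX and the client learns it cannot encrypt.
        return Segment(syn=True, ack=True, options=opts)

    def finish(self, synack):
        peer = parse_options(synack.options).get(OPT_KEYX)
        if self.supports and peer is not None and len(peer) == VALUE_LEN:
            self.secret = self._derive(peer)
        else:
            self.secret = None   # fall back to a normal cleartext connection


def handshake(client, server):
    """Run SYN / SYN-ACK between two endpoints; True if both hold the same secret."""
    synack = server.answer_syn(client.build_syn())
    client.finish(synack)
    return client.secret is not None and client.secret == server.secret


if __name__ == "__main__":
    print("both support option:", handshake(Endpoint(True), Endpoint(True)))
    print("server ignores option:", handshake(Endpoint(True), Endpoint(False)))
```

Running it prints `True` for two supporting endpoints and `False` when either side ignores the option; two successive handshakes between supporting endpoints yield different secrets, which is the per-connection property the post asks for. Note that the `False` case looks identical to the client whether the server is old or an intermediary removed the option, which is exactly the downgrade that a scheme of this shape must be designed to detect.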