Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!spool.mu.edu!newspump.sol.net!www.nntp.primenet.com!nntp.primenet.com!howland.erols.net!newsfeed.internetmci.com!news.sprintlink.net!news-peer.sprintlink.net!worldlinx.com!newbridge.com!magnus2!iduncan
From: Ian Duncan <iduncan@newbridge.com>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: TCP Encryption
Date: Mon, 30 Sep 1996 17:31:30 -0400
Organization: Newbridge Networks Corporation
Lines: 33
Message-ID: <Pine.GSO.3.93.960930172903.3617L-100000@magnus2>
References: <Pine.BSF.3.91.960928164946.15233A-100000@darkstar> <324E4BFC.167EB0E7@FreeBSD.org>
Reply-To: Ian Duncan <iduncan@newbridge.com>
NNTP-Posting-Host: 138.120.141.33
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Sender: iduncan@magnus2
In-Reply-To: <324E4BFC.167EB0E7@FreeBSD.org>

On Sun, 29 Sep 1996, Jordan K. Hubbard wrote:

> I think that's adding protection at the wrong level. Consider: It's not
> the transport that needs to be secured, it's certain services that run
> on top [...]

SSH is excellent for protecting logins and X connections in tight spaces
where secure plumbing is hard to come by.

> If, on the other hand, you *really* want to secure an entire pipe, then
> you can still do it with tunneling, implementing a "virtual private
> network" topology with full crypto between the various LANs. One of our
> core team members, Peter Wemm, did something like this with the
> tunneling device and ssh.

Nah. The *right* solution is to build in IPSEC AH/ESP. VPN and end-2-end
are both available when you do this.

> Either way, it doesn't take hacking the TCP/IP stack to provide
> security, simply some setup work with already available tools.

Hacking TCP is definitely wrong, although the folks who brought us SSL may
somewhat violently disagree. Using IP with security should be the best
option. All that's required is a bit of porting support from the FreeBSD
folk. At least two of the readily available implementations are based off
4.4 networking code.

/id
--
Ian Duncan <iduncan@Newbridge.com>
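The "VPN and end-2-end are both available" point above comes down to what ESP carries: a whole IP packet (tunnel mode, gateway to gateway) or just the transport segment (transport mode, host to host). The following is an added illustration, not code from the post or from any of the IPsec implementations it alludes to; it assumes the later RFC 4303 ESP layout (SPI, sequence number, payload, padding, pad length, next header), NULL encryption and no ICV so the trailer can be read in the clear, and constructed sample packets, and it shows a receiver classifying each packet's mode and doing a minimal per-SPI replay check.

```python
import struct

IPPROTO_ESP = 50
NEXT_HEADER_IPV4 = 4   # ESP carries a whole IPv4 packet: tunnel mode (VPN between LANs)
NEXT_HEADER_TCP = 6    # ESP carries a TCP segment: transport mode (end-to-end)

def build_esp(src: bytes, dst: bytes, spi: int, seq: int, next_header: int, inner: bytes) -> bytes:
    """Construct an IPv4 packet carrying ESP (RFC 4303 layout) with NULL
    encryption and no ICV, so the trailer stays readable for parse_esp()."""
    pad_len = (-(len(inner) + 2)) % 4            # keep the 2-byte trailer 4-byte aligned
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding pattern 1,2,3,...
    esp = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, IPPROTO_ESP, 0, src, dst)
    return ip_hdr + esp   # IP checksum left at 0: constructed sample, not wire-valid

def parse_esp(ip_packet: bytes) -> dict:
    """Return SPI, sequence number, mode and inner payload of an IPv4+ESP packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != IPPROTO_ESP:
        raise ValueError("IP protocol %d is not ESP" % ip_packet[9])
    esp = ip_packet[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    payload = esp[8:len(esp) - 2 - pad_len]
    mode = {NEXT_HEADER_IPV4: "tunnel", NEXT_HEADER_TCP: "transport"}.get(next_header, "other")
    return {"spi": spi, "seq": seq, "mode": mode, "payload": payload}

class ReplayCheck:
    """Minimal anti-replay state: reject a sequence number already seen for an SPI."""
    def __init__(self):
        self.seen = {}
    def accept(self, spi: int, seq: int) -> bool:
        if seq in self.seen.setdefault(spi, set()):
            return False
        self.seen[spi].add(seq)
        return True

# Constructed sample traffic (hypothetical addresses, not real captures).
HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 1022, 22, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN to port 22
# Transport mode: the hosts themselves protect the TCP segment end-to-end.
TRANSPORT_PKT = build_esp(HOST_A, HOST_B, 0x100, 1, NEXT_HEADER_TCP, TCP_SEGMENT)
# Tunnel mode: gateways wrap the whole inner IP packet, giving the LAN-to-LAN VPN.
INNER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_SEGMENT), 0, 0, 64, 6, 0, HOST_A, HOST_B) + TCP_SEGMENT
TUNNEL_PKT = build_esp(GW_A, GW_B, 0x200, 1, NEXT_HEADER_IPV4, INNER_IP)

if __name__ == "__main__":
    rc = ReplayCheck()
    for pkt in (TRANSPORT_PKT, TUNNEL_PKT, TUNNEL_PKT):   # third is a replayed copy
        p = parse_esp(pkt)
        print("spi=%#x seq=%d mode=%s fresh=%s" % (p["spi"], p["seq"], p["mode"], rc.accept(p["spi"], p["seq"])))
```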