[HamWAN PSDR] Traffic protection without encryption

Benjamin Krueger ben.krueger at gmail.com
Thu Feb 21 19:21:13 PST 2013


I think we can solve a lot of our crypto-regulation problems if we explore
IPSec in Authentication Header Transport mode. This signs every IP packet
which gets us connection integrity, origin authentication, and replay
protection without encrypting anything. Then we only have to take very
basic measures to ensure folks don't intentionally or unintentionally make
encrypted connections (over SSL, SSH, or other commonly encrypted
protocols). The only outstanding question then is how to handle IKE (key
exchange) in an automated way with certificates.

I'm going to speak to some infosec geeks about this tonight

NB: This doesn't handle initial network access authentication. That's still
a problem to be solved, possibly with 802.1X, though that has its own
problem since RouterOS only supports TLS-EAP which incorporates crypto.

-- 
Benjamin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20130221/f516d37f/attachment.html>


More information about the PSDR mailing list