[HamWAN PSDR] Traffic protection without encryption

steve monsey stevewa206 at gmail.com
Thu Feb 21 19:52:35 PST 2013


Just coming in the middle of this.  What about using certificates in some
way? You can issue certificates to legit hams (users) either by machine
(which is harder for machines that do not have that functionality) or by
user. No encryption needed. In other words, two factor authentication, if
you also have to log into the network. Basically an enterprise solution, or
is that too difficult to manage?


Steve N0FPF

On Feb 21, 2013, at 7:46 PM, Bart Kus <me at bartk.us> wrote:

Good direction, but I'd drop the requirement for policing the network by
actively preventing hams from using crypto.  Hams are supposed to be
self-policing, and we'll be engaging in a losing battle, and inviting
exploits.  Let's just provide the tools to play nice.  If people wanna run
astray of rules, HamWAN, as repeater operator, is not ultimately responsible.

Let us know how the infonerd thing goes.  :)

--Bart


On 2/21/2013 7:21 PM, Benjamin Krueger wrote:

I think we can solve a lot of our crypto-regulation problems if we explore
IPSec in Authentication Header Transport mode. This signs every IP packet
which gets us connection integrity, origin authentication, and replay
protection without encrypting anything. Then we only have to take very
basic measures to ensure folks don't intentionally or unintentionally make
encrypted connections (over SSL, SSH, or other commonly encrypted
protocols). The only outstanding question then is how to handle IKE (key
exchange) in an automated way with certificates.

I'm going to speak to some infosec geeks about this tonight.

NB: This doesn't handle initial network access authentication. That's still
a problem to be solved, possibly with 802.1X, though that has its own
problem since RouterOS only supports TLS-EAP which incorporates crypto.

 --
Benjamin


_______________________________________________
PSDR mailing list
PSDR at hamwan.org
http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org