<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Just coming in the middle of this. What about using certificates in some way? You can issue certificates to legit hams (users) either by machine (which is harder for machines that do not have that functionality) or by user. No encryption needed. In other words, two-factor authentication, if you also have to log into the network. Basically an enterprise solution, or is that too difficult to manage? </div>
<div> <br><br>Steve N0FPF</div><div><br>On Feb 21, 2013, at 7:46 PM, Bart Kus <<a href="mailto:me@bartk.us">me@bartk.us</a>> wrote:<br><br></div><blockquote type="cite"><div>
<div class="moz-cite-prefix">Good direction, but I'd drop the
requirement for policing the network by actively preventing hams
from using crypto. Hams are supposed to be self-policing, and
we'll be engaging a losing battle, and inviting exploits. Let's
just provide the tools to play nice. If people wanna run astray
of rules, HamWAN, as repeater operator, is not ultimately
responsible.<br>
<br>
Let us know how the infonerd thing goes. :)<br>
<br>
--Bart<br>
<br>
<br>
On 2/21/2013 7:21 PM, Benjamin Krueger wrote:<br>
</div>
<blockquote cite="mid:CAMcW5DoWJy3LVG2wP2EkUPGVzrrQhDyXizOe+CxK3XcBDbX1vg@mail.gmail.com" type="cite">
<div dir="ltr">I think we can solve a lot of our crypto-regulation
problems if we explore IPSec in Authentication Header Transport
mode. This signs every IP packet which gets us connection
integrity, origin authentication, and replay protection without
encrypting anything. Then we only have to take very basic
measures to ensure folks don't intentionally or unintentionally
make encrypted connections (over SSL, SSH, or other commonly
encrypted protocols). The only outstanding question then is how
to handle IKE (key exchange) in an automated way with
certificates.<br>
<br>
I'm going to speak to some infosec geeks about this tonight.<br>
<br>
NB: This doesn't handle initial network access authentication.
That's still a problem to be solved, possibly with 802.1X,
though that has its own problem since RouterOS only supports
TLS-EAP which incorporates crypto.<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">Benjamin<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
PSDR mailing list
<a class="moz-txt-link-abbreviated" href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a>
<a class="moz-txt-link-freetext" href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a>
</pre>
</blockquote>
<br>
</div></blockquote></body></html>
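To make concrete what "signing every IP packet without encrypting anything" means in Benjamin's AH transport-mode proposal, here is an added illustration (not code from the thread or from HamWAN): it builds an IPv4 + AH (RFC 4302) packet, computes the ICV over the packet with the mutable IPv4 fields zeroed, and shows a receiver rejecting a tampered copy and a replayed copy while still accepting a packet whose TTL was decremented in flight. The key, addresses, SPI and the choice of HMAC-SHA-256-128 are constructed assumptions for the example.

```python
import hmac, hashlib, struct

KEY = bytes(range(32))   # constructed 256-bit key shared by both ends (assumption)
ICV_LEN = 12             # HMAC-SHA-256-128 (RFC 4868) truncates the MAC to 96 bits
AH, UDP = 51, 17         # IP protocol numbers

def ipv4_header(src, dst, next_proto, total_len, ttl=64):
    """20-byte IPv4 header; checksum left 0 since AH excludes it from the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, next_proto, 0, src, dst)

def ah_header(next_proto, spi, seq, icv):
    """AH fields: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_proto, payload_len, 0, spi, seq) + icv

def zero_mutable(pkt):
    """Zero what AH excludes from the ICV: TOS, flags/frag offset, TTL, checksum, ICV itself."""
    ip = bytearray(pkt[:20])
    ip[1] = 0; ip[6:8] = b"\x00\x00"; ip[8] = 0; ip[10:12] = b"\x00\x00"
    ah = bytearray(pkt[20:20 + 12 + ICV_LEN])
    ah[12:] = bytes(ICV_LEN)
    return bytes(ip) + bytes(ah) + pkt[20 + 12 + ICV_LEN:]

def sign(src, dst, payload, spi, seq):
    """Sender: wrap a cleartext UDP payload in IP+AH and fill in the ICV. Nothing is encrypted."""
    total = 20 + 12 + ICV_LEN + len(payload)
    ip = ipv4_header(src, dst, AH, total)
    pkt = ip + ah_header(UDP, spi, seq, bytes(ICV_LEN)) + payload
    icv = hmac.new(KEY, zero_mutable(pkt), hashlib.sha256).digest()[:ICV_LEN]
    return ip + ah_header(UDP, spi, seq, icv) + payload

class Receiver:
    """Receiver: check origin/integrity via the ICV, then reject replays by sequence number."""
    def __init__(self):
        self.last_seq = 0
    def verify(self, pkt):
        ah = pkt[20:20 + 12 + ICV_LEN]
        seq = struct.unpack("!I", ah[8:12])[0]
        expected = hmac.new(KEY, zero_mutable(pkt), hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, ah[12:]):
            return False          # payload or immutable header altered, or wrong key
        if seq <= self.last_seq:
            return False          # replayed (or reordered past the window) packet
        self.last_seq = seq
        return True

if __name__ == "__main__":
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed 10.0.0.1 -> 10.0.0.2
    rx, pkt = Receiver(), sign(src, dst, b"CQ CQ de N0CALL", 0x100, 1)
    print("fresh:", rx.verify(pkt), "replay:", rx.verify(pkt),
          "tampered:", Receiver().verify(pkt[:-1] + b"x"))
```

A real deployment would install the equivalent SAs with the kernel's IPsec stack and negotiate keys with IKE rather than a fixed shared key; this block only shows what the AH signature covers and what it catches.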