<div dir="ltr">I think we can solve a lot of our crypto-regulation problems if we explore IPSec in Authentication Header Transport mode. This signs every IP packet, which gets us connection integrity, origin authentication, and replay protection without encrypting anything. Then we only have to take very basic measures to ensure folks don't intentionally or unintentionally make encrypted connections (over SSL, SSH, or other commonly encrypted protocols). The only outstanding question then is how to handle IKE (key exchange) in an automated way with certificates.<br>
<br>I'm going to speak to some infosec geeks about this tonight.<br><br>NB: This doesn't handle initial network access authentication. That's still a problem to be solved, possibly with 802.1X, though that has its own problem since RouterOS only supports TLS-EAP, which incorporates crypto.<br clear="all">
<div><br></div>-- <br><div dir="ltr">Benjamin<br></div>
</div>
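<div dir="ltr">Added example, not part of Benjamin's post: a by-hand model of AH transport mode over IPv4 (RFC 4302) that makes the three claimed properties concrete. The per-packet "signature" is an ICV, a keyed MAC under the SA's shared key; HMAC-SHA1-96 is assumed here because the post names no algorithm. The SPI, key, addresses, payload and 64-packet replay window are constructed for the demo, no sockets are used, and IKE (the post's open question) is out of scope, so the key is simply a constant. The demo verifies a good packet, rejects a replay of it, accepts a copy whose TTL a router decremented (TTL is a mutable field and is zeroed before the ICV is computed), rejects a tampered payload, and shows the payload is still readable on the wire.</div>

```python
import hmac
import hashlib
import struct

# Added example (not from the original post): IPsec AH transport mode, IPv4,
# HMAC-SHA1-96. SA parameters below are constructed for the demo only.
AH_PROTO = 51                 # IP protocol number for AH
ICV_LEN = 12                  # HMAC-SHA1-96: 20-byte tag truncated to 96 bits
AH_FIXED_LEN = 12             # next header, payload len, reserved, SPI, seq
WINDOW = 64                   # receiver anti-replay window (RFC 4302 min. is 32)
SPI = 0x00001000              # constructed SPI
KEY = b"constructed-demo-key-not-for-real-use"  # constructed SA key


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zero)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload_len: int,
               ttl: int = 64, tos: int = 0, ident: int = 1) -> bytes:
    """Minimal IPv4 header without options; DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1.1: DSCP/ECN, flags+fragment offset, TTL and header
    checksum may change in transit, so they are zeroed for the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV over zeroed IP header + AH (ICV field zeroed) + upper-layer payload."""
    data = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(src: bytes, dst: bytes, next_header: int, payload: bytes,
               seq: int, key: bytes = KEY, spi: int = SPI) -> bytes:
    """Sender: insert AH between the IPv4 header and the original payload."""
    ah_payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in words minus 2
    ah_no_icv = struct.pack("!BBHII", next_header, ah_payload_len, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, AH_PROTO, AH_FIXED_LEN + ICV_LEN + len(payload))
    return ip_hdr + ah_no_icv + icv(ip_hdr, ah_no_icv, payload, key) + payload


class ReplayWindow:
    """Sliding bitmap (RFC 4302 3.4.3): bit k set means seq (last - k) was accepted."""

    def __init__(self):
        self.last, self.bitmap = 0, 0

    def check(self, seq: int) -> bool:
        if seq == 0:
            return False                         # seq 0 is never valid
        if seq > self.last:
            return True                          # right of the window: new
        if self.last - seq >= WINDOW:
            return False                         # fell off the left edge
        return not (self.bitmap >> (self.last - seq)) & 1

    def update(self, seq: int) -> None:
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def ah_verify(packet: bytes, window: ReplayWindow, key: bytes = KEY, spi: int = SPI):
    """Receiver: SPI lookup, replay check, ICV check, then window update.
    Returns (accepted, reason, payload_or_None)."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO:
        return False, "not AH", None
    ah_no_icv = rest[:AH_FIXED_LEN]
    tag, payload = rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN], rest[AH_FIXED_LEN + ICV_LEN:]
    _nh, _plen, _res, pkt_spi, seq = struct.unpack("!BBHII", ah_no_icv)
    if pkt_spi != spi:
        return False, "unknown SPI", None
    if not window.check(seq):
        return False, "replayed or stale sequence number", None
    if not hmac.compare_digest(tag, icv(ip_hdr, ah_no_icv, payload, key)):
        return False, "ICV mismatch", None
    window.update(seq)                           # only after the ICV checks out
    return True, "ok", payload


def demo() -> dict:
    """Exercise the properties the post attributes to AH; returns outcomes by name."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET / HTTP/1.0\r\n\r\n"          # constructed plaintext payload
    win, r = ReplayWindow(), {}
    pkt1 = ah_protect(src, dst, 6, payload, seq=1)       # next header 6 = TCP
    r["plaintext_visible"] = payload in pkt1             # AH never encrypts
    r["valid"] = ah_verify(pkt1, win)[0]
    r["replay"] = ah_verify(pkt1, win)[0]                # same packet again
    pkt2 = ah_protect(src, dst, 6, payload, seq=2)
    hopped = build_ipv4(src, dst, AH_PROTO, len(pkt2) - 20, ttl=63) + pkt2[20:]
    r["ttl_decrement"] = ah_verify(hopped, win)[0]       # mutable field changed
    pkt3 = ah_protect(src, dst, 6, payload, seq=3)
    r["tampered"] = ah_verify(pkt3[:-1] + bytes([pkt3[-1] ^ 1]), win)[0]
    ah_verify(ah_protect(src, dst, 6, payload, seq=100), win)   # slide window
    r["stale"] = ah_verify(ah_protect(src, dst, 6, payload, seq=30), win)[0]
    r["in_window"] = ah_verify(ah_protect(src, dst, 6, payload, seq=50), win)[0]
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

<div dir="ltr">Two caveats a practitioner would add: the receiver updates its replay window only after the ICV verifies, otherwise a forged packet with a high sequence number could lock out legitimate traffic; and the key here is a constant only because key establishment is the open question in the post, so keep in mind that IKEv2 encrypts its own IKE_AUTH exchange when working out how "no crypto on the wire" squares with automated keying.</div>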