Re: The TCP and UDP checksum algorithm may soon need updating

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 08, 2020 at 10:24:10AM -0700, Michael Thomas wrote:
> On 6/8/20 10:16 AM, Nico Williams wrote:
> > On Mon, Jun 08, 2020 at 10:11:09AM -0700, Joe Touch wrote:
> > > > On Jun 8, 2020, at 10:00 AM, Michael Thomas <mike@xxxxxxxx> wrote:
> > > > i assume that you can hack ipsec to emulate clients not having certs.
> > > It is called BTNS.  See RFC 5387.
> > Yes, but you also need RFC5660 implementations to make it more
> > meaningful.  Still, if all you want is error detection, BTNS will do.
> 
> this is undoubtedly a complete rehash, but who controls what the root CA's
> are with ipsec? is that something that the application layer has some say-so
> over? could my app say i don't care who the root CA is?

The idea with RFCs 5387 and 5660 is that there is no need for an IPsec
PKI for IPsec to be useful, and, indeed, that IPsec for authentication
is tricky because -after all- it deals in... IP addresses, which are not
useful for authentication.

Instead, use IPsec for session crypto and use channel binding to bind
IPsec channels to higher-layer protocols where authentication can and
does happen.

Nico
-- 




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux