Re: [Users] Opportunistic Encryption + RFC 2317 "style" delegation

From: Paul Wouters (paul_at_xtdnet.nl)
Date: Thu Aug 01 2002 - 11:13:12 CEST


On Wed, 31 Jul 2002, Ian Brown wrote:

> I attempt to connect to your web service. My ipsec is currently
> turned off, but I have TXT and KEY records in my reverse map. I try to
> connect directly to your port 80. Somehow something intercepts this
> connection attempt and %holds it. (How does this happen btw?

My freeswan will do that yes.

> So the only weakness here is the dns service itself. Since OE
> relies on dns, if dns fails for whatever reason, OE and the rest of your
> system (aside from static tunnels) will be dead to the world.

Yes. That's one reason why you should try to use dns servers close to the OE
machine, or even on the OE machine, or security gateway itself.
 
> Okay, so the only computers you can now use to administer your
> oe-dead server are either computers with static tunnels, or non-oe boxes.
> If everyone starts to use OE in the future, your only hope would be the
> static tunnels.

Actually, OE and static tunnels don't work very well together yet.
 
> So for the most part OE is great for scaling, yet you'll still
> need to have static tunnels or/and ssh for those important servers.

OE and ssh serve two different purposes.
 
> Regular firewalling only stops the packets or lets them through.
> It doesn't decide what gets encrypted and what doesn't.

Right. My point was, OE (or IPsec in general) is NOT a firewall. IPsec only
encrypts against third party snooping. You can even use it to limit who is
allowed to communicate with you. But it does not implement a security
scheme about which protocol or at what time of day, someone is allowed to
use Kazaa. Use firewalls for that.

> In other words, if
> OE dies on me it would be nice if I still had some way to get to my box
> without oe getting in the way. (SSH for instance wouldn't need to be
> encrypted through OE since it does that by itself). This way I'm not
> blocked from using my other oe-only computers to administer.

And how would you recognise "ssh"? port 22? What if a filesharing program
starts using port 22 as well? Do we then need to understand the SSH protocol
itself before allowing it through? IPsec should not start playing the game
of making decisions based on the content of packets.
 
> An example would be the Red Alert virus. Because of the
> increased bandwidth that was getting eaten up, ISPs had to block
> the spreading by blocking access to most people's port 80. This would
> not have been possible if things were encrypted and passing through port
> 500. Their only recourse would be to block udp port 500 traffic... which
> would halt ALL communications to your servers instead of just port 80.

So a quick hack to a rogue hack to a bad hack of a program wouldn't work
anymore. Perhaps it would be in everyone's interest if Microsoft's products
escalated the damage done so that they finally start taking security
seriously. Yes, I am an ISP myself, and yes I would miss the option of
disabling it, but I still don't think it is a valid argument for looking at
people's traffic and deciding for them what is legitimate traffic and what's
not. You want to only block Code Red, China only wants to block Free Speech,
and the US only wants to block Copyright Terrorists. Everyone has their
reasons. IPsec should not make political decisions.

> Another more important example. Distributed Denial of Service.

The only way out of this is if everyone does proper spoof protection and
filtering of outgoing packets. If I'm right, ipv6 would resolve this issue
already. Any DoS can now be traced and blocked.

> The problem here is that OE hides something that perhaps shouldn't
> be.

That's not a problem, that's a feature! AT&T also doesn't listen in on your
phone conversations to determine whether it might be better for you not to
have that conversation.

> What I don't see as important is encrypting the information
> about the connections themselves.

(forgive the following rant :)
Information as to what ports I use in itself is information that should be
private. If I run OE, and then use port 139, in your setup I still have
the BSA knocking on my door for either using an unlicenced program, a
program which they would like me not to use anymore (win9x) or a program
I'm no longer entitled to use anymore (XP, Palladium, TCPA), or perhaps
even for violating their IPO rights (Samba). I don't want to be seen as a
criminal just for using port 139. The legal system is cracking up on all
sides. I get the most hilarious and outrageous legal claims, I get bailiffs
at my door for things that are obviously legal and are just meant to scare me
away. My personal information has been sold against my wishes hundreds of
times. That's why I want to hide not only what I communicate, but also how
I communicate and with whom I communicate. I try to be a citizen, not a
consumer.

> You also break any chance of prioritization

Isn't that my choice? If you want your webcam session, or conversation to
your mother, to be prioritized, and you need to pay for not using crypto, then
you should not be using crypto.
Actually, you can do this fairly easily with Freeswan. My favourite EuroTrance
internet radio broadcast is not going through IPsec like the rest of my
traffic. I added a specific host route to their server, so that it doesn't
get caught in the OE machinery.

> I'm curious... how did you set up OE on your computers?

You're now comparing a handful of machines you administrate with ssh, with
the millions of computers I want to talk OE to. Perhaps with some hacks, you
can do the first (though I bet you just hit 'yes' without checking anyway).
I cannot check every webserver with OE that I connect to and hit 'yes'
after verifying they're okay.

> you've already got the ssh stuff in place. Also, I thought that "yes"
> thing only happens the first time you use ssh with a specific host.
> Doesn't that question only pop up if the host key changes?

Yes, but how often did you CHECK that those new or changed keys were indeed
not a man in the middle? I bet you've never done that.

ssh and ipsec are different tools for a different job.

Paul

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:35 CEST