Re: [Users] Opportunistic Encryption + RFC 2317 "style" delegation

From: Ian Brown (freeswan_at_wopr.mitchellandmitchell.com)
Date: Thu Aug 01 2002 - 21:24:40 CEST


On Thu, 1 Aug 2002, Paul Wouters wrote:

> > In other words, if
> > OE dies on me it would be nice if I still had some way to get to my box
> > without oe getting in the way. (SSH for instance wouldn't need to be
> > encrypted through OE since it does that by itself). This way I'm not
> > blocked from using my other oe-only computers to administer.
>
> And how would you recognise "ssh"? port 22? What if a filesharing program
> starts using port 22 as well? Do we then need to understand the SSH protocol
> itself before allowing it through? IPsec should not start playing the game
> of making decisions based on the content of packets.

        You wouldn't need to recognize ssh. I'm just talking about
disabling port 22 on my server because I know that I've got ssh set up
there. I'm not talking about disabling port 22 for everyone using OE. So
there would be two settings in ipsec.conf. In mine there would be
something like disableport=22. If you wanted to protect yourself against
me sabotaging your oe by, say, also disabling my web site port, you could
have a setting in your ipsec.conf like ifdestinationoeportdisable=block.

>
> > An example would be the Red Alert virus. Because of the
> > increased bandwidth that was getting eaten up, ISPs had to block
> > the spreading by blocking access to most people's port 80. This would
> > not have been possible if things were encrypted and passing through port
> > 500. Their only recourse would be to block udp port 500 traffic... which
> > would halt ALL communications to your servers instead of just port 80.
>
> So a quick hack to a rogue hack to a bad hack of a program wouldn't work
> anymore. Perhaps it would be in everyone's interest if Microsoft's products
> escalated the damage done so that they finally start taking security
> seriously. Yes, I am an ISP myself, and yes I would miss the option of
> disabling it, but I still don't think it is a valid argument for looking at
> people's traffic and deciding for them what is legitimate traffic and what's
> not. You want to only block Code Red, China only wants to block Free Speech,
> and the US only wants to block Copyright Terrorists. Everyone has their
> reasons. IPsec should not make political decisions.

        By not giving the choice to filter traffic, ipsec *IS* making a
political decision as is your choice to use it with that limitation.
There are a lot of large ISPs that probably will not take the view that
you do when it comes to losing control of their traffic.

> > Another more important example. Distributed Denial of Service.
>
> The only way out of this is if everyone does proper spoof protection and
> filtering of outgoing packets. If I'm right, ipv6 would resolve this issue
> already. Any DoS can now be traced and blocked.

        Right now if someone starts to flood my port 80, I can ask my isp
to block all traffic to port 80. The rest of my system will run
unhindered. I don't have to worry about reporting each and every person
flooding me and block each and every one. I imagine that would be a
huge undertaking especially if the dos attack comes from a rotating group
of ip addresses.
        Btw, you mentioned in the paragraph above that you don't want
*ANY* filtering, yet here you state that proper filtering of outgoing
packets is necessary. Wouldn't OE prevent this filtering?

>
> > The problem here is that OE hides something that perhaps shouldn't
> > be.
>
> That's not a problem, that's a feature! AT&T also doesn't listen in on your
> phone conversations to determine whether it might be better for you not to
> have that conversation.

        If I encrypt a conversation over the phone, it doesn't encrypt how
the communication took place. OE encrypts both. If I've got some stalker
calling me, I want AT&T to have records to that effect so that I can go
after the bastard.

>
> > What I don't see as important is encrypting the information
> > about the connections themselves.
>
> (forgive the following rant :)
> Information as to what ports I use in itself is information that should be
> private. If I run OE, and then use port 139, in your setup I still have
> the BSA knocking on my door for either using an unlicenced program, a
> program which they would like me not to use anymore (win9x) or a program
> I'm no longer entitled to use anymore (XP, Palladium, TCPA), or perhaps
> even for violating their IPO rights (Samba). I don't want to be seen as a
> criminal just for using port 139. The legal system is cracking up on all
> sides. I get the most hilarious and outrageous legal claims, I get bailiffs
> at my door for things that are obviously legal and is just meant to scare me
> away. My personal information has been sold against my wishes hundreds of
> times. That's why I want to hide not only what I communicate, but also how
> I communicate and with whom I communicate. I try to be a citizen, not a
> consumer.

        I'm almost in agreement with you here.... If you
can be thought of as a criminal for using port 139, then why can't you be
thought of as a criminal for using udp port 500? What looks more like
you're trying to hide something? If anything, using OE would trigger MORE
attention from said agencies. 2nd, as you stated above, I can use
whatever service I want on port 139. Since the traffic itself would be
encrypted, they'd only be able to go after me for using that port, which I
doubt would get them very far. Mind you, if that *is* possible in
the future, then they could also go after me for using ipsec's port too.
So what about China? They block web sites for content. Certainly having
the port 80 connection information unencrypted will raise a red flag (pun
intended). It would seem in this case that OE *SHOULD* encrypt the
connection information too.. But knowing China, they'd simply just look
for udp port 500 traffic and arrest those people...
        Btw, your personal information will still be sold with OE...(most
if not all of the information comes from servers that people
connect to, not from the traffic itself). The only difference now is
that they'll be able to encrypt it making it that much harder to track
down.

>
> > You also break any chance of prioritization
>
> Isn't that my choice? If you want your webcam session, or conversation to
> your mother to be prioritized, and you need to pay for not using crypto, then
> you should not be using crypto.
> Actually, you can do this fairly easily with Freeswan. My favourite EuroTrance
> internet radio broadcast is not going through IPsec like the rest of my
> traffic. I added a specific host route to their server, so that it doesn't
> get caught in the OE machinery.
>

        That's just it. As OE is now, it's not your choice. Either you
encrypt and lose prioritization, or you gain prioritization and lose
encryption. If I had a choice I'd rather lose partial encryption by
letting my connection information be known than lose the ability to encrypt
entirely. Who cares if someone sees that I'm chatting with my mom
as long as they don't know what I'm saying? *THAT* should be my choice.

        What I'm trying to say here is that these should be choices that I
can make in my ipsec.conf file... I'm not talking about changing the way
OE works for everyone... just give me choices as to how I can encrypt
things. You can configure your system to reject anything that I might
have set up that you don't like.

Ian
