Re: RFC: p&p ipsec without authentication

From: Henning P. Schmiedehausen (hps@intermeta.de)
Date: Mon Dec 16 2002 - 04:20:27 EST


Rik van Riel <riel@conectiva.com.br> writes:

>Hi,

>I've got a crazy idea. I know it's not secure, but I think it'll
>add some security against certain attacks, while being non-effective
>against some others.

While the idea itself is nice, it would allow many attackers on your
host to "dive" under IDS systems or avoid stateful firewalls which do
protocol verification. And IDS system is "a three letter acronym
listening on your traffic". And you want to avoid that. =:-)

It won't traverse many firewalls either (because they won't let IPSEC
pass) and you might get in trouble with NAT and protocols that need
NAT fixup.

And you basically divide the Internet into "Linux <-> Linux" and "the
rest". :-)

        Regards
                Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de D-91054 Buckenhof Fax.: 09131 / 50654-20 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon Dec 23 2002 - 22:00:13 EST