Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opportunistic Encryption of IP traffic: FreeS/WAN 2.0

Posted by michael on from the fight-the-man dept.

Russ Nelson writes "Since 1996, John Gilmore has dreamed of an Internet where all traffic between cooperating sites is encrypted. He has supported the FreeS/WAN project which uses IPSEC to encrypt IP traffic on an opportunistic encrypting basis. The team has released Linux FreeS/WAN 2.00, their first release optimized for Opportunistic Encryption (OE). After installation, ZERO host configuration is required for OE! A Linux box running 2.00 will encrypt all IP packets to other OE capable boxes whenever possible, provided you publish a key and IPsec gateway information in DNS." Nice.

3 of 153 comments (clear)

  1. Re:Wireless applications? by kmcmartin · · Score: 5, Informative

    This is a very useful application of IPsec. The wavesec project is an example of using IPsec to secure the link between a client and the wireless access point.

    This was in-practice last year at OLS where the FreeS/WAN folks set up a wavesec encrypted link, while the folks that were not using wavesec had their traffic snooped and displayed on a monitor.

    The problem with using IPsec as a replacement for WEP, however, is that IPsec is higher up on the OSI layer diagram, so more information is left unencrypted than when using WEP (yes, I'm aware that WEP is weak and in this case, won't make a difference, I'm just illustrating a point.)

  2. KEY record debate... by pabl0 · · Score: 5, Informative
    One potential problem with this is that KEY records were originally intended for DNSsec usage and some controversy has arisen with regard to using KEY records for other purposes, such as OE. This pretty much sums it up, however, and it seems as though they've gone on using KEY for this purpose.

    (I realize the articles listed are 8-9 months old, but clearly the issue is still relevant.)

    I'm unfortunately not running OE, as my DNS provider (UltraDNS) did not provide the capability to add KEY records to a zone at the time I went through the installation process. Not sure if they do so now; perhaps time to check! I'd be interested in discovering which DNS providers do or do not provide the ability to insert KEY records into zones.

  3. Re:Weakest link by velkro · · Score: 5, Informative

    Yes, DNS is currently the weakest link.

    DNSSec will fix most of this, however that requires all of the TLD and gTLD's support it. Currently, only .nl will sign records all the way to the root zone. We need more TLD/gTLD buy-in for DNSSec to become commonplace.

    --
    ken@freeswan.ca