Slashdot Mirror

← Back to Stories (view on slashdot.org)

Opportunistic Encryption of IP traffic: FreeS/WAN 2.0

Posted by michael on from the fight-the-man dept.

Russ Nelson writes "Since 1996, John Gilmore has dreamed of an Internet where all traffic between cooperating sites is encrypted. He has supported the FreeS/WAN project which uses IPSEC to encrypt IP traffic on an opportunistic encrypting basis. The team has released Linux FreeS/WAN 2.00, their first release optimized for Opportunistic Encryption (OE). After installation, ZERO host configuration is required for OE! A Linux box running 2.00 will encrypt all IP packets to other OE capable boxes whenever possible, provided you publish a key and IPsec gateway information in DNS." Nice.

4 of 153 comments (clear)

  1. Re:Weakest link by Great_Jehovah · · Score: 5, Insightful

    True. But no one is claiming that OE is something you should depend on. It's main purpose is to make the job of snoops with no resources a lot harder.

    The real weakness in this scheme is that very few admins will go to the trouble of registering keys with DNS due to laziness or lack of perceived value.

  2. Someones not going to like this by glesga_kiss · · Score: 5, Insightful
    If this becomes popular, I can see the intelligence agencies having a fit. They might lose one of their best information feeds; the internet.

    If this sort of technology were to be rolled into the main distributions as well as Microsoft/Apple packages, the internet would then have a decent level of privacy.

  3. Re:Weakest link by gadwale · · Score: 5, Insightful


    What you have pointed out is true. However, it does not sound like OE is ever meant to protect against main in the middle attacks. By its very definition, it simply encrypts traffic whenever possible. This has two good outcomes:

    1. More encrypted traffic in general, so when you begin encrypting your traffic it does not look suspicious to anybody who is monitoring traffic

    2. Opportunistic sniffers will not be able to read the stream of data since it is automatically encrypted without your having to configure anything

    OE is not a replacement for a VPN, nor is it meant to ensure the identity of the parties involved. If you really wanted to be sure, you would find some other medium to exchange keys initially or ensure that keys you received are signed by a CA or another verifying authority. That way, even if a third party does intercept your data, the data cannot be decrypted without the corresponding private key since you are using the authentic public key and not a spoof.

    Of course, the CA or signing third party may be compromised. In that case, there are only two solutions:
    1. Use telepathic brainwaves
    2. Use carrier pigeons, because nobody will be expecting them

    Adi Gadwale.

  4. Virus heaven by pseudorandom · · Score: 5, Insightful

    Has anybody thought about the fact that this removes the option of network level filtering? Think about the scenario in which a virus is created that spreads quickly via web servers (e.g. IIS). Currently, it is possible to filter out viral traffic because the routers can inspect the messages. This prevents the spread of the virus even though the hosts/severs remain vulnerable.

    Once all traffic is encrypted using OE, the routers/firewalls cannot recognise the type of traffic anymore, and virii will be able to spread to all vulnerable hosts.