Menu
▾
▴
Re: [Openvpn-users] Features that should be in OpenVPN or VTun
|
From: Guus S. <gu...@sl...> - 2002-03-31 11:46:51
|
On Sun, Mar 31, 2002 at 06:09:54AM -0500, bishop wrote: > - public-key encryption based on KEY records in DNS >=20 > Hit the DNS, get the key, now you don't have to store it any place, and y= ou=20 > can discover it. If you can think of an easier way to discover a KEY, th= en=20 > I'm all ears. Really, that is not very secure. Somebody could take over the DNS server, or spoof one, and change both IP and KEY to one of his own servers and vpn daemons. The only way to make sure you get the right KEY is to have the DNS replies signed. You can do that with DNSSEC for instance. But, in order to verify the reply you get you'd need yet another public key. There is just no way to make sure the other end is who he is if you don't have a public or shared private key IN ADVANCE. > - Dynamic on-demand default tunnels using discovered Keys >=20 > Send all data out via the TUN, except data that's already encapsulated. = If=20 > a tunnel cannot be established, then send it in the clear. Otherwise, se= t=20 > up tunnel and shoot data. Hmz... very hard to do, because in addition to accessing the TUN device, which is relatively easy, you must send the "clear" packets out via the real interfaces, which means using operating system dependent hooks. Furthermore, there are serious security implications even when just sending the first few packets in the clear. Why bother to encrypt the rest at all then? --=20 Met vriendelijke groet / with kind regards, Guus Sliepen <gu...@sl...> |
