To: linux-kernel@vger.kernel.org
Path: forge.intermeta.de!not-for-mail
From: "Henning P. Schmiedehausen" <hps@intermeta.de>
Newsgroups: hometree.linux.kernel
Subject: Re: RFC: p&p ipsec without authentication
Date: Mon, 16 Dec 2002 09:20:27 +0000 (UTC)
Organization: INTERMETA - Gesellschaft fuer Mehrwertdienste mbH
Message-ID: <atk5sr$a06$1@forge.intermeta.de>
References: <Pine.LNX.4.50L.0212151745360.2711-100000@imladris.surriel.com>
Reply-To: hps@intermeta.de
NNTP-Posting-Host: forge.intermeta.de
NNTP-Posting-Date: Mon, 16 Dec 2002 09:20:27 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1234
Lines: 29

Rik van Riel <riel@conectiva.com.br> writes:

>Hi,

>I've got a crazy idea.  I know it's not secure, but I think it'll
>add some security against certain attacks, while being non-effective
>against some others.

While the idea itself is nice, it would allow many attackers on your
host to "dive" under IDS systems or avoid stateful firewalls which do
protocol verification. And IDS system is "a three letter acronym
listening on your traffic". And you want to avoid that. =:-)

It won't traverse many firewalls either (because they won't let IPSEC
pass) and you might get in trouble with NAT and protocols that need
NAT fixup.

And you basically divide the Internet into "Linux <-> Linux" and "the
rest". :-)

	Regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20   
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/