Diff: OpportunisticEncryption

Differences between version 4 and predecessor to the previous major change of OpportunisticEncryption.


Newer page: version 4 Last edited on Saturday, February 28, 2009 3:49:44 pm by LawrenceDoliveiro
Older page: version 3 Last edited on Saturday, February 28, 2009 3:47:06 pm by LawrenceDoliveiro
@@ -7,8 +7,9 @@
 With OE, each system/network administrator puts the key(s) needed to create IPSEC tunnels with their networks into the [DNS]. Then when another OE enabled IPSEC gateway wants to send packets to a host on the Internet, a check is first done to see if there are any keys in the DNS for that host and if there are, they are fetched and an encrypted tunnel is set up transparently. If there are no keys, then the packets MAY (if the administrator of the sending network allows so in his security policy) be sent in the clear. 
  
 FreeSwan 2 does [OE] out of the box. [FreeSWAN's quickstart to Opportunistic Encryption|http://www.freeswan.org/freeswan_trees/CURRENT-TREE/doc/quickstart.html] might help. 
  
-See the very readable [IETF draft for the Opportunistic Encryption specification|http://www.sandelman.ottawa.on.ca/SSW/freeswan/oeid/draft-richardson-ipsec-opportunistic.html] 
+See the very readable [IETF draft for the Opportunistic Encryption specification|http://www.sandelman.ottawa.on.ca/SSW/freeswan/oeid/draft-richardson-ipsec-opportunistic.html].  
  
+Note that OE does ''not'' guard against ManInTheMiddle attacks, unless the keys can be independently authenticated, for example by [DNSSEC].  
 ---- 
 CategoryCryptography
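Review bot: the added ManInTheMiddle caveat covers an attacker substituting keys, but it leaves out the downgrade path that the unchanged context at the top of this hunk describes: "If there are no keys, then the packets MAY (if the administrator of the sending network allows so in his security policy) be sent in the clear." An attacker who can tamper with the DNS lookup does not need to forge a key; making the lookup return no key (or fail) is enough to push the traffic to cleartext wherever the sending policy permits it, so the fall-back is exactly as unauthenticated as the keys are. Suggest extending the new sentence so that it covers both cases and makes clear the negative answer must be verified too, for example: "Note that OE does ''not'' guard against ManInTheMiddle attacks, nor against an attacker hiding the keys to force traffic into the clear, unless the DNS answers (including the absence of a key) can be independently authenticated, for example by [DNSSEC], or the sending policy refuses to fall back to cleartext." The trailing-period fix on the draft link line needs no change.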