Re: RFC: p&p ipsec without authentication

Henning P. Schmiedehausen (hps@intermeta.de)
Mon, 16 Dec 2002 09:20:27 +0000 (UTC)


Rik van Riel <riel@conectiva.com.br> writes:

>Hi,

>I've got a crazy idea. I know it's not secure, but I think it'll
>add some security against certain attacks, while being non-effective
>against some others.

While the idea itself is nice, it would allow many attackers on your
host to "dive" under IDS systems or avoid stateful firewalls which do
protocol verification. And IDS system is "a three letter acronym
listening on your traffic". And you want to avoid that. =:-)

It won't traverse many firewalls either (because they won't let IPSEC
pass) and you might get in trouble with NAT and protocols that need
NAT fixup.

And you basically divide the Internet into "Linux <-> Linux" and "the
rest". :-)

Regards
Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de D-91054 Buckenhof Fax.: 09131 / 50654-20 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/