Subject: Re: ssh - are you nuts?!?
To: Steven M. Bellovin <smb@research.att.com>
From: RJ Atkinson <rja@inet.org>
List: tech-security
Date: 12/18/2000 11:21:01
At 11:04 18/12/00, Steven M. Bellovin wrote:
>I'd like to [use ESP], too, but it's hard.
The set of boxes that I talk with has a lot of locality
and they are all running real operating systems with ESP already
in the kernel, so it was pretty straightforward to get
things configured among that set (without needing any
Certificates).
If the set of boxes that one uses has less locality,
then configuring stuff to support ESP really IS harder.
In no event are certificates really required, fortunately.
A variety of tunneling VPN/firewall boxes are
available off the shelf. @Home tended to use the RedCreek
boxes. My current employer favours a different brand for
their use. I would guess that a stock NetBSD box could be
converted for this purpose, though I'm not terribly familiar
with the internal details of encrypted route support, so am
a bit uncertain. I haven't installed NetBSD 1.5 yet, though
am grateful to the elf who was distributing the Wasabi CDs
at the IETF last week. :-)
>IPsec requires kernel changes; until very recently,
>most off-the-shelf operating systems didn't include it.
Understood. I think we've had this chat before. :-)
The OSs that I most commonly use already include
ESP and AH in the shrink-wrap; obviously that means Win9x
is not my primary OS. The one machine I have that runs
Win9x is actually running "98lite" in any event, which
tweak was needed to obtain stability.
My sense is that folks managing networks are using
OpenSSH more and more, because a big router vendor only supports
SSHv1 whereas its main competitor (and most of the small
fry vendors) only support SSHv2. This circumstance tends
to be "pull" for deployment of OpenSSH, which supports both
versions and is nicely interoperable all around.
Ran
rja@inet.org
NB: My terminology is/was precise, I'm talking about ESP,
not about some larger amorphous set of stuff.
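For readers who have not set up ESP without certificates, here is what that looks like on a KAME-derived stack such as NetBSD's, using manually keyed security associations loaded with setkey(8). This is an added example, not part of Ran's message; the addresses (192.0.2.1 and 192.0.2.2, from the documentation range), the SPIs and the keys are constructed placeholders, and the cipher name assumes a setkey that accepts "aes-cbc" (older KAME builds spell it "rijndael-cbc").

```conf
# /etc/ipsec.conf  (added example; feed to "setkey -f /etc/ipsec.conf" on both hosts)
#
# Host A = 192.0.2.1, Host B = 192.0.2.2.  Constructed placeholder values:
# replace every key with output of "openssl rand -hex N" (N = 16 for the
# AES-128 key, N = 20 for the HMAC-SHA1 key) and keep the file root-only.
flush;
spdflush;

# One SA per direction.  The SPI, cipher key and MAC key must match on
# both ends.  Always pair -E with -A: ESP without an authenticator gives
# confidentiality with no integrity, which is not an acceptable mode.
add 192.0.2.1 192.0.2.2 esp 0x1001
    -E aes-cbc  0x0123456789abcdef0123456789abcdef
    -A hmac-sha1 0x00112233445566778899aabbccddeeff00112233;

add 192.0.2.2 192.0.2.1 esp 0x1002
    -E aes-cbc  0xfedcba9876543210fedcba9876543210
    -A hmac-sha1 0x33221100ffeeddccbbaa99887766554433221100;

# Policy: every packet between the two hosts must use ESP in transport
# mode.  "require" means unprotected traffic is dropped, not passed.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Host B uses the identical file with the "-P out" and "-P in" lines swapped. Two caveats a practitioner would want: manual keys never rotate, so the same key and anti-replay state live on disk for as long as the file does, and a compromised host reveals all past traffic it has kept; that is tolerable for a small, stable set of boxes (the "locality" above) and nothing larger. Beyond that, use IKE with a pre-shared key (KAME's racoon(8) ships alongside setkey), which rekeys automatically and still needs no certificates.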