[ipv6hackers] opportunistic encryption in IPv6

Mark Smith markzzzsmith at yahoo.com.au
Sun Jun 16 02:41:45 CEST 2013

----- Original Message -----
> From: S.P.Zeidler <spz at serpens.de>
> To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>
> Cc: 
> Sent: Friday, 14 June 2013 6:05 PM
> Subject: Re: [ipv6hackers] opportunistic encryption in IPv6
> 
> Hi,
> 
> Thus wrote Tim (tim-security at sentinelchicken.org):
> 
>>  Here, I just don't understand the logic.  To me, encrypting without
>>  authenticating buys you absolutely nothing, except to burn CPU cycles
>>  and contribute to global warming.
> 
> Yes and no; if we had long sessions that weren't encrypted anyway,
> it might help you detect that someone has started to MitM your
> existing conversation.
> Given that long term sessions are the exception rather than the norm,
> that will not often be the case though.
> 

BTNS is at the IP layer, as it is a form of IPsec, and is therefore host to host, for as long as the hosts maintain the IPsec session. This means that all IP traffic between the hosts is encrypted. This results in encryption of traffic for all applications that don't currently encrypt. Yes, it would be an overhead for already encrypted application traffic, but that is probably in the minority.

> Also I wonder what traffic exactly is supposed to get opportunistically
> encrypted that isn't encrypted or at least encryptable already?
> 
>>    - The act of communicating with a node causes their key (or CA's
>>      key) to be signed and that signature to be published
>>      automatically.  The logic is, if you trusted a node's identity
>>      once, then you should share the knowledge of that trust. This
>>      publishing process needs to be anonymized somehow.  There needs to
>>      be incentives for publishing (think bitcoin).
> 
> So if I visit a URL promising "cute kittens!", I endorse the identity of
> the site? even though I don't care a fig leaf about the site identity?
> That does not seem particularly wise to me.
> 

Well, as the name suggests, it is Better Than Nothing.

> regards,
> 
>     spz
> -- 
> spz at serpens.de (S.P.Zeidler)
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
> 