[cryptography] very little is missing for working BTNS in Openswan

Taral taralx at gmail.com
Thu Sep 12 20:44:59 EDT 2013


On Thu, Sep 12, 2013 at 12:04 PM, Nico Williams <nico at cryptonector.com> wrote:
> Note: you don't just want BTNS, you also want RFC5660 -- "IPsec
> channels".  You also want to define a channel binding for such channels
> (this is trivial).

I am not convinced. It's supposed to be *better than nothing*. Packets
that are encrypted between me and whatever gateway the endpoint elects
to use are strictly better than unencrypted packets, from a security
and privacy standpoint.

Insisting that "BTNS should not be used without X, Y, and Z" had
better come with a detailed explanation of why BTNS without X, Y, Z
makes me *less* secure than no BTNS at all.

-- 
Taral <taralx at gmail.com>
"Please let me know if there's any further trouble I can give you."
    -- Unknown


More information about the cryptography mailing list