That *should* be how things work, but a bunch of rulings about message passing on packet networks threw that on its head. We need to take reasonable precautions to prevent encrypted traffic from moving over the network. Blocking common encrypted ports is simple and no-cost.


On Thu, Feb 21, 2013 at 7:46 PM, Bart Kus <me@bartk.us> wrote:
Good direction, but I'd drop the requirement for policing the network by actively preventing hams from using crypto.  Hams are supposed to be self-policing, and we'll be engaging a losing battle, and inviting exploits.  Let's just provide the tools to play nice.  If people wanna run astray of rules, HamWAN as repeater operator, is not ultimately responsible.

Let us know how the infonerd thing goes.  :)

--Bart



On 2/21/2013 7:21 PM, Benjamin Krueger wrote:
I think we can solve a lot of our crypto-regulation problems if we explore IPSec in Authentication Header Transport mode. This signs every IP packet which gets us connection integrity, origin authentication, and replay protection without encrypting anything. Then we only have to take very basic measures to ensure folks don't intentionally or unintentionally make encrypted connections (over SSL, SSH, or other commonly encrypted protocols). The only outstanding question then is how to handle IKE (key exchange) in an automated way with certificates.

I'm going to speak to some infosec geeks about this tonight

NB: This doesn't handle initial network access authentication. That's still a problem to be solved, possibly with 802.1X, though that has its own problem since RouterOS only supports TLS-EAP which incorporates crypto.

--
Benjamin


_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org


_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org




--
Benjamin