Good direction, but I'd drop the requirement for policing the network by actively preventing hams from using crypto.  Hams are supposed to be self-policing, and we'll be engaging a losing battle, and inviting exploits.  Let's just provide the tools to play nice.  If people wanna run astray of rules, HamWAN as repeater operator, is not ultimately responsible.

Let us know how the infonerd thing goes.  :)

--Bart


On 2/21/2013 7:21 PM, Benjamin Krueger wrote:

I think we can solve a lot of our crypto-regulation problems if we explore IPSec in Authentication Header Transport mode. This signs every IP packet which gets us connection integrity, origin authentication, and replay protection without encrypting anything. Then we only have to take very basic measures to ensure folks don't intentionally or unintentionally make encrypted connections (over SSL, SSH, or other commonly encrypted protocols). The only outstanding question then is how to handle IKE (key exchange) in an automated way with certificates.

I'm going to speak to some infosec geeks about this tonight

NB: This doesn't handle initial network access authentication. That's still a problem to be solved, possibly with 802.1X, though that has its own problem since RouterOS only supports TLS-EAP which incorporates crypto.

--

Benjamin

_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org

_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org