[76865] in North American Network Operators' Group


Re: IPv6, IPSEC and DoS

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Sun Jan 2 05:22:10 2005

In-Reply-To: <Pine.GSO.4.58.0501011516050.553@qentba.nf23028.arg>
Cc: NANOG <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sun, 2 Jan 2005 11:20:11 +0100
To: Rob Thomas <robt@cymru.com>
Errors-To: owner-nanog-outgoing@merit.edu


On 1-jan-05, at 22:20, Rob Thomas wrote:

> ] But as long as people get to sniff your packets, you're dead in the
> ] water unless you use IPsec.

> The same is often said about SSL for web transactions.  This is
> why keystroke loggers are so popular in bots and other malware.
> The point is that folks shouldn't assume that encrypted packets
> keep them safe.  Encryption != security.

Well, then use IPsec between your keyboard and the host.  :-)

And IPsec != encryption.

Obviously there are many ways to be insecure even if you use IPsec, but 
my point is that if someone can sniff your packets, they always get to
break your sessions unless you use IPsec (or TCP MD5). Even SSL doesn't
do you any good since it sits on top of TCP, which leaves TCP
vulnerable. SSL, however, will make sure that IF your session stays up,
whatever data makes it through hasn't been modified and, even if
sniffed, the clear text isn't available to others.
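
The TCP MD5 option mentioned in the message above (RFC 2385), shown as an added example that is not part of the original post: the receiver recomputes a keyed digest over the segment and drops anything that does not match, so a reset built from sniffed addresses, ports and sequence numbers is rejected. Assumptions: IPv4 pseudo-header for brevity, constructed addresses, ports and keys, and hypothetical function names.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO, RST = 6, 0x04
MD5_OPTION_LEN = 20  # kind 19 + length 18 + 16-byte digest, padded to 20 bytes


def base_header(sport, dport, seq, ack, flags):
    """20-byte TCP header without options, checksum zeroed as RFC 2385 requires."""
    data_offset = (20 + MD5_OPTION_LEN) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | flags, 0, 0, 0)


def md5_signature(src, dst, header, payload, key):
    """Digest over pseudo-header, base header, segment data, then the key."""
    seg_len = len(header) + MD5_OPTION_LEN + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()


def accept_segment(src, dst, header, payload, digest, key):
    """Receiver-side check: drop segments with a missing or wrong digest."""
    if digest is None:
        return False
    expected = md5_signature(src, dst, header, payload, key)
    return hmac.compare_digest(expected, digest)


def demo():
    # Constructed sample values: documentation addresses, BGP port, made-up key.
    src, dst, key = "192.0.2.1", "198.51.100.2", b"constructed-shared-key"
    rst = base_header(179, 40000, seq=1000, ack=0, flags=RST)
    genuine = md5_signature(src, dst, rst, b"", key)
    # A sniffer sees addresses, ports and sequence numbers, but not the key.
    forged = md5_signature(src, dst, rst, b"", b"guessed-key")
    return (accept_segment(src, dst, rst, b"", genuine, key),
            accept_segment(src, dst, rst, b"", forged, key),
            accept_segment(src, dst, rst, b"", None, key))


if __name__ == "__main__":
    print(demo())
```
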

