Re: No more IP spoofing??
- From: Ertugrul Soeylemez <never@xxxxxxxxxxxxxx>
- Date: Thu, 28 Sep 2006 21:31:28 +0200
Carlos Moreno <moreno_at_mochima_dot_com@xxxxxxxxxxxxxx> (06-09-28 13:16:10):

> During a conversation with a colleague, it was pointed out that
> IP spoofing will no longer be possible "with the new IP protocol"
> (that was his exact phrasing).
>
> When I asked for clarification, he was unsure; so I thought you
> guys could clarify this?
>
> Is he talking about IPv6? IPsec? Are there new elements to be
> implemented in the current IP protocol to make IP spoofing
> impossible?
>
> The only interesting thing I got from a Google search is the
> ip verify reverse-path Command, in one of the Cisco PIX pages,
> but somehow this comment sounded like something more general
> than that.

Well, the 'new' Internet Protocol is IP version 6, which extends the
address space to up to 2^128 possible addresses, and also adds some new
host addressing features like anycasts. IPsec on the other hand is
nothing too new.

However, the (actually old) IPsec protocol is in fact a protocol
extension, which can be used with both IPv4, the current protocol, as
well as IPv6. It adds cryptographic features to IP, with which you can
make spoofing practically impossible (authentication). If needed, it
also makes sniffing impossible (encryption).

Many serious cryptographers have analyzed IPsec and found it's
inherently flawed. The most disturbing property of IPsec is its
unnecessarily high complexity.

I'd rather recommend OpenVPN for such tasks. It offers the same
features, and even a few more, it's highly portable, technically simple
(which is a big security advantage), and very easy to use.

Regards,
E.S.
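
Added example, not part of the original message: a simplified Python model of the per-packet authentication the reply refers to, showing why a packet that merely claims a peer's source address is dropped when the sender lacks the shared key. It is loosely modelled on an IPsec AH-style integrity check and is not wire-compatible; the addresses, key, SPI value and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed security association table: SPI -> (expected peer address, shared key).
SAS = {0x1001: (ipaddress.ip_address("192.0.2.10"), b"constructed-demo-key")}

def icv(key, src, dst, spi, seq, payload):
    """Integrity check value: HMAC over both addresses, SPI, sequence number, payload."""
    msg = src.packed + dst.packed + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def protect(key, src, dst, spi, seq, payload):
    """Sender side: build a packet (a dict here) carrying its ICV."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {"src": src, "dst": dst, "spi": spi, "seq": seq,
            "payload": payload, "icv": icv(key, src, dst, spi, seq, payload)}

class Receiver:
    def __init__(self, sas):
        self.sas = sas
        self.last_seq = {}  # simplified anti-replay: sequence must strictly increase

    def accept(self, pkt):
        sa = self.sas.get(pkt["spi"])
        if sa is None:
            return "drop: unknown SPI"
        peer, key = sa
        if pkt["src"] != peer:
            return "drop: source does not match SA"
        want = icv(key, pkt["src"], pkt["dst"], pkt["spi"], pkt["seq"], pkt["payload"])
        if not hmac.compare_digest(want, pkt["icv"]):
            return "drop: bad ICV"
        if pkt["seq"] <= self.last_seq.get(pkt["spi"], 0):
            return "drop: replayed sequence number"
        self.last_seq[pkt["spi"]] = pkt["seq"]
        return "accept"

def demo():
    rx = Receiver(SAS)
    good = protect(b"constructed-demo-key", "192.0.2.10", "198.51.100.5", 0x1001, 1, b"hello")
    # Same claimed source address, but the sender does not hold the shared key.
    spoofed = protect(b"not-the-key", "192.0.2.10", "198.51.100.5", 0x1001, 2, b"hello")
    altered = dict(good, seq=3, payload=b"HELLO")  # modified in transit, ICV unchanged
    return [rx.accept(p) for p in (good, spoofed, altered, good)]

if __name__ == "__main__":
    print(demo())
```

The source address alone proves nothing to the receiver; only a packet whose check value verifies under the key bound to that peer is accepted, and a verbatim resend of a valid packet is rejected by the sequence check.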