MJ [m...@sci.fi] wrote:
> On 16 Jan 2014, at 20.24, Chris Cappuccio <ch...@nmedia.net> wrote:
>
> > Block traffic with specific ciphers from traversing the network? That's
> > sci.fi
>
> You're right again - this stuff is futuristic but could potentially be
> accomplished via inspection of unencrypted packet headers, etc (i.e. via
> packet-pattern/flow analysis). However, it could likely be accomplished for
> things that access the machine itself.
>
> We are getting into the realm of wirespeed DPI now. If we won't be doing it,
> somebody else will. What are our efforts worth if the crypto exists in silos
> and is vulnerable to side channel attacks? Is it really worth delegating
> these sorts of things to ports?
>
This is just another area where someone has to have the interest and the
skill. I don't think you'll ever see pf trying to filter out bad crypto.

On that note, Franco Fichtner has been doing some nice DPI work:
https://github.com/fichtner
Although you'll probably have to track him down and email him to get some
more current code.

Fichtner's work has been mated with Netmap more recently (which I started
porting to OpenBSD but never finished, it compiles...) and I bet it could
also be mated with divert-packet for performance (see
http://quigon.bsws.de/papers/2013/vbsdcon/mgp00044.html).