On Sun, Dec 16, 2018 at 10:30:22AM -0500, Greg Troxel wrote:
> > What's the deal with IPSEC?
>
> The protocol is called IPsec (and often miscapitalized), and our kernel
> option is IPSEC.
>
> > I've never used it, but I was under the impression it gives encryption
> > for free for things that otherwise don't have it.
>
> It provides confidentiality and data origin authentication at the IP
> level, via a per-packet protocol called Encapsulating Security Protocol.
>
> In this respect it is sort of like TLS, but operating at the IP layer
> rather than the TCP layer.
>
> However, implementations of it are OS services, rather than code in user
> space. (But the key management is in user space.)
>
> > Do all the programs need to have ipsec-specific goo to use it? telnet
> > does, as well as having its own encryption code.
>
> No. One configures the use of IPsec via Security Policy Database
> entries, which in NetBSD are managed via setkey(8).
>
> The encryption in telnet is I believe Kerberos. Kerberos predates IPsec
> by a lot, and is based on symmetric cryptography only (which is all that
> was feasible in the early 80s). As far as I know, Kerberos processing
> is always done within the application program rather than being a kernel
> service.
Kerberos is only for authentication. The encryption code in the program is DES. I asked to delete it but I was told it'd be socially inconvenient to do so right now. You're a difficult bunch.
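Greg's point above, that IPsec is switched on through Security Policy Database entries loaded with setkey(8) rather than through anything in the application, is easiest to see with a policy file. This is an added illustration, not part of the thread; the two hosts 192.0.2.10 (telnet client) and 192.0.2.20 (telnet server) are placeholder addresses, and key negotiation is assumed to be handled by a user-space IKE daemon.

```conf
# Added example (not from the thread). Loaded on the client host with:
#     setkey -f /path/to/this/file
# Requires ESP in transport mode for telnet (TCP port 23) between two
# placeholder hosts. Only the policy lives in the kernel; the SAs (keys)
# are negotiated in user space, e.g. by racoon(8), when traffic matches.

# Start from an empty SPD so stale entries cannot silently change behaviour.
spdflush;

# Client 192.0.2.10 -> server 192.0.2.20, telnet: outbound must be ESP.
spdadd 192.0.2.10[any] 192.0.2.20[23] tcp -P out ipsec
    esp/transport//require;

# Server replies back to the client: inbound must be ESP, otherwise the
# kernel discards the packet instead of handing it to telnet.
spdadd 192.0.2.20[23] 192.0.2.10[any] tcp -P in ipsec
    esp/transport//require;

# Inspect the installed policies afterwards with: setkey -DP
```

The server side carries the mirror image of these two entries (directions swapped); telnet itself is unchanged either way, which is what "no ipsec-specific goo" means in practice.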