[liberationtech] [cryptography] [ipv6hackers] opportunistic encryption in IPv6

Bill Woodcock woody at
Thu Jun 13 09:01:08 PDT 2013

On Jun 12, 2013, at 4:25 PM, Nico Williams <nico at> wrote:
> There have been many proposed ways of doing roughly the same thing.
> To my knowledge not one has succeeded wildly.  RFC5660 has not been
> implemented.  Lacking IPsec channels one needs something like CGA to
> ensure peer key/ID continuity, as otherwise IPsec only authenticates
> individual packets (and their senders), not *packet flows*, which
> wouldn't be a problem if IP addresses weren't assigned dynamically.

Any reasonable way to bootstrap this off DNSSEC and dynamic DNS in the in-addr?  More complicated than DANE, but if the key distribution is the hard part, and DNSSEC solved that, I'd rather do the hard part once and get the benefit of it for multiple other protocols, rather than reinvent the wheel each time.

