And behold, the IEEE gods gave us 802.1AE. #MACsechttps://twitter.com/RichFelker/status/1009870219333062658 …
Using IPsec for access control is another iteration of the same insecure design. You're granting access to any process that can make a connection from the magically-trusted host.
-
-
You're like my hero, so I will not pick a fight with you, but we're clearly talking about different things. I apologize for commenting in the first place and will stay out of your way. Take care
-
OK, maybe so. FWIW I have no objection to using IPsec or similar tools as a privacy layer, but I do think it's really dangerous to think they suddenly make it safe to treat location-on-network as an access control method.
End of conversation
New conversation -
-
-
In doing so, you're throwing out all privilege boundaries within that host or between other hosts it might forward/nat traffic for, and treating them all as one big trusted blob.
-
Some of these boundaries can be recreated with fancy iptables rules controlling which processes can make connections on which ports, but that's a sloppy, fragile replacement for process memory space isolation, filesystem permissions, etc.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.