From: Walter de Donato
To: Srikanth Sundaresan
Cc: bismark-devel@lists.bufferbloat.net
Subject: Re: [Bismark-devel] vpn thoughts
Date: Sat, 28 May 2011 09:07:28 +0200
In-Reply-To: <9D0E918C-6A80-47A1-8CA4-DDACE9E6B426@gatech.edu>

I found the way to keep the current schema more secure.
I did a couple of commits about that.
Now using the ssh key only allows opening remote port redirections (supporting recovery shell notifications) and uploading files to the data folder.
I think that's enough for a quick costless solution.

If dropbear gives the possibility to ignore the server host key we can also support management server migrations.

-Walter

On 28 May 2011 at 07:43, "Srikanth Sundaresan" <srikanth@gatech.edu> wrote:
> This is good stuff. I think it's a good idea to test these out; the current solution is quite elegant, but the security holes are worrisome.
>
> - Srikanth
> On May 28, 2011, at 5:39 AM, Dave Taht wrote:
>
>> I have put my thoughts towards VPNs up on the wiki at:
>>
>> http://www.bufferbloat.net/projects/bismark/wiki/VPN_solutions_under_evaluation
>>
>> Completely outside of the scope of the existing tunneling scheme, I have had multiple requests for a working vpn solution from outside of this project, so I hope to spend a little time next week looking into the problems and alternatives as I catch up on cerowrt and iscwrt.
>>
>> However, if you have any thoughts towards requirements or would be willing to join in a test,
>> please add them to the wiki page.
>>
>> --
>> Dave Täht
>> SKYPE: davetaht
>> US Tel: 1-239-829-5608
>> http://the-edge.blogspot.com
>> _______________________________________________
>> Bismark-devel mailing list
>> Bismark-devel@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/bismark-devel