Subject: Re: RFC: Large dynamic CIPE VPN (2nd posting)
From: Christian Lademann <cal,AT,zls,DOT,de>
Date: Sun, 22 Oct 2000 12:21:45 +0200
In-reply-to: <39F1DA7F.DB8DBCD4@zls.de>

Martijn van Oosterhout wrote:

> There is one thing that may make your job a little easier. In the server
> config, if you specify the remote peer as, it will accept any
> connection that has the right static key. So the server config file
> would not need to contain the address of the client machine.

That is true. But as the cipic-server knows the ip-address of the client,
it can as well use that information to add a little extra security. On the
other hand it also gives the possibility to dynamically reconfigure the
firewall to accept the specific udp-port only from THAT client-address.

> Now, depending on what your security requirements are, you may be able to
> keep a static mapping between port numbers and server keys, so then you
> would never need to modify the server config file at all. Or maybe just
> rewrite them all just once per day.

If configuration information is changed at all, that means it has to be
propagated to the clients. So why not exchange the complete information
every time?
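The firewall idea raised above, as an added example that is not code from the CIPE project or from either poster: once a peer has proven it holds the right static key, the server-side daemon opens its UDP port only for that peer's source address and closes it again when the peer goes away. The listen port, the chain name and the use of iptables are assumptions; rules are built as argv lists so they can be inspected (and tested) without being executed.

```python
"""Per-peer firewall rules for a VPN server whose UDP port should only be
reachable from peers that have already authenticated.  Added example; the
port, chain and iptables binary are placeholders, not CIPE's real values."""
import ipaddress
import subprocess

VPN_UDP_PORT = 6789        # assumed listen port (placeholder)
CHAIN = "VPN-PEERS"        # assumed dedicated filter chain (placeholder)
IPTABLES = "iptables"      # assumed path/name of the firewall tool


def allow_rule(peer_ip, action="-A"):
    """Build an iptables rule admitting VPN_UDP_PORT only from peer_ip.

    action is "-A" (append) or "-D" (delete).  The address is parsed with
    the ipaddress module so a malformed or unusable value taken from the
    connection record can never be spliced into a firewall command."""
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A or -D")
    addr = ipaddress.ip_address(peer_ip)          # ValueError on garbage
    if addr.version != 4:
        raise ValueError("IPv4 peer expected for iptables")
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        raise ValueError("refusing to open the port to %s" % addr)
    return [IPTABLES, action, CHAIN,
            "-p", "udp", "-s", str(addr),
            "--dport", str(VPN_UDP_PORT), "-j", "ACCEPT"]


class PeerFirewall:
    """Track which peer addresses currently hold an ACCEPT rule.

    With dry_run=True (the default) commands are only recorded in .log,
    which is what the assertions below inspect; dry_run=False runs them."""

    def __init__(self, dry_run=True):
        self.dry_run = dry_run
        self.open_peers = set()
        self.log = []

    def _run(self, argv):
        self.log.append(argv)
        if not self.dry_run:
            subprocess.run(argv, check=True)

    def peer_up(self, peer_ip):
        """Call after the key exchange succeeded.  Returns True if a new
        rule was added, False if this peer was already admitted."""
        rule = allow_rule(peer_ip, "-A")
        addr = rule[6]                      # canonical string form
        if addr in self.open_peers:
            return False
        self._run(rule)
        self.open_peers.add(addr)
        return True

    def peer_down(self, peer_ip):
        """Call when the peer disconnects or its key is rotated.  Returns
        True if a rule was removed."""
        rule = allow_rule(peer_ip, "-D")
        addr = rule[6]
        if addr not in self.open_peers:
            return False
        self._run(rule)
        self.open_peers.discard(addr)
        return True


if __name__ == "__main__":
    fw = PeerFirewall(dry_run=True)
    fw.peer_up("192.0.2.10")       # constructed documentation address
    fw.peer_down("192.0.2.10")
    for argv in fw.log:
        print(" ".join(argv))
```

Because the rule is keyed on the address the server actually saw the authenticated packets come from, a key-holder connecting from somewhere else has to complete the key exchange again before the port opens for the new address, which is the "little extra security" the reply refers to.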

