
Enhancing to "ipcrypt"

Open Sworddragon opened this issue 10 years ago • 3 comments

tcpcrypt is designed to encrypt only TCP connections, so I was thinking: what about going a layer down? Would it be possible to encrypt all network data that is delivered over IP connections, or would this cause technical problems? If tcpcrypt were able to really encrypt all network traffic, this would be a very nice enhancement.

Sworddragon avatar Jul 09 '14 18:07 Sworddragon

For the network layer, there's IPsec as well as some security extensions for IPv6.

On Wed, Jul 9, 2014 at 11:16 AM, Sworddragon [email protected] wrote:

> tcpcrypt is designed to encrypt only TCP connections, so I was thinking: what about going a layer down? Would it be possible to encrypt all network data that is delivered over IP connections, or would this cause technical problems? If tcpcrypt were able to really encrypt all network traffic, this would be a very nice enhancement.

— Reply to this email directly or view it on GitHub https://github.com/sorbo/tcpcrypt/issues/22.

Aseda Gyeke Aboagye

aaboagye avatar Jul 09 '14 20:07 aaboagye

Hm, in this case I'm wondering what the main difference is (except the different layers) between tcpcrypt and IPsec. Does IPsec, after installing/configuring, also automatically encrypt if the other site supports it and fall back to plaintext if not?

Sworddragon avatar Jul 09 '14 22:07 Sworddragon

IPSec fell into the "design by committee" trap: it tries to solve all possible problems for all possible use cases, which makes it so complex and fragile that most security-conscious people recommend avoiding it entirely. There were attempts to make IPSec fully opportunistic, but it turned out to be a failure. And it would have introduced lots of state into a layer that should be stateless.

In this light, tcpcrypt seems like a very reasonable compromise.

intgr avatar Jul 23 '14 13:07 intgr