Date: Wed, 22 Aug 2001 06:25:43 +0200
From: Werner Almesberger
To: bert hubert
Cc: netdev@oss.sgi.com
Subject: Re: Simple Packet Signing
Message-ID: <20010822062543.E27708@almesberger.net>
In-Reply-To: <20010821180553.A21415@fork.powerdns.com>

bert hubert wrote:
> For more rationale, see the URL. I would very much appreciate your input. Is
> this a wise idea? Are there better ways to achieve this, are people already
> working on this (besides IPSEC)? etc etc.

You can set up SSH such that it only looks at a key, not at the IP
address (well, it looks at it briefly, but looks away if it doesn't
like what it sees).

You can either just copy the public host key of your dynamic systems
to $HOME/.ssh/authorized_keys on your server (if you trust every user
on those dynamic systems), or - better - generate new keys for all
trusted users on those dynamic hosts with ssh-keygen and use it with
ssh -i.

If you want, you can then also run PPP over SSH to build your own
little VPN.

- Werner

-- 
  _________________________________________________________________________
 / Werner Almesberger, Lausanne, CH                    wa@almesberger.net /
/_http://icawww.epfl.ch/almesberger/_____________________________________/
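
The per-user key setup described above, as an added example that is not part of the original message: one function creates a dedicated key pair for a trusted user on a dynamic host, the other installs the public half in the server-side authorized_keys. The user name "alice", the comment "dynamic-host", the host "server.example" and the ed25519 key type are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Names (alice, dynamic-host, server.example) are placeholders.

# make_user_key DIR USER PASSPHRASE
# Create one key pair per trusted user, so access can later be revoked per
# user instead of per host. Prints the private key path on success.
make_user_key() {
    dir=$1; user=$2; pass=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    key="$dir/id_${user}"
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi
    # -N sets the passphrase that protects the private key at rest.
    ssh-keygen -q -t ed25519 -N "$pass" -C "${user}@dynamic-host" \
        -f "$key" || return 1
    echo "$key"
}

# install_pubkey PUBFILE AUTHFILE
# Append the public key to authorized_keys exactly once, with the
# owner-only permissions that sshd's StrictModes check requires.
install_pubkey() {
    pub=$1; auth=$2
    authdir=$(dirname "$auth")
    mkdir -p "$authdir" && chmod 700 "$authdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x whole line, -F fixed string: a rerun does not duplicate the entry.
    grep -qxF "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# On the dynamic host, the user then connects with the dedicated key:
#   ssh -i "$HOME/.ssh/id_alice" alice@server.example
# The server authenticates the key; the client's current IP is irrelevant.
```

Because the source address is no longer part of the decision, the private key is the only credential: keep it passphrase-protected and remove its line from authorized_keys when a user's access ends.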