From: Alec H. Peterson
Subject: Dynamic Addresses issue
Date: Sun, 18 May 2003 21:35:43 -0600

Greetings,

I'm trying to use CFEngine in an environment where I will have CFEngine clients deployed theoretically anywhere in the IPv4 unicast address space. I was hoping to find a feature where keys on the server could be looked up by the public key, instead of historical IP addresses, but according to my reading of the code and documentation that is not currently implemented.
It doesn't seem that it would be too hard to do, and as such I'm considering just doing it myself, but first I'm curious if anybody thinks there would be a security implication of doing this. The way I see it, trusting the public key is more secure than the current method of just trusting the IP address, since somebody could hijack an IP address in the dynamic range and insert an un-trusted key.
Granted this would add some additional server load, since one would need to load the keys every time, instead of just doing a directory lookup, but that shouldn't be an issue until somebody has thousands of keys.
Thanks for your input.

Alec
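
The two lookup schemes compared in the message above, as an added illustration that is not part of the original message and not CFEngine code. The class names, the SHA-256 index and the first-use acceptance flag are assumptions, the keys are constructed byte strings, and proof of private-key possession is out of scope.

```python
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """Digest used as the lookup index for a public key (assumed: SHA-256)."""
    return hashlib.sha256(pubkey).hexdigest()

class IpKeyedStore:
    """Hypothetical model of address-indexed trust: one stored key per IP."""
    def __init__(self, accept_first_key: bool):
        self.by_ip = {}
        self.accept_first_key = accept_first_key

    def accept(self, ip: str, pubkey: bytes) -> bool:
        known = self.by_ip.get(ip)
        if known is not None:
            return known == pubkey      # address seen before: key must match
        if self.accept_first_key:       # needed if clients change address
            self.by_ip[ip] = pubkey     # whichever key arrives first is stored
            return True
        return False

class FingerprintStore:
    """Hypothetical model of key-indexed trust: the address is not consulted."""
    def __init__(self, enrolled_keys):
        # Built once, so each lookup is a dictionary hit, not a scan of all keys.
        self.by_fp = {fingerprint(k): k for k in enrolled_keys}

    def accept(self, ip: str, pubkey: bytes) -> bool:
        return fingerprint(pubkey) in self.by_fp

# Constructed sample data (documentation address ranges, placeholder keys).
CLIENT_KEY = b"constructed-enrolled-public-key"
UNKNOWN_KEY = b"constructed-unenrolled-public-key"
EVENTS = [
    ("198.51.100.7", CLIENT_KEY),    # enrolled client, first address
    ("203.0.113.40", CLIENT_KEY),    # same client after an address change
    ("203.0.113.41", UNKNOWN_KEY),   # unenrolled key from an unseen address
    ("198.51.100.7", UNKNOWN_KEY),   # unenrolled key from a known address
]

def compare():
    """Return (ip, accepted_by_ip_store, accepted_by_fingerprint_store) rows."""
    ip_store = IpKeyedStore(accept_first_key=True)
    fp_store = FingerprintStore([CLIENT_KEY])
    return [(ip, ip_store.accept(ip, k), fp_store.accept(ip, k)) for ip, k in EVENTS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

With `accept_first_key=False` the address-indexed store rejects the enrolled client as soon as its address changes, which is the roaming case the message describes.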