Re: Interactions between IPSEC and NAT
At 02:39 AM 2/5/98 -0500, Perry E. Metzger wrote:
>Maybe you ought to read the spec. It might answer a lot of your
>questions. Believe it or not, we did know what we were doing.
I have to really question if you knew what you were doing. Go
read Rogaway's cryptographic analysis--have you fixed the issues
he raised? Are you still seriously considering a PK solution for
managing trust? If so, then God help anybody that has to implement
it and get a real customer to use it.
>Your viewpoint is a wee bit unrealistic -- there is, in practice, no
>way to make even a tiny fraction of the routers trusted. It is also
>unneeded -- we know how to provide security in a network where nothing
>except the endpoints need to be trusted.
Unfortunately you have come up with a solution I find cumbersome,
slow, difficult to administer, with an awkward trust model, no
auditing, and no key recovery.
>Might I suggest that you
>study this topic a bit more in depth before commenting further?
You know Perry, not everyone who studies this field goes off and wastes
their time writing RFC's and I-D's. I prefer to apply for patents and sell
them.
- Alex
--
Alex Alten
Andrade@Netcom.Com
P.O. Box 11406
Pleasanton, CA 94588 USA
(510) 417-0159