
Re: Last Call: Security Architecture for the Internet Protocol to




P.S.  In any case, since the hoped-for standards are to be mandatory, it
seems a simple matter of public responsibility that they be subjected to a
meaningful and practical test. This seems preferable to any attempt at
proof by inspection.


On Tue, 7 Apr 1998, Steve Bellovin wrote:
> 	 
> 	 On Fri, 27 Mar 1998, Scott G. Kelly wrote:
> 	 > 
> 	 > IPSEC as currently spec'd is SSSSEEEECCCCUUURRRREEE.
> 	 > 
> 	 
> 	   Has this been established?  It seems doubtful in view of
> 	   (i) its complexity, and (ii) its explicit support for gateways
> 	   and "trusted networks".
> 	 
> 	   Let's construct a set of ten targets and award a cash prize to the
> 	   first ten hackers to break three of them.
> 
> The weaknesses that have been found thus far -- and the ones I fear in
> IKE -- have been in the cryptographic protocols.  I've never yet seen
> a hacker attack one of those -- it's an arcane skill, and difficult
> for even the best cryptographers.
> 
> However -- cryptography is not equivalent to security.  An ipsec channel
> between a hacker and, say, an old version of sendmail will not protect
> you.
> 


