Re: Network World article on IPSec
This is an important subject; maybe it is better to have the discussion
directly on the mailing list.
CryptoNEWS
In a message dated 9/18/98 8:32:48 AM Pacific Daylight Time, aha@East.Sun.COM
writes:
<< An 8/24/98 article by Ellen Messmer in Network World titled "The
remaking of IPSec" claims that IPSec and IKE are not ready for prime
time, and that productization needs to wait for IPSecond. This is
not the impression I have gotten from talking to vendors and from
following the ipsec mailing list.
Can anyone fill me in on details of some of the following claims
from the article? Please reply directly to me (aha@East.sun.com),
and I will summarize the responses to the list.
1. "The harder IPSec change will be standardizing on an IPSec remote
client. The goal of the IETF meeting is to define a client that
can support IP address changes automatically."
[Anne] To what extent is this a barrier to deployment of the
existing IPSec? Only in NAT environments?
2. "Another difficult item on this week's agenda will be redefining
the core IKE protocol. Security experts recently uncovered a
flaw related to the improper exposure of information."
[Anne] Is this referring to the discussion about exposure of
identities during IKE negotiation in Pre-Shared-Key-Auth Main
Mode? Is this really a barrier to deployment?
3. "And IKE, as it now exists, handles time-expiration of session
keys in a way that could cause one gateway not to understand
another."
[Anne] Is this referring to the use of kbytes-based lifetime
payloads versus seconds-based lifetime payloads? To what extent
is this a barrier to deployment? Does it just cause a delay, or
is it a Big Problem?
--
Anne Anderson Email: aha@east.sun.com
Sun Microsystems Laboratories or: aha@acm.org
2 Elizabeth Drive, UCHL03-205 Tel: (978) 442-0928
Chelmsford, MA 01824 USA Fax: (978) 250-5067
>>