Re: Bruce Schneier on IPsec
> fyi,
>
> http://www.counterpane.com/ipsec.pdf
> http://www.counterpane.com/ipsec.ps.zip
Snippets aside, the paper raises a lot of important questions, and it
would be worthwhile to step back from the details of IPsec to talk
about them.
The paper includes political, technical, and expository challenges to
the current IPsec. I'll give a sample of each:
1. Political: Would we get better results with a process modeled on
the NIST AES competition, rather than the current IETF committee
process?
2. Technical: Could the protocols be simplified greatly without
undermining their usefulness? For instance,
- could transport mode be eliminated?
- could AH be scrapped in favor of ESP with authentication?
- could ISAKMP and IKE be significantly simplified, sharpened,
and disentangled from each other?
3. Expository: Where is it explained what the overall security goals
of the IPsec enterprise are, and how all the ingredients fit
together to meet those security goals?
It may be that the authors are ill-informed or misinformed or
misguided in some of their comments. But that could also be a good
reason to discuss the paper here!
By the way: The paper has in fact two authors, Niels Ferguson and
Bruce Schneier.
Joshua
--
Joshua D. Guttman <guttman@mitre.org>
MITRE, Mail Stop A150
202 Burlington Rd.
Bedford, MA 01730-1420 USA
Tel: +1 781 271 2654
Fax: +1 781 271 3816