Re: Bruce Schneier on IPsec



"Joshua D. Guttman" wrote:
> 
> >  fyi,
> >
> >  http://www.counterpane.com/ipsec.pdf
> >  http://www.counterpane.com/ipsec.ps.zip
> 
> Snippets aside, the paper raises a lot of important questions, and it
> would be worthwhile to step back from the details of IPsec to talk
> about them.
> 
> The paper includes political, technical, and expository challenges to
> the current IPsec.  I'll give a sample of each:
> 
> 1.  Political:  Would we get better results with a process modeled on
>     the NIST AES competition, rather than the current IETF committee
>     process?
> 
> 2.  Technical:  Could the protocols be simplified greatly without
>     undermining their usefulness?  For instance,
> 
>     -  could transport mode be eliminated?
>     -  could AH be scrapped in favor of ESP with authentication?
>     -  could ISAKMP and IKE be significantly simplified, sharpened,
>        and disentangled from each other?

If you're going that far, why not cut it down further? Dump manual
mode, aggressive mode, rekeying without PFS, ... All you really need
are automatically keyed PFS connections.

Of course, dump DES as Schneier and Ferguson also recommend.

Then the next question is whether we can cut down the SPD and the
assortment of authentication mechanisms to something simple and clean.

> 3.  Expository:  Where is it explained what the overall security goals
>     of the IPsec enterprise are, and how all the ingredients fit
>     together to meet those security goals?
> 
> It may be that the authors are ill-informed or misinformed or
> misguided in some of their comments.  But that could also be a good
> reason to discuss the paper here!
> 
> By the way:  The paper has in fact two authors, Niels Ferguson and
> Bruce Schneier.
> 
>         Joshua
> 
> --
>         Joshua D. Guttman               <guttman@mitre.org>
>         MITRE, Mail Stop A150
>         202 Burlington Rd.              Tel:    +1 781 271 2654
>         Bedford, MA 01730-1420 USA      Fax:    +1 781 271 3816
