[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bruce Schneier on IPsec
In message <Pine.BSI.3.91.1000119203938.18717S-100000@spsystems.net>, Henry Spe
ncer writes:
>
>> And it is my humble opinion, that the authors don't fully understand the
>> protocol, nor indeed some of the special challenges of networking...
>
>I wouldn't be surprised; in fact, the authors admit as much in some
>places. But whose fault is that? The IPSEC spec is better than it used
>to be, but it's still pretty bad. Most notably, as F&S observe, it is
>glaringly deficient precisely in explaining *why* it does things the way
>it does. Again, this is a situation which might be tolerable in some
>contexts but is unacceptable in the Internet's central security protocol.
Many of their comments aren't new. I've been arguing against AH for years,
for example. (The WG didn't agree with me, so I haven't pursued the
question.) Similarly, lots of people complained about the complexity of
ISAKMP way back when. For reasons that are too painful to dredge up, it
became the only choice. Those two points are, perhaps, a result of the
consensus process that Ferguson and Schneier have criticized.
On the other hand, the distinction between transport mode and tunnel mode is a
vital matter of network architecture, and I don't think that that was properly
understood by the authors. (I sent a long note to them on this topic quite
some time ago.) I'm quite convinced that we made the right choice there, and
see no reason to revisit it.
The really interesting issue is whether or not we should revisit IKE. In one
sense, I'd hate to -- it's taken a long time to get to this level of
implementation and interoperability. On the other hand, at the very least the
documents, and perhaps the protocol, are quite hard to understand -- just read
the mailing list to see where there are differences in interpretation,
questions about meaning, etc. IKE may or may not be necessary, sufficient,
and correct -- but it's awfully hard to comprehend.
--Steve Bellovin
Follow-Ups: