Re: Bruce Schneier on IPsec



Henry Spencer wrote:

> 
> And where, exactly, are these written up in a form intelligible to non-WG
> observers?  In a fairly strong sense, it does not *MATTER* whether the WG
> has discussed them, if that discussion, its reasoning, and its conclusions
> are not openly and readably documented.  For some protocols, a "trust us,
> this is right" approach is at least defensible; for security protocols, it
> isn't.
>
Archives of this very mailing list, for one, and the published proceedings of
  IETF meetings.  Granted, that doesn't quite fit the bill of being completely
  understandable to the unwashed, but given the process, it's about as good
  as you're going to get.  

Raise your hand if you want to volunteer to write up the minutes of 
  IPSEC meetings in a form suitable for non-participants.  Hmmm, stunning
  silence...
 

> 
> I wouldn't be surprised; in fact, the authors admit as much in some
> places.  But whose fault is that?  The IPSEC spec is better than it used
> to be, but it's still pretty bad.  Most notably, as F&S observe, it is
> glaringly deficient precisely in explaining *why* it does things the way
> it does.  Again, this is a situation which might be tolerable in some
> contexts but is unacceptable in the Internet's central security protocol.
> 
I have to agree with this.  The IKE/DOI/ISAKMP documentation, in particular,
  is quite hard to follow--even for someone who's been involved from the
  beginning.  The more-or-less continuous stream of "how do I interpret this
  section of the IKE documents" questions on this mailing list should be a
  good indicator of how confusing and unclear those documents are.

-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
Systems Security Architect               Phone: (ESN) 393-9145  +1 613 763 9145
Security and Internet Solutions          Fax:   (ESN) 395-1407  +1 613 765 1407
Nortel Networks                          mleech@nortelnetworks.com
-----------------Expressed opinions are my own, not my employer's------