
Re: Bruce Schneier on IPsec



>I don't understand what the big fuss is about two modes. In my
>implementation the core IPSEC code implements only TRANSPORT MODE! The
>tunnel mode is achieved simply by slapping IP tunnel on a packet and
>THEN applying the transport mode transformation. Seems to work fine
>and is very simple.

Exactly. I could never figure it out either.

I read the Counterpane paper, and I strongly agreed with almost
everything they said. About the only exception was their proposal to
do away with transport mode, which is exactly opposite of what should
be done. As you say, tunnel mode should be eliminated in favor of
standard tunneling techniques (IP in IP, GRE, etc) before the packet
is handed to IPSec.

Their complaints about the extreme complexity of IPSEC really
resonated with me. I've watched the IPSec specifications grow
seemingly without bound or discipline in the 8 years since I held the
BoF in San Diego that led to the IPSec working group. Indeed, the most
important thing that can be done to the IPSec specs now is to go at
them with a meat cleaver, removing all the superfluous modes (e.g.,
AH) and whittling the remainder down to something that is both
implementable and analyzable from a security point of view.

Phil
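The construction in the quoted post (IP-in-IP first, then transport-mode ESP) set beside the specified tunnel mode, as an added example that is not part of the original message: it builds both framings with the Python standard library and checks that they come out byte for byte identical. ESP's encryption and ICV steps are omitted so the layouts can be compared directly; gateway addresses, SPI, sequence number and the inner payload are constructed values.

```python
# Added example, framing only (no encryption, no ICV); addresses, SPI and payload are constructed.
import socket
import struct

IPPROTO_IPIP = 4    # IP-in-IP encapsulation (RFC 2003)
IPPROTO_ESP = 50    # Encapsulating Security Payload

def _fold(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded to 16 bits."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def patch_header(hdr: bytes, proto: int, payload_len: int) -> bytes:
    """Return a 20-byte IPv4 header with protocol, total length and checksum updated."""
    hdr = hdr[:2] + struct.pack("!H", 20 + payload_len) + hdr[4:9] + bytes([proto]) + b"\0\0" + hdr[12:]
    return hdr[:10] + struct.pack("!H", (~_fold(hdr)) & 0xFFFF) + hdr[12:]

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal header, no options: version/IHL 0x45, TTL 64, no fragmentation."""
    return patch_header(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 0, 0, src, dst), proto, payload_len)

def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP framing: SPI, sequence, payload, padding to a 4-byte boundary, pad length, next header."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # RFC 2406 default padding 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])

def ip_in_ip(inner: bytes, src: bytes, dst: bytes) -> bytes:
    """Plain IP-in-IP tunnel: a new outer header carrying the whole inner packet."""
    return ipv4_header(src, dst, IPPROTO_IPIP, len(inner)) + inner

def esp_transport(pkt: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: keep the packet's own header, protect only what follows it."""
    body = esp_encapsulate(pkt[20:], pkt[9], spi, seq)
    return patch_header(pkt[:20], IPPROTO_ESP, len(body)) + body

def esp_tunnel(inner: bytes, src: bytes, dst: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode as specified: new outer header, entire inner packet protected."""
    body = esp_encapsulate(inner, IPPROTO_IPIP, spi, seq)
    return ipv4_header(src, dst, IPPROTO_ESP, len(body)) + body

# Constructed sample: a 25-byte inner packet (proto 17, opaque payload) tunnelled between two gateways.
INNER = ipv4_header(socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"), 17, 5) + b"hello"
GW_A, GW_B = socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.1")

def modes_agree(spi: int = 0x100, seq: int = 1) -> bool:
    """True when IP-in-IP + transport mode yields exactly the tunnel-mode wire format."""
    return esp_transport(ip_in_ip(INNER, GW_A, GW_B), spi, seq) == esp_tunnel(INNER, GW_A, GW_B, spi, seq)
```

Because the two outputs are identical on the wire, a peer cannot tell which construction produced the packet, which is what lets an implementation support only transport mode.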

