
Re: Bruce Schneier on IPsec




>>>>> "Phil" == Phil Karn <karn@ka9q.ampr.org> writes:
    >> I don't understand what the big fuss is about two modes. In my
    >> implementation the core IPSEC code implements only TRANSPORT MODE! The
    >> tunnel mode is achieved simply by slapping IP tunnel on a packet and
    >> THEN applying the transport mode transformation. Seems to work fine
    >> and is very simple.

    Phil> Exactly. I could never figure it out either.

    Phil> I read the Counterpane paper, and I strongly agreed with almost
    Phil> everything they said. About the only exception was their proposal
    Phil> to do away with transport mode, which is exactly opposite of what
    Phil> should be done. As you say, tunnel mode should be eliminated in
    Phil> favor of standard tunneling techniques (IP in IP, GRE, etc) before
    Phil> the packet is handed to IPSec.

  I must agree strongly.
  However, the definitions of the various tunnel techniques do not have 
security in mind. Tunnel entry and exit conditions are important.

    Phil> Their complaints about the extreme complexity of IPSEC really
    Phil> resonated with me. I've watched the IPSec specifications grow
    Phil> seemingly without bound or discipline in the 8 years since I held

  Frankly, one reason is that doing everything right is complicated. I
tend to favour specifying the minimum, and then letting people like l0pht.com
determine which vendors understood the problem and which vendors implemented
literally only what the spec said they had to.
  Others felt that unless the spec said "do X" there was very little chance
that they'd ever see a product that "did X".

    Phil> the BoF in San Diego that led to the IPSec working group. Indeed,
    Phil> the most important thing that can be done to the IPSec specs now is
    Phil> to go at them with a meat cleaver, removing all the superfluous

  You are probably right. I think this should be done in the form of BCPs.
There are a number of things that we built in that just aren't needed
*today*. But I think we will find that people use them as soon as the
products start shipping with IPsec standard. The export regulations
relaxation, and projects like FreeS/WAN and KAME will get IPsec into people's
basements, and those people will start discovering which features are
frequently used, and which turn out to be a loss.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com
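The construction the thread argues for, with "tunnel mode" built as plain IP-in-IP encapsulation followed by a transport-mode ESP transform, and the tunnel entry and exit conditions Michael says matter, as an added example that is not part of this message or of the KA9Q, FreeS/WAN or KAME code. The ESP here is deliberately simplified (NULL cipher, HMAC-SHA256-96 ICV, no anti-replay window) and the IPv4 headers carry no checksum or options; the key, SPI, addresses and the 10.1.0.0/16 selector are constructed for the demo.

```python
"""Added example: IPsec tunnel mode composed from IP-in-IP + transport-mode ESP,
with security checks at tunnel exit. Not code from the thread or from KA9Q,
FreeS/WAN or KAME. Simplified ESP: NULL cipher, HMAC-SHA256-96 ICV, no
anti-replay window, IPv4 headers without checksums or options."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4   # IP-in-IP (RFC 2003)
IPPROTO_ESP = 50
ICV_LEN = 12

# Constructed demo parameters (assumptions, not from the thread).
KEY = bytes.fromhex("0f" * 32)
SPI = 0x1000
INNER_NET = ipaddress.ip_network("10.1.0.0/16")   # selector negotiated for this SA


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero since it is not the point."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def set_proto_and_len(ip_hdr, proto, payload_len):
    """Return ip_hdr with the protocol and total-length fields replaced."""
    return ip_hdr[:2] + struct.pack("!H", 20 + payload_len) + ip_hdr[4:9] + bytes([proto]) + ip_hdr[10:]


def ip_in_ip(inner, outer_src, outer_dst):
    """Plain IP-in-IP tunnel entry: prepend an outer header carrying protocol 4."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def esp_transport(packet, spi, seq, key):
    """Transport-mode ESP: keep the IP header, protect everything after it."""
    ip_hdr, payload = packet[:20], packet[20:]
    pad_len = (-(len(payload) + 2)) % 4          # align payload + 2-byte trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, ip_hdr[9]])  # next header = old proto
    esp = struct.pack("!II", spi, seq) + payload + trailer
    esp += hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return set_proto_and_len(ip_hdr, IPPROTO_ESP, len(esp)) + esp


def esp_transport_decap(packet, key, expected_spi):
    """Verify and strip transport-mode ESP, restoring the original protocol field."""
    ip_hdr, esp = packet[:20], packet[20:]
    if ip_hdr[9] != IPPROTO_ESP or len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("not a well-formed ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("bad ICV")              # verified before anything else is parsed
    spi, _seq = struct.unpack("!II", body[:8])
    if spi != expected_spi:
        raise ValueError("unknown SPI")
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return set_proto_and_len(ip_hdr, next_header, len(payload)) + payload


def tunnel_exit(packet, allowed_inner_src):
    """IP-in-IP tunnel exit with the conditions a security-aware tunnel needs:
    a real inner IPv4 packet, consistent lengths, and an inner source that
    matches the SA's selector, so the peer cannot inject spoofed addresses."""
    if packet[9] != IPPROTO_IPIP:
        raise ValueError("not IP-in-IP")
    inner = packet[20:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    if struct.unpack("!H", inner[2:4])[0] != len(inner):
        raise ValueError("inner length mismatch")
    inner_src = ipaddress.IPv4Address(inner[12:16])
    if inner_src not in allowed_inner_src:
        raise ValueError(f"inner source {inner_src} outside SA selector {allowed_inner_src}")
    return inner


def tunnel_mode_via_transport(inner, outer_src, outer_dst, spi, seq, key):
    """'Tunnel mode' as the thread proposes: tunnel first, then transport-mode ESP."""
    return esp_transport(ip_in_ip(inner, outer_src, outer_dst), spi, seq, key)


def receive(packet, key, spi, allowed_inner_src):
    return tunnel_exit(esp_transport_decap(packet, key, spi), allowed_inner_src)


def exit_error(packet, key, spi, allowed_inner_src):
    """Rejection reason for a received packet, or None if it was accepted."""
    try:
        receive(packet, key, spi, allowed_inner_src)
        return None
    except ValueError as e:
        return str(e)


def demo():
    """Constructed inner packet (proto 17, 5-byte payload) sent through the tunnel."""
    inner = ipv4_header("10.1.0.7", "10.2.0.9", 17, 5) + b"hello"
    wire = tunnel_mode_via_transport(inner, "198.51.100.1", "203.0.113.2", SPI, 1, KEY)
    return inner, wire
```

The wire format that comes out is the familiar one (outer IP, protocol 50, ESP, next header 4, inner IP), so nothing about the ESP code needs to know that a tunnel exists. The security lives at the tunnel exit: the selector check in `tunnel_exit` is what stops a peer from pushing packets with arbitrary inner source addresses behind the gateway, and a real implementation would add an anti-replay window on the ESP sequence number and the other checks RFC 2003 lists for IP-in-IP decapsulation.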
