Re: Bruce Schneier on IPsec
> I don't like this retreat from end-to-end purity either, but it's a
> fact of life. These applications still need security, and it's clear
> that IPSec cannot hope to provide it on a proper end-to-end basis.
> There's just no alternative to application-level security.
>
> IPSec still has a very important role in creating secure virtual
> private networks. But it is going to have to be *substantially*
> simplified if it's going to have a real chance to do this in a way
> that satisfies experts like Schneier. The very last thing we want is
> something we think is secure, but isn't.
>
Concur 101 percent. Should build something simple and secure
without too many features and ensure that DoS attacks are
addressed. Building a very secure tunnel mode first, which
is easily managed, sustainable, and not subject to every
future kiddie script-style hack is 'key'. Suggest a phased
approach which ensures a level playing field for all potential
IPSEC vendors.
-Neo