
Re: Bruce Schneier on IPsec



> I don't like this retreat from end-to-end purity either, but it's a
> fact of life. These applications still need security, and it's clear
> that IPSec cannot hope to provide it on a proper end-to-end basis.
> There's just no alternative to application-level security.
> 
> IPSec still has a very important role in creating secure virtual
> private networks.  But it is going to have to be *substantially*
> simplified if it's going to have a real chance to do this in a way
> that satisfies experts like Schneier. The very last thing we want is
> something we think is secure, but isn't.
> 

Concur 101 percent.  Should build something simple and secure
without too many features and ensure that DoS attacks are
addressed.  Building a very secure tunnel mode first, which
is easily managed, sustainable, and not subject to every
future script-kiddie-style hack is 'key'.  Suggest a phased
approach which ensures a level playing field for all potential
IPSEC vendors.

-Neo


