[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Windows 2000 and Cicsco router interoperability
On Wed, 24 May 2000, Scott G. Kelly wrote:
> Glen Zorn wrote:
>
> <trimmed...>
>
> > Henry Spencer wrote:
> >
> > > Granted, if security isn't important to the customer, their security is
> > > likely to be weak. But careful design by specifiers and suppliers can
> > > have a big effect on *how* weak it is, both by avoiding gratuitous holes
> > > and by influencing customer behavior in the right direction. Such
> > > measures can considerably improve the odds that a cracker will pick on
> > > somebody else. (Flu vaccination will not guarantee that you don't get the
> > > flu, but it considerably improves the odds of getting only a mild case.)
> >
> > To continue your medical analogy (though I'm not sure how appropriate it
> > is), if flu shots were as painful as rabies treatment, how many people would
> > just take their chances w/the flu? My point here is that the entire purpose
> > of xuth/mode config/etc. seems to be to create precisely the functionality
> > already present in PPP (and by extension, L2TP).
> >
>
> Actually, I think the entire point of the various user auth proposals
> are to create the minimal necessary and sufficient *subset* of the
> functionality present in ppp and l2tp in order to enable secure remote
> access.
>
However, experience has shown, that when you trim down and think you can
offer the trimmed down version to customers, they usually say: Cool. This is
great. Can it also do <foo>? Where foo is usually something that your concept
was precisely designed NOT to do...
Trimming down, in my opinion, is a bad choice, if you already have a
mechanism that does the superset. People invariably will want all features
of the superset in the subset (which by definition means you've just
reinvented the superset).
jan
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
Follow-Ups:
References: