
Re: Position statement on IKE development



At 03:20 PM 8/3/2001, Alex Alten wrote:

>Unfortunately what you and I think probably doesn't matter.  What matters
>is that end user customers will hear that IPsec's IKE is broken, and they
>will then ask themselves the question, is all of IPsec also broken?  It's
>anyone's guess as to how this will play out in the VPN markets, etc.

It's not as if VPN customers have a well-recognized alternative with a less 
tarnished reputation. If anything, this simply illustrates how much 
pioneering work has gone into IKE.

>My own personal question is why the IPsec working group did not have a
>thorough cryptanalysis done by professionals, say by an outfit like ISSI,
>before the standards were issued?

Some weaknesses emerge only after you've actually built and deployed a 
protocol. Such flaws may be in the implementation, but some may be faulty 
assumptions about how the protocol will work in a practical deployment. 
It's especially hard to predict problems when the protocol is the 
foundation of a fairly new class of products, like VPN gateways, since 
there's not enough well-known prior art to base the analytical models on.

Rick.
smith@securecomputing.com


