Re: Position statement on IKE development
At 03:20 PM 8/3/2001, Alex Alten wrote:
>Unfortunately what you and I think probably doesn't matter. What matters
>is that end user customers will hear that IPsec's IKE is broken, and they
>will then ask themselves the question, is all of IPsec also broken? It's
>anyone's guess as to how this will play out in the VPN markets, etc.
It's not as if VPN customers have a well-recognized alternative with a less
tarnished reputation. If anything, this simply illustrates how much
pioneering work has gone into IKE.
>My own personal question is why the IPsec working group did not have a
>thorough cryptanalysis done by professionals, say by an outfit like ISSI,
>before the standards were issued?
Some weaknesses emerge only after you've actually built and deployed a
protocol. Such flaws may be in the implementation, but some may be faulty
assumptions about how the protocol will work in a practical deployment.
It's especially hard to predict problems when the protocol is the
foundation of a fairly new class of products, like VPN gateways, since
there's not enough well-known prior art to base the analytical models on.
Rick.
smith@securecomputing.com