
Re: RESEND: Thoughts on identity attacks



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Khaja" == Khaja E Ahmed <khaja.ahmed@attbi.com> writes:
    Khaja> My recommendation is quite simple:  Do not add any feature or capability to
    Khaja> the protocol (or indeed any protocol or product for that matter) unless
    Khaja> there is substantial reason to believe that it serves a useful purpose and
    Khaja> will be used.

  okay, but please define "substantial".
  If your definition is equal to "popular" then we should be running PPTP.

    Khaja> What will be of great help is for you, Paul or someone else to cite
    Khaja> sources/information that makes a case for putting this feature in.  The

  IPsec is a technology. It is not a solution.

  This is why I suggest that if you think that identity protection is
unnecessary for your application, that you write a BCP on applying IPsec to
solve your problem. I'm very serious here - take an appropriate subset of
IPsec useful to VPN vendors, write *that* down.

  IPsec is NOT "network layer encryption". It is strong security features for IP.

    Khaja> By the way, it is probably not productive to exhume that old battle where
    Khaja> RFC writers/editors/contributors blame implementers for doing a
    Khaja> sloppy/mercenary job and implementers blaming RFC writers for producing
    Khaja> ambiguous, impractical and over-engineered standards.  Mistakes can be and are
    Khaja> made on both sides.  Please, let us not go there.

  ah, but if the real culprit for making IKE complex is in fact the
certificate problems, then it seems unfair to demand that IKE get simpler
when it is in fact dealing with certificates that make it hard.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPGK2M4qHRg3pndX9AQEKqAP8Cp2bpUAscCd11tLcxWo0JegW5h0dwPuf
f8TAxtmo5wItTdpLuT2pD7U6vHCIEKtsS6K9uBkq23ZVu7IN+F7LhCLVX3VoiTQH
2BXIcRe3yuFquARmpvM768tS+b0PgcH30onFPCNhqS3+7EpnYvJ5H9eW5Y3XqcmF
ArtHzLmtxeo=
=SK2g
-----END PGP SIGNATURE-----