
Re: 10 years and no ubiquitous security



At 10:18 AM 3/18/2002 -0600, Steven M. Bellovin wrote:
>In message <3C93EEA3.28833ABD@greendragon.com>, William Allen Simpson writes:
>>"The Purple Streak (Hilarie Orman)" wrote:
...
>
>But Bill, I'm trying to understand what your point is.  We can't force 
>people to use security.  IPsec is standard in most major business 
>operating systems (Win2K, Solaris, *BSD, etc.) and available for 
>Linux.  There are hardware solutions -- I have a small IPsec box with 
>me in Minneapolis.  But except for VPN scenarios, most people choose 
>not to use it.  I think there's a lesson there, but I fail to see how 
>Steve Kent or any of the other players in the history of IPsec are at 
>all at fault.
>

At last call several years ago I detailed my misgivings about
the design.  However since so many talented people had already put
years of work into it I also wrote that the market must decide its
fate. It seems to have decided, IPsec has settled into a fairly modest
VPN market niche ($200M/yr revenues or so?). It is not turned on by
(or not available on) at least 99% of the Internet hosts.

I guess the $64 question is whither do we go now with IPsec?
1. Do we do significant surgery on it and muddle on?
2. Do we stop working on it and start over with a fresh design?
   (Besides VPN what other pressing problem needs a solution?)
3. Do we give up? (Or at least be satisfied with a VPN only solution.)

I'm a little amazed that IPsec has had as much success as it has had
to date.  I've seen so many other secure IETF protocols die much more
quickly; SNMPSEC, PEM, SHTTP, etc.

- Alex


--

Alex Alten
Alten@ATTBI.com