funsec mailing list archives

Re: Gartner: IPsec Dead by 2008


From: Erik Fichtner <emf () nfr net>
Date: Mon, 16 Jan 2006 15:13:10 -0500

Fergie wrote:
Huh. That's news to me. :-)

I'd be curious to hear what others think about this...

At first blush, "Good!" comes to mind.  IPsec/IKE is terrifically
complicated and is serious overkill when deployed as "The Technology
That People Want"(tm); which is to say the traditional many-to-one
remote access solution.  SSL-"VPN"s are filling telnet's shoes--
shoes that telnet took away from RS232 technologies (terminals, modems,
teletypes, oh my.)

IPsec is no good for that remote access.  Baking or grafting TUNNEL mode
IPsec into every end node was a mistake.  TRANSPORT mode IPsec is a great
tool for building secure LANs out of.  TUNNEL IPsec is a great tool for
connecting sites together.  Most of "us" don't have that kind of network,
though.[1]  At my previous job, we were phasing out IPsec towards SSL when
I left.[2]  I'm using an SSL connection right now.  From my POV, Gartner's
predicting the past.

Gartner's no good with forecasting dates, though, so I'd pad it to 2010,
since there are still sites that have managed to flog IPsec/IKE TUNNEL
into just barely working as long as they don't poke it too often, and
as those break down, they tend to convert to easier answers; SSL-blick.

Network admins will still use IPsec, as it's the best tool for their job.




[1] I've got a small experimental net at the house that requires transport
IPsec to pass packets from node to node.  IPsec interoperability falls
somewhere between "Sucks" and "Doesn't".  ;-)  I can't imagine trying to
do that in a real production environment.

[2] niche-market hosting provider.

-- 
Erik Fichtner
NFR Rapid Response Team
