funsec mailing list archives

Re: Gartner: IPsec Dead by 2008


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 17 Jan 2006 10:42:30 +0100

* Erik Fichtner:

> At first blush, "Good!" comes to mind.  IPsec/IKE is terrifically
> complicated and is serious overkill when deployed as "The Technology
> That People Want"(tm); which is to say the traditional many-to-one
> remote access solution.

It's not overkill, it's just the wrong tool.  Traditionally, IPsec at
its best provides host-based authentication (in the real world, only
few people use host-to-host IPsec, though).  In a typical VPN
scenario, you want to grant specific users access to a resource, and
not their machine.  Various proprietary kludges have been provided to
work around this discrepancy (and the result isn't the pure IPsec
anymore), but it's still there.  It's less significant in the off-site
laptop case, but in most other scenarios, it's a real bugger.

> IPsec is no good for that remote access.  Baking or grafting TUNNEL mode
> IPsec into every end node was a mistake.  TRANSPORT mode IPsec is a great
> tool for building secure LANs out of.

If you talk to implementers, tunnel mode looks much more viable
because it doesn't require the egregious IP stack hacks transport mode
needs.  Consequentially, tunnel mode is basically dead.

And I see more and more people who cheat and use OpenVPN for
implementing VPNs -- which also only implements tunnel mode.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
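The transport-versus-tunnel distinction argued over in this thread comes down to which bytes ESP actually integrity-protects. The following example is added here and is not code from the thread or from any IPsec implementation: it builds ESP packets (RFC 4303 layout) with NULL encryption (RFC 2410) and HMAC-SHA-256-128 (RFC 4868) over toy 20-byte IPv4 headers, then checks which header fields a modification would invalidate. The key, addresses and TCP segment are constructed sample values; checksums and anti-replay handling are omitted.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IPv4 protocol number for ESP
IPIP_PROTO = 4   # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
TCP_PROTO = 6    # ESP next-header value for a bare TCP segment (transport mode)
ICV_LEN = 16     # HMAC-SHA-256-128 truncates the tag to 128 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal IPv4 header without a checksum; a toy for layout only, not a real stack.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, ttl, proto, 0, src, dst)


def esp_encapsulate(spi, seq, payload, next_header, key):
    """ESP-NULL: SPI | seq | payload | padding | pad_len | next_header | ICV.

    The ICV covers everything from the SPI to the next-header byte, so the
    IP header carrying the ESP packet is never integrity protected.
    """
    pad_len = (-(len(payload) + 2)) % 4            # trailer must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default pad pattern
    authenticated = (struct.pack("!II", spi, seq) + payload
                     + padding + bytes([pad_len, next_header]))
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(esp, key):
    """Verify the ICV and strip ESP framing; returns (spi, seq, next_header, payload)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    return spi, seq, next_header, authenticated[8:-(2 + pad_len)]


def transport_mode(src, dst, tcp_segment, spi, seq, key):
    # End host protects its own transport payload; its IP header stays in the clear and unprotected.
    esp = esp_encapsulate(spi, seq, tcp_segment, TCP_PROTO, key)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_packet, spi, seq, key):
    # Gateway wraps the whole inner IP packet; the inner header is now inside the protected payload.
    esp = esp_encapsulate(spi, seq, inner_packet, IPIP_PROTO, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def icv_protects(packet, offset, length, key):
    """True if altering packet[offset:offset+length] of an ESP-in-IPv4 packet breaks the ICV."""
    mutated = bytearray(packet)
    for i in range(offset, offset + length):
        mutated[i] ^= 0xFF
    try:
        esp_decapsulate(bytes(mutated[20:]), key)
        return False
    except ValueError:
        return True


# Constructed sample values: a 20-byte TCP header (ports 1234 -> 80), two hosts, two gateways.
KEY = b"constructed-sample-key-32-bytes!"
TCP_SEGMENT = b"\x04\xd2\x00\x50" + bytes(16)
HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])

TRANSPORT_PKT = transport_mode(HOST_A, HOST_B, TCP_SEGMENT, 0x1000, 1, KEY)
INNER_PKT = ipv4_header(HOST_A, HOST_B, TCP_PROTO, len(TCP_SEGMENT)) + TCP_SEGMENT
TUNNEL_PKT = tunnel_mode(GW_A, GW_B, INNER_PKT, 0x2000, 1, KEY)

if __name__ == "__main__":
    # Outer destination address sits at offset 16 in both packets; the inner one at 20 + 8 + 16.
    print("transport: outer dst protected?", icv_protects(TRANSPORT_PKT, 16, 4, KEY))
    print("tunnel:    outer dst protected?", icv_protects(TUNNEL_PKT, 16, 4, KEY))
    print("tunnel:    inner dst protected?", icv_protects(TUNNEL_PKT, 44, 4, KEY))
```

Running it shows the point behind "secure LANs out of transport mode": in either mode the outer IP header can be rewritten without tripping the ICV, so transport mode binds integrity only to the transport payload, whereas tunnel mode also binds the original addresses by carrying the inner header inside the authenticated payload. That is also why transport mode has to be wired into the host's own IP stack, while tunnel mode can live in a separate box or a user-space daemon.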