funsec mailing list archives
Re: Gartner: IPsec Dead by 2008
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 17 Jan 2006 10:42:30 +0100
* Erik Fichtner:
> At first blush, "Good!" comes to mind. IPsec/IKE is terrifically complicated and is serious overkill when deployed as "The Technology That People Want"(tm); which is to say the traditional many-to-one remote access solution.
It's not overkill, it's just the wrong tool. Traditionally, IPsec at its best provides host-based authentication (in the real world, only a few people use host-to-host IPsec, though). In a typical VPN scenario, you want to grant specific users access to a resource, and not their machine. Various proprietary kludges have been provided to work around this discrepancy (and the result isn't pure IPsec anymore), but it's still there. It's less significant in the off-site laptop case, but in most other scenarios, it's a real bugger.
> IPsec is no good for that remote access. Baking or grafting TUNNEL mode IPsec into every end node was a mistake. TRANSPORT mode IPsec is a great tool for building secure LANs out of.
If you talk to implementers, tunnel mode looks much more viable because it doesn't require the egregious IP stack hacks transport mode needs. Consequentially, tunnel mode is basically dead. And I see more and more people who cheat and use OpenVPN for implementing VPNs -- which also only implements tunnel mode.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
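The transport/tunnel distinction argued over above is easiest to see on the wire. The following is an added illustration, not code from the funsec thread or from any IPsec implementation: it models ESP framing (SPI, sequence number, trailer with pad length and next header, ICV) with a placeholder HMAC-derived keystream so it runs on the standard library alone, in place of the real AEAD. Addresses, the key and the TCP segment are constructed sample values. In transport mode the original IP header stays on the outside, so an on-path observer still sees which two hosts are talking; in tunnel mode the whole inner packet is wrapped and only the gateway addresses are exposed, which is the property a remote-access VPN (and OpenVPN, as noted above) relies on.

```python
"""Simplified model of IPsec ESP transport vs. tunnel mode encapsulation.

Added example; not from the mailing-list thread. The "cipher" below is a
demo keystream derived from HMAC-SHA256 and is NOT real ESP cryptography.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50      # IP protocol number carried in the outer header for ESP
TCP_PROTO = 6
IPV4_PROTO = 4      # ESP "next header" value meaning "an entire IPv4 packet"
ICV_LEN = 16

KEY = b"constructed-demo-key-not-for-real-use"   # constructed, demo only
SEGMENT = b"\x04\xd2\x00\x50constructed tcp segment"  # constructed payload


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero (demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[20:total]}


def keystream(spi, seq, n):
    """Placeholder keystream keyed by (SPI, sequence); stands in for the AEAD."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(KEY, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(spi, seq, next_header, inner):
    """ESP header + encrypted (inner | padding | pad_len | next_header) + ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # align trailer to 4 bytes
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(spi, seq, len(plaintext))))
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(esp):
    """Verify the ICV, strip the trailer, and return (next_header, inner bytes)."""
    spi, seq = struct.unpack("!II", esp[:8])
    ciphertext, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, esp[:8] + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(spi, seq, len(ciphertext))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:-(pad_len + 2)]


def transport_mode(pkt, spi, seq):
    """Keep the original IP header; protect only the transport payload."""
    ip = parse_ipv4(pkt)
    esp = esp_encapsulate(spi, seq, ip["proto"], ip["payload"])
    return ipv4_header(ip["src"], ip["dst"], ESP_PROTO, len(esp)) + esp


def tunnel_mode(pkt, gw_src, gw_dst, spi, seq):
    """Wrap the whole inner packet; the outer header names only the gateways."""
    esp = esp_encapsulate(spi, seq, IPV4_PROTO, pkt)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def on_path_view(pkt):
    """What a passive observer between the endpoints learns without the key."""
    ip = parse_ipv4(pkt)
    spi, seq = struct.unpack("!II", ip["payload"][:8])
    return {"outer_src": ip["src"], "outer_dst": ip["dst"],
            "proto": ip["proto"], "spi": spi, "seq": seq}


def decapsulate(pkt):
    """Receiver side for either mode: returns the original cleartext packet."""
    ip = parse_ipv4(pkt)
    next_header, inner = esp_decapsulate(ip["payload"])
    if next_header == IPV4_PROTO:                 # tunnel mode: inner is a full packet
        return inner
    return ipv4_header(ip["src"], ip["dst"], next_header, len(inner)) + inner


# Constructed sample: host 10.1.1.5 talks to 10.2.2.9 behind gateway 203.0.113.1
ORIGINAL = ipv4_header("10.1.1.5", "10.2.2.9", TCP_PROTO, len(SEGMENT)) + SEGMENT

if __name__ == "__main__":
    print("transport:", on_path_view(transport_mode(ORIGINAL, 0x1000, 1)))
    print("tunnel:   ", on_path_view(tunnel_mode(ORIGINAL, "198.51.100.1", "203.0.113.1", 0x2000, 1)))
```

Running it shows the transport-mode outer header still carrying 10.1.1.5 and 10.2.2.9, while the tunnel-mode packet exposes only 198.51.100.1 and 203.0.113.1 plus the SPI. Transport mode also has to be terminated by the end hosts themselves, which is why it needs the in-stack changes complained about above, whereas tunnel mode can be terminated by a gateway in front of them.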
Current thread:
- Gartner: IPsec Dead by 2008 Fergie (Jan 16)
- Re: Gartner: IPsec Dead by 2008 Dude VanWinkle (Jan 16)
- Re: Gartner: IPsec Dead by 2008 TheGesus (Jan 16)
- Re: Gartner: IPsec Dead by 2008 Florian Weimer (Jan 17)
- Re: Gartner: IPsec Dead by 2008 Anton Chuvakin (Jan 27)
- Re[2]: Gartner: IPsec Dead by 2008 Pierre Vandevenne (Jan 28)
- Re: Gartner: IPsec Dead by 2008 Florian Weimer (Jan 17)
- Re: Gartner: IPsec Dead by 2008 Erik Fichtner (Jan 16)
- Re: Gartner: IPsec Dead by 2008 Florian Weimer (Jan 17)
- Re: Gartner: IPsec Dead by 2008 John Levine (Jan 16)
- RE: Gartner: IPsec Dead by 2008 William Lefkovics (Jan 16)