Posted by: Anonymous Coward
on September 29, 2005 12:50 AM
Good grief, man! Are you the author of the IPSec spec? Why are you taking it so personally?
He offered a good paper that may have a flaw or two, but it is still far better than almost anything else on this site and is much more coherent than your post.
You posit that IPSec is already available in every modern OS. While this may technically be true, it is very disingenuous. First off, few people are using IPv6 even if it does come with the OS. Furthermore, those OSes that include IPv4 IPSec implementations are so convoluted and difficult to configure and manage that almost everyone uses a separately installed third-party client for their VPN implementations. It may be possible to natively connect a Windows 2000 system to a Cisco 3000 with the Microsoft IPSec client, but that client sucks so badly that almost everyone will use a SafeNet or Cisco client instead. Let's be honest here before accusing someone else of spreading FUD!
Then of course there is the fact that, regardless of whether the IPSec implementation comes with the OS or not, it must be configured by an administrator. Or are you going to suggest that the typical salesdroid roadwarrior can configure Microsoft's IPSec client themselves, or even Cisco's for that matter? What's IPSec? What's IKE? What's ISAKMP? What's an IP address? What's my password?
You offer up security bulletins for OpenVPN, which are indeed a fact. But they are all denial-of-service issues. None of them are breaches. But IPSec is not without issues either, and with the recently discovered problems with MD5, most IPSec VPNs that are older than 1 year are at risk, though I'll bet you think that everybody went out and bought new kit that could support AES256, no matter how unrealistic.
As for the slowness complaints... All encryption schemes are going to slow things down somewhat, but since 100Mbps wide area and internet connections are still very rare, hardware throughput is still a paper tiger. The real issue with any encryption scheme is not hardware throughput but rather the 50% loss of already limited network bandwidth. Very few people need a VPN server that can push 100Mbps or more. Most people will require VPN hardware throughput to be FAR below 45Mbps.
Obviously you prefer IPSec solutions, so you should continue to use them and just chill. The article is recommending OpenVPN as a more secure solution over SSL VPNs that is still easier to implement than IPSec, and in that respect it is dead on, regardless of your opinion.
Re:Uninformed FUD