
Re: 10 years and no ubiquitous security

2002-03-18 14:20:02

But Bill, I'm trying to understand what your point is.  We can't force 
people to use security.  IPsec is standard in most major business 
operating systems (Win2K, Solaris, *BSD, etc.) and available for 
Linux.  There are hardware solutions -- I have a small IPsec box with 
me in Minneapolis.  But except for VPN scenarios, most people choose 
not to use it.  I think there's a lesson there, but I fail to see how 
Steve Kent or any of the other players in the history of IPsec are at 
all at fault.  

              --Steve Bellovin, http://www.research.att.com/~smb

I would like to comment on the other issue in this paragraph, about why
IPSEC deployment might lack vigour.

I set up VPN over IPSEC on a national academic network with 40mbit backbone
and 10/100 mbit site linkspeeds. The best end-to-end performance I could get
was 2mbit rising to 3-4 burst, and I was flooded by fragmented IP.

Stuff like pMTU end-to-end is absolutely vital to make non-aware clients
and servers cope with encapsulated protocols.

I have also played with the client side code, and found that UDP protocols
like Windows SMB do not work well on noisy/long-delay links. This repeats
the experience of encapsulated LAT some of us ex-DECheads remember: you
can't fix bad protocol experiences by wrapping them in better protocols
if the end-to-end behaviour depends on the badness (e.g. timer dependencies).

Please don't get me wrong: I use IPSEC, I like IPSEC, but I have to 
recognize that off the beaten track, or for some (very useful) contexts
it turns out not to work as well as we'd like, for reasons probably not
to do with IPSEC per se, but the general state of the network.

When you factor in that most of the 'simple' things can be done equally
well in SSH, or by less clued people using non-secured tunnels, it gets
harder to do a sell on IPSEC, which is a shame, because I really like
IP layer abstracted methods, and the idea of generic infrastructure rather
than applications-level point solutions.

cheers
        -George
--
George Michaelson       |  APNIC
Email: ggm(_at_)apnic(_dot_)net    |  PO Box 2131 Milton QLD 4064
Phone: +61 7 3858 3100  |  Australia
  Fax: +61 7 3858 3199  |  http://www.apnic.net
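The fragmentation George describes falls out of the arithmetic of ESP tunnel-mode encapsulation: an inner packet sized for a 1500-byte link no longer fits once the outer IP header, ESP header, IV, padding and ICV are added, so a host that does not see the path MTU either fragments or stalls. The following is an added example, not code from the original thread or from any IPsec implementation; it computes the on-the-wire size of an ESP tunnel-mode packet per the RFC 4303 framing, the largest inner packet that still fits a given path MTU, the TCP MSS a gateway would clamp to, and how many outer fragments a too-large packet splits into. The cipher parameters (AES-CBC with a 16-byte block and IV, HMAC-SHA1-96 with a 12-byte ICV, IPv4 outer header) are assumptions chosen for illustration.

```python
"""ESP tunnel-mode overhead and the fragmentation it causes on a fixed-MTU path.

Added example, not from the original post. Framing follows RFC 4303:
outer IP header, SPI + sequence number (8 bytes), IV, padding so that the
encrypted region is a multiple of the cipher block size, pad-length and
next-header bytes (2), then the ICV. Cipher sizes below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspParams:
    block_size: int = 16    # assumed AES-CBC block size
    iv_len: int = 16        # assumed AES-CBC IV length
    icv_len: int = 12       # assumed HMAC-SHA1-96 truncated ICV
    outer_ip_len: int = 20  # IPv4 tunnel header (would be 40 for IPv6)


ESP_HDR_LEN = 8      # SPI (4) + sequence number (4)
ESP_TRAILER_LEN = 2  # pad length (1) + next header (1)


def esp_tunnel_packet_size(inner_len: int, p: EspParams) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    # The encrypted region is the inner packet plus the two trailer bytes,
    # padded up to a whole number of cipher blocks.
    plain = inner_len + ESP_TRAILER_LEN
    pad = (-plain) % p.block_size
    return p.outer_ip_len + ESP_HDR_LEN + p.iv_len + plain + pad + p.icv_len


def max_inner_len(path_mtu: int, p: EspParams) -> int:
    """Largest inner packet that fits in path_mtu without outer fragmentation."""
    # Padding makes the size a step function of inner_len, so a downward
    # scan is the clearest way to find the boundary.
    for n in range(path_mtu, 0, -1):
        if esp_tunnel_packet_size(n, p) <= path_mtu:
            return n
    return 0


def tcp_mss_clamp(path_mtu: int, p: EspParams,
                  inner_ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """TCP MSS a gateway should advertise so full-size segments never fragment."""
    return max_inner_len(path_mtu, p) - inner_ip_hdr - tcp_hdr


def fragments_needed(inner_len: int, path_mtu: int, p: EspParams) -> int:
    """Outer IPv4 fragments produced when a DF-clear ESP packet exceeds path_mtu."""
    size = esp_tunnel_packet_size(inner_len, p)
    if size <= path_mtu:
        return 1
    # Each fragment repeats the outer header; fragment payloads are 8-byte aligned.
    payload_per_frag = (path_mtu - p.outer_ip_len) // 8 * 8
    payload = size - p.outer_ip_len
    return -(-payload // payload_per_frag)  # ceiling division


if __name__ == "__main__":
    p = EspParams()
    mtu = 1500  # constructed example: Ethernet-sized path
    print("1500-byte inner packet becomes", esp_tunnel_packet_size(1500, p), "bytes on the wire")
    print("fragments on a 1500-byte path:", fragments_needed(1500, mtu, p))
    print("largest non-fragmenting inner packet:", max_inner_len(mtu, p))
    print("TCP MSS to clamp to:", tcp_mss_clamp(mtu, p))
```

With the assumed parameters a full 1500-byte inner packet grows to 1560 bytes and splits into two outer fragments on a 1500-byte path, which is exactly the flood of fragmented IP the post reports; clamping the TCP MSS to 1398 (or delivering a working path-MTU signal to the endpoints) avoids it, while UDP protocols that cannot adapt their datagram size keep fragmenting.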