
RE: [Cfrg] Re: [saag] Algorithm upgrades
"Hallam-Baker, Phillip" <pbaker at verisign.com> writes:

>It is certainly no occasion for a victory dance. If I was going to design a
>VPN from scratch I would simply tunnel over SSL and completely ignore the
>IPSEC stack. IPSEC is useless to me unless it works in the hotel I am staying
>in. SSL works through NAT reliably. IPSEC does not.

One of the most practical designs I've seen uses TLS for the initial
negotiation (completely sidestepping the IKE quagmire) and then ESP for
transport. The best-known implementation of this is OpenVPN, which is more or
less the SSH of VPNs: it's easily available, runs on everything, and works out
of the box without any need for endless fiddling and configuration problems.
Just like SSH did years ago, it seems to be slipping in everywhere for more or
less the same reasons that SSH was adopted.

(There was a plan to do an RFC on this a while back but it kinda fizzled out,
 mostly because everyone just grabs OpenVPN and uses it rather than bothering
 to read/write about it.  Again, it's a strong parallel to the original SSH).

Peter.


_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg