Date: 2007-02-20 10:51 pm (UTC)
I agree about IPSec as you can see from my post - in fact Ferguson and Schneier's paper on it was one of the things in my mind when I wrote it. It isn't the only network-layer protocol we have - look at the number of "SSL VPNs" out there - and it was on my list of protocols that needed to be replaced.

I'd nonetheless like to see if we could get away with just replacing IKE, and leaving something like IPSec with most options removed in place.

I'm still not wholly convinced of the inherent merits of transport-layer security. I can imagine a scenario in which you can learn about the sender, and thus make authorization decisions, just by looking at the IP address of the other party and determining from it that they are a particular party who is communicating via a VPN. In practice, though, transport-layer security can offer such great convenience of integration that it's probably not worth trying to be "pure" about this and insisting on one network security protocol to rule them all.
Profile: ciphergoth (Paul Crowley)