Date: Wed, 15 Dec 1999 21:19:47 -0400
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To: Terry Lambert <tlambert@primenet.com>
Cc: jmb@hub.freebsd.org, ragnar@sysabend.org, brett@lariat.org, dscheidt@enteract.com, noslenj@swbell.net, chat@FreeBSD.ORG
Subject: Re: dual 400 -> dual 600 worth it?
Message-ID: <38583E33.3FBCE8E3@vangelderen.org>
References: <199912160054.RAA28607@usr09.primenet.com>

Terry Lambert wrote:
>
> > > The ";login:" article identifies many attacks against IKE/ISAKMP,
> > > and provides source code for one of them.
> >
> > This still has nothing to do with its 'Clipper heritage' as you
> > originally implied[1].
>
> I don't understand how you can make this bald a statement; the
> problems with Fortezza based systems are that the underlying
> state machine sucks.

Now you are talking about Fortezza. There is a difference between
clipper (the chip, MYK-78T) and Fortezza. You got your terminology
wrong.

> Why is it when knee-jerk reactionaries see "Clipper", they
> automatically think I'm talking about back doors, rather than
> the quality of the technology?

Because clipper is all about backdoors and the quality of the
clipper chip is actually rather good.

> > > The ";login:" document, or the IKE/ISAKMP document?
> >
> > The ";login:" document. The part you quoted doesn't tell us that
> > the problems stem from any 'Clipper heritage', so quote the
> > relevant part.
>
>     A great many of the problematic specifications are due
>     to the IKE/ISAKMP framework. This is not surprising,
>     since the early drafts used ASN.1 and were fairly clearly
>     ISO-inspired. The observations of another ISO implementor
>     (and security analyst) appear applicable:
>
>         The specification was so general, and left so many
>         choices, that it was necessary to hold "implementor
>         workshops" to agree on what subsets to build and
>         what choices to make. The specification wasn't a
>         specification of a protocol. Instead it was a
>         framework in which a protocol could be designed and
>         implemented. [Folklore-00]
>
>     The IKE/ISAKMP framework relies on a "Domain of
>     Interpretation" (DOI) for the actual details. IKE/ISAKMP
>     has required numerous implementation workshops to reach
>     agreement on the interpretations of the specifications.
>     Implementation and testing has already taken several years.

Still says nothing about 'clipper' nor about Fortezza. It talks
about ASN.1 and ISO.

> In any case, if you want to read more, you can always get a copy
> of the December ";login:" from any technical library, instead of
> having me type it in for you.

I have a copy, thanks.

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
Interesting read: http://www.vcnet.com/bms/ JLF

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message