From owner-freebsd-chat Wed Dec 15 17:20:55 1999
Delivered-To: freebsd-chat@freebsd.org
Received: from cypherpunks.ai (cypherpunks.ai [209.88.68.47]) by hub.freebsd.org (Postfix) with ESMTP id 486F015414 for ; Wed, 15 Dec 1999 17:20:51 -0800 (PST) (envelope-from jeroen@vangelderen.org)
Received: from vangelderen.org (hoefnix.ai [209.88.68.215]) by cypherpunks.ai (Postfix) with ESMTP id 597B44A; Wed, 15 Dec 1999 21:20:49 -0400 (AST)
Message-ID: <38583E33.3FBCE8E3@vangelderen.org>
Date: Wed, 15 Dec 1999 21:19:47 -0400
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Terry Lambert
Cc: jmb@hub.freebsd.org, ragnar@sysabend.org, brett@lariat.org, dscheidt@enteract.com, noslenj@swbell.net, chat@FreeBSD.ORG
Subject: Re: dual 400 -> dual 600 worth it?
References: <199912160054.RAA28607@usr09.primenet.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Terry Lambert wrote:
>
> > > The ";login:" article identifies many attacks against IKE/ISAKMP,
> > > and provides source code for one of them.
> >
> > This still has nothing to do with its 'Clipper heritage' as you
> > originally implied[1].
>
> I don't understand how you can make this bald a statement; the
> problems with Fortezza based systems are that the underlying
> state machine sucks.

Now you are talking about Fortezza. There is a difference between
Clipper (the chip, MYK-78T) and Fortezza. You got your terminology
wrong.

> Why is it when knee-jerk reactionaries see "Clipper", they
> automatically think I'm talking about back doors, rather than
> the quality of the technology?

Because Clipper is all about backdoors, and the quality of the Clipper
chip is actually rather good.

> > > The ";login:" document, or the IKE/ISAKMP document?
> >
> > The ";login:" document. The part you quoted doesn't tell us that
> > the problems stem from any 'Clipper heritage', so quote the
> > relevant part.
>
> A great many of the problematic specifications are due
> to the IKE/ISAKMP framework. This is not surprising,
> since the early drafts used ASN.1 and were fairly clearly
> ISO-inspired. The observations of another ISO implementor
> (and security analyst) appear applicable:
>
> The specification was so general, and left so many
> choices, that it was necessary to hold "implementor
> workshops" to agree on what subsets to build and
> what choices to make. The specification wasn't a
> specification of a protocol. Instead it was a
> framework in which a protocol could be designed and
> implemented. [Folklore-00]
>
> The IKE/ISAKMP framework relies on a "Domain of
> Interpretation" (DOI) for the actual details. IKE/ISAKMP
> has required numerous implementation workshops to reach
> agreement on the interpretations of the specifications.
> Implementation and testing has already taken several years.

Still says nothing about 'Clipper' nor about Fortezza. It talks about
ASN.1 and ISO.

> In any case, if you want to read more, you can always get a copy
> of the December ";login:" from any technical library, instead of
> having me type it in for you.

I have a copy, thanks.

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
Interesting read: http://www.vcnet.com/bms/ JLF