From owner-freebsd-security Fri May 29 14:12:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA03589 for freebsd-security-outgoing; Fri, 29 May 1998 14:12:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA03518 for ; Fri, 29 May 1998 14:12:08 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id RAA14378 for ; Fri, 29 May 1998 17:11:37 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id RAA23363 for ; Fri, 29 May 1998 17:11:38 -0400 (EDT)
Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id RAA14302; Fri, 29 May 1998 17:11:37 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com)
Date: Fri, 29 May 1998 17:11:37 -0400 (EDT)
Message-Id: <199805292111.RAA14302@brain.zeus.leitch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling
In-Reply-To: Philippe Regnauld's message of "Fri, May 29, 1998 17:39:09 +0200" regarding "Re: FreeBSD Tunneling" id <19980529173909.62558@deepo.prosa.dk>
References: <01bd8afd$5fdb2bc0$8a8266ce@violet.eznets.canton.oh.us> <19980529173909.62558@deepo.prosa.dk>
X-Mailer: VM 6.45 under Emacs 20.2.1
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ On Fri, May 29, 1998 at 17:39:09 (+0200), Philippe Regnauld wrote: ]
> Subject: Re: FreeBSD Tunneling
>
> Regarding interoperability:
>
> http://www.rsa.com/rsa/SWAN/swan_test.htm

The most interesting and curious thing revealed to even an outsider by the interoperability reports presented on this page is that ISAKMP/Oakley just doesn't seem to interoperate. (Although I'm sure it must be a mistake, the table even claims that major ISAKMP products don't interoperate with each other....) Given what I've seen of the complexity, I've no doubt why early implementations don't interoperate either.

SKIP, on the other hand, is apparently widely available, and reasonably widely interoperable. There are at least two or three SKIP implementations not mentioned in the table that I know interoperate with at least Sun's PC SKIP client, and of course with themselves.

One thing I have learned about IPSec in my recent wanderings is that I've never seen anything so error-prone to create and manage, and as difficult to prove correct, as "security associations". What a brain-dead concept. At any significant degree of complexity you'd have to live with a network sniffer plugged into your brain for weeks before you could give any reasonable degree of assurance that your network was still safe and secure.

Is anyone out there writing tools (e.g. filters for NFR) that will prove that a given VPN configuration is what it is supposed to be?

-- 
Greg A. Woods
+1 416 443-1734 VE3TCP
Planix, Inc. ; Secrets of the Weird

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
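The post above asks for tooling that can prove a VPN's security associations are what they are supposed to be. The following is an added example, not code from the original message or from any FreeBSD or NFR tool: it parses a dump of the kernel's security association database and audits every SA against an expected policy, flagging SAs the policy does not know about, expected SAs that are missing, null or weak transforms, a disabled anti-replay window, and SAs that are not yet mature. The dump format is a constructed sample modelled on KAME `setkey -D` output, the addresses are from the documentation ranges, and the shape of the expected-policy list and the "strong" algorithm sets are assumptions chosen for the example.

```python
"""Audit an IPsec SA database dump against an expected VPN policy.

Added example; not code from the original mailing-list post.  The dump
format below is a constructed sample modelled on KAME `setkey -D` output,
and the policy structure and algorithm allow-lists are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample dump (not captured from a real host).  Three SAs:
# a sound tunnel SA, its return direction with weak transforms, and a
# transport SA to an unexpected peer with null encryption and no replay window.
SAMPLE_DUMP = """\
203.0.113.1 198.51.100.7
\tesp mode=tunnel spi=4099(0x00001003) reqid=1(0x00000001)
\tE: aes-cbc 0a1b2c3d 4e5f6071 8293a4b5 c6d7e8f9
\tA: hmac-sha1 00112233 44556677 8899aabb ccddeeff 01234567
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
198.51.100.7 203.0.113.1
\tesp mode=tunnel spi=4100(0x00001004) reqid=1(0x00000001)
\tE: des-cbc 0a1b2c3d 4e5f6071
\tA: hmac-md5 00112233 44556677 8899aabb ccddeeff
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
203.0.113.1 192.0.2.250
\tesp mode=transport spi=4101(0x00001005) reqid=2(0x00000002)
\tE: null
\tA: hmac-sha1 00112233 44556677 8899aabb ccddeeff 01234567
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
"""

# Assumed policy: (src, dst, protocol, mode) tuples that *should* exist.
# The third entry deliberately names a peer that has no SA in the dump.
EXPECTED_POLICY = [
    ("203.0.113.1", "198.51.100.7", "esp", "tunnel"),
    ("198.51.100.7", "203.0.113.1", "esp", "tunnel"),
    ("203.0.113.1", "192.0.2.10", "esp", "transport"),
]
STRONG_ENC = {"aes-cbc", "3des-cbc"}        # assumed allow-list
STRONG_AUTH = {"hmac-sha1", "hmac-sha256"}  # assumed allow-list


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    mode: str
    spi: int
    enc: str = "?"
    auth: str = "?"
    replay: int = 0
    state: str = "?"

    def key(self):
        return (self.src, self.dst, self.proto, self.mode)


def parse_sad(dump):
    """Parse a setkey -D style dump: an unindented 'src dst' line starts an
    entry; the indented lines that follow carry protocol, transforms, state."""
    sas, endpoints, cur = [], None, None
    for line in dump.splitlines():
        if not line.startswith("\t"):
            parts = line.split()
            endpoints = tuple(parts) if len(parts) == 2 else None
            cur = None
            continue
        body = line.strip()
        m = re.match(r"(\w+) mode=(\w+) spi=(\d+)", body)
        if m and endpoints:
            cur = SA(endpoints[0], endpoints[1], m.group(1), m.group(2), int(m.group(3)))
            sas.append(cur)
        elif cur is None:
            continue
        elif body.startswith("E: "):
            cur.enc = body.split()[1]
        elif body.startswith("A: "):
            cur.auth = body.split()[1]
        else:
            r = re.search(r"replay=(\d+)", body)
            s = re.search(r"state=(\w+)", body)
            if r:
                cur.replay = int(r.group(1))
            if s:
                cur.state = s.group(1)
    return sas


def audit(sas, expected):
    """Return one finding string per policy violation; empty list means clean."""
    findings, seen = [], set()
    for sa in sas:
        tag = f"{sa.src}->{sa.dst} {sa.proto}/{sa.mode} spi={sa.spi}"
        if sa.key() in expected:
            seen.add(sa.key())
        else:
            findings.append(f"UNEXPECTED {tag}: SA not in policy")
        if sa.enc not in STRONG_ENC:
            findings.append(f"WEAK_ENC {tag}: {sa.enc}")
        if sa.auth not in STRONG_AUTH:
            findings.append(f"WEAK_AUTH {tag}: {sa.auth}")
        if sa.replay == 0:
            findings.append(f"NO_REPLAY {tag}: anti-replay window disabled")
        if sa.state != "mature":
            findings.append(f"STATE {tag}: state={sa.state}")
    for key in expected:
        if key not in seen:
            findings.append(f"MISSING {key[0]}->{key[1]} {key[2]}/{key[3]}: no SA installed")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sad(SAMPLE_DUMP), EXPECTED_POLICY):
        print(finding)
```

Run against the constructed dump, the audit reports two weak-transform findings on the return-direction tunnel SA, four findings on the transport SA (unexpected peer, null encryption, no replay window, larval state) and one missing SA for the policy's third entry, while the sound tunnel SA produces nothing. On a real host the dump would come from the platform's SA-dump command and the policy from the VPN design document; the point is that the comparison is mechanical once both are in structured form.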