From owner-freebsd-current Mon Dec 28 04:45:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA28335 for freebsd-current-outgoing; Mon, 28 Dec 1998 04:45:41 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from ns1.adsu.bellsouth.com (ns1.adsu.bellsouth.com [205.152.173.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA28330 for ; Mon, 28 Dec 1998 04:45:39 -0800 (PST) (envelope-from ck@ns1.adsu.bellsouth.com)
Received: (from ck@localhost) by ns1.adsu.bellsouth.com (8.9.1a/8.9.1) id HAA00158; Mon, 28 Dec 1998 07:31:49 -0500 (EST)
Message-ID: <19981228073149.U1333@ns1.adsu.bellsouth.com>
Date: Mon, 28 Dec 1998 07:31:49 -0500
From: Christian Kuhtz
To: Poul-Henning Kamp , Matt White
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: PPTP and FreeBSD
References: <4235743047.914768809@FRAUGHT.NET.CMU.EDU> <68859.914787333@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <68859.914787333@critter.freebsd.dk>; from Poul-Henning Kamp on Sun, Dec 27, 1998 at 08:35:33PM +0100
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Dec 27, 1998 at 08:35:33PM +0100, Poul-Henning Kamp wrote:
> >Since we don't consider our local wire to be secure in any way shape or
> >form, we encrypt all sensitive traffic in the application. IMO, this is
> >the only sane way to do things.
>
> We used to have a war-chant we used against the OSI people, it went
> something like:
> "Anything but end-to-end ACKs is a waste of time"
>
> I presume that it would be equally valid if you did a:
>
> s/ACKs/encryption/

Encryption comes at a cost. Particularly obvious when you're talking about encrypting the bandwidth equivalent of what might be user sessions inside an OC-3 (short term) or OC-12 (mid term) circuit. It is a question of whether you can afford to pay for it.

Although I'd opt for encryption, too (just to be paranoid), if I got the choice, once somebody actually places $$$ figures on it, the whole story changes quickly. Think of all the people who are using frame relay today and don't have a problem with it. Very few are actually using bricks or application layer encryption to provide security. And then ask yourself how many companies have had problems with that? Even though it is admittedly trivial to acquire and use a protocol analyzer.

And there's nothing that says that you couldn't run IPSec tunnel mode around L2TP or GRE for that matter. Voila, encryption of a layer 2 service over IP.

Cheers,
Chris

--
Frisbeetarianism, n.: The belief that when you die, your soul goes up on the roof and gets stuck.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
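The closing suggestion, wrapping an L2TP or GRE tunnel in IPsec ESP tunnel mode, is a layering exercise, and the first cost a defender sizing such a design hits is per-packet header overhead and the effect on the usable MTU. The following Python is an added example, not code from the mailing-list post or from FreeBSD: it models each encapsulation as a function from inner-packet size to on-the-wire size, stacks them the way the post proposes, and reports goodput efficiency and the largest inner packet that still fits a 1500-byte path MTU. Minimal standard header sizes are used; the 8-byte block size and IV and the 12-byte ICV are assumptions (a 64-bit block cipher in CBC mode with a truncated HMAC, typical for the period).

```python
# Added example: header overhead of ESP tunnel mode around GRE or L2TP.
# Sizes are minimal standard header lengths; cipher parameters are assumptions.
IPV4 = 20          # IPv4 header without options
GRE = 4            # GRE header with no key/checksum/sequence fields
UDP = 8
L2TP = 6           # L2TPv2 data header with no optional fields
PPP = 2            # PPP protocol field carried inside L2TP
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 8         # assumption: 64-bit block cipher IV (e.g. 3DES-CBC)
ESP_BLOCK = 8      # assumption: cipher block size for padding
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # assumption: truncated 96-bit HMAC


def gre_encapsulate(inner_ip_len):
    """Outer IPv4 + GRE around an inner IP packet of inner_ip_len bytes."""
    return IPV4 + GRE + inner_ip_len


def l2tp_encapsulate(inner_ip_len):
    """Outer IPv4 + UDP + L2TP + PPP around an inner IP packet."""
    return IPV4 + UDP + L2TP + PPP + inner_ip_len


def esp_tunnel_encapsulate(inner_ip_len):
    """ESP tunnel mode: the whole inner packet is encrypted, padded to the
    cipher block size together with the trailer, then an ICV and a new
    outer IPv4 header are added."""
    plaintext = inner_ip_len + ESP_TRAILER
    pad = (-plaintext) % ESP_BLOCK
    return IPV4 + ESP_HDR + ESP_IV + inner_ip_len + pad + ESP_TRAILER + ESP_ICV


def wire_size(stack, inner_ip_len):
    """Apply encapsulations innermost first, e.g. [gre, esp] = ESP around GRE."""
    size = inner_ip_len
    for layer in stack:
        size = layer(size)
    return size


def efficiency(stack, inner_ip_len):
    """Fraction of wire bytes that are the original inner packet."""
    return inner_ip_len / wire_size(stack, inner_ip_len)


def max_inner_for_mtu(stack, mtu):
    """Largest inner packet whose encapsulated form fits the path MTU.
    Searches downward because ESP padding makes the size non-monotonic
    in steps of the block size."""
    for n in range(mtu, 0, -1):
        if wire_size(stack, n) <= mtu:
            return n
    return 0


if __name__ == "__main__":
    designs = {
        "GRE only": [gre_encapsulate],
        "ESP around GRE": [gre_encapsulate, esp_tunnel_encapsulate],
        "ESP around L2TP": [l2tp_encapsulate, esp_tunnel_encapsulate],
    }
    for name, stack in designs.items():
        print(f"{name:16s} 1000-byte inner -> {wire_size(stack, 1000)} on wire, "
              f"efficiency {efficiency(stack, 1000):.3f}, "
              f"max inner for 1500 MTU: {max_inner_for_mtu(stack, 1500)}")
```

The ordering of the list passed to `wire_size` matters: `[gre_encapsulate, esp_tunnel_encapsulate]` is the post's "IPsec tunnel mode around GRE", whereas the reverse would run GRE over an already-encrypted packet. The `max_inner_for_mtu` figure is the number to feed back into the inner hosts' MTU (or MSS clamping) so the encrypted tunnel does not silently fragment at line rate.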