Date: Mon, 28 Dec 1998 07:31:49 -0500
From: Christian Kuhtz <ck@ns1.adsu.bellsouth.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>, Matt White <mwhite@cmu.edu>
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: PPTP and FreeBSD
Message-ID: <19981228073149.U1333@ns1.adsu.bellsouth.com>
In-Reply-To: <68859.914787333@critter.freebsd.dk>; from Poul-Henning Kamp on Sun, Dec 27, 1998 at 08:35:33PM +0100
References: <4235743047.914768809@FRAUGHT.NET.CMU.EDU> <68859.914787333@critter.freebsd.dk>

On Sun, Dec 27, 1998 at 08:35:33PM +0100, Poul-Henning Kamp wrote:
> >Since we don't consider our local wire to be secure in any way shape or
> >form, we encrypt all sensitive traffic in the application. IMO, this is
> >the only sane way to do things.
>
> We used to have a war-chant we used against the OSI people, it went
> something like:
>     "Anything but end-to-end ACKs is a waste of time"
>
> I presume that it would be equally valid if you did a:
>
>     s/ACKs/encryption/

Encryption comes at a cost. Particularly obvious when you're talking about
encrypting the bandwidth equivalent of what might be a user session inside an
OC-3 (short term) or OC-12 (mid term) circuit. It is a question of whether
you can afford to pay for it.

Although I'd opt for encryption, too, (just to be paranoid) if I got the
choice, once somebody actually places $$$ figures on it, the whole story
changes quickly.

Think of all the people who are using frame-relay today and don't have a
problem with it. Very few are actually using bricks or application layer
encryption to provide security. And then ask yourself how many companies have
had problems with that? Even though it is admittedly trivial to acquire and
use a protocol analyzer.

And there's nothing that says that you couldn't run IPSec tunnel mode around
L2TP or GRE for that matter. Voila, encryption of a layer 2 service of IP.

Cheers,
Chris

--
Frisbeetarianism, n.:
The belief that when you die, your soul goes up on the roof and gets stuck.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message