[18993] in cryptography@c2.net mail archive
Re: "ISAKMP" flaws?
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sat Nov 19 20:53:45 2005
X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, wsimpson@greendragon.com
In-Reply-To: <437E945D.2000103@greendragon.com>
Date: Sat, 19 Nov 2005 16:31:58 +1300

William Allen Simpson <wsimpson@greendragon.com> writes:

>So, where is the community to replace ISAKMP with something more robust?

Already happened, unfortunately it's diverged into three different branches:

- VPN hardware vendors replaced it with "management tunnels", typically things
  like single-DES-encrypted backdoors with no message integrity or message
  flow integrity protection and 8-character uppercase-only passwords.

- Open source folks replaced it with OpenVPN.

- The remaining user base replaced it with on-demand access to network
  engineers who come in and set up their hardware and/or software for them and
  hand-carry the keys from one endpoint to the other.

I guess that's one key management model that the designers never
anticipated... I wonder what a good name for this would be, something better
than the obvious "sneakernet keying"?

Peter.