To: "cipe-l" <cipe-l,AT,inka,DOT,de>
Subject: Re: What do you guys think about this?
From: "Russell Berry" <russ,AT,berrex,DOT,com>
Date: Tue, 23 Sep 2003 18:24:29 -0400
References: <8D7C5F56B409554D9D46AC22195807F3061D48@exchwenz01.dmcwave.co.nz>

I'd just like to interject something here.

Currently I manage literally hundreds of CIPE tunnels, used in every sector
you can imagine including academia, medical community, city offices and
municipalities, financial institutions, manufacturing facilities, service
industries, medical supply facilities, and yes, even law enforcement
agencies.  Sorry for all the commas.  Having said that, I'm not concerned
with any of the 'flaws' presented thus far with the implementation of CIPE.
There are many other aspects of my connections/tunnels than just the
underlying protocol. There is solid access control that I, and my clients
(even considering their required compliance with mandated security
policies), find adequate for the respective application.

You can do anything you want with CIPE, fix it, break it, standardize it, or
scrap it.  I'll still use what I have happily and prosperously.

Thanks to all the CIPE contributors, and open source enthusiasts.

Regards,
---russ

----- Original Message -----
From: "Rod Boyce" <rod_boyce,AT,stratexnet,DOT,com>
To: "cipe-l" <cipe-l,AT,inka,DOT,de>
Sent: Tuesday, September 23, 2003 3:36 PM
Subject: RE: What do you guys think about this?

> These concerns are all fine from a theoretical point of view.  But in the
> real world if the data you are transporting is that important then maybe
> some kind of hardware encryption would make better sense...
>
> So to put this another way, how long (and how much effort) is it going to
> take an attacker to either intercept the packets with a man in the middle
> attack or break the cipher and how important is the data?  I have never done
> VPN's for banks or military or any other organisation that imposes high
> security restrictions.  Most of the VPN's I have installed are sending
> e-mail and the odd remote client session between two offices either across
> the world or across the town / country.
>
> IMHO CIPE is far more than adequate for this job.  The time and effort
> required for an attacker to interrupt the data stream or break the cipher is
> far greater than the knowledge that can be gained from the information.
>
> Don't forget that even hardware encryption devices can be hacked; all these
> boxes do is provide a false sense of security for bosses and managers that
> have far too much money to spend and aren't getting the right advice.
>
> Regards,
> Rod Boyce
>
> > -----Original Message-----
> > From: Mr Allwyn Fernandes [mailto:af+cipel,AT,stobor,DOT,net]
> > Sent: Tuesday, 23 September 2003 4:58 p.m.
> > To: cipe-l
> > Subject: Re: What do you guys think about this?
> >
> > I can't stand anyone who thinks that they are better than everyone else
> > just because they have the tag "expert"... However...
> >
> > What bothers me is that I can read both:
> > http://sites.inka.de/sites/bigred/devel/CIPE-Protocol.txt
> > and:
> > http://www.mit.edu:8008/bloom-picayune/crypto/14238
> > repeatedly one after the other, and come away thinking that I have
> > missed something in both...
> >
> > I should look at the source, I've been meaning to help out for a while
> > now but I haven't gotten around to it... My real question is: if we
> > look past his childish attitude, does he have any real concerns?
> > And if so, is there anything we can do to fix them?
> >
> > From what I can tell, his points are:
> > * integrity protection for data is weak,
> > * weak protection against message insertion or deletion. This is
> > acknowledged as weak protection against replays in the protocol
> > description,
> > * keys can be modified in transit, allowing an attacker to pick certain
> > keys, and
> > * an attacker can manipulate the key exchange process.
> >
> > So the questions are:
> > - Are any of these considered "fixed" or not-an-issue by the developers?
> > (For example, replay attacks against most systems will be not-an-issue
> > because of the tunneled protocol...)
> > - Are any of these under development ATM? Are they known todos?
> > - Are they anything we should be considering as issues?
> >
> >
> > And finally, is there anything I can do to help??
> >
> > Cheers,
> >
> > Allwyn.
> >
> > PS: I'm otherwise a satisfied user...
> >
> > On Tue, 23 Sep 2003 13:54, you wrote:
> > > yeah, pissed me off too.  But you hit the nail on the head with
> > > infantile in the same paragraph with Gutmann.  Rant away....
> > >
> > > ---russ
> > >
> > > Russell Berry
> > > Berrex Computer Solutions
> > > http://www.berrex.com
> > > Russ,AT,berrex,DOT,com
> > > 1-877-558-9507
> > > ----- Original Message -----
> > > From: "Damion Wilson" <dwilson,AT,ibl,DOT,bm>
> > > To: "Groups" <groups,AT,hasely,DOT,com>
> > > Cc: <cipe-l,AT,inka,DOT,de>
> > > Sent: Monday, September 22, 2003 11:20 PM
> > > Subject: Re: What do you guys think about this?
> > >
> > > > Alright. I've just seen this on Slashdot and a few things pissed me
> > > > off:
> > > >
> > > > 1. CIPE has apparently been declared a "dead" project.
> > > >
> > > > 2. The cursory analysis by Peter Gutmann appears to have missed
> > > > subtle things. For instance, CIPE primarily using Blowfish (and not
> > > > IDEA).
> > > >
> > > > 3. The apparent zeal with which all non IPSec or SSL
> > > > implementations are attacked as basically infantile and not worth
> > > > entertaining smacks of patronising.
> > > >
> > > > 4. Some issues are stated as being known "years ago" and ignored. I
> > > > don't recall the issues he raises as having crossed my 5 year
> > > > participation on this list, the "man in the middle" vulnerability
> > > > notwithstanding. We appear to have voted for simplicity in this
> > > > regard, correct me if I'm wrong. It's easier to believe that your
> > > > ISP isn't out to get you.
> > > >
> > > > If Mr. Gutmann had bothered to peruse the mailing list archives
> > > > (the link was right on the same page as the protocol description),
> > > > he might have had the chance to determine what was important to the
> > > > userbase and, instead of declaring CIPE, Tinc, OpenVPN, et al.
> > > > "dead", he might have realised what was important enough to them to
> > > > specifically eschew IPSec, etc. in choosing our specific flavours of
> > > > VPN.
> > > >
> > > > He deems us stupid and foolhardy for making the decision to use
> > > > these products, develop for them, and show loyalty to them in the
> > > > face of software and techniques that he prefers. Apparently, we're
> > > > all a bunch of idiots and it only took him a 30 minute or more
> > > > analysis for him to determine it, and the other projects weren't as
> > > > lucky. Let's all remember the Andrew Tanenbaum v Linus Torvalds
> > > > "discussion" over the relative technical merits of Minix over Linux.
> > > >
> > > > I'm still pissed. I need to rant some more later
> > > >
> > > > I'd like to know if Olaf has anything to say about it, though.
> > > > Peter Gutmann apparently attempted to contact him.
> > > >
> > > > DKW
> > > >
> > > > On Monday 22 September 2003 08:57 pm, Groups wrote:
> > > > > I've been using CIPE for over a year now, and my boss just
> > > > > forwarded this link,
> > > > > http://www.mit.edu:8008/bloom-picayune/crypto/14238, to a posting
> > > > > about the security of CIPE.  Does anyone have any arguments that
> > > > > may help me out?
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in 
> > > > > body
> > > > > Other commands available with "help" in body to the same address.
> > > > > CIPE info and list archive:
> > > > > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> > > >
> > > > --
> > > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in 
> > > > body
> > > > Other commands available with "help" in body to the same address.
> > > > CIPE info and list archive:
> > >
> > > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> >
> > --
> > Allwyn Fernandes
> > Director
> > Stobor Pty Ltd
> >
> > Mobile: + 61 414 470 392
> > Email: af+cipel,AT,stobor,DOT,net