
To: cipe-l,AT,inka,DOT,de
Subject: Re: Peter Gutmann + Slashdot
From: Phil Scarratt <fil,AT,draxsen,DOT,com>
Date: Wed, 24 Sep 2003 11:04:25 +1000
In-reply-to: <200309231349.52932.dwilson@ibl.bm>
Organization: Draxsen Technologies
References: <200309231349.52932.dwilson@ibl.bm>

Damion Wilson wrote:

Is this thing worth some kind of official response? I feel that Open Source VPNs as a whole are being attacked. I appreciate constructive criticism but the language of Peter Gutmann's "appraisal" is just too condescending to regard as beneficial.

I think - at last check anyway - the /. crowd did OK at defending the OS side of things. Part of the thread included a discussion about the merits of PG's statement "It's possible to create insecure "security" products just as readily with open-source as with closed-source software". Having said that, none of the /. crowd (except maybe Dan Kaminsky) bothered to look terribly hard at CIPE and its purpose to really see if PG was right or not... just took another look to see if the topic is done with at /. and found this by Kynde:

Serious experts make mistakes too.

1) Cipe is not dead, on the same page as there was the specification is a link to the mail archives. Far from dead if you look in there.

2) Ranting about Cipe being vulnerable to replay attacks shows that he's missed the point. Cipe was designed to be a _stateless_ protocol over UDP, so that it has the exact characteristics that IP has. There are quite enough crypto streams out there, but disregarding IPsec, we don't have that many packet based solutions.

3) Heck, even IP is vulnerable to replay, and to state the obvious it can actually do that without being attacked at all. There are no guarantees that you wouldn't get duplicates, over and over again even. Thus all protocols that plan on being invulnerable to replaying provide such mechanisms _OVER_ IP.

My 2c worth: a response may be worthwhile, but I suspect the topic is dead at /. now (ahhh timezones) (and as has been mentioned the crypto list met it with silence anyway), so I suspect it could be wasted. However, maybe something like Hans posted here... to show we appreciate the "constructive" criticism but not the childish, offhand manner in which it was delivered, then various points (as per say Hans' post) specific to the analysis.

Again, kudos to DKW and Olaf and others for the coding efforts...
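Kynde's third point, that a packet protocol which wants replay protection has to add it on top of IP, is illustrated by the following added example. It is a hypothetical construction for this thread, not CIPE's protocol or code: a sliding-window sequence-number check of the shape IPsec ESP uses, which keeps only a few bytes of per-peer state and tolerates the reordering IP permits while rejecting duplicates.

```python
# Added example, not CIPE code: sliding-window anti-replay check layered
# over a stateless, unreliable packet transport (UDP/IP). Each packet is
# assumed to carry an authenticated, monotonically increasing sequence
# number; the window itself is a hypothetical construction.

class ReplayWindow:
    """Track the highest sequence number accepted plus a bitmap of the
    `size` most recent ones, so duplicates and stale packets are dropped
    while modest reordering is still tolerated."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was seen

    def accept(self, seq):
        """Return True and record `seq` if it is fresh; False if it is a
        replay or older than the window. Call this only after the packet's
        integrity has been verified, otherwise a forged sequence number
        could slide the window forward and starve legitimate traffic."""
        if seq <= 0:
            return False                  # sequence 0 is reserved/unused
        if seq > self.highest:
            shift = seq - self.highest    # advance the window to `seq`
            if shift >= self.size:
                self.bitmap = 1           # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                  # too old to check: drop it
        if self.bitmap & (1 << offset):
            return False                  # already delivered: replay
        self.bitmap |= 1 << offset        # late but fresh: deliver it
        return True


def filter_packets(seqs, size=64):
    """Feed a constructed sequence of packet numbers through one window
    and return those that would be delivered."""
    window = ReplayWindow(size)
    return [s for s in seqs if window.accept(s)]


if __name__ == "__main__":
    # Constructed sample: duplicates (2, 4), reordering (5 before 4),
    # and a packet (1) older than a 4-entry window.
    print(filter_packets([1, 2, 3, 2, 5, 4, 4, 6, 1], size=4))
```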

