| To: | cipe-l,AT,inka,DOT,de |
| Subject: | RE: Long message - thoughts on Gutmann response |
| From: | David Brodbeck <DavidB,AT,mail,DOT,interclean,DOT,com> |
| Date: | Wed, 24 Sep 2003 16:43:16 -0400 |
> "Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment."

Of course, some things are left unsaid.

- I have yet to see an SSH/SSL-derived VPN system that's suitable for production use. The only ones I know of are PPP-over-SSH or PPP-over-SSL. These will always be horribly broken because they tunnel TCP over TCP, which is Considered Harmful due to retry timer issues. They work until you start getting dropped packets, but then they succumb to spiralling death syndrome.

- PPTP is already known to be insecure, so that pretty much leaves IPSec as the only protocol that would be acceptable in Gutmann's eyes. Fine, except that in my (limited, admittedly) experience, IPSec simply does not interoperate between platforms. Just enough is left up to the individual implementation that it seems to be more a collection of proprietary protocols than an actual standard.