On Friday 26 September 2003 04:57, James Yonan wrote:
> One observation I would make is that CIPE is a relatively old project,
> having been started at a time when IPSec was impractical, tun/tap drivers
> did not exist, and high-quality crypto libraries were either nonexistent or
> in a nascent state of development.
Wisdom comes with age and so does reliable software. Striving for the newest
is seldom compatible with safety in this arena.
> Today, many of the functions that CIPE is trying to do, both at the crypto
> level and at the networking level, can be done quite well by external,
> independently developed libraries and drivers. IMHO, to avail itself of
> these resources would make CIPE a stronger, more lightweight solution.
CIPE is self-contained as far as crypto is concerned. It is small enough to
be well understood and has been stable for years. It will not fail just because
the latest libssl contains a bug.
In many cases it makes good sense to offload functionality to standard
libraries - this is not such a case. CIPE contains a correct implementation
of all the crypto functionality it needs. Absolutely nothing is gained by
delegating this to a library function.
> James Yonan
> OpenVPN Developer
I wish you well with your project. If you achieve the proven reliability of
CIPE it will be a great success. However I believe that when we leave CIPE it
will be for a standard product like IPsec - however that has to wait until we
have sufficient faith in that product.