Hans Steegers <steegers,AT,steegers,DOT,nl>
Re: About P.Gutmann's critique of CIPE - etc. etc.
Les Mikesell <les,AT,futuresource,DOT,com>
26 Sep 2003 07:48:04 -0500

On Fri, 2003-09-26 at 06:56, Hans Steegers wrote:
> 3. OpenVPN - James Yonan
> Your contribution is very informative and OpenVPN looks like an alternative
> on many occasions. Being user-space it can use libraries, which is
> impossible or undesirable for a kernel module. OpenVPN is promising, but
> young and still has to prove itself. And please don't make it a religion.
> Tribalism should be avoided.
> 6. CIPE is _NOT_ fundamentally flawed and _BEYOND_REPAIR_, but can and
> should be improved and there is _NO_ emergency that needs an immediate fix.
> If you think otherwise, don't use CIPE, or submit a patch with your fix to
> your problem.
Can someone comment on what CIPE still has as an advantage over OpenVPN
(does it have blowfish?) and whether these could be merged in the
future? CIPE has served me well and I'd like to thank Olaf and everyone
else involved in its development. For most of the time I've used
it there was no other free software that would have worked. I don't
have an immediate concern for security in the places I'm using it,
although it might make sense now to drop an ipchains/iptables filter
on the cipcbn interfaces to catch the possibility of udp/icmp packet
injection. However, since I also tend to run ssh and ssl connections
on the same server (yes, I know it's a bad practice...) I'll have
to keep those libraries up to date anyway and it makes a certain
amount of sense to have the same crypto libs do everything.