| To: | Hans Steegers <steegers,AT,steegers,DOT,nl> |
| Subject: | Re: About P.Gutmann's critique of CIPE - etc. etc. |
| From: | Les Mikesell <les,AT,futuresource,DOT,com> |
| Date: | 26 Sep 2003 07:48:04 -0500 |
| Cc: | CIPE-list <cipe-l,AT,inka,DOT,de> |
| In-reply-to: | <003901c38425$3fcf1c20$d620a8c0@pcw_hans.hnsasd.priv> |
| Organization: | |
| References: | <003901c38425$3fcf1c20$d620a8c0@pcw_hans.hnsasd.priv> |
On Fri, 2003-09-26 at 06:56, Hans Steegers wrote:

> 3. OpenVPN - James Yonan
> Your contribution is very informative and OpenVPN looks like an alternative
> in many occasions. Being user-space it can use libraries, which is
> impossible or undesirable for a kernel module. OpenVPN is promising, but
> young and still has to prove itself. And please don't make it a religion.
> Tribalism should be avoided.
>
> 6. CIPE is _NOT_ fundamentally flawed and _BEYOND_REPAIR_, but can and
> should be improved and there is _NO_ emergency that needs an immediate fix.
> If you think otherwise, don't use CIPE, or submit a patch with your fix to
> your problem.
>

Can someone comment on what CIPE still has as an advantage over OpenVPN (does it have blowfish?) and whether these could be merged in the future?

CIPE has served me well and I'd like to thank Olaf and everyone else involved in its development. For most of the time I've used it there was no other free software that would have worked. I don't have an immediate concern for security in the places I'm using it, although it might make sense now to drop an ipchains/iptables filter on the cipcbn interfaces to catch the possibility of udp/icmp packet injection. However, since I also tend to run ssh and ssl connections on the same server (yes, I know it's a bad practice...) I'll have to keep those libraries up to date anyway and it makes a certain amount of sense to have the same crypto libs do everything.

---
Les Mikesell
les,AT,futuresource,DOT,com