Hi
anyone who is faced with questions from their customers regarding this
criticism of CIPE should begin by directing them to the paragraph:
> "Whenever someone thinks that they can replace SSL/SSH with something much
> better that they designed this morning over coffee, their computer speakers
> should generate some sort of penis-shaped sound wave and plunge it
> repeatedly into their skulls until they achieve enlightenment."
Believe me, serious and well thought out criticism of whatever product does
not include such statements. Your customers should understand that.
The respected gurus of the crypto world such as Shamir, Schneier, Diffie etc.
would never stoop to this level of criticism.
This is the kind of remark most of us have refrained from since high school
days. As well as its immature sexual analogy and personal attack on the
intellegence of those involved it clearly does not relate to CIPE.
CIPE is about as old SSL/SSH and has been safer than these products for
several years. The latest SSH security breaches are very recent - and that's
in version 2. The original version is considered insecure at a crypto design
level despite not having been designed during coffee break.
What the theorists forget is that sytems fail at the weakest link. In the
case
of CIPE vs IPsec that weak point is likely to be implementation errors on the
part of those who designed and wrote the programs. CIPE is a simple product
which has been unchanged for about two years. It is self contained and does
not call upon crypto services which are not part of the package.
I know of only one implementation error in CIPE - the loss of key entropy
because of a bug in a hex to binary routine. That in itself did not result in
any successful attacks. Open source combined with simplicity made the
discovery of this bug possible without waiting for customers to be attacked.
CIPE wins hands down over any Closed Sources product however good the theory
behind that product may be. Until Open Source IPsec has the same level of
stability and maturity as CIPE it should be avoided on the above grounds
alone.
If I get time I will add comments at the detail level. I hope this will
suffice to persuade your customers.
Best regards
Allan