"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

> Guus Sliepen <[EMAIL PROTECTED]> writes:
>> > In that case, I don't see why you don't bend your efforts towards
>> > producing an open-source implementation of TLS that doesn't suck.
>>
>> We don't want to program another TLS library, we want to create a VPN
>> daemon.
>
> Well, then you might consider using an existing TLS library. It is
> rather hard to make a protocol that does TLS things that is both safe
> and in any significant way simpler than TLS.
Several people have now suggested using TLS, but nobody seems to also refute the arguments made earlier against building VPNs over TCP, in <http://sites.inka.de/~bigred/devel/tcp-tcp.html>. I have to agree with many things in the paper; using TCP (as TLS does) to tunnel TCP/UDP is a bad idea. Off-the-shelf TLS may be a good security protocol, but it is not a good VPN protocol. Recommending TLS without understanding, or caring about, the application domain seems almost arrogant to me.

Admittedly, you could invent a datagram-based TLS, but this is neither widely implemented nor specified (although I vaguely recall WTLS), so then you are back at square one as far as security analysis goes.

Thanks,
Simon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]