"Marcel Popescu" <[EMAIL PROTECTED]> writes:

>> From: [EMAIL PROTECTED] [mailto:owner-
>> [EMAIL PROTECTED] On Behalf Of Peter Gutmann
>> I can't understand why they didn't just use TLS for the handshake (maybe
>> YASSL) and IPsec sliding-window + ESP for the transport (there's a free
>> minimal implementation of this whose name escapes me for use by people who
>> want to avoid the IKE nightmare).  Established, proven protocols and
>> implementations are there for the taking, but instead they had to go out
>> and try and assemble something with their own three hands (sigh).
>Do you have some articles about these protocols? I can't find anything on
>your webpage, and a newbie (like myself) can't distinguish between well
>designed and badly designed protocols. Can you recommend such a collection of
>well designed protocols for various purposes? With implementation caveats if

Well, the above text mentions the recommended protocols.  You can get YASSL
from http://yassl.com, and the IPsec ESP implementation from
http://ringstrom.mine.nu/ipsec_tunnel/ (although it looks like it hasn't been
updated for awhile, Freshmeat,
http://osx.freshmeat.net/projects/ipsec_tunnel/, seems to have newer info).
My article on problems I found in homebrew VPN implementations is at
http://www.linux-magazine.com/issue/39.  If you want to save yourself the
effort of building your own TLS + ESP combination, you can use OpenVPN,
http://openvpn.net/ (and if you've ever had to struggle with IPsec, you should
also consider OpenVPN - unlike IPsec, you can just point it at your target
system and that's it, you don't have to start a new career in network and
server reconfiguration :-).

(actually To be precise OpenVPN doesn't use the ESP format directly (which is
 rather IPsec-specific), only the general protocol design:

    OpenVPN's security model can be summarized as such: Use the IPSec ESP
    protocol for tunnel packet security, but then drop IKE in favor of SSL/TLS
    for session authentication. This allows for a lightweight, portable VPN
    implementation that draws on IPSec's strengths, without introducing the
    complexity of IKE.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to