"Marcel Popescu" <[EMAIL PROTECTED]> writes: >> From: [EMAIL PROTECTED] [mailto:owner- >> [EMAIL PROTECTED] On Behalf Of Peter Gutmann > >> I can't understand why they didn't just use TLS for the handshake (maybe >> YASSL) and IPsec sliding-window + ESP for the transport (there's a free >> minimal implementation of this whose name escapes me for use by people who >> want to avoid the IKE nightmare). Established, proven protocols and >> implementations are there for the taking, but instead they had to go out >> and try and assemble something with their own three hands (sigh). > >Do you have some articles about these protocols? I can't find anything on >your webpage, and a newbie (like myself) can't distinguish between well >designed and badly designed protocols. Can you recommend such a collection of >well designed protocols for various purposes? With implementation caveats if >possible?
Well, the above text mentions the recommended protocols. You can get YASSL from http://yassl.com, and the IPsec ESP implementation from http://ringstrom.mine.nu/ipsec_tunnel/ (although it looks like it hasn't been updated for awhile, Freshmeat, http://osx.freshmeat.net/projects/ipsec_tunnel/, seems to have newer info). My article on problems I found in homebrew VPN implementations is at http://www.linux-magazine.com/issue/39. If you want to save yourself the effort of building your own TLS + ESP combination, you can use OpenVPN, http://openvpn.net/ (and if you've ever had to struggle with IPsec, you should also consider OpenVPN - unlike IPsec, you can just point it at your target system and that's it, you don't have to start a new career in network and server reconfiguration :-). (actually To be precise OpenVPN doesn't use the ESP format directly (which is rather IPsec-specific), only the general protocol design: OpenVPN's security model can be summarized as such: Use the IPSec ESP protocol for tunnel packet security, but then drop IKE in favor of SSL/TLS for session authentication. This allows for a lightweight, portable VPN implementation that draws on IPSec's strengths, without introducing the complexity of IKE. Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]