Jerry Leichter <[email protected]> writes:
> On Jul 26, 2009, at 11:20 PM, Perry E. Metzger wrote:
>> Jerry Leichter <[email protected]> writes:
>>> While I agree with the sentiment and the theory, I'm not sure that it
>>> really works that way. How many actual implementations of typical
>>> protocols are there?
>>
> I'm aware of at least four TCP/IP implementations in common use,
> Can you name a single system that allows you to substitute different
> TCP/IP stacks?

I could answer literal-mindedly and note that QNX and a couple of other
embedded OSes let you do that (or so I recall). However, it is clearly
not necessary for that to be possible for people to reap the benefits
of diversity.

> The practical difference between a bug that affects 25% of the world's
> systems and 100% of the world's systems - assuming unrealistically an
> even division - isn't all that great.

That's completely untrue -- the two situations are extraordinarily
different. For example, a high security firewall that has identical
filtering boxes with the same stack in front of and behind the DMZ has
a 100% chance of failure if a TCP bug is found, but will remain fine if
two different stacks are in use. (And yes, I've built systems like
that, and for exactly that reason.)

>> several common HTTP servers (though there are far more uncommon
>> ones),
>
> Apache and IIS together make up the bulk of implementations.

Perhaps, but I'm not using either, and neither are many of the world's
largest web sites. There are a lot of web servers out there, and if you
want, you can pick any you like based on the characteristics you like.

>>> One way or another, a single implementation usually wins out in the
>>> OSS community.
>>
>> See above -- even counting only open source, we have *many*
>> implementations. Heck, there are even multiple independent open source
>> SSL, SSH and PGP implementations.
>
> Yes, you can find examples. But there are also examples where there
> is little diversity. How many active competitors to zlib are there?

Two, I think. I have trouble thinking of a lot of types of protocol
implementations where there is only one available -- you originally
claimed this was rare, but it is, in fact, nearly the rule, not the
exception. I didn't even mention SMTP, where we have Sendmail, qmail,
Postfix, MMDF, and more, and that's just the open source offerings.
IMAP implementations are even more diverse.

Anyway, you claimed there aren't a lot of diverse protocol
implementations, and there are for practically everything important I
can think of. You asked:

>>> How many actual implementations of typical protocols are there?

...and the answer is, for typical protocols that are widely used, quite
a number. If you want to argue that multiple implementations aren't
interesting, that's another question, but you claimed they don't exist,
and generally, in fact, they do exist.

> Keeping multiple implementations going is expensive

Having multiple supermarket companies or computer companies is also
"expensive". None the less, we seem to have that happen.

Perry
--
Perry E. Metzger [email protected]
