I agree as well that ESP-Null is the way to go for integrity. From an operational perspective, if you are supporting both v4 and v6 (and you will) then having different protocols will be a nightmare. The common denominator is ESP-Null.

Realistically for IPsec, unless you have the scalable credential issue resolved and easier configs from vendors, the operational time sink will have many looking elsewhere to accomplish what's needed in the name of security. (total bummer IMHO).

- merike
On May 26, 2009, at 4:35 PM, Jack Kohn wrote:
The delusion that network operators can successfully use unhelpful protocols and/or smoke and mirrors to force idealist network design on others needs to end. People use new protocols because they are better. If the benefit of moving to a new protocol does not outweigh the pain of moving to it, people don't use it. That's why the OSI protocols did not kill IP like they were supposed to in the 90s, it is why the largely forgotten mandated move from Windows to secure OSes (ie, Unix) for all government employees never happened, and it is why IPv6 is sputtering.

If people want to use NAT, they are going to use NAT. They may stop using it if the widespread adoption of peer to peer protocols means they are missing out on things other people are doing. They are not going to stop using NAT to use a protocol maliciously designed to break it; they will just wait, patiently and nearly always successfully, for somebody to come out with a version that has no such malice. They are certainly not going to stop using NAT because somebody tells them they should use a security protocol that does not secure anything worth securing. BitTorrent is a better anti-NAT tool than AH ever will be. More carrot, less stick.

I agree. Folks are going to use ESP-NULL if they really want Integrity Protection.

-Dave
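The technical point underneath this thread, that AH's integrity check covers the outer IP addresses and therefore fails after a NAT rewrites them while ESP-NULL's check covers only the ESP header, payload and trailer and survives, can be shown with a short added example. This is illustration code written for this page, not code from anyone on the list. It assumes HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, transport mode, a simplified IPv4 header with the checksum left at zero, and constructed key, SPI, addresses and payload values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample material (not from the thread): a 16-byte HMAC key,
# an SPI and a sequence number.
KEY = bytes(range(16))
SPI = 0x1234
SEQ = 1
ICV_LEN = 16  # HMAC-SHA-256-128 truncates the tag to 128 bits (RFC 4868)


def icv(data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA-256 truncated to 128 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left at zero for simplicity."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """AH (RFC 4302) zeroes the mutable IPv4 fields (DSCP/ECN, flags and
    fragment offset, TTL, header checksum) before computing the ICV; the
    addresses, protocol and length are covered as immutable fields."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def build_ah(src: str, dst: str, payload: bytes, next_header: int = 17) -> tuple:
    """Return (ip_header, ah_packet) for AH in transport mode (IP protocol 51)."""
    ah_len = 12 + ICV_LEN
    payload_len = ah_len // 4 - 2    # AH "Payload Length": 32-bit words minus 2
    ah_hdr = struct.pack("!BBHII", next_header, payload_len, 0, SPI, SEQ)
    ip_hdr = ipv4_header(src, dst, 51, 20 + ah_len + len(payload))
    # The ICV is computed with the ICV field itself set to zero.
    covered = ah_immutable_view(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return ip_hdr, ah_hdr + icv(covered) + payload


def verify_ah(ip_hdr: bytes, ah_pkt: bytes) -> bool:
    """Recompute the AH ICV over the received outer header and packet."""
    ah_hdr, tag, payload = ah_pkt[:12], ah_pkt[12:12 + ICV_LEN], ah_pkt[12 + ICV_LEN:]
    covered = ah_immutable_view(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return hmac.compare_digest(tag, icv(covered))


def build_esp_null(src: str, dst: str, payload: bytes, next_header: int = 17) -> tuple:
    """ESP with NULL encryption (RFC 2410) and HMAC integrity (IP protocol 50):
    the ICV covers the ESP header, payload and trailer only (RFC 4303)."""
    pad_len = (-(len(payload) + 2)) % 4      # trailer ends on a 4-byte boundary
    pad = bytes(range(1, pad_len + 1))       # RFC 4303 default padding pattern
    body = struct.pack("!II", SPI, SEQ) + payload + pad + bytes([pad_len, next_header])
    ip_hdr = ipv4_header(src, dst, 50, 20 + len(body) + ICV_LEN)
    return ip_hdr, body + icv(body)


def verify_esp_null(ip_hdr: bytes, esp_pkt: bytes) -> bool:
    """Recompute the ESP ICV; ip_hdr is deliberately unused because ESP does
    not authenticate the outer IP header."""
    body, tag = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(body))


def nat_rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What a source NAT does to the outer header: replace the source
    address (and decrement TTL, as any router on the path would)."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    return bytes(h)


if __name__ == "__main__":
    payload = b"constructed inner datagram"
    ip_ah, ah = build_ah("10.0.0.2", "203.0.113.7", payload)
    ip_esp, esp = build_esp_null("10.0.0.2", "203.0.113.7", payload)
    nat_ah = nat_rewrite_source(ip_ah, "198.51.100.1")
    nat_esp = nat_rewrite_source(ip_esp, "198.51.100.1")
    print("AH  before NAT:", verify_ah(ip_ah, ah), "after NAT:", verify_ah(nat_ah, ah))
    print("ESP before NAT:", verify_esp_null(ip_esp, esp), "after NAT:", verify_esp_null(nat_esp, esp))
```

Running it prints that the AH packet verifies before the NAT and fails after it, while the ESP-NULL packet verifies in both cases; flipping a payload byte makes both checks fail, which is the integrity property the thread is after. The TTL decrement on its own would not break AH, since AH zeroes TTL before hashing; it is the source address rewrite that does.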