Re: new tech report on easy-to-use IPsec
On Aug 11, 2010, at 12:21 47PM, Adam Aviv wrote: > I think the list may get a kick out of this. > > The tech-report was actually posted on the list previously, which is > where I found it. Link included for completeness. > > http://mice.cs.columbia.edu/getTechreport.php?techreportID=1433 Thanks. I'll add that the code is now up on SourceForge under a BSD license: http://sourceforge.net/projects/simple-vpn/ > > > > Original Message ---- > Subject: Re: new tech report on easy-to-use IPsec > Date: Wed, 28 Jul 2010 21:36:47 -0400 > From: Steven Bellovin > To: Adam Aviv > > > On Jul 28, 2010, at 9:29 51PM, Adam Aviv wrote: >> I couldn't help but notice this nugget of wisdom in your report: >> >> [quote] >> >> Public key infrastructures (PKIs) are surrounded by a great >> mystique. Organizations are regularly told that they are complex, >> require ultra-high security, and perhaps are best outsourced to >> competent parties. Setting up a certifcate authority (CA) requires a >> "ceremony", a term with a technical meaning [13] but nevertheless >> redolent of high priests in robes, acolytes with censers, and >> more. This may or may not be true in general; for most IPsec uses, >> however, little of this is accurate. (High priests and censers are >> defnitely not needed; we are uncertain about the need for acolytes >> ...) > > Peter Gutmann told me privately that he thinks the alternate model > involves human sacrifices and perhaps a goat... > > > --Steve Bellovin, http://www.cs.columbia.edu/~smb > > > > > > - > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com > --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Fwd: Re: new tech report on easy-to-use IPsec
I think the list may get a kick out of this. The tech-report was actually posted on the list previously, which is where I found it. Link included for completeness. http://mice.cs.columbia.edu/getTechreport.php?techreportID=1433 Original Message Subject: Re: new tech report on easy-to-use IPsec Date: Wed, 28 Jul 2010 21:36:47 -0400 From: Steven Bellovin To: Adam Aviv On Jul 28, 2010, at 9:29 51PM, Adam Aviv wrote: > I couldn't help but notice this nugget of wisdom in your report: > > [quote] > > Public key infrastructures (PKIs) are surrounded by a great > mystique. Organizations are regularly told that they are complex, > require ultra-high security, and perhaps are best outsourced to > competent parties. Setting up a certifcate authority (CA) requires a > "ceremony", a term with a technical meaning [13] but nevertheless > redolent of high priests in robes, acolytes with censers, and > more. This may or may not be true in general; for most IPsec uses, > however, little of this is accurate. (High priests and censers are > defnitely not needed; we are uncertain about the need for acolytes > ...) Peter Gutmann told me privately that he thinks the alternate model involves human sacrifices and perhaps a goat... --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
new tech report on easy-to-use IPsec
Folks on this list may be interested in a new tech report: Shreyas Srivatsan, Maritza Johnson, and Steven M. Bellovin. Simple-VPN: Simple IPsec configuration. Technical Report CUCS-020-10, Department of Computer Science, Columbia University, July 2010. http://mice.cs.columbia.edu/getTechreport.php?techreportID=1433 The IPsec protocol promised easy, ubiquitous encryption. That has never happened. For the most part, IPsec usage is confined to VPNs for road warriors, largely due to needless configuration complexity and incompatible implementations. We have designed a simple VPN configuration language that hides the unwanted complexities. Virtually no options are necessary or possible. The administrator specifies the absolute minimum of information: the authorized hosts, their operating systems, and a little about the network topology; everything else, including certificate generation, is automatic. Our implementation includes a multitarget compiler, which generates implementation-specific configuration files for three different platforms; others are easy to add. We hope to have the code up on Sourceforge soon. --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
