
Re: l2tp as ipsra solution



At 04:29 PM 6/21/00 -0700, CHINNA N.R. PELLACURU wrote:
>> >I don't think any security conscious customer is still using protocols that
>> >are vulnerable to passive off-line brute-force attacks.

So, what operating system are *you* using?
I'm hard pressed to find *any* password system out there that's 
*not* vulnerable to off-line brute force attacks, or worse.

Furthermore, I fail to see why you highlight only "passive" attacks.
An enemy who can read packets can often write them.

>On Wed, 21 Jun 2000, David Jablon wrote:  [condensed]
>> Just a few problems here ...
>> (1)  Why limit concern to just "passive" off-line brute-force attacks?
>> (2)  Many security conscious customers DO NOT HAVE A CLUE ABOUT
>> CRYPTO, but they still want it, for good reasons.
>> (3)  Most password-based products, and standards for that matter,
>> do not prevent off-line brute force attacks.
>> (4)  Lots of people care, and know what problems to care about, and some even
>> know what solutions are possible, but still cannot find suitable products.

> ... Yeah, I hear this all the time, customers are dumb, and users are dumb, ...

"Dumb" is surely a stupid word to use in this context.
I don't know who you hear this from, but it certainly isn't me,
or anyone who works at my company.

If you read what I said carefully, I said customers are not (and should
not be expected to be) cryptographers, or even terribly aware of cryptography,
but they want and deserve the benefits that good crypto provides.
Because they're not getting it ... we have efforts like IPSEC and IPSRA.

> ... and only the cryptographers in the IPSRA and IPSec WGs are the smartest
>people, ...

I have no comment on the mental capacity of any such person.

> ... and so you should impose the most secure system on customers/users
> so that even if they choose to be not very secure, you in fact make sure
> that they are absolutely secure.

If we're talking about a *security standard*, I'd expect some minimal
level of security that will likely be well beyond what is strictly necessary
for some customers' low expectations or needs.

CHINNA:
>> > So, there is no value in providing a migration path from a protocol that
>> > is vulnerable to passive off-line brute-force attacks to a PKI based
>> > authentication. I don't think these customers will ever migrate to PKI,
>> > if they haven't migrated to a much more secure legacy authentication.

David:
>> Wow.  Count me among those who strongly disagree.

CHINNA:
> On what basis do you disagree? Do you think that much more secure legacy
> systems are not available in the market, or is this just because the
> "best crypto" never gets sold?

David:
Frankly, I'm interested in all easy migration paths to strong authentication,
and, personally, whether it's PKI-based or not is somewhat irrelevant.

I think there's a continuous process of education in the market, and
many people become aware of problems they hadn't thought much about
before, and sometimes, eventually, they decide to upgrade.

Everything gets sold, from junk to even the best stuff.  But I do think
it's a shame when a customer is sold short, either because they aren't
*extremely* well educated, or perhaps because their trusted vendor
wasn't quite up to speed.

CHINNA:
>> > I don't think these customers are necessarily dumb. It may be that the
>> > customer needs just the amount of security, that those simple systems
>> > provide. I guess it depends on what they are trying to protect.

David:
>> I think it really depends on what they know they can get.
>> 
>> Lots of customers are comparison shoppers.  Sure they make crude
>> judgements, but they tend to want the best that they can get at a fair price. 
>> Let the vendor with the longest checklist win!  :-)

CHINNA:
> ... You are not the first one to tell me that customers are mostly dumb, ...

Holy s**t!  There's that "D" word again.

I honestly can't think of when my remarks have ever been so severely
misinterpreted.

I think the process of educating our >>> presumably intelligent <<< customers
requires educated vendors.  Kick me for trying.

---------------------------------------------------
David P. Jablon
Integrity Sciences, Inc.
dpj@xxxxxxxxxxxxxxxxxxxxx
www.IntegritySciences.com