Re: l2tp as ipsra solution
Nicely snipped.
I don't see any point in such a massively snipped mail. I don't want to go
through the effort of rebuilding a reply with the original context.
I think we are not adding to the original discussion of "L2TP as ipsra
solution", and so I would like to take any further discussion offline.
chinna
On Thu, 22 Jun 2000, David Jablon wrote:
> At 04:29 PM 6/21/00 -0700, CHINNA N.R. PELLACURU wrote:
> >> >I don't think any security conscious customer is still using protocols that
> >> >are vulnerable to passive off-line brute-force attacks.
>
> So, what operating system are *you* using?
> I'm hard pressed to find *any* password system out there that's
> *not* vulnerable to off-line brute force attacks, or worse.
>
> Furthermore, I fail to see why you highlight only "passive" attacks.
> An enemy who can read packets can often write them.
>
> >On Wed, 21 Jun 2000, David Jablon wrote: [condensed]
> >> Just a few problems here ...
> >> (1) Why limit concern to just "passive" off-line brute-force attacks?
> >> (2) Many security conscious customers DO NOT HAVE A CLUE ABOUT
> >> CRYPTO, but they still want it, for good reasons.
> >> (3) Most password-based products, and standards for that matter,
> >> do not prevent off-line brute force attacks.
> >> (4) Lots of people care, and know what problems to care about, and some even
> >> know what solutions are possible, but still cannot find suitable products.
>
> > ... Yeah, I hear this all the time, customers are dumb, and users are dumb, ...
>
> "Dumb" is surely a stupid word to use in this context.
> I don't know who you hear this from, but it certainly isn't me,
> or anyone who works at my company.
>
> If you read what I said carefully, I said customers are not (and should
> not be expected to be) cryptographers, or even terribly aware of cryptography,
> but they want and deserve the benefits that good crypto provides.
> Because they're not getting it ... we have efforts like IPSEC and IPSRA.
>
> > ... and only the cryptographers in the IPSRA and IPSec WGs are the smartest
> >people, ...
>
> I have no comment on the mental capacity of any such person.
>
> > ... and so you should impose the most secure system on customers/users
> > so that even if they choose to be not very secure, you in fact make sure
> > that they are absolutely secure.
>
> If we're talking about a *security standard*, I'd expect some minimal
> level of security that will likely be well beyond what is strictly necessary
> for some customers' low expectations or needs.
>
> CHINNA:
> >> > So, there is no value in providing a migration path from a protocol that
> >> > is vulnerable to passive off-line brute-force attacks to a PKI based
> >> > authentication. I don't think these customers will ever migrate to PKI,
> >> > if they haven't migrated to a much more secure legacy authentication.
>
> David:
> >> Wow. Count me among those who strongly disagree.
>
> CHINNA:
> > On what basis do you disagree? Do you think that much more secure legacy
> > systems are not available in the market, or is this just because the
> > "best crypto" never gets sold?
>
> David:
> Frankly, I'm interested in all easy migration paths to strong authentication,
> and, personally, whether it's PKI-based or not is somewhat irrelevant.
>
> I think there's a continuous process of education in the market, and
> many people become aware of problems they hadn't thought much about
> before, and sometimes, eventually, they decide to upgrade.
>
> Everything gets sold, from junk to even the best stuff. But I do think
> it's a shame when a customer is sold short, either because they aren't
> *extremely* well educated, or perhaps because their trusted vendor
> wasn't quite up to speed.
>
> CHINNA:
> >> > I don't think these customers are necessarily dumb. It may be that the
> >> > customer needs just the amount of security, that those simple systems
> >> > provide. I guess it depends on what they are trying to protect.
>
> David:
> >> I think it really depends on what they know they can get.
> >>
> >> Lots of customers are comparison shoppers. Sure they make crude
> >> judgements, but they tend to want the best that they can get at a fair price.
> >> Let the vendor with the longest checklist win! :-)
>
> CHINNA:
> > ... You are not the first one to tell me that customers are mostly dumb, ...
>
> Holy s**t! There's that "D" word again.
>
> I honestly can't think of when my remarks have ever been so severely
> misinterpreted.
>
> I think the process of educating our >>> presumably intelligent <<< customers
> requires educated vendors. Kick me for trying.
>
> ---------------------------------------------------
> David P. Jablon
> Integrity Sciences, Inc.
> dpj@xxxxxxxxxxxxxxxxxxxxx
> www.IntegritySciences.com
>
>
chinna narasimha reddy pellacuru
s/w engineer