Re: No more IP spoofing??
- From: Ertugrul Soeylemez <never@xxxxxxxxxxxxxx>
- Date: Sat, 30 Sep 2006 15:47:59 +0200
"Stachu 'Dozzie' K." <dozzie@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> (06-09-29 18:26:08):

>> I'm talking about flaws, not actual vulnerabilities. It has a lot
>> of cryptographic flaws. You can find background information at .
>
> I've already read it. Many of these comments apply to OpenVPN as well:
> 1. lack of protocol specification (_any_ specification, not a clear
> one, as for IPsec),
> 2. lack of protocol goal (as a result of 1.),
> 3. lack of rationale (as a result of 1.).
> The rest of the comments concern the complexity of the protocol as
> bytes sent over the wire and not actually as cryptographic operations.

Conceptual complexity, actually. BTW, I'm not talking about complexity
in terms of complexity theory, but about complexity to understand
and use. The primary protocol itself isn't too complex, but the
secondary protocols often in use, like the key-agreement protocol, etc.

>> See the feature list at . A few of those things, which IPsec
>> doesn't provide, or are too difficult to do with it: server farms,
>
> What do you mean by saying "server farms", and how does OpenVPN deal with

I was assuming you checked that list: "... configure a scalable,
load-balanced VPN server farm using one or more machines which can
handle thousands of dynamic connections from incoming VPN clients, ..."

> Ah, I see. You think IPComp doesn't exist and LZO saves more than
> 10kbps for each 1Mbps (tested on `dd if=/dev/zero of=file.img bs=1M

IPComp is not part of IPsec.

> What is "advanced tunneling" for you, and why do you think IPsec limits it
> in any way?

There are some issues with IPsec which make tunneling more difficult.
However, most of those issues have been resolved in ESP. Well, let's
change "advanced tunneling" to "advanced routing". Again: Look at the

> You didn't compare Openswan's and OpenVPN's config, did you? I'm using
> both of these VPN implementations and Openswan's config is _much_
> simpler, shorter and clearer, even considering it with up/down

Yes, I actually haven't used OpenSWAN yet, and I wasn't talking about
any actual IPsec implementation. What I actually mean is IPsec's
complexity. Sure, an implementation can always provide reasonable
defaults, but imagine you wanted to fully configure an IPsec
implementation by hand -- you'd have gone crazy.

OpenVPN's concept is simpler. Maybe there are a few more configuration
options, which makes it take longer to configure, but it doesn't make it

>> It uses the OpenSSL library, which is well tested. So there isn't
>> much of a protocol specification left to write.
>
> Oh yes there is. [...]

You're right in that OpenVPN is lacking an official specification.
Well, that's the problem with free software -- if nobody writes it, then
it isn't there. But imagine that a specification were there: it
would be much simpler than the IPsec specification. One reason for that
is that OpenVPN in no way extends IP. It runs completely in
user-space (which is also a security benefit).