Re: No more IP spoofing??
"Stachu 'Dozzie' K." <dozzie@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> (06-09-29 18:26:08):

>> I'm talking about flaws, not actual vulnerabilities. It has a lot
>> of cryptographic flaws. You can find background information at [1].
>
> I've already read it. Many of these comments apply to OpenVPN as well:
> 1. lack of protocol specification (_any_ specification, not a clear
>    one, as for IPsec),
> 2. lack of protocol goal (as a result of 1.),
> 3. lack of rationale (as a result of 1.).
>
> The rest of the comments concern the complexity of the protocol as
> bytes sent over the wire and not actually as cryptographic operations.

Conceptual complexity, actually. BTW, I'm not talking about complexity
in terms of complexity theory, but about complexity to understand
and use. The primary protocol itself isn't too complex, but the
secondary protocols often in use, like the key-agreement protocol, etc.,
are.

>> See the feature list at [2]. A few of those things, which IPsec
>> doesn't provide, or are too difficult to do with it: server farms,
>
> What do you mean by "server farms", and how does OpenVPN deal with
> them?

I was assuming you checked that list: "... configure a scalable,
load-balanced VPN server farm using one or more machines which can
handle thousands of dynamic connections from incoming VPN clients, ..."

>> compression,
>
> Ah, I see. You think IPcomp doesn't exist and LZO saves more than
> 10kbps for each 1Mbps (tested on `dd if=/dev/zero of=file.img bs=1M
> count=2').

IPComp is not part of IPsec.

>> advanced tunneling,
>
> What is "advanced tunneling" to you, and why do you think IPsec limits
> it in any way?

There are some issues with IPsec which make tunneling more difficult.
However, most of those issues have been resolved in ESP. Well, let's
change "advanced tunneling" to "advanced routing". Again: look at the
feature list.

>> easy configurability.
>
> You didn't compare Openswan's and OpenVPN's config, did you? I'm using
> both of these VPN implementations and Openswan's config is _much_
> simpler, shorter and clearer, even taking the up/down scripts into
> account.

Yes, I actually haven't used OpenSWAN yet, and I wasn't talking about
any actual IPsec implementation. What I actually mean is IPsec's
complexity. Sure, an implementation can always provide reasonable
defaults, but imagine you wanted to fully configure an IPsec
implementation by hand -- you'd go crazy.

OpenVPN's concept is simpler. Maybe there are a few more configuration
options, which makes it take longer to configure, but it doesn't make it
more difficult.

>> It uses the OpenSSL library, which is well tested. So there isn't
>> much of a protocol specification left to write.
>
> Oh yes, there is. [...]

You're right in that OpenVPN is lacking an official specification.
Well, that's the problem with free software -- if nobody writes it, then
it isn't there. But imagine a specification were there: it
would be much simpler than the IPsec specification. One reason for that
is that OpenVPN does not extend IP in any way. It runs completely in
user-space (which is also a security benefit).


Regards,
E.S.
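As an added illustration of the configuration comparison argued over in the thread (this is not code from either poster, nor from the Openswan or OpenVPN projects), here is one minimal site-to-site tunnel written first as an Openswan `ipsec.conf` connection and then as an OpenVPN server file. Every hostname, address (RFC 5737 documentation ranges), subnet, file name and the RSA key values are constructed for the example; only the option keywords are the two projects' standard ones.

```ini
# --- Openswan ipsec.conf: one tunnel between two gateways --------------
# Constructed example: gw1 (192.0.2.1, LAN 10.1.0.0/24) talks to
# gw2 (198.51.100.1, LAN 10.2.0.0/24). Peers authenticate with raw RSA
# keys; the "0s..." strings are placeholders for the real public keys
# (normally printed by `ipsec showhostkey` on each gateway).
config setup
        protostack=netkey

conn site-to-site
        type=tunnel
        authby=rsasig
        ike=aes256-sha1;modp2048
        esp=aes256-sha1
        pfs=yes
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        leftid=@gw1.example.com
        leftrsasigkey=0sPLACEHOLDER_GW1_PUBLIC_KEY
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        rightid=@gw2.example.com
        rightrsasigkey=0sPLACEHOLDER_GW2_PUBLIC_KEY
        auto=start

# --- OpenVPN server.conf: the equivalent routed tunnel -----------------
# Constructed example: the server allocates client addresses from
# 10.8.0.0/24 and pushes a route to its own LAN. Peers authenticate
# with X.509 certificates issued by ca.crt; the tls-auth key makes the
# daemon drop control packets that are not HMAC-signed with ta.key
# before any TLS handshake begins. File names are assumptions.
dev tun
proto udp
port 1194
ca ca.crt
cert gw1.crt
key gw1.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
push "route 10.1.0.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
```

The two files configure different things. The Openswan `conn` names both gateways and both subnets, and the kernel derives from it the policy that decides which packets must be protected; there is nothing to push, because selectors are agreed during IKE. The OpenVPN file describes one listening endpoint only: each client brings its own certificate, and addresses and routes are pushed to it after the TLS handshake. Whether either file counts as "simpler" is what the thread is about; the pair is here so the reader can see what each side is actually comparing.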