> But Bill, I'm trying to understand what your point is. We can't force
> people to use security. IPsec is standard in most major business
> operating systems (Win2K, Solaris, *BSD, etc.) and available for
> Linux. There are hardware solutions -- I have a small IPsec box with
> me in Minneapolis. But except for VPN scenarios, most people choose
> not to use it. I think there's a lesson there, but I fail to see how
> Steve Kent or any of the other players in the history of IPsec are at
> all at fault.
>
> --Steve Bellovin, http://www.research.att.com/~smb

I would like to comment on the other issue in this paragraph, about why IPSEC deployment might lack vigour.

I set up VPN over IPSEC on a national academic network with a 40 Mbit backbone and 10/100 Mbit site link speeds. The best end-to-end performance I could get was 2 Mbit, rising to 3-4 in bursts, and I was flooded by fragmented IP. Stuff like PMTU end-to-end is absolutely vital to make non-aware clients and servers cope with encapsulated protocols.

I have also played with the client side code, and found that UDP protocols like Windows SMB do not work well on noisy/long-delay links. This repeats the experience of encapsulated LAT some of us ex-DECheads remember: you can't fix bad protocol experiences by wrapping them in better protocols if the end-to-end behaviour depends on the badness (e.g. timer dependencies).

Please don't get me wrong: I use IPSEC, I like IPSEC, but I have to recognize that off the beaten track, or for some (very useful) contexts, it turns out not to work as well as we'd like, for reasons probably not to do with IPSEC per se, but the general state of the network.

When you factor in that most of the 'simple' things can be done equally well in SSH, or by less clued people using non-secured tunnels, it gets harder to do a sell on IPSEC. Which is a shame, because I really like IP layer abstracted methods, and the idea of generic infrastructure rather than applications-level point solutions.
cheers
-George
--
George Michaelson | APNIC
Email: ggm@apnic.net | PO Box 2131 Milton QLD 4064
Phone: +61 7 3858 3100 | Australia
Fax: +61 7 3858 3199 | http://www.apnic.net
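Editor's added example (not part of George's mail, and not code from any IPsec implementation): a small Python calculator for the ESP tunnel-mode overhead that produces the "flooded by fragmented IP" effect described above. It works out how large an inner packet becomes after ESP encapsulation, how the outer IPv4 packet fragments when it exceeds the path MTU, and the inner MTU / TCP MSS clamp that avoids the fragmentation in the first place. Header sizes follow RFC 4303 (ESP), RFC 3948 (UDP encapsulation) and RFC 791/8200; the transform table, the 1500-byte path MTU and the "1500-byte inner packet" scenario are assumptions chosen for illustration.

```python
"""
ESP tunnel-mode overhead calculator.

Added example, not from the original mail. Sizes: ESP header/trailer and
4-byte alignment per RFC 4303, UDP encapsulation per RFC 3948, IPv4/IPv6
headers per RFC 791/8200. The transform table is an assumption covering a
few common suites; adjust it for the suite actually negotiated.
"""
from dataclasses import dataclass
import math

# transform name -> (IV bytes, ICV bytes, trailer alignment in bytes)
# CBC payloads must end on a cipher block boundary; AEAD (GCM) only needs
# the RFC 4303 4-byte alignment. Assumed values for illustration.
TRANSFORMS = {
    "aes128-cbc+hmac-sha1-96":  (16, 12, 16),
    "aes256-cbc+hmac-sha2-256": (16, 16, 16),
    "aes128-gcm-16":            (8, 16, 4),
    "3des-cbc+hmac-md5-96":     (8, 12, 8),
}

ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8    # only present with NAT-T / UDP encapsulation
TCP_HEADER = 20


@dataclass(frozen=True)
class Tunnel:
    transform: str
    outer_ipv6: bool = False
    nat_t: bool = False

    @property
    def outer_fixed(self) -> int:
        """Bytes outside the encrypted region: outer IP, optional UDP, ESP header, IV, ICV."""
        iv, icv, _ = TRANSFORMS[self.transform]
        outer_ip = IPV6_HEADER if self.outer_ipv6 else IPV4_HEADER
        return outer_ip + (UDP_HEADER if self.nat_t else 0) + ESP_HEADER + iv + icv

    def encapsulated_size(self, inner_len: int) -> int:
        """Total outer packet length for an inner IP packet of inner_len bytes."""
        _, _, align = TRANSFORMS[self.transform]
        # inner packet + pad length + next header, padded up to the alignment
        encrypted = math.ceil((inner_len + ESP_TRAILER) / align) * align
        return self.outer_fixed + encrypted

    def max_inner_mtu(self, path_mtu: int) -> int:
        """Largest inner packet that still fits in path_mtu after encapsulation."""
        _, _, align = TRANSFORMS[self.transform]
        available = path_mtu - self.outer_fixed
        return max(0, (available // align) * align - ESP_TRAILER)

    def tcp_mss_clamp(self, path_mtu: int, inner_ipv6: bool = False) -> int:
        """MSS to clamp on TCP SYNs so segments never exceed the inner MTU."""
        ip_hdr = IPV6_HEADER if inner_ipv6 else IPV4_HEADER
        return self.max_inner_mtu(path_mtu) - ip_hdr - TCP_HEADER


def outer_fragments(total_len: int, path_mtu: int, df: bool) -> list[int]:
    """Outer IPv4 fragment sizes for an encapsulated packet of total_len bytes.

    Returns [] when DF is set and the packet does not fit: the router must
    drop it and send ICMP Fragmentation Needed, which is what end-to-end
    PMTU discovery relies on."""
    if total_len <= path_mtu:
        return [total_len]
    if df:
        return []
    # Fragment payloads are multiples of 8 bytes except the last (RFC 791).
    payload = total_len - IPV4_HEADER
    per_frag = ((path_mtu - IPV4_HEADER) // 8) * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + IPV4_HEADER)
        payload -= chunk
    return sizes


if __name__ == "__main__":
    t = Tunnel("aes128-cbc+hmac-sha1-96")
    for inner in (1500, 1438, 576):  # constructed sample inner packet sizes
        total = t.encapsulated_size(inner)
        print(f"inner {inner:4d} -> outer {total:4d} -> fragments "
              f"{outer_fragments(total, 1500, df=False)}")
    print("inner MTU to configure:", t.max_inner_mtu(1500))
    print("TCP MSS clamp:", t.tcp_mss_clamp(1500))
```

With AES-CBC plus HMAC-SHA1 and a 1500-byte path, every full-size inner packet becomes a 1500-byte outer fragment plus an 80-byte tail fragment, which doubles the packet rate and halves throughput on any link that reassembles or rate-limits small packets. Lowering the inner interface MTU to what max_inner_mtu() reports, or clamping the TCP MSS to tcp_mss_clamp(), keeps the encapsulated packets under the path MTU without depending on ICMP Fragmentation Needed messages, which are often filtered.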