Re: IPv6 and child pornographers

see below for reply.

On Mon, 14 Oct 2002, Stephen Kent wrote:

>     DARPA planners unfortunately were short sighted and did not
>     anticipate the technology would become an international standard for
>     communications. The community of users and networks connected to DARPA
>     were small and trusted so security concerns were a low priority. The
>     end result was the deployment of insecure protocols that have kept
>     many security experts gainfully employed. Even secure protocols are
>     hacked. Today there are millions of compromised computer systems busy
>     trying to hack other computers. And many of those busy hacking
>     computers may no longer be under the control of the original script
>     kiddy hacker who launched them. In fact I suspect many such computers
>     are operating independently of a human operator.
>
> As one of the fortunate folks who participated in the ARPANET and the
> beginning of the Internet, I can attest to the accuracy of the first
> sentence. Unfortunately, most of the rest of the paragraph, and the
> rest of your message, is incorrect.
>
> The first crypto-based security protocols for packet nets (and
> devices that implemented them) were developed in the mid-70s, here at
> BBN, and deployed in the ARPANET. In the later half of the 70s we
> also developed the first IP-based end-to-end crypto protocols and
> devices, using KDC-style technology well before the development of
> Kerberos at MIT under project Athena. So, it is inaccurate to suggest
> that the DoD did not pay attention to security concerns in the
> development of IP.

Steve, you took a tangent into outer space here.  Time to bring you down to
earth.  I do not dispute that end-to-end crypto protocols were developed at
various stages in the game.  Unfortunately, I have yet to see anything that
actually works and stands the test of time.

You mentioned two security protocols above - well, they have proven to be
vulnerable.

http://search.cert.org/query.html?col=allcert&col=certadv&col=incnotes&col=research&col=secimp&col=techtips&col=trandedu&col=vulnotes&ht=0&qp=&qt=KDC&qs=&qc=&pw=100%25&ws=1&la=en&qm=0&st=1&nh=25&lk=1&rf=2&rq=0&si=1
http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&col=allcert&col=trandedu&col=vulnotes&col=techtips&col=research&col=certadv&col=incnotes&col=secimp&qt=kerberos

> The primary security mechanisms that are part of IPv6, are the same
> ones that are available for IPv4 today, namely IPsec. So it would
> also be inaccurate to suggest that IPv6 offers significant new
> security options relative to v4. Although one can argue that the
> address space capabilities of v6 offer the potential for increased
> privacy relative to v4, even this may not be true in practice, as
> there are many ways by which privacy is likely to be compromised by
> higher layer protocols.

That's exactly my point.  I have yet to see anything that can't be
compromised.

> Depending on the type of traffic that Carnivore is being used to
> intercept, I doubt that the transition to v6 form v4 will be a
> concern, absent use of IPsec or S/MIME or SSL/TLS.

I'm not sure what you mean here.

> IPsec does not make IP "less prone to man in the middle interception
> ..." It makes v4 and v6 immune to such interception. IPv6 will NOT do

IPsec does not make any system immune from man in the middle interception.
Maybe the transmitted data is immune from your average joe in the middle,
but not from those who can and have the resources to decrypt these
transmissions.  That is, after all, what intel (intelligence communities) do
as a standard part of their business.  Granted, IPsec makes it more costly
to view the stream - but not impossible.  There is no such thing as an
immune protocol.

> this automatically. It still requires user/admin configuration and
> key management, which has often proved to be an impediment, largely
> because of poor management designs/interfaces.

Yes and that is always a problem.  User interfaces are not terribly
friendly.

> I could go on to identify many more errors in the statements you made
> re various security matters. As the military would say, your message
> is a "target rich environment."  But, I think the ones noted above
> suggest that you don't really understand the nature of security in
> the Internet.

Go ahead - consider it a learning challenge.  And feel free to do so
privately.

cheers
joe baptista
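The exchange above argues over what IPsec does and does not protect against an in-path party, and over key management as the practical weak point. The following is an added illustration, not part of the archived thread and not real IPsec code: a miniature encrypt-then-MAC packet protection in the style of ESP, written against the Python standard library only. The keystream construction (HMAC-SHA256 in counter mode), the header layout, the sequence-number replay check and the keys are all constructed simplifications chosen for this example. It shows the three cases the thread argues about: a passive observer without the key sees only ciphertext, an active modification of the packet is detected and dropped, and a receiver holding the wrong key (or a sender forging with its own key) gets nothing through, which is why the security of the whole arrangement rests on both ends actually holding the right keys.

```python
"""Added example: ESP-style encrypt-then-MAC packet protection (toy, stdlib only)."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # bytes of truncated HMAC-SHA256 carried as the integrity check value


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    """Derive a per-packet keystream from the key and the (spi, seq) header.

    Constructed toy: HMAC-SHA256 in counter mode. The header is mixed in so a
    given (spi, seq) pair never reuses a keystream under the same key.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, header + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(enc_key: bytes, mac_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP-like packet: header || ciphertext || tag (encrypt-then-MAC)."""
    header = struct.pack("!II", spi, seq)
    ks = _keystream(enc_key, header, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


class Receiver:
    """Holds the keys and the anti-replay state for one inbound association."""

    def __init__(self, enc_key: bytes, mac_key: bytes, spi: int):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.spi = spi
        self.highest_seq = 0  # simplified anti-replay: accept only strictly increasing seq

    def unprotect(self, packet: bytes):
        """Return the payload, or None if the packet must be dropped."""
        if len(packet) < 8 + TAG_LEN:
            return None
        header, body, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            return None
        # Integrity check first: a change to any byte, header or body, changes the
        # expected tag. compare_digest avoids a timing side channel on the comparison.
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None
        if seq <= self.highest_seq:
            return None  # replayed (or reordered) packet
        self.highest_seq = seq
        ks = _keystream(self.enc_key, header, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def demo() -> dict:
    """Run sender, receiver and an in-path party through the cases the thread argues about."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed keys for this run
    spi = 0x1234
    rx = Receiver(enc_key, mac_key, spi)
    payload = b"GET /private HTTP/1.0\r\n\r\n"  # constructed sample payload

    pkt = protect(enc_key, mac_key, spi, 1, payload)
    results = {}
    # A passive observer sees the header in the clear but not the payload.
    results["observer_sees_plaintext"] = payload in pkt
    results["legit"] = rx.unprotect(pkt) == payload
    # Replay of the same packet is rejected by the sequence check.
    results["replay_rejected"] = rx.unprotect(pkt) is None
    # Active modification: flip one ciphertext bit; the tag no longer verifies.
    tampered = bytearray(protect(enc_key, mac_key, spi, 2, payload))
    tampered[8] ^= 0x01
    results["tamper_rejected"] = rx.unprotect(bytes(tampered)) is None
    # A receiver holding different keys can neither verify nor read the packet ...
    stranger = Receiver(os.urandom(32), os.urandom(32), spi)
    results["wrong_key_rejected"] = stranger.unprotect(protect(enc_key, mac_key, spi, 3, payload)) is None
    # ... and a sender using its own keys cannot get a packet accepted.
    results["forgery_rejected"] = rx.unprotect(protect(b"x" * 32, b"y" * 32, spi, 4, payload)) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note what the example does and does not demonstrate: it shows that an in-path party without the keys cannot read the payload or alter it undetected, which is the sense in which the quoted message calls IPsec protection against interception. It says nothing about a party who has obtained the keys, and the wrong-key and forgery cases make plain that everything depends on the key material being correctly set up at both ends, the configuration and key-management step the thread identifies as the usual impediment.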

