Monoculture

Simon Josefsson jas at extundo.com
Thu Oct 2 12:37:33 EDT 2003


"Perry E. Metzger" <perry at piermont.com> writes:

> Guus Sliepen <guus at sliepen.eu.org> writes:
>> > In that case, I don't see why you don't bend your efforts towards
>> > producing an open-source implementation of TLS that doesn't suck.
>> 
>> We don't want to program another TLS library, we want to create a VPN
>> daemon. 
>
> Well, then you might consider using an existing TLS library. It is
> rather hard to make a protocol that does TLS things that is both safe
> and in any significant way simpler than TLS.

Several people have now suggested using TLS, but nobody seems to also
refute the arguments made earlier against building VPNs over TCP, in
<http://sites.inka.de/~bigred/devel/tcp-tcp.html>.

I have to agree with many things in the paper; using TCP (as TLS does)
to tunnel TCP/UDP is a bad idea.  Off-the-shelf TLS may be a good
security protocol, but it is not a good VPN protocol.  Recommending
TLS without understanding, or caring about, the application domain
seems almost arrogant to me.

Admittedly, you could invent a datagram-based TLS, but this is neither
widely implemented nor specified (although I vaguely recall WTLS), so
then you are back at square one as far as security analysis goes.

Thanks,
Simon
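The TCP-over-TCP interaction the message refers to can be made concrete with a small event-driven model. This is an added example, not code from the thread or from the cited paper: one stop-and-wait TCP sender runs inside a tunnel whose carrier is either a datagram path (a drop is simply lost, and only the inner TCP recovers it) or a reliable in-order path (the carrier retransmits after its own RTO and never reorders, so everything queued behind the dropped segment waits). The delays, the inner and outer RTO values, the assumption that the outer timer is the longer one, and the loss schedule are all constructed for illustration.

```python
"""Toy event-driven model of tunnelling TCP over a datagram carrier
versus over a reliable, in-order (TCP-like) carrier.

Constructed example; not code from the thread or the cited paper.
All delays, timers and the loss schedule are assumed values in
abstract time units.
"""
import heapq

ONE_WAY = 1  # assumed one-way carrier delay


def simulate(carrier, segments=3, inner_rto=4, outer_rto=12, losses=(0,)):
    """Run one inner stop-and-wait transfer to completion.

    carrier: "udp" (drops vanish) or "tcp" (carrier retransmits after
             outer_rto and delivers strictly in order).
    losses:  indices of carrier transmissions the network drops
             (0 = the very first one).
    Returns (finish_time, carried, inner_retransmits): when the final
    ACK reached the sender, how many inner segments the carrier actually
    delivered (duplicates included), and how often the inner RTO fired.
    """
    events, counter = [], 0

    def push(t, kind, payload):
        nonlocal counter
        counter += 1                              # FIFO among equal times
        heapq.heappush(events, (t, counter, kind, payload))

    carrier_sends = carried = inner_retransmits = 0
    last_delivery = 0                             # in-order bound (tcp carrier)
    acked, rto, timer_gen = 0, inner_rto, 0

    def send(t, seq):
        nonlocal carrier_sends, last_delivery, timer_gen
        lost = carrier_sends in losses
        carrier_sends += 1
        if carrier == "udp":
            if not lost:
                push(t + ONE_WAY, "deliver", seq)  # a drop is just gone
        else:
            # The outer TCP recovers a drop with its own timer, and nothing
            # queued behind the dropped segment is allowed to overtake it,
            # so inner retransmissions pile up and are all carried reliably.
            arrive = t + (outer_rto if lost else 0) + ONE_WAY
            last_delivery = max(arrive, last_delivery)
            push(last_delivery, "deliver", seq)
        timer_gen += 1                            # arm the inner RTO for seq
        push(t + rto, "timer", (seq, timer_gen))

    send(0, 1)
    while events:
        t, _, kind, payload = heapq.heappop(events)
        if kind == "deliver":
            carried += 1
            push(t + ONE_WAY, "ack", payload)     # receiver ACKs what arrived
        elif kind == "ack":
            if payload <= acked:
                continue                          # duplicate ACK, ignore
            acked, rto = payload, inner_rto       # fresh sample: reset backoff
            timer_gen += 1                        # cancels the pending RTO
            if acked == segments:
                return t, carried, inner_retransmits
            send(t, acked + 1)
        else:                                     # "timer"
            seq, gen = payload
            if gen != timer_gen or seq <= acked:
                continue                          # stale timer
            inner_retransmits += 1
            rto *= 2                              # exponential backoff
            send(t, seq)
    raise RuntimeError("transfer did not complete")


def compare(**kw):
    """Run the same loss schedule over both carriers."""
    return {c: simulate(c, **kw) for c in ("udp", "tcp")}


if __name__ == "__main__":
    for carrier, (done, carried, retx) in compare().items():
        print(f"{carrier}: finished at t={done}, carried={carried} segments, "
              f"inner retransmits={retx}")
```

With a single drop of the first segment, the datagram carrier lets the inner TCP recover on its own: one inner retransmission, three segments carried, transfer done at t=10. Over the reliable carrier the inner timer fires twice while the outer TCP is still waiting for its own RTO, both duplicates are queued behind the stuck segment and then delivered reliably, and head-of-line blocking pushes completion out to t=18 with five segments carried for three segments of payload. With no loss the two carriers behave identically, which is why the problem only shows up on lossy or congested paths.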

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
