"ISAKMP" flaws?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Nov 18 22:31:58 EST 2005


William Allen Simpson <wsimpson at greendragon.com> writes:

>So, where is the community to replace ISAKMP with something more robust?

Already happened; unfortunately it's diverged into three different branches:

- VPN hardware vendors replaced it with "management tunnels", typically things
  like single-DES-encrypted backdoors with no message integrity or message
  flow integrity protection and 8-character uppercase-only passwords.

- Open source folks replaced it with OpenVPN.

- The remaining user base replaced it with on-demand access to network
  engineers who come in and set up their hardware and/or software for them and
  hand-carry the keys from one endpoint to the other.

  I guess that's one key management model that the designers never
  anticipated... I wonder what a good name for this would be, something better
  than the obvious "sneakernet keying"?

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


