[Info-vax] HP's Partner Virtualization Program
Michael D. Ober
obermd. at .alum.mit.edu.nospam.
Sat Aug 15 12:04:30 EDT 2009
"Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message
news:yJ-dnb4DHoqzSxvXnZ2dnUVZ_i1i4p2d at giganews.com...
> R.A.Omond wrote:
>> Richard B. Gilbert wrote:
>>> [...big snip...]
>>> In twenty years as a system manager, VMS and several flavors of Unix, I
>>> NEVER used, or even encountered, IPSEC! We've all gotten along without
>>> it somehow. I never missed it! Why has it suddenly become a sine qua
>>> non?
>>
>> Richard, please use some of the next twenty years to learn how to snip.
>
> Please try to answer the question!
>
Richard - there are two problems that IPSec supposedly solves.
First, packets are encrypted in transit. There is a growing realization
that packets in the clear are large enough to carry a lot of personal data.
Credit card data, including name, address, card number, and card security
number, for instance, can be fully stored inside the 1500 or so byte limit
imposed by most routers. So to steal your credit card, a packet sniffer
only needs to grab a single packet. You don't have to defeat security on
the OS to steal credit cards. Transmission security is a necessary, but not
sufficient, requirement for internet commerce of any sort. Yes, IPSec isn't
the only method, but it's well understood and relatively easy to implement
on most routers and OSs.
Second, IPSec uses very well defined ports for communication and is thus
relatively easy for routers to handle. RPC for Windows and some variants of
Unix don't use the standard well-known port negotiation for service. This
gives firewalls fits.
In addition to solving these two problems, as long as no one figures out how
to factor large numbers that are the products of two large primes, IPSec
security can be increased simply by increasing the key length, so long as
the underlying key exchange is kept secure. In fact, the current wireless
standards provide an option to use IPSec for transmission security, allowing
wireless networks to actually stand a chance against packet sniffers.
Mike Ober.
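As an added example, not part of the thread above, here is the defender's side of the first point in Python: a DLP-style check that finds a Luhn-valid card number inside a single cleartext packet that fits within the 1500-byte limit, and finds nothing once the same payload is encrypted in transit. The HTTP POST body is constructed sample data, and the random-keystream XOR is only a stand-in for ESP; it is not an IPsec implementation.

```python
import os
import re

# Constructed sample: a cleartext checkout POST carrying name, address, card
# number and CVV, the kind of payload that fits easily in one packet.
SAMPLE_CLEARTEXT = (
    b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=Jane+Doe&address=1+Main+St&card=4539578763621486&cvv=123"
)
MTU = 1500  # typical Ethernet MTU referred to in the post


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; DLP tools use it to drop random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in a packet payload."""
    text = payload.decode("latin-1")   # byte-for-byte, never raises
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [c for c in candidates if luhn_ok(c)]


def fits_one_packet(payload: bytes, mtu: int = MTU) -> bool:
    """True if payload plus 20-byte IPv4 and 20-byte TCP headers fits the MTU."""
    return len(payload) + 20 + 20 <= mtu


def otp_encrypt(payload: bytes) -> bytes:
    """Stand-in for ESP (assumption): XOR with a fresh random keystream, so the
    bytes on the wire carry no recoverable digits for a sniffer or a DLP scan."""
    key = os.urandom(len(payload))
    return bytes(p ^ k for p, k in zip(payload, key))


if __name__ == "__main__":
    print("fits one packet:", fits_one_packet(SAMPLE_CLEARTEXT))
    print("PANs in cleartext:", find_pans(SAMPLE_CLEARTEXT))
    print("PANs in encrypted:", find_pans(otp_encrypt(SAMPLE_CLEARTEXT)))
```

The same single-packet property cuts both ways: one captured cleartext packet exposes the card, and one inspected packet is enough for a DLP sensor to flag it, while the encrypted copy yields nothing to either.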