Re: TODO List - Volunteers welcomed



At 02:56 AM 5/27/00 +0200, Bastiaan Bakker wrote:
>Ah right, up until now I've been focussing on tunnel mode, because most
>people, including me are primarily interested in using IPSec for VPN's
>at the moment.

Tunnels are popular because most application protocols are not
secured.  But because tunnels are transparent to applications,
they are not actually as secure as mechanisms which the application
is aware of.  How many times have I heard "I thought my packets
were going through the tunnel...."

>On the other hand Bruce Schneier has argued in his
>analysis of IPSec ( http://www.counterpane.com/ipsec.html) in favor of
>eliminating transport mode....

And replace it with what?  All protocols that operate at the transport
layer need security services.  We don't need separate solutions for
each transport protocol... and certainly not for each application
protocol.

With LDAP, TLS is an option as LDAP operates over TCP... of course,
we could start talking about CLDAP.  Anyways, my attitude is to
support generally useful features.  Like TLS, IPSEC support will
be useful.  Of course, we support features only as they get
implemented and they tend to get implemented out of need.


>OK, I'll look into IPSec-based authentication a bit further this weekend.
>Probably, it's best not to focus specifically on OpenLDAP support
>initially, 

I'd be interested in a "what's possible today" summary.  I've
never toyed with the various IPSEC APIs.

>PS. Shouldn't stuff like this be on the 2.X or 3.0 ToDo list, rather
>than the 2.0 one?

Actually, IPv6 and IPSEC are just on THE todo list.  They will
be included in the release in which they get done.

The 2.0 specific items are at the top of the list.  Other
items are listed because we'd like to see them implemented
eventually or they are nice projects for new developers or
because they might intrigue someone enough to work in that
area.  You might say IPSEC is in the latter category.  IPv6,
however, is in the first.  We need IPv6... the sooner the
better.