On Tue, Mar 02, 2004 at 03:49:47AM +0100, Thomas Shaddack wrote:

> I maintain a small conglomerate of private and corporate networks. We use
> FreeS/WAN quite extensively, with great success - in the last 2 years we had
> no drop-out caused by the crypto infrastructure fault. No attempt for
> opportunistic crypto on the IP level, though, at least not yet.

What sank FreeS/WAN for me (as compared to StartTLS for opportunistic email encryption) is the requirement to publish DNS records and KLIPS always failing on next kernel upgrades. Opportunistic encryption suffers from the fax effect; FreeS/WAN made things unnecessarily difficult.

We have KAME/Racoon support in OS X, and IPsec seems to have been present in Windows since NT, OpenBSD has support, and now we see 2.6 kernels becoming available (Knoppix, Fedora Core 2 test1 and Mandrake seem to have it).

What's needed is a good OE patch for 2.6.x which is activated and shipped in mainstream Linux distros as default (fallback to plain will probably produce visible delays). Until that happens, OE in IPsec will remain largely a pipe dream, and only grow very slowly among the early adopters.

> It was a good project. Hope somebody picks up the torch and keeps it
> burning, possibly even brighter.

Is there a protocol flaw in IPsec which prevents it from going OE as StartTLS does?

--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net