* Peter van den Heuvel wrote on Thu, Jun 13, 2002 at 11:55 +0200:
the install script does everything for you; patch the kernel, build & install it :-) The fewer kernel patches required, the better I like it.
But the origin of the patches is more important :)
The simpler it is the better I like it (both from a maintenance as well as a security point of view).
That is an important point I think! But IPSec is straight-forward, but of course you need to read half a page about IPSec to understand it. Well, there are multiple "modes" for IPSec operation and so on, at least here is potential for misconfigurations or such.
Complex -> much code -> many bugs.
This rule is definitely wrong. The number (and kind) of bugs depends on the quality, which itself depends on the software creation processes. And many small "hacked-in" things are horrible :)
Much configuration -> much time and many mistakes that are hard to find.
Yes, this is correct. But you cannot implement a solution which is easier than the problem, usually ;) Well, VPN is not a trivial theme, even if M$ and all those stuff suggests. If you use simple protocols, maybe they are just so simple since they are bad by design?
Also have a look at cipe.
- It's not a standard (no co-op with Cisco and friends).
- It's a module without kernel patches.
Where is the difference to a kernel patch? A module runs in kernel space and has access to any resource, and a wild pointer can happily crash your system.
- It runs on most Microsoft platforms.
Well, for Win it may be ok, and insecure VPN for insecure systems :) SCNR.
- It uses UDP for transport (never use TCP for serious tunnelling).
Hum, why UDP? IPSec uses protocol 50,51 IIRC. Well, tunneling UDP packets in a TCP tunnel would dramatically increase the reliance :)
- It's got one small config file (and even that causes enough problems to those who don't know - their networking basics).
Without knowledge no one should start :)
oki,
Steffen
--
This letter was generated by machine; it therefore bears neither signature nor seal.