Re: IP security

Linus Torvalds (torvalds@cs.helsinki.fi)
Wed, 7 Aug 1996 12:49:09 +0300 (EET DST)


On Tue, 6 Aug 1996, Jauder Ho wrote:
>
> has anyone looked/implemented this? the url is
>
> http://www.cisco.com/public/library/isakmp/ipsec.html

I'd just like people to look into ssh before getting all that excited about
secure IP. Quite frankly, doing cryptography in the IP layer sucks raw eggs,
and anybody who thinks it's a good idea has probably not really thought it
through.

Most "secure IP" packages seem to think that having a per-host key is a good
idea. In fact the whole idea sucks: you need to be the host maintainer to
change the keys etc. That means that the user is at the mercy of the
maintainer, who may be overworked, uncaring about the users' needs, or simply
stupid. You can't really protect against an actively _evil_ root, but ipsec
doesn't even protect against an _uncaring_ root..

With "ssh", you get something that works today, is secure and usable, and can
be installed easily on the system with minimal need for maintenance, so you
don't need to worry overmuch about maintaining it. It ports to just about any
UNIX, and because it's connection-oriented you can use it or not use it as
you see fit.

Note: if somebody thinks ipsec is useful and implements it cleanly for Linux,
I'd be more than happy to add it to the kernel despite the above text. I
don't think ipsec is _evil_, I just don't think it's the right way to do
security on the internet.

Linus