[cap-talk] End to end encryption (was: network level ...)
Stephen J. Bevan
stephen at dino.dnsalias.com
Wed Jun 21 22:49:06 EDT 2006
Jed at Webstart writes:
> That was my understanding also. Is there some general hope
> (e.g. particularly in the IPsec community) that IPsec will
> spread enough that ultimately (soon?) this will be true?
> Is there any particular reason for hope or dismay in that
> area?
As I noted, with Microsoft including IPsec in Windows and Linux having
IPsec natively (as opposed to a third-party patch), the situation is
much better than it was 5 years ago. However, there seems to be some
level of disagreement on how to do end-to-end encryption with some
arguing for IPsec while others instead create a xxxS or Sxxx version
for every (TCP) protocol xxx (e.g. HTTPS, POP3, IMAPS, SSMTP,
... etc.). Theoretically IPsec is the right way to do things but it
was arguably too little too late, e.g. SSL was easier to use/deploy,
especially when it comes to NAT and asymmetric authentication. IKEv2
fixes a lot of the issues with IKE but users will have to wait years
for that to be (widely) deployed and so in the meantime the
pragmatists carry on creating xxxS protocols.
> Does this fall the same area as the comparable
> issue with IPv6 (Catch 22: won't be useful until it's everywhere,
> and won't be put everywhere until it's useful)?
IPsec is part of IPv6 so if IPv6 catches on (and it will in some areas
e.g. DOD is pushing it for its networks) then IPsec will come with it.