[ale] SSL-based VPNs (OpenVPN) vs IPSec

Michael H. Warfield mhw at wittsend.com
Thu Feb 24 21:50:24 EST 2005


On Thu, 2005-02-24 at 18:54 -0500, Michael H. Warfield wrote:
> On Tue, 2005-02-22 at 15:06 -0500, M Raju wrote:
> > I have been thinking of playing with OpenVPN and converting my existing
> > setup at home, which comprises mainly an IPSec VPN for WiFi/External
> > access - OpenBSD Firewall/Access Point running (ISAkmpd), Racoon on OS
> > X and OpenSWAN for Linux.
> > 
> > Anyone prefer SSL over IPSec? Found an interesting paper on OpenVPN Security -> 
> > http://www.sans.org/rr/papers/20/1459.pdf
> 
> 	Personally, I would avoid an SSL-based VPN like the plague.  There is
> no "perfect forward secrecy" or rekeying and the session keys can be
> determined from the PKI authentication keys (in other words, if you
> compromise the key from either end, you can decrypt the traffic, which
> is not the case with IPSec w/ PFS and Diffie-Hellman).

	I may have to moderate my thoughts about OpenVPN a bit.  It seems that
it's not an "SSL based VPN".  It uses SSL/TLS for authentication but has
support for rekeying and is NOT an SSL tunnel.  It's not clear, from the
descriptions, if it has perfect forward secrecy, but it might.  It does
precompute the DH parameters, which is not good (implying that it does
NOT have perfect forward secrecy, but I'm looking into that further).
What IS amusing is that it IS apparently IPSec based, at least on the
session level.

] OpenVPN uses an industrial-strength security model designed to
] protect against both passive and active attacks. OpenVPN's
] security model is based on using SSL/TLS for session
] authentication and the IPSec ESP protocol for secure tunnel
] transport over UDP.

	Sooo...  Apparently, it is using IPSec ESP for its transport just like
IPSec NAT-T.  Only difference seems to be the key negotiation utilizing
SSL/TLS as opposed to NAT-T.  Not sure what that's supposed to buy you at
that point, considering that IKE supports PKI and all...

> > _Raju

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
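The forward-secrecy distinction the thread turns on, as an added toy illustration (example code, not from the thread, the SANS paper or OpenVPN itself; the tiny group, the HMAC standing in for a TLS signature and the "static" mode are constructed assumptions): a session key derived from the long-term authentication key can be recomputed by anyone who later obtains that key, whereas a fresh ephemeral Diffie-Hellman exchange over a fixed, pre-generated group uses the long-term key only to sign the public values, and each rekey runs a new exchange.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, generated once ahead of time (the role of a
# pre-generated "dh" parameter file). Constructed for illustration only;
# real deployments use large safe-prime groups, not a 61-bit prime.
P = (1 << 61) - 1   # Mersenne prime
G = 3

def kdf(material):
    """Hash-based key derivation for the toy session key."""
    return hashlib.sha256(material).digest()

def static_mode_session(auth_key):
    """Session key derived from the long-term key plus a nonce sent in clear.
    Returns (session_key, wire). Anyone holding auth_key can recompute it."""
    nonce = secrets.token_bytes(16)
    return kdf(auth_key + nonce), nonce

def ephemeral_dh_session(auth_key):
    """Fresh exponents per session; auth_key only authenticates the public
    values. Returns (session_key, wire); the exponents never leave each side."""
    a, b = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    A, B = pow(G, a, P), pow(G, b, P)
    wire = b""
    for v in (A, B):                      # value (8 bytes) + HMAC tag (32 bytes)
        enc = v.to_bytes(8, "big")
        wire += enc + hmac.new(auth_key, enc, hashlib.sha256).digest()
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)         # both ends agree on g^(ab)
    return kdf(shared.to_bytes(8, "big")), wire

def attacker_with_auth_key(auth_key, wire, mode):
    """Passive capture plus later compromise of auth_key.
    static: returns the session key (full recovery of past traffic).
    ephemeral: returns the verified public values; the session key still
    needs a private exponent, which auth_key does not provide."""
    if mode == "static":
        return kdf(auth_key + wire[:16])
    pubs = []
    for off in (0, 40):
        enc, tag = wire[off:off + 8], wire[off + 8:off + 40]
        if not hmac.compare_digest(hmac.new(auth_key, enc, hashlib.sha256).digest(), tag):
            raise ValueError("bad authentication tag")
        pubs.append(int.from_bytes(enc, "big"))
    return pubs

def rekeyed_sessions(auth_key, n):
    """Periodic rekey: every renegotiation is a fresh DH exchange, so the
    keys are independent of each other and of the long-term key."""
    return [ephemeral_dh_session(auth_key)[0] for _ in range(n)]
```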