You do realize a lot of NSA-approved encryption devices use IPSEC, don’t you? Also, two “major flaws” pointed out by this guy actually have valid purposes:
-
Null encryption is useful for when you need to troubleshoot all of the other aspects of an IPSEC tunnel (MSS, authentication, routing, etc…) without encryption obscuring your view of traffic. It is not for production use and production VPNs should be configured to reject null crypto.
-
single DES and 768-bit DH are weak and everyone knows it. There are plenty of cases where weak crypto is OK, if bandwidth is more important, the endpoints are small/embeded systems, and the data you are encrypting isn’t that sensitive. Case in point: DRM on DVD, CableCARD, satellite, IPTV… for the most part it is all DES, RC4, or something similarly weak. (The keys do change frequently tho so cracking one key is just going to give you a few seconds of video)
but whatever… neckbeards gonna wharrgbl…
