Re: (IPng) in-band key mgmt, IPV6, export issues, DES hardware


1)   The IPv6 specs do NOT "clearly state that in-band cannot be used
for IPv6".

  The IPv6 specs merely state that the IPv6 security specs were "not
intended for use with in-band" key management.  In-band clearly works
as has been described by Ted T'so and others.  Even the in-band
advocates believe that it will work using the technique that Ted has
described.  Within an IETF spec, things that are not explicitly
prohibited using "MUST NOT" language are permitted.  There is no
language that I am aware of that says one "MUST NOT" use in-band key
management or even says one "SHOULD NOT" use in-band key management.
There is a difference between what the designer intended and what
is possible and permitted.

2)  With regard to the export issues, I can provide some data,
but I don't have any legal answers (I'm not a lawyer :-)  :

  I am not an expert on laws in any country, but I have been told
repeatedly by folks in France that French law prohibits all USE of all
encryption algorithms even by French citizens within France (except
under special circumstances where the user has prior permission from
the French government).  I mention France only to provide a specific
example.  There are probably other countries at least this restrictive
in their laws and regulations.

  This notwithstanding, it is widely known that certain anonymous ftp
sites in Finland make DES and other encryption algorithm source code
freely available with no technical restrictions on access from outside
Finland.  I do not know if Finnish law regulates exports or not, but
in practice those systems will de facto permit downloading to anyplace
on the net.  It is my understanding that someone from TIS actually
demonstrated this fact to the US Congress during hearings sometime in
the past several years (Steve Crocker probably knows the details on

   At least one major router vendor (i.e. Network Systems) now has
DES encryption of IP traffic as a commercially available option.
They use a hybrid Diffie-Hellman key mgmt technique.  This to
me indicates that they believe they have a business case to
sell such an option.  Other businesses might well decide they
do not have such a business case.

3) I have some data on DES hardware that some might find interesting
and so I'll pass it along for information.  This is not and must not
be misconstrued as an endorsement of any vendor's product :

  Digital Equipment Corporation made a demonstration to the IPsec
working group at the Columbus IETF meeting of fast DES encryption
hardware that they were designing/manufacturing in Israel and then
exporting to various countries (including the US).  If I understood
the DEC people correctly, one reason for selecting Israel was that it
was less restrictive than the US about exports of DES hardware.  I do
not recall exactly how fast the DEC DES chip is, but I think it was
over 100 Mbps.

  By the way, the US firm "VLSI Technology" reportedly also has a
commercially available DES chip that will process hundreds of megabits
per second.  I have not actually seen or used such a chip, so this
might be vaporware.  There might also be other vendors of similar
products that I am not aware of at this time.  I do not endorse any
particular vendor's product.  I am just trying to note that fast DES
encryption appears commercially implementable.  I would be interested
to hear about any MD5 or SHA hardware that is/will-be commercially