
Exporting an IPSec implementation



        As a reminder, if you need to build an IPsec implementation
that is exportable, you can use the RC5 transforms that we described
in two internet drafts published on the IETF sites and on rsa.com's
site.  RC5 has both a 128 bit and a 40 bit variant.  We have received
basic approval for the 40 bit variant to be used with IPsec 
implementations (you still need to do the export paperwork, but it 
should go fast and we can help with it).  Within the USA, RC5 should
be licensed from RSA Data Security; outside the USA anyone can
implement it.  The internet drafts provide enough detail,
sample code and test vectors to ensure that independent 
implementations of RC5-CBC and the ESP transform will interoperate.
        By the way, if you have a restricted target market like
IPSec for an international bank, then you should attempt to get
an export license for a full strength 56 bit DES.  Similar situations 
have worked successfully for our customers.
                --Bob Baldwin

Disclaimer:  To legally claim that a product implements "IPSec",
the product MUST implement 56 bit DES-CBC which of course is
not exportable for general applications.  So, if your product only
performs a 40 bit RC5, which would allow you to post it on
the web and give it away for free throughout the world, then
your legal claims should indicate that it is a demonstration
version, not a true implementation of IPSec.



